Android Packaging
Your Android applications must meet specific packaging and compilation requirements before you can submit them for scanning.
See Supported Languages and Platforms for instructions for other platforms.
You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) agent-based scanning. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.
Veracode supports the scanning of Java and Kotlin applications compiled for Android. Veracode also supports these mobile frameworks:
Veracode does not support other cross-platform development frameworks.
Supported Android JREs and Compilers
Language | Platform | Supported Versions |
---|---|---|
Jetpack | Android | All stable releases through January 2022 |
Java and Kotlin | Android | Android 2.2–13 (API Levels 8–33). NOTE: Initial support for Android 12 (API Level 31), Android 13 (API Level 33). |
Veracode supports scanning Android applications written in Java and Kotlin and packaged as an Android Package (APK) or Android App Bundle (AAB).
Veracode can analyze Android application code with or without debug symbols. When you provide debug builds of Android application code, Veracode can provide source file and line number information about the location of findings.
For a successful scan, you cannot obfuscate the Android application.
Supported Android Frameworks
Veracode supports and provides high-quality results for Android applications using these frameworks.
Framework | Supported Versions |
---|---|
AWS Mobile SDK for Android | 2.2.4 |
Parse Android SDK | 1.9.4 |
ExoPlayer | 2.x |
Compilation Guidance for Debug Builds
If you use Android Studio to develop your project:
- Select a debug build variant from the Build Variants menu. Verify that you set all submodules to Debug.
- Name the APK using this format:
<app_name>-<productFlavor>-debug.apk
To build with Android Studio on the command-line interface, use gradlew with the assembleDebug option.
With the standard javac compiler, on the command line, add the -g option to obtain debug symbols, for example:
javac -g foo.java
If you are using ant to build the project, you must enable the debug property in the javac tasks, for example:
<javac debug="on"> ... set of classes </javac>
If you are developing the project with Eclipse, go to Project > Properties and select the Java Compiler properties. Under Classfile Generation, select these options:
- Add variable attributes to generated class files
- Add line number attributes to generated class files
- Add source file name to generated class files
If you want to include Software Composition Analysis (SCA) findings in your Static Analysis, you must also include the dependencies. This is the default behavior. If you have opted out of sharing dependencies, you must remove the dependenciesInfo section from the build.gradle file.
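The following pre-upload check is an added example, not Veracode tooling. It tests an APK file name against the format above and scans build.gradle text for a dependenciesInfo section and for minification enabled on the debug build type. It assumes a Groovy-DSL build.gradle and that obfuscation is turned on through the Android Gradle plugin's minifyEnabled setting; the function names and the sample build file are constructed for illustration.

```python
import re

# Naming format from this page: <app_name>-<productFlavor>-debug.apk
APK_NAME_RE = re.compile(r"^.+-[^-]+-debug\.apk$")

def block_body(text, name):
    """Return the body of the first `name { ... }` block, or None if absent."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces: treat as not found

def preflight(apk_name, gradle_text):
    """List the packaging problems found (heuristic text scan, not a Groovy parser)."""
    problems = []
    if not APK_NAME_RE.match(apk_name):
        problems.append("apk-name")
    # Drop whole-line // comments so commented-out settings are ignored.
    text = re.sub(r"(?m)^\s*//.*$", "", gradle_text)
    if block_body(text, "dependenciesInfo") is not None:
        problems.append("dependenciesInfo")  # page: remove this section for SCA findings
    debug = block_body(block_body(text, "buildTypes") or "", "debug") or ""
    if re.search(r"\bminifyEnabled\s*(=\s*)?true\b", debug):
        problems.append("debug-minify")  # assumption: minifyEnabled implies obfuscation
    return problems

# Constructed sample build file, not taken from any real project.
SAMPLE_GRADLE = """
android {
    buildTypes {
        debug { minifyEnabled true }
        release { minifyEnabled true }
    }
    dependenciesInfo {
        includeInApk = false
    }
}
"""

if __name__ == "__main__":
    print(preflight("shop-free-debug.apk", SAMPLE_GRADLE))
```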