
FindSecBugs for Android

Learn how the FindSecBugs plugin works to detect Android app vulnerabilities earlier in the SDLC by integrating with CI tools like Jenkins.


Introduction

To give Android developers an automated security testing solution in the form of SAST (Static Application Security Testing), this article describes the FindBugs security plugin, FindSecBugs. It uncovers security vulnerabilities in the compiled Java bytecode of Android apps and can be integrated with a CI system such as Jenkins.

Problem Faced

With the fast pace of development in the Agile world come:

  1. A lack of focus on security from Android developers.

  2. Critical vulnerabilities found in Android apps, which damage the reputation of the businesses and companies behind them.

  3. Code quality compromised by the missing SAST capability.

  4. Customer trust lost when security vulnerabilities are found.

  5. A lack of security in the Android SDLC.

Solution Approach/Remedial Action

Reducing security risk through an automated solution with SAST capabilities, run as part of the development cycle, helps developers. The same solution can be included in CI (Jenkins), which uncovers security-related issues earlier in the development cycle and reduces the risk of shipping critical vulnerabilities.

Below are the details of the FindSecBugs tool: how to build up SAST capability with it, how to integrate it with CI, and the kind of issue it can help uncover, all of which improve the code quality delivered in Android apps.


This is one of the vulnerability examples reported by FindSecBugs to highlight the weak areas in the source:

[Screenshot: a vulnerability example reported by FindSecBugs]

FindSecBugs also recommends a fix for each reported vulnerability, together with a link to the reference standard that explains the vulnerability and its impact. An example is shared below.

[Screenshot: FindSecBugs fix recommendation with reference link]

Integration With Gradle

The following modifications to build.gradle integrate FindSecBugs into an Android app.

  • Include the findbugs plugin:

apply plugin: 'findbugs'


  • Declare a configuration for FindBugs plugins and, under the dependencies section, add FindBugs itself and the FindSecBugs plugin:

configurations {
    findbugsPlugins   // holds FindBugs plugin jars such as FindSecBugs
}

dependencies {
    findbugs 'com.google.code.findbugs:findbugs:3.0.1'
    findbugs configurations.findbugsPlugins.dependencies
    findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.4.4'
}


  • Task to load the security rules:

task findSecurityBugs(type: FindBugs) {
    classes = fileTree(project.rootDir.absolutePath).include("**/*.class")
    source = fileTree(project.rootDir.absolutePath).include("**/*.java")
    classpath = files()
    pluginClasspath = project.configurations.findbugsPlugins
    findbugs {
        toolVersion = "3.0.1"
        sourceSets = [android.sourceSets] // [sourceSets.main] for a Java project
        ignoreFailures = true
        reportsDir = file("$project.buildDir/findbugsReports")
        effort = "max"
        reportLevel = "low"
    }
}
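Because the task sets ignoreFailures = true, the Gradle build stays green no matter what FindSecBugs reports, so a Jenkins job needs a separate gate. The script below is an added example, not from the article or the FindSecBugs project: it reads the FindBugs XML report (BugInstance elements carrying type, priority and category attributes with a SourceLine child) and fails the build on high-priority SECURITY findings; the report path is an assumption and the embedded report is constructed sample data.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (not from the article). The bug pattern names are
# real FindSecBugs/FindBugs patterns; classes, files and line numbers are made up.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="3.0.1" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <BugInstance type="HARD_CODE_PASSWORD" priority="1" rank="5" abbrev="SECHCP" category="SECURITY">
    <Class classname="com.example.app.LoginActivity"/>
    <SourceLine classname="com.example.app.LoginActivity" start="42" end="42" sourcefile="LoginActivity.java"/>
  </BugInstance>
  <BugInstance type="ANDROID_WORLD_WRITEABLE" priority="1" rank="7" abbrev="SECWW" category="SECURITY">
    <Class classname="com.example.app.CacheStore"/>
    <SourceLine classname="com.example.app.CacheStore" start="88" end="88" sourcefile="CacheStore.java"/>
  </BugInstance>
  <BugInstance type="PREDICTABLE_RANDOM" priority="2" rank="12" abbrev="SECPR" category="SECURITY">
    <Class classname="com.example.app.Token"/>
    <SourceLine classname="com.example.app.Token" start="17" end="17" sourcefile="Token.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="3" rank="20" abbrev="Dm" category="I18N">
    <Class classname="com.example.app.Util"/>
  </BugInstance>
</BugCollection>
"""

def security_findings(report_xml, max_priority=1):
    """Return (blocking, by_priority): SECURITY findings whose priority is
    max_priority or better (1 = high, 2 = medium, 3 = low), and a Counter of
    all SECURITY findings keyed by priority. Non-security categories are ignored."""
    blocking, by_priority = [], Counter()
    for bug in ET.fromstring(report_xml).iter("BugInstance"):
        if bug.get("category") != "SECURITY":
            continue
        prio = int(bug.get("priority"))
        by_priority[prio] += 1
        if prio <= max_priority:
            line = bug.find("SourceLine")  # may be absent for class-level findings
            src = line.get("sourcefile") if line is not None else "?"
            start = int(line.get("start", 0)) if line is not None else 0
            blocking.append((bug.get("type"), src, start))
    return blocking, by_priority

def gate(report_xml, max_priority=1):
    """CI exit status: 0 when nothing blocks, 1 when any blocking finding exists."""
    blocking, by_priority = security_findings(report_xml, max_priority)
    for kind, src, start in blocking:
        print(f"BLOCKING {kind} at {src}:{start}")
    print("SECURITY findings by priority:", dict(sorted(by_priority.items())))
    return 1 if blocking else 0

if __name__ == "__main__":
    # Assumed usage after ./gradlew findSecurityBugs:
    #   python gate.py build/findbugsReports/findSecurityBugs.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```

Run with no argument it evaluates the embedded sample and exits 1 because of the two priority-1 findings; raising max_priority to 2 also blocks on the medium-priority PREDICTABLE_RANDOM finding.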


Conclusion

This is just one example of the benefits of SAST in Android: it improves quality by identifying and resolving security issues at the code level, supports developers working in the Agile world, and offers the flexibility to run this kind of tool as part of a CI system such as Jenkins.
