Compilation Instructions for Android

Compilation Guide

See the master compilation guidelines for instructions for other platforms.

Veracode supports the scanning of Java and Kotlin applications compiled for Android. In addition, we support these other mobile frameworks:

Other cross-platform development frameworks are not supported.

Supported Android JREs and Compilers

Language | Platform | Supported Versions | Compatibility Support
Java and Kotlin | Android | API Levels 8-27 (Android 2.2-8.x) | API Level 28 (Android 9)

Veracode supports scanning Android applications written in Java and Kotlin and packaged as an Android Package (APK).

The Veracode Platform can analyze Android application code with or without debug symbols. Providing debug builds of Android application code allows the Veracode Platform to provide source file and line number information about the location of flaws found.

Supported Android Frameworks

Veracode supports and provides high-quality results for Android applications using the following frameworks.

Framework | Supported Versions
AWS Mobile SDK for Android | 2.2.4
Parse Android SDK | 1.9.4

Compilation Guidance for Debug Builds

  1. If you use Android Studio to develop your project:
    • Select a debug build variant from the Build Variants menu. Verify all submodules are also set to Debug.
    • Use the APK created with the naming standard of <app_name>-<productFlavor>-debug.apk.
  2. To build with Android Studio on the command-line interface, call gradlew with the assembleDebug task.
  3. With the standard javac compiler on the command line, add the -g option to get debug symbols, for example:
    javac -g foo.java
  4. If you are using ant to build the project, the debug property in the javac task(s) needs to be turned on, for example:
    <javac debug="on"> ... set of classes </javac>
  5. If you are developing the project with Eclipse, go to Project > Properties and select the "Java Compiler" properties. Under "Classfile Generation", select the following:
    • Add variable attributes to generated class files
    • Add line number attributes to generated class files
    • Add source file name to generated class files

Packaging Guidance

  • For a successful scan, the Android application cannot be obfuscated.