linttool is a static code analysis tool that checks your Android project source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.
Android Studio, the configured
lintand other IDE inspections run automatically whenever you compile your program. You can also manually run inspections in Android Studio by selecting Analyze > Inspect Code from the application or right-click menu. The Specify Inspections Scope dialog appears so you can specify the desired inspection profile and scope.
linttool processes the application source files.
You can configure
lintchecking at different levels:
- Globally, for the entire project
- Per project module
- Per production module
- Per test module
- Per open files
- Per class hierarchy
- Per Version Control System (VCS) scopes
Configuring lint in Android StudioAndroid Studio allows you to enable or disable individual inspections and configure project-global, directory-specific, and file-specific settings for
You can manage inspection profiles and configure inspection severity within Android Studio using the File > Settings > Project Settings menu to open the Inspections page with a list of the supported profiles and inspections.
Download Link : http://developer.android.com/sdk/index.html#win-bundle
A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.
- Security code reviews
- Security code review metrics and reporting
- Application security code review tool
- Static analysis security guidance and reporting
DroidBench :is an open test suite for evaluating the effectiveness of taint-analysis tools specifically for Android apps. The suite can be used to assess both static and dynamic taint analyses, but in particular it contains test cases for interesting static-analysis problems (field sensitivity, object sensitivity, tradeoffs in access-path lengths etc.) as well as for Android-specific challenges like correctly modeling an application’s lifecycle, adequately handling asynchronous callbacks and interacting with the UI.
Version 1.1 comprises the following categories
- Arrays and Lists
- Field and Object Sensitivity
- Inter-App Communication
- General Java
- Miscellaneous Android-Specific
- Implicit Flows
Download Link : https://github.com/secure-software-engineering/DroidBench
SuSi:is a tool for the fully automated classification and categorization of Android framework sources and sinks
SuSi is a tool that automatically generates a list of Android sources and sinks by analyzing the complete Android source code. Our approach is version-independent and can simply be run again when a new Android version is released. This relieves security analysts from having to regularly create new lists of sources and sinks by hand.
Download Link : https://github.com/secure-software-engineering/SuSi
DidFail (Droid Intent Data Flow Analysis for Information Leakage) uses static analysis to detect potential leaks of sensitive information within a set of Android apps. DidFail combines and augments FlowDroid (which identifies intra-component information flows) and Epicc (which identifies properties of intents such as its action string) to track both inter-component and intra-component data flow in a set of Android applications. DidFail's two-phase analysis allows for fast user-response time by using precomputed phase-1 analysis results.
- This tool is a research prototype. It is not intended for industrial use.
Androwarn :is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.
The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali.
Download Link : https://github.com/maaaaz/androwarn