Best / Open Automated and Manual Source Code Analysis Tool - Android

Lint :

        Android lint tool is a static code analysis tool that checks your Android project source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.

     Android Studio, the configured lint and other IDE inspections run automatically whenever you compile your program. You can also manually run inspections in Android Studio by selecting Analyze > Inspect Code from the application or right-click menu. The Specify Inspections Scope dialog appears so you can specify the desired inspection profile and scope.

    lint tool processes the application source files.

You can configure lint checking at different levels:

• Globally, for the entire project
• Per project module
• Per production module
• Per test module
• Per open files
• Per class hierarchy
• Per Version Control System (VCS) scopes

Configuring lint in Android Studio

Android Studio allows you to enable or disable individual inspections and configure project-global, directory-specific, and file-specific settings for lint.
You can manage inspection profiles and configure inspection severity within Android Studio using the File > Settings > Project Settings menu to open the Inspections page with a list of the supported profiles and inspections.

Download Link : http://developer.android.com/sdk/index.html#win-bundle

 Agnitio :

           A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.

Features

• Security code reviews
• Security code review metrics and reporting
• Application security code review tool
• Static analysis security guidance and reporting

Download Link : http://sourceforge.net/projects/agnitiotool/files/latest/download

DroidBench :

                       is an open test suite for evaluating the effectiveness of taint-analysis tools specifically for Android apps. The suite can be used to assess both static and dynamic taint analyses, but in particular it contains test cases for interesting static-analysis problems (field sensitivity, object sensitivity, tradeoffs in access-path lengths etc.) as well as for Android-specific challenges like correctly modeling an application’s lifecycle, adequately handling asynchronous callbacks and interacting with the UI.

Version 1.1 comprises the following categories

• Arrays and Lists
• Callbacks
• Field and Object Sensitivity
• Inter-App Communication
• Lifecycle
• General Java
• Miscellaneous Android-Specific
• Implicit Flows
• Reflection

 Download Link : https://github.com/secure-software-engineering/DroidBench

SuSi:

        is a tool for the fully automated classification and categorization of Android framework sources and sinks

       There exist different kinds of sensitive sources and sinks in the area of Android security. For instance, the user’s location information or address book can be treated as a source, while the network connection or the SMS message sending facilities can be seen as sinks. In general, sources and sinks are accessed through specific API methods (e.g, getLastKnownLocation() for the user’s current location).

     SuSi is a tool that automatically generates a list of Android sources and sinks by analyzing the complete Android source code. Our approach is version-independent and can simply be run again when a new Android version is released. This relieves security analysts from having to regularly create new lists of sources and sinks by hand.


Download Link : https://github.com/secure-software-engineering/SuSi

     

DidFail:

            DidFail (Droid Intent Data Flow Analysis for Information Leakage) uses static analysis to detect potential leaks of sensitive information within a set of Android apps. DidFail combines and augments FlowDroid (which identifies intra-component information flows) and Epicc (which identifies properties of intents such as its action string) to track both inter-component and intra-component data flow in a set of Android applications. DidFail's two-phase analysis allows for fast user-response time by using precomputed phase-1 analysis results.

Note:

• This tool is a research prototype. It is not intended for industrial use. 

Download Link : https://www.cs.cmu.edu/~wklieber/didfail/didfail.zip

Androwarn :

                   is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.

The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali.

Download Link : https://github.com/maaaaz/androwarn

FlowDroid – Taint Analysis :

                          FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. Unlike many other static-analysis approaches for Android we aim for an analysis with very high recall and precision. To achieve this goal we had to accomplish two main challenges: To increase precision we needed to build an analysis that is context-, flow-, field- and object-sensitive; to increase recall we had to create a complete model of Android’s app lifecycle.

   

                        Our analysis is based on Soot and Heros. FlowDroid uses a very precise callgraph which helps us to ensure flow- and context-sensitivity. Its IFDS-based flow functions guarantee field- and object-sensitivity. Because an accurate and efficient alias search is crucial for context-sensitivity in conjuction with field-sensitivity, we want to highlight this part of our analysis, which is inspired by Andromeda. 

 

Note: soot-infoflow-android is part of FlowDroid, a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications.

 

Download Link : https://github.com/secure-software-engineering/soot-infoflow-android

 

 

Best Secure Source Code Analysis Tools

Secure Source Code Analysis tools :

                                                are designed to analyze source code and/or compiled version of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw.

                                             Throughout the SDLC there are points at which an application security consultant should get involved. Performing security activities across the lifecycle has proven to be  far more cost-effective than either a “big design up front” security effort or a single pre-production security review. The reason for intervening at regular intervals is that potential issues can be   detected early on in the development life cycle where they are less costly to address. 

                                               Integration of security code review into the System Development Life Cycle (SDLC) can yield dramatic results to the overall quality of the code developed. Security code review is not a silver bullet, but is part of a healthy application development diet. Consider it as one of the layers in a defense-in-depth approach to application security. Security code review is also a cornerstone of the approach to developing secure software. The idea of integrating a phase into your SLDC may sound daunting, yet another layer of complexity or an additional cost, but in the long term and in today's cyber landscape it is cost effective, reputation building, and in the best interest of any business to do so.

Waterfall SDLC Example

1. Requirements definition
   1. Application Security Requirements
2. Architecture and Design
   1. Application Security Architecture and/or Threat Model
3. Development
   1. Secure Coding Practices
   2. Security Testing
   3. Security Code Review
4. Test
   1. Penetration Testing
5. Deployment
   1. Secure Configuration Management
   2. Secure Deployment
6. Maintenance

Agile Security Methodology Example

1. Planning
   1. Identify Security Stakeholder Stories
   2. Identify Security Controls
   3. Identify Security Test Cases
2. Sprints
   1. Secure Coding
   2. Security Test Cases
   3. Peer Review with Security
3. Deployment
   1. Security Verification (with Penetration Testing and Security Code Review).
      
   
   LAPSE Project By OWASP :
                                 is an initiative to make available to developers and auditors a tool for detecting vulnerabilities in Java EE Applications. The project aims to put at their disposal a tool based on the static analysis of code, due to the importance and difficulty of this type of analysis to detect security flaws in Java EE Applications.
   
   
   
                                    LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher
   
   
   
                                      Vulnerabilities detected by LAPSE+ are related to the injection of untrusted data to manipulate the behavior of the application. This type of vulnerabilities are the most common in web applications. The vulnerability categories detected by LAPSE+ are enumerated below:
   
   
   
   • Parameter Tampering.
   • URL Tampering.
   • Header Manipulation.
   • Cookie Poisoning.
   • SQL Injection.
   • Cross-site Scripting (XSS).
   • HTTP Response Splitting.
   • Command Injection.
   • Path Traversal.
   • XPath Injection.
   • XML Injection.
   • LDAP Injection.
   
   You can download LAPSE+ and its tutorial in the following links:
   
   
   
   • LapsePlus_2.8.1.jar - LAPSE+ 2.8.1 plugin for Eclipse Helios.
   • LapsePlus_Tutorial.pdf - Tutorial for the installation and use of LAPSE+..
   
   O2 platform Project By OWASP :
                     
                               is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.
   
                               O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex).
   
   
   
   
   

Which looks like below Snapshot :

Install VisualStudio Extension

                          O2 Platform is also available as a VisualStudio Extension which you can download from VisualStudio Gallery (see VisualStudio C# REPL - O2 Platform) or directly using VisualStudio's Extension Manager:

Download Stand-Alone Application

You can run all O2 Tools and Scripts using the stand-alone executable which you can download from:

O2 Platform - Main O2 Gui v5.3.exe

FxCop :

           is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.

            FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses MSIL parsing, and callgraph analysis to inspect assemblies for more than 200 defects in the following areas:

• Library design
• Globalization
• Naming conventions
• Performance
• Interoperability and portability
• Security
• Usage

                          FxCop includes both GUI and command line versions of the tool and supports analyzing .NET 1.x, .NET 2.0 and .NET 3.x components.

            

          FxCop is intended for class library developers. However, anyone creating applications that should comply with the .NET Framework best practices will benefit. FxCop is also useful as an educational tool for people who are new to the .NET Framework or who are unfamiliar with the .NET Framework Design Guidelines.

          FxCop is designed to be fully integrated into the software development cycle and is distributed as both a fully featured application that has a graphical user interface (FxCop.exe) for interactive work, and a command-line tool (FxCopCmd.exe) suited for use as part of automated build processes or integrated with Microsoft Visual Studio® .NET as an external tool.

Download Link : http://archive.msdn.microsoft.com/codeanalysis/Release/ProjectReleases.aspx?ReleaseId=553

Rough Auditing Tool for Security (RATS)  :

                         a rough auditing tool for security, originally developed by Secure Software Inc. It is a tool for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. 

As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Download Link : http://code.google.com/p/rough-auditing-tool-for-security/downloads/list

Splint :

            is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint

Splint Manual :
              A comprehensive guide to using Splint. [HTML] [PS] [PDF]

Download :
              http://www.splint.org/download.html

Yasca:

           is a source code analysis tool that I started writing in 2007. It could best be described as a "glorified grep script" plus an aggregator of other open-source tools. 

           Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code, integrating with other open-source tools as needed.

          Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other languages. Yasca can integrate easily with other tools, including:

• FindBugs
• PMD
• JLint
• JavaScript Lint
• PHPLint
• CppCheck
• ClamAV
• RATS
• Pixy

            Yasca is designed to be very flexible and easy to extend. In fact, writing a new rule is as easy as coming up with a regular expression, the file extensions it applies to, and the name of your new rule. Place that information in a text file in the plugin directory, and run Yasca!

            Yasca has been migrated to Github, and is available at http://scovetta.github.com/yasca and http://github.com/scovetta/yasca.

Download Link : http://sourceforge.net/projects/yasca/

RIPS :

        is a static source code analyser for vulnerabilities in PHP webapplications. It was released during the Month of PHP Security.

Features

• detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more
• 5 verbosity levels for debugging your scan results
• mark vulnerable lines in source code viewer
• highlight variables in the code viewer
• user-defined function code by mouse-over on detected call
• active jumping between function declaration and calls
• list of all user-defined functions (defines and calls), program entry points (user input) and scanned files (with includes) connected to the source code viewer
• graph visualization for files and includes as well as functions and calls
• create CURL exploits for detected vulnerabilties with few clicks
• visualization, description, example, PoC, patch and securing function list for every vulnerability
• 7 different syntax highlighting colour schemata
• display scan result in form of a top-down flow or bottom-up trace
• only minimal requirement is a local webserver with PHP and a browser (tested with Firefox)
• regex search function

 Download Link : http://sourceforge.net/projects/rips-scanner/files/latest/download

Agnitio :

             A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.

Features

• Security code reviews
• Security code review metrics and reporting
• Application security code review tool
• Static analysis security guidance and reporting

Download Link : http://sourceforge.net/projects/agnitiotool/files/latest/download

Thanks,

RRN Technologies Team.