Lint :
Android
lint
tool is a static code analysis tool that
checks your Android project source files for potential bugs and
optimization improvements for correctness, security, performance,
usability, accessibility, and internationalization.
Android Studio, the configured
lint
and other IDE inspections run automatically
whenever you compile your program. You can also manually run inspections in Android Studio
by selecting Analyze > Inspect Code from the application or right-click menu.
The Specify Inspections Scope dialog appears so you can specify the desired inspection
profile and scope.lint
tool processes the application source files.You can configure
lint
checking at different levels:- Globally, for the entire project
- Per project module
- Per production module
- Per test module
- Per open files
- Per class hierarchy
- Per Version Control System (VCS) scopes
Configuring lint in Android Studio
Android Studio allows you to enable or disable individual inspections and configure project-global, directory-specific, and file-specific settings forlint
.You can manage inspection profiles and configure inspection severity within Android Studio using the File > Settings > Project Settings menu to open the Inspections page with a list of the supported profiles and inspections.
Download Link : http://developer.android.com/sdk/index.html#win-bundle
Agnitio :
A tool to help developers and security professionals conduct manual
security code reviews in a consistent and repeatable way. Agnitio aims
to replace the adhoc nature of manual security code review
documentation, create an audit trail and reporting.
Features
- Security code reviews
- Security code review metrics and reporting
- Application security code review tool
- Static analysis security guidance and reporting
DroidBench :
is an open test suite for evaluating the effectiveness of taint-analysis tools specifically for Android apps. The suite can be used to assess both static and dynamic taint analyses, but in particular it contains test cases for interesting static-analysis problems (field sensitivity, object sensitivity, tradeoffs in access-path lengths etc.) as well as for Android-specific challenges like correctly modeling an application’s lifecycle, adequately handling asynchronous callbacks and interacting with the UI.Version 1.1 comprises the following categories
- Arrays and Lists
- Callbacks
- Field and Object Sensitivity
- Inter-App Communication
- Lifecycle
- General Java
- Miscellaneous Android-Specific
- Implicit Flows
- Reflection
Download Link : https://github.com/secure-software-engineering/DroidBench
SuSi:
is a tool for the fully automated classification and categorization of Android framework sources and sinksThere exist different kinds of sensitive sources and sinks in the area of Android security. For instance, the user’s location information or address book can be treated as a source, while the network connection or the SMS message sending facilities can be seen as sinks. In general, sources and sinks are accessed through specific API methods (e.g, getLastKnownLocation() for the user’s current location).
SuSi is a tool that automatically generates a list of Android sources and sinks by analyzing the complete Android source code. Our approach is version-independent and can simply be run again when a new Android version is released. This relieves security analysts from having to regularly create new lists of sources and sinks by hand.
Download Link : https://github.com/secure-software-engineering/SuSi
DidFail:
DidFail (Droid Intent Data Flow Analysis for Information Leakage) uses
static analysis to detect potential leaks of sensitive information
within a set of Android apps. DidFail combines and augments
FlowDroid (which identifies intra-component information flows) and
Epicc (which identifies
properties of intents such as its action string) to track both
inter-component and intra-component data flow in a set of Android
applications. DidFail's two-phase analysis allows for fast user-response
time by using precomputed phase-1 analysis results.
Note:
- This tool is a research prototype. It is not intended for industrial use.
Androwarn :
is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali.
Download Link : https://github.com/maaaaz/androwarn
FlowDroid – Taint Analysis :
FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware
static taint analysis tool for Android applications. Unlike many other
static-analysis approaches for Android we aim for an analysis with very
high recall and precision. To achieve this goal we had to accomplish two
main challenges: To increase precision we needed to build an analysis
that is context-, flow-, field- and object-sensitive; to increase recall
we had to create a complete model of Android’s app lifecycle.