Android Source Code Scanning (Fortify)

Erdemstar
6 min read · Mar 2, 2022

Hello, in this article, I will show you how to scan an application developed for the Android platform using Fortify.

Pre-Scan Checks

Before scanning, the following items should be checked.

  • Make sure the project builds successfully with “gradle” or “gradlew” from CMD / Terminal before you start the scan.
  • Check that the Gradle version used by the application is supported by Fortify. If the application also contains “kotlin” code, check that the Kotlin version is supported as well. You can check the link for an example.


Scan with Gradle

We open a terminal in the directory of the project to be scanned.

Before scanning, we build the application with Gradle and check whether the build succeeds.

In this step, we will need to enter a command like the one below.

gradle clean assemble

The explanations of the above command are as follows.

  • gradle : a build automation tool for multi-language software development. It drives the development process from compilation and packaging through testing, deployment, and publishing.
  • clean : deletes the build directory.
  • assemble : assembles the outputs of the project.

We used the clean and assemble tasks while building the project. In some projects these may not be enough for the Gradle build. I recommend passing the same additional parameters you use in the normal Gradle build to the Fortify scan as well; otherwise the scan output may be incomplete or contain errors.

We ran the Gradle command and got the Build Success output. Now we move on to code scanning using Fortify sourceanalyzer.

In this step, we will need to enter a command like the one below.

sourceanalyzer -b build-id -clean

The explanations of the above command are as follows.

  • sourceanalyzer : the Fortify executable that scans the source code.
  • -b : the build ID. You can think of it as a session in a web application: Fortify stores the data it collects for the scanned project under this name, and the later translation and scan steps access that data using the same name.
  • -clean : if a scan was run under this build ID before, this command empties its stored data. According to best practices, it is recommended to run this command before each scan.

After the clean process, Translation (the process of making the scanned codes understandable by Fortify) needs to be done. For this we enter the following command.

sourceanalyzer -b build-id gradle clean assemble

The explanation of the above command is as follows.

  • gradle clean assemble : Fortify uses the Gradle build as the translation method. It runs the clean task first and then the assemble task, and during the build it translates the project into a form it can analyze (Translation phase).

After the translation made using Gradle, the screen will be as follows. What we need to pay attention to here is whether there is a “Build success” text.

If we see a build failure, it means the project hit an error while building with Gradle. The error must be resolved and the scan started again. Since we see success, we can continue.

In this step the code translated with Gradle is scanned (analyzed) by Fortify and the results are produced. For the analysis, we enter a command like the following.

sourceanalyzer -b build-id -scan -f output.fpr

The explanations of the above commands are as follows.

  • -scan : starts the analysis on the files collected during the Translation phase.
  • -f : writes the vulnerabilities found by the scan to an FPR file. Here we specify the name of the FPR file to be produced.

If we forget the -f parameter, the vulnerabilities are written to the terminal instead of an FPR file.

When the scan is finished, the screen will be as follows. If you check the folder where the application is located, you can see that the FPR file has been created.

Scan with Gradlew

The scanning steps with gradlew are almost the same as with gradle. In order not to lengthen the article, I will not repeat the explanations above.

We open a terminal in the directory of the project to be scanned.

Before scanning, we build the application with gradlew and check whether the build succeeds.

In this step, we will need to enter a command like the one below.

./gradlew clean assemble

We ran the gradlew command and got the Build Success output. Now we move on to code scanning using Fortify sourceanalyzer.

In this step, we will need to enter a command like the one below.

sourceanalyzer -b build-id -clean

After the clean process, Translation (the process of making the scanned codes understandable by Fortify) needs to be done. For this we enter the following command.

sourceanalyzer -b build-id ./gradlew clean assemble

After the process using Gradlew, the screen will be as follows. What we need to pay attention to here is whether there is a “Build success” text.

If we see a build failure, it means the project hit an error while building with gradlew. The error must be resolved and the scan started again. Since we see success, we can continue.

In this step the code translated with gradlew is scanned by Fortify and the results are produced. For this, enter a command like the following.

sourceanalyzer -b build-id -scan -f output.fpr

When the scan is finished, the screen will be as follows. If you check the folder where the application is located, you can see that the FPR file has been created.
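The clean / translate / scan sequence from both the Gradle and the gradlew sections, wrapped in one script. This is an added example, not code from the article or from Fortify; it assumes sourceanalyzer is on PATH, picks ./gradlew when the project ships a wrapper, and refuses to run the -scan step when the translation build did not print Gradle's "BUILD SUCCESSFUL" line (the text the article tells you to look for). The function and variable names are this script's own.

```shell
#!/usr/bin/env bash
# Added example (not from the article): clean -> translate -> scan with Fortify SCA.
# Assumptions: sourceanalyzer on PATH (override with SCA_BIN); project builds with
# gradle or ./gradlew; "BUILD SUCCESSFUL" is the Gradle success line to check for.
set -u

SCA_BIN="${SCA_BIN:-sourceanalyzer}"

# Use the project's wrapper when present, otherwise the globally installed gradle.
pick_gradle_cmd() {
  local dir="$1"
  if [ -x "$dir/gradlew" ]; then echo "./gradlew"; else echo "gradle"; fi
}

# The article checks the translation output for the build success text;
# this helper does that check on a saved log and returns 0 only on success.
build_succeeded() {
  grep -q "BUILD SUCCESSFUL" "$1"
}

# Runs the three Fortify steps against a project directory.
# Exits 2 (and skips the scan) when the translation build failed, so that an
# FPR is never produced from a partial build, which would hide findings.
fortify_scan() {
  local dir="$1" build_id="$2" fpr="$3"
  local gradle_cmd log
  gradle_cmd=$(pick_gradle_cmd "$dir")
  log="$dir/translate.log"
  (
    cd "$dir" || exit 1
    # Step 1: drop anything stored under this build ID from an earlier run.
    "$SCA_BIN" -b "$build_id" -clean
    # Step 2: translation, driven by the project's own Gradle build.
    "$SCA_BIN" -b "$build_id" $gradle_cmd clean assemble 2>&1 | tee "$log"
    build_succeeded "$log" || { echo "translation build failed, not scanning" >&2; exit 2; }
    # Step 3: analysis; with -f the findings go to the FPR, not the terminal.
    "$SCA_BIN" -b "$build_id" -scan -f "$fpr"
    [ -s "$fpr" ]
  )
}

# Constructed sample logs (not real Fortify or Gradle output) for the checks below.
write_sample_logs() {
  local d="$1"
  printf 'Fortify SCA translating...\nBUILD SUCCESSFUL in 42s\n' > "$d/ok.log"
  printf 'Fortify SCA translating...\nBUILD FAILED in 3s\n' > "$d/fail.log"
}
```

Call it as `fortify_scan /path/to/app build-id output.fpr`; the translation log is kept next to the project so a failed run can be inspected.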

Thank you for reading my post.

You can go to the link I shared to see how applications in different languages other than Android are scanned. Link

I have articles describing how web vulnerabilities are detected on Saka. You can view it via the link I shared. Link
