How to scan Android for Vulnerabilities?

Nexus IQ Server does not support scanning an .apk file directly due to the minification performed via the Dalvik bytecode process. For this reason, scanning prior to the assembling of the .apk is required.

Check out this article for more information on How Your Android Code Compiles to Deliver .APK Package File.

As an example, in Gradle you could add to your build.gradle a small amount of additional code that essentially would perform 2 main actions during the build:

  1. Execute the copyCompileDependencies Gradle task, which would copy all compile dependencies into the build/lib directory under the individual project.

  2. Utilize the JavaExec Gradle task to invoke a Sonatype scan via the CLI to scan the build/lib directory containing the dependencies.

This can be invoked locally by executing “gradle iqScan” or via a Jenkins job, by adding “iqScan” to the goals and options config. So, this can be automated, but still does require some additional config in the build.gradle file.

A sample build.gradle file containing these additional tasks is attached: Sample-Android-build.gradle (1.8 KB)

3 Likes
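The two steps described in the post above, written out as an added example build.gradle fragment. This is not the attached Sample-Android-build.gradle and not Sonatype's code: the CLI jar path, the IQ application id, the server URL and the IQ_USER / IQ_PASSWORD environment variables are assumptions, and the `-i`, `-s`, `-a`, `-t` and `-r` options are taken from the IQ CLI's documented option set, so verify them against `java -jar nexus-iq-cli.jar --help` for the CLI version you actually ship.

```groovy
// Added example build.gradle fragment for an Android module (not the attached
// Sample-Android-build.gradle). Assumed: the IQ CLI jar location, the IQ application
// id and server URL, and that IQ_USER / IQ_PASSWORD are set in the environment.

def iqCliJar    = file("${rootDir}/tools/nexus-iq-cli.jar")   // assumed path to the CLI jar
def iqAppId     = "my-android-app"                            // assumed IQ application id
def iqServerUrl = "https://iq.example.com"                    // assumed IQ Server URL
def iqStage     = project.findProperty("iqStage") ?: "build"  // develop, build, stage-release, release, operate
def iqLibDir    = file("${buildDir}/lib")

// 'compile' is the pre-AGP 3.0 configuration the post refers to. On AGP 3.0+ it is
// replaced by implementation/api, which cannot be resolved directly, so pass a
// resolvable variant classpath instead, e.g. -PiqConfiguration=debugRuntimeClasspath
// (check the exact name with `gradle dependencies` for your module).
def iqConfiguration = project.findProperty("iqConfiguration") ?: "compile"

// Step 1: copy every resolved dependency (jars and aars) into build/lib.
task copyCompileDependencies(type: Copy) {
    description = "Copies resolved dependencies into build/lib for the IQ scan"
    from configurations.getByName(iqConfiguration)
    into iqLibDir
}

// Step 2: run the IQ CLI against build/lib. JavaExec fails the build on a non-zero
// exit code, which is what the CLI returns when the policy evaluation fails.
task iqScan(type: JavaExec, dependsOn: copyCompileDependencies) {
    description = "Runs the Sonatype IQ CLI policy evaluation against build/lib"
    group = "verification"
    classpath = files(iqCliJar)

    doFirst {
        if (!iqCliJar.isFile()) {
            throw new GradleException("IQ CLI jar not found at ${iqCliJar}")
        }
        def user = System.getenv("IQ_USER")
        def pass = System.getenv("IQ_PASSWORD")
        if (!user || !pass) {
            throw new GradleException("Set IQ_USER and IQ_PASSWORD in the environment; " +
                                      "do not put IQ credentials in build.gradle")
        }
        // Take the entry point from the jar's manifest instead of hard-coding a class name.
        main = new java.util.jar.JarFile(iqCliJar).withCloseable {
            it.manifest.mainAttributes.getValue("Main-Class")
        }
        // IQ CLI options: -i application id, -s server URL, -a user:password,
        // -t stage, -r result file, followed by the scan target(s).
        args "-i", iqAppId,
             "-s", iqServerUrl,
             "-a", "${user}:${pass}",
             "-t", iqStage,
             "-r", "${buildDir}/iq-result.json",
             iqLibDir.absolutePath
    }
}
```

Run it locally with `./gradlew iqScan` (or `./gradlew iqScan -PiqStage=stage-release -PiqConfiguration=releaseRuntimeClasspath`) and in Jenkins by adding `iqScan` to the Gradle task list. Because `-a user:password` is passed on the command line, the credentials are visible in the process listing on the build agent, so use a dedicated IQ user with a user token rather than a personal password, and keep the environment variables out of the Gradle log output (`-X` debug output will echo the arguments). On Gradle 7 and later the JavaExec property is `mainClass.set(...)` rather than `main =`.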

Unfortunately, since Android Gradle plugin 3.0 it’s not that straightforward. I have made a guide on how to implement the Gradle task to copy dependencies to support Nexus IQ CLI here: Integrating Sonatype Nexus IQ vulnerabilities scan with Android build

1 Like