apksigner tool. It is located at
jarsigner. Note that the Common Name (CN) attribute is set to "Android Debug" in the debug certificate.
jarsigner, you can rely on the
apksigner to verify the certificate chain.
build.gradle. To activate both the v1 and v2 schemes, the following values must be set:
AndroidManifest.xml to determine whether the
android:debuggable attribute has been set and to find the attribute's value:
aapt tool from the Android SDK with the following command line to quickly check if the
android:debuggable="true" directive is present:
"false" (the default value).
adb can be used to determine whether an application is debuggable.
run-as by appending the package name and application command to the binary name:
jdb to the running process. If this is successful, debugging will be activated.
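The static check described above can be scripted so that it is applied consistently across many builds. The following is an added example written for this page, not tooling from the guide or the Android SDK: it evaluates the decoded AndroidManifest.xml with the attribute's default ("false" when absent) and also parses the text that `aapt dump xmltree` prints for the binary manifest, where a boolean attribute appears as `(type 0x12)` with `0xffffffff` for true and `0x0` for false and `0x0101000f` is the resource ID of android:debuggable. The manifests and the xmltree excerpt are constructed samples; the acceptance of a plain `=true`/`=false` suffix is an assumption about newer dump formats.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = "{%s}debuggable" % ANDROID_NS

# Constructed manifests for a hypothetical app: one debug-style, one release-style.
DEBUG_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Example" android:debuggable="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

RELEASE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Example">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

# Constructed excerpt modelled on `aapt dump xmltree app.apk AndroidManifest.xml`.
XMLTREE_OUTPUT = """N: android=http://schemas.android.com/apk/res/android
  E: manifest (line=2)
    A: package="com.example.app" (Raw: "com.example.app")
    E: application (line=4)
      A: android:label(0x01010001)="Example" (Raw: "Example")
      A: android:debuggable(0x0101000f)=(type 0x12)0xffffffff
      E: activity (line=5)
        A: android:name(0x01010003)=".MainActivity" (Raw: ".MainActivity")
"""

# Typed form printed by aapt, or (assumed) a plain =true/=false suffix.
_XMLTREE_DEBUGGABLE = re.compile(
    r"android:debuggable\(0x0101000f\)=(?:\(type 0x12\)(0x[0-9a-fA-F]+)|(true|false))"
)


def is_debuggable_from_manifest(manifest_xml):
    """Check the decoded (text) AndroidManifest.xml.

    Only an explicit android:debuggable="true" on <application> counts; an
    absent attribute means the platform default, "false".
    """
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    if application is None:
        return False
    return application.get(DEBUGGABLE_ATTR, "false") == "true"


def is_debuggable_from_xmltree(xmltree_output):
    """Check `aapt dump xmltree` output without decoding the binary manifest."""
    for line in xmltree_output.splitlines():
        m = _XMLTREE_DEBUGGABLE.search(line)
        if not m:
            continue
        if m.group(1) is not None:
            # Boolean resource value: any non-zero word means true.
            return int(m.group(1), 16) != 0
        return m.group(2) == "true"
    # No attribute printed at all: the default applies.
    return False


if __name__ == "__main__":
    print("manifest (debug):  ", is_debuggable_from_manifest(DEBUG_MANIFEST))
    print("manifest (release):", is_debuggable_from_manifest(RELEASE_MANIFEST))
    print("aapt xmltree:      ", is_debuggable_from_xmltree(XMLTREE_OUTPUT))
```

Feed `aapt dump xmltree <apk> AndroidManifest.xml` into `is_debuggable_from_xmltree` when only the packaged APK is available; use `is_debuggable_from_manifest` on the source manifest or on apktool's decoded output.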
jdwp, identify the PID of the active application that you want to debug:
adb between the application process (with the PID) and your host computer by using a specific local port:
jdb, attach the debugger to the local communication channel port and start a debug session:
jdb is being bound to the local communication channel port, kill all adb sessions and start a single new session.
objdump to examine the symbol table. A release build should generally not contain any debugging symbols. If the goal is to obfuscate the library, removing unnecessary dynamic symbols is also recommended.
nm binary in your Android NDK and export it (or create an alias).
visibility compiler flag. Adding this flag causes gcc to discard the function names while preserving the names of functions declared as
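The symbol-table review described above can be automated over the text that nm prints. What follows is an added example for this page, not code from the guide or the NDK: it parses GNU/LLVM `nm` output, lists the globally exported symbols from `nm -D`, reports those that are not JNI entry points (only `JNI_OnLoad`, `JNI_OnUnload` and `Java_*` functions must stay exported when a library is built with `-fvisibility=hidden`), and checks plain `nm` output for local symbols that survive only in an unstripped build. Both nm listings are constructed for a hypothetical libnative.so.

```python
# Symbols a JNI library must keep exported; everything else can be hidden.
JNI_EXPORT_PREFIXES = ("Java_", "JNI_OnLoad", "JNI_OnUnload")

# nm type letters for local (static) symbols; 'w'/'v' are weak undefined, not local.
LOCAL_TYPES = set("tdbrsan")

# Constructed `nm -D libnative.so` output (hypothetical library, not a real binary).
DYNAMIC_SYMBOLS = """\
                 w __cxa_finalize
                 w __gmon_start__
0000000000000f10 T JNI_OnLoad
0000000000000f80 T Java_com_example_app_NativeBridge_checkLicense
0000000000001040 T internal_validate_key
0000000000001100 T debug_dump_state
0000000000002000 D g_secret_table
                 U malloc
                 U __android_log_print
"""

# Constructed plain `nm libnative.so` output of an unstripped build.
STATIC_SYMBOLS = """\
0000000000000e90 t parse_license_blob
0000000000000f10 T JNI_OnLoad
0000000000000f80 T Java_com_example_app_NativeBridge_checkLicense
0000000000002100 b g_debug_counter
"""


def parse_nm(output):
    """Yield (type, name) pairs. Undefined and weak-undefined entries have no
    address column, so a line carries either three or two fields."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3:
            _, sym_type, name = parts
        elif len(parts) == 2:
            sym_type, name = parts
        else:
            continue
        yield sym_type, name


def exported_symbols(nm_d_output):
    """Defined global symbols: upper-case type letter, excluding U (undefined)."""
    return [name for t, name in parse_nm(nm_d_output) if t.isupper() and t != "U"]


def unnecessary_exports(nm_d_output):
    """Exported symbols that are not JNI entry points: candidates for hiding via
    -fvisibility=hidden while the entry points keep default visibility."""
    return [n for n in exported_symbols(nm_d_output)
            if not n.startswith(JNI_EXPORT_PREFIXES)]


def has_local_symbols(nm_output):
    """True when the static symbol table still lists local symbols, meaning the
    library was shipped without being stripped."""
    return any(t in LOCAL_TYPES for t, _ in parse_nm(nm_output))


if __name__ == "__main__":
    print("exported:   ", exported_symbols(DYNAMIC_SYMBOLS))
    print("should hide:", unnecessary_exports(DYNAMIC_SYMBOLS))
    print("unstripped: ", has_local_symbols(STATIC_SYMBOLS))
```

Run `nm -D libfoo.so` (or the NDK's prefixed nm) on each packaged library and pass the output to `unnecessary_exports`; anything listed is a symbol name an attacker gets for free. `has_local_symbols` over plain `nm` output catches a release library that was never stripped.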
if statement with the
DEVELOPER_MODE condition is recommended. To disable
DEVELOPER_MODE must be disabled for the release build.
StrictMode is enabled, you can look for the
StrictMode.setVmPolicy methods. Most likely, they will be in the
StrictMode; the best choice depends on how the policies' roles are implemented. They include
Mockito used for testing and libraries like
Javassist used to compile certain other libraries.
OkHttp prior to 2.7.5, in which TLS chain pollution made it possible to bypass SSL pinning.
dependency-check-gradle. In order to use the plugin, the following steps need to be applied: Install the plugin from the Maven Central repository by adding the following script to your build.gradle:
build/reports unless otherwise configured. Use the report to analyze the vulnerabilities found. See the remediation section for what to do about the vulnerabilities found in the libraries.
License Gradle Plugin. This plugin can be used by taking the following steps.
Note: If in doubt about the implications of a license model used by a third party library, then consult with a legal specialist.
EULA section in which the copyright statements are noted as required by the license of the third-party library.
SQLException) by creating proper null checks, bounds checks, and the like. An overview of the available subclasses of
RuntimeException can be found in the Android developer documentation. A child of
RuntimeException should be thrown intentionally, and the intent should be handled by the calling method.
Throwable there is a proper catch handler that ultimately handles the actual exception properly.
Application class (e.g., the class that extends
Context object is passed around to non-
Activity classes, or when you pass references to
Activity classes to your helper classes.
View classes, Singleton classes that have references to
Context, Inner Class references, Anonymous Class references, AsyncTask references, Handler references, Threading done wrong, TimerTask references. For more details, please check:
proguardFiles are set. Creating exceptions to protect some classes from obfuscation (with
-keep class) is common. Therefore, auditing the ProGuard configuration file to see what classes are exempted is important. The
getDefaultProguardFile('proguard-android.txt') method gets the default ProGuard settings from the
When you build your project using Android Studio 3.4 or Android Gradle plugin 3.4.0 or higher, the plugin no longer uses ProGuard to perform compile-time code optimization. Instead, the plugin works with the R8 compiler. R8 works with all of your existing ProGuard rules files, so updating the Android Gradle plugin to use R8 should not require you to change your existing rules.
proguard-rules.pro is where you define custom ProGuard rules. With the flag
-keep you can prevent R8 from removing or renaming certain code that it would otherwise strip, which might otherwise produce errors at runtime. For example, to keep common Android classes, as in our sample configuration
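The audit of exempted classes recommended above is easy to get wrong by eye once a rules file grows. The following is an added example written for this page, not the guide's sample configuration and not any project's rules: it splits a proguard-rules.pro into directives (joining multi-line class specifications), extracts the `-keep*` family, and flags rules whose target is a wildcard (`*`, `**` or `package.**`) and that either keep every member (`{ *; }`) or carry no `extends`/`implements` constraint. Such rules exempt whole class trees from shrinking and obfuscation; the constrained `-keep public class * extends android.app.Activity` form is deliberately not flagged. The rules file is a constructed sample for a hypothetical app.

```python
import re

KEEP_DIRECTIVES = {
    "-keep", "-keepclassmembers", "-keepclasseswithmembers",
    "-keepnames", "-keepclassmembernames", "-keepclasseswithmembernames",
}

# Constructed proguard-rules.pro for a hypothetical app (not a real project's rules).
SAMPLE_RULES = """\
# keep rules for com.example.app (constructed sample)
-dontwarn okhttp3.**
-keepattributes Signature,*Annotation*

# models are deserialized by reflection
-keep class com.example.app.model.** { *; }

-keep public class * extends android.app.Activity
-keep class com.example.app.crypto.KeyStoreHelper {
    public <methods>;
}
-keepclassmembers class com.example.app.api.** { public <methods>; }

# "temporary" rule that effectively disables shrinking and obfuscation
-keep class ** { *; }
"""

_CLASS_SPEC = re.compile(r"(?:^|\s)(?:class|interface|enum|@interface)\s+(\S+)")
_KEEP_ALL_MEMBERS = re.compile(r"\{\s*\*;\s*\}")


def parse_rules(text):
    """Split a rules file into one string per directive. Comments are dropped and
    a class specification that spans several lines (open brace) is joined."""
    rules, current = [], []

    def flush():
        if current:
            rules.append(" ".join(part.strip() for part in current))
            current.clear()

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        joined = "".join(current)
        # A new directive starts only when the previous one's braces are balanced.
        if line.lstrip().startswith("-") and joined.count("{") == joined.count("}"):
            flush()
        current.append(line)
    flush()
    return rules


def keep_rules(text):
    """Only the -keep* family exempts code from shrinking/obfuscation."""
    return [r for r in parse_rules(text) if r.split()[0] in KEEP_DIRECTIVES]


def audit_keep_rules(text):
    """Return (rule, reason) for keep rules that exempt whole class trees and
    therefore deserve a second look during the review."""
    findings = []
    for rule in keep_rules(text):
        m = _CLASS_SPEC.search(rule)
        if not m:
            continue
        target = m.group(1)
        wildcard = target in ("*", "**") or target.endswith(".**")
        constrained = " extends " in rule or " implements " in rule
        if wildcard and _KEEP_ALL_MEMBERS.search(rule):
            findings.append((rule, "keeps every member of a wildcard class set"))
        elif wildcard and not constrained:
            findings.append((rule, "unconstrained wildcard target"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_keep_rules(SAMPLE_RULES):
        print("%-70s %s" % (rule, reason))
```

Point `audit_keep_rules` at the concatenation of every file named in `proguardFiles` (including the consumer rules pulled in from AAR dependencies) so that a library's bundled rules cannot silently widen the exemptions.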