Towards a Static Code Analysis Framework for Android Applications

Abstract

Static Code Analysis is one of the most widely used methods in the software industry to identify coding best practice violations which can potentially cause issues in software functionality, maintainability and readability of the code. This research is an attempt to come up with a tool to perform static code analysis on Android source code which is not currently being specifically supported by many available tools. For any of the two different input types supported by the proposed system, source and android application package file, the source information is extracted using source parsing technique and populating the Abstract Syntax Tree of the source. The source information is evaluated against a set of rules which are formulated based on the Android Best Practices published in Android developer’s guide to find out instance where the best practices are violated. Only a set of performance and security related best practices were focused on for this research. In the source information extraction process from Android application package files, some third party tools are used to convert dex format to java bytecode and then to generate java source by de-compiling java bytecode. For a small number of rules implemented, fairly successful analysis results were generated by the prototype for both input types. However, there were some noticeable differences between the results generated by the system for two different types of inputs. By exploring the process further was able to find out some interesting facts on how the two different types of inputs behave during the process. This ultimately helped to arrive on a conclusion of which type of input is the most suitable to analyze through the prototype and issues which can be faced using the other type as an input.