First Look: Using Google Open-source Android Security Lint Library

From the latest Android Developers Blog post, “Making security easy: How we are helping you fix vulnerabilities in your Android apps”, we can foresee that our industry is putting more effort into addressing security issues. As the user base of mobile devices continues to grow and mobile devices handle more sensitive information and operations, it becomes increasingly important to protect both your company’s intellectual property and your users’ data.

If you are using the latest version of Android Studio (Giraffe+), there are already some existing security lint checks that can help you identify security issues in your codebase. These checks come with informative descriptions and suggestions.

However, if you would like to embed lint checks in your codebase as an essential part of development, or if you want the most recent guidance and lint checks to further protect your application, the Google Open-source Android Security Lint Library is the way to go. This library offers more advanced and up-to-date lint checks, ensuring that your application is protected against the latest security threats. Let’s dive into how you can integrate this powerful tool into your development workflow.

Integrating the library

Using the library at the moment requires a bit more effort since its binary is not yet available on Maven (it will be added soon, according to Google). Additionally, the documentation is not beginner-friendly. Here, we will show you how to integrate the library into your codebase:

1: Clone the repo to a desired location

2: Import the checks module into your codebase

• In Android Studio, click File > New > Import Module

• Select the checks folder of the Security Lint Library repo and click `Finish`

3: Set up the build.gradle

• By following the repo’s README, you will need to add the checks module to the app’s build.gradle. And the lintVersion inside ext { } section

dependencies {
  lintChecks project(':checks')
}

ext {
  ...
  lintVersion = '31.5.1'
}

• Multi-module projects are very common nowadays. You should also add the following lines to your app’s `build.gradle` under android { } section, so that the lint scan can propagate to sub-modules.

android {
    ...
    lint {
        checkDependencies true
    }
}

Running the lint

Congrats! You have successfully integrated the latest version of the Android Security Lint Library into your project. To run the lint checks, you can use the following command in your terminal:

./gradlew :{app module name}:lint

You can also run the command in the Gradle tool window. Below is an example of running the lint check with the repository’s example project using :app:lint:

You may see errors after running the lint, but no worries — search for the HTML report to see if it generated the lint report.

Open the report to see the number of lint errors and warnings in the example app module. If you see “VulnerableCryptoAlgorithm: Application uses vulnerable cryptography algorithms,” it means you have successfully used the Security Lint Library to detect vulnerabilities and you have work to do!

Conclusion

The Android Security Lints Library is still new to the community, having been created less than a year ago. The number of detectors in the library is small, roughly a dozen, which is not enough to ensure we are delivering secure applications. However, I am confident that the library will grow, and mobile application security will become more crucial in the future. We should keep an eye on this library and consider integrating it into our projects.

As the library evolves, it will likely include more comprehensive checks and improved documentation, making it easier for developers to incorporate robust security measures into their applications.