Monday 2 August 2021

Secure coding: Integrating SonarQube in Android Studio

It is often difficult to spot security issues in your app code while you are focused on adding features and offering a great user experience. Here is how you can take care of security bugs and protect your apps and users from being exposed to vulnerabilities. There are a lot of open-source and free security scanners which you can integrate into your favourite IDE to get rid of common, basic security bugs easily. In this article, I will show how to use the Community edition of a popular code scanning tool, SonarQube, to find bugs during Android app development by integrating it into Android Studio.

SonarQube is a popular code quality and security scanning tool available in multiple editions: Community, Developer, Enterprise and Data Center. You can read more about it here.

Prerequisites:

  • Java 11 or higher (tested with Java 11)
  • Android Studio

Make sure your Android Studio is working properly. The JAVA_HOME variable should point to the Java installation root directory.

Follow the below simple steps to download and configure SonarQube in your system.

  1. Visit the SonarQube website download page and understand the different editions of this static code analysis tool.
  2. If you prefer the Community edition, download the latest version appropriate for your machine's operating system. For this article, I will be using the Windows OS version.
  3. Now simply unpack the zipped file to your directory of choice. We will call it the base directory for simplicity.
  4. Browse through the directories 'sonarqube-xy.x.xx.xx\bin\windows-x86-64' to locate the StartSonar.bat file. Based on your version, the path might differ.
  5. Add the location to your system PATH variable.
  6. Now simply run the bat file from a command prompt.
  7. If everything goes well, you will see that the startup has completed. Keep the CMD window running.
  8. Now open http://127.0.0.1:9000 in your browser to get the tool UI.
  9. Log in with the default credentials (admin/admin).
  10. The tool installation is complete.

Now we have to integrate the tool into Android Studio. Install the SonarQube plugin for Android Studio:
File > Settings > Plugins
Search for SonarQube Analyzer and install it.

Fire up the IDE and open the build.gradle files.
Open the project-level build.gradle file and add the line below under dependencies.

classpath "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.6.2"



Now open the build.gradle file corresponding to the app module and add the entry below at the end. Make sure you give the username/password corresponding to your installation of SonarQube.

apply plugin: 'org.sonarqube'

sonarqube {
    properties {
        property "sonar.projectName", "developerlibs"
        property "sonar.projectKey", "com.devlibs.android"
        property "sonar.language", "kotlin"
        property "sonar.sources", "src/main/java/"
        property "sonar.binaries", "build"
        property "sonar.sourceEncoding", "UTF-8"
        // credentials for your SonarQube instance; keep real values out of
        // version control (e.g. read them from gradle.properties or the environment)
        property "sonar.login", "admin"
        property "sonar.password", "admin"
    }
}



Finally, run the plugin's task through the Gradle Wrapper (gradlew sonarqube) to complete the process.


You are all set. Just refresh your SonarQube homepage at http://127.0.0.1:9000 and you will see the scan results appearing in your dashboard. Simple, right?



Friday 2 July 2021

Android app development: Implementing a broadcast receiver

The Android broadcast message system works in a publish-subscribe manner. A broadcast message is sent when there is something to announce. For example, when the system announces an event such as the boot-up process completing or an incoming SMS, all the apps subscribed to that event are notified. It is also possible for an app to send a custom broadcast to another app to communicate with it. System broadcasts are sent wrapped in Intents, so we need to implement an Intent filter to receive the Intent of interest. This article will show you how to implement a simple broadcast receiver and perform some action when the broadcast arrives.

From your MainActivity, register the receiver as shown below.

import android.content.BroadcastReceiver;
import android.content.IntentFilter;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {
    BroadcastReceiver receiver;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        configReceiver(); // register our receiver; configReceiver() and onDestroy() follow below
    }

The configReceiver() will have our code to filter the Intent and register the receiver. As an example, I will make an intent filter that will listen for a broadcast when the system detects a power disconnection.

    private void configReceiver() {
        IntentFilter filter = new IntentFilter();
        // this is the value of Intent.ACTION_POWER_DISCONNECTED
        filter.addAction("android.intent.action.ACTION_POWER_DISCONNECTED");
        receiver = new MyReceiver();
        // context-registered receiver: it only lives while this Activity does
        registerReceiver(receiver, filter);
    }

Now let's see the broadcast receiver class. You need to extend the Android BroadcastReceiver.

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.widget.Toast;

public class MyReceiver extends BroadcastReceiver {
    public MyReceiver() {
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Act only on the broadcast we registered for; an explicit Intent aimed
        // at this component by another app would otherwise trigger it as well.
        if (!Intent.ACTION_POWER_DISCONNECTED.equals(intent.getAction())) {
            return;
        }
        String message = "Power disconnected!!";
        Toast.makeText(context, message, Toast.LENGTH_LONG).show();
        // your action goes here
    }
}

Now, unregister upon destroy.

    @Override
    protected void onDestroy() {
        super.onDestroy();
        unregisterReceiver(receiver);
    }

You need to include your Receiver in Android Manifest.

<application
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:roundIcon="@mipmap/ic_launcher_round"
    android:supportsRtl="true"
    android:theme="@style/Theme.myproject">
    <!-- exported="false": the receiver is registered from MainActivity and has no
         manifest intent-filter, so no other app needs to target it directly -->
    <receiver
        android:name="com.myproject.MyReceiver"
        android:enabled="true"
        android:exported="false">
    </receiver>

    <activity android:name="com.myproject.MainActivity">
        <!-- ......remaining things go here -->

We will see another way of implementing the receiver in my next post. Stay subscribed.

Thursday 20 May 2021

Python script for recursively executing a tool/command on each file in a directory

While using some of the pentesting tools in Kali Linux, I could observe that some of the tools/commands are designed to work on a single target file. What if we have a lot of samples to analyze and need to save the whole output in a text file? Here is a simple Python script to automate such tasks. Replace the parameter 'Your_tool_command_here' with the command and corresponding arguments you want to execute.

Example: the 'file' command, to find the file type of each file in a directory and its sub-directories.

import os
import shlex
import time

# Replace the placeholder with the tool command and its arguments, e.g. "file"
TOOL_COMMAND = '<Your_tool_command_here>'

print("Opening a file 'results.txt' for storing data")
f = open("results.txt", "w+")  # open a file for saving output
for root, subFolder, files in os.walk("."):
    for item in files:
        if not item.endswith("results.txt"):  # do not scan our own output file
            fileNamePath = str(os.path.join(root, item))  # recursively find each file
            f.write(fileNamePath + '\n')
            f.write("...................................................." + '\n')
            # quote the path so spaces and shell metacharacters in file names
            # reach the tool as one literal argument instead of being interpreted
            stream = os.popen(TOOL_COMMAND + " " + shlex.quote(fileNamePath))
            time.sleep(3)  # optional pause; stream.read() already waits for the command
            output = stream.read()  # command output
            f.write(output + '\n')  # write command output to file
            f.write("...................................................." + '\n')
            stream.close()
f.close()
print("Process completed !")

The code is self-explanatory, but here is a brief description. The script recursively collects every file under a root directory, executes the tool or command on each file, and saves the final output in a text file. The output contains each filename followed by the tool's execution result.
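The same batch-execution idea, written as an added example rather than the post's own script: the tool and its arguments are passed to subprocess.run as a list, so no shell is involved and a file name containing spaces or characters such as ';' or '$' is handed to the tool as one literal argument. Each run also gets a timeout, a missing tool is reported instead of crashing the loop, and the per-file results are returned so a caller can inspect them. The directory tree, its file names and the stand-in "size tool" (a Python one-liner used in place of 'file' so the example runs anywhere) are all constructed for this example.

```python
"""Run a command on every file under a directory tree without going through a shell."""
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def run_tool_on_tree(root, command, output_path=None, timeout=30):
    """Execute ``command + [file]`` for every file below ``root``.

    ``command`` is a list such as ["file"] or ["strings", "-n", "8"].
    Returns a list of (relative_posix_path, return_code, text) tuples, where
    return_code is None if the tool timed out or could not be started.
    If ``output_path`` is given, the results are also appended to that file
    in the post's "path / dots / output / dots" layout.
    """
    root = Path(root)
    output_file = Path(output_path).resolve() if output_path else None
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if output_file is not None and path.resolve() == output_file:
            continue  # never feed our own results file back into the tool
        try:
            completed = subprocess.run(
                [*command, str(path)],  # list form: no shell, no quoting pitfalls
                capture_output=True, text=True, timeout=timeout,
            )
            code, text = completed.returncode, completed.stdout + completed.stderr
        except subprocess.TimeoutExpired:
            code, text = None, f"timed out after {timeout}s"
        except FileNotFoundError:
            code, text = None, f"command not found: {command[0]}"
        results.append((path.relative_to(root).as_posix(), code, text.strip()))

    if output_file is not None:
        with open(output_file, "a", encoding="utf-8") as out:
            for rel, code, text in results:
                out.write(f"{rel}\n{'.' * 52}\n{text}\n{'.' * 52}\n")
    return results


def make_sample_tree(base):
    """Create a small constructed directory tree with awkward file names."""
    base = Path(base)
    (base / "sub").mkdir(parents=True, exist_ok=True)
    samples = {
        "plain.txt": b"hello",              # 5 bytes
        "with space.txt": b"hello world",   # 11 bytes; would split under naive shell concatenation
        "sub/semi;colon.bin": b"\x7fELF",   # 4 bytes; ';' would end a shell command
    }
    for name, data in samples.items():
        (base / name).write_bytes(data)
    return sorted(samples)


# Constructed stand-in for a tool like ``file``: prints the byte size of its argument.
SIZE_TOOL = [sys.executable, "-c",
             "import os, sys; print(os.path.getsize(sys.argv[1]))"]


def demo(command=None):
    """Build the sample tree in a temporary directory, run ``command`` over it and
    return (results, text of the results file)."""
    command = command or SIZE_TOOL
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        report_path = os.path.join(tmp, "results.txt")
        results = run_tool_on_tree(tmp, command, report_path)
        report = Path(report_path).read_text(encoding="utf-8")
    return results, report


if __name__ == "__main__":
    for rel, code, text in demo()[0]:
        print(f"{rel!r}: rc={code} output={text!r}")
```

Swap SIZE_TOOL for something like ["file"] or ["strings", "-n", "8"] to use a real tool; because the arguments are a list, nothing in the file name is ever parsed by a shell, which is the property the os.popen string-building approach lacks.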

Enjoy automating things!!