At GitLab, everyone can contribute! GitLab 13.5 included an integration for Mobile Static Application Security Testing (SAST) from one of our customers. For their contribution, the H-E-B Digital team were October 2020's MVP.

Their contribution enables SAST for mobile applications. This includes iOS apps written in Objective-C and Swift as well as Android apps written in Java and Kotlin.

This blog post will go over how Mobile SAST works on Android.

Static Application Security Testing

Static Application Security Testing analyzes source code for known vulnerabilities. SAST is used to detect potentially dangerous attributes in a class, or unsafe code that can lead to unintended code execution, as well as other issues such as SQL Injection. More information on SAST can be seen in the OWASP Documentation.

Here is a video which goes over setting up SAST for Mobile, as well as a sample application you can use to get started:

In a nutshell, after the scanner has been configured, whenever an MR is created the scanner runs on the application source code and looks for patterns to determine if that code is vulnerable. This is covered below.

Initially this analyzer supports source code analysis but we intend to expand support for binary scanning of .ipa and .apk files in the near future.

Understanding security rules

SAST for mobile applications uses the Mobile Security Framework (MobSF) to scan source code. MobSF uses certain rules in order to determine if an application is vulnerable. The rules used to scan mobile applications can be seen in their rules file. These rules use regex in order to find vulnerabilities in the static code.

You can also contribute your own rules if you have thoughts on enhancements. I made a small change to enable a regex to work on Kotlin. Not only can everyone contribute at GitLab, we encourage team members to contribute to other open source projects.

Note: You will have to test your changes before they can be approved. In order to do this, you must install your branch as seen here.

Adding your own scanners

GitLab allows for lots of extensibility. Using our integration guidance, you can bring your own scanners into the merge request pipeline and the security dashboards. This was done for MobSF SAST, as well as the WhiteSource Dependency Scanner.
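To make the two ideas above concrete (regex rules that must account for Kotlin as well as Java, and emitting findings a CI pipeline can consume), here is an added example that is neither MobSF's rule file nor GitLab's integration code. It applies two constructed rules line by line and writes the results in the shape of a GitLab SAST report; the rule ids, scanner id, version string and report field names are assumptions, and the Java/Kotlin snippets are constructed sample input.

```python
import json
import re

# Constructed rules in the spirit of MobSF's regex rule file; not MobSF's own rules.
# The WebView rule needs a second pattern because Kotlin uses property syntax, so a Java-only regex misses it.
RULES = [
    {"id": "webview-js-enabled", "name": "WebView JavaScript enabled", "severity": "Medium",
     "patterns": [r"\.setJavaScriptEnabled\(\s*true\s*\)",   # Java: settings.setJavaScriptEnabled(true)
                  r"\.javaScriptEnabled\s*=\s*true"]},       # Kotlin: settings.javaScriptEnabled = true
    {"id": "world-readable-file", "name": "File created with MODE_WORLD_READABLE", "severity": "High",
     "patterns": [r"\bMODE_WORLD_READABLE\b"]},              # same token in Java and Kotlin
]

def scan_source(path, text):
    """Apply every rule to each line of one file; return findings as report entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            if any(re.search(p, line) for p in rule["patterns"]):
                findings.append({
                    "category": "sast",
                    "name": rule["name"],
                    "message": rule["name"],
                    "description": f"Matched rule {rule['id']}: {line.strip()}",
                    "severity": rule["severity"],
                    "scanner": {"id": "example_mobile_sast", "name": "Example mobile SAST"},  # assumed ids
                    "location": {"file": path, "start_line": lineno, "end_line": lineno},
                    "identifiers": [{"type": "example_rule", "name": rule["id"], "value": rule["id"]}],
                })
    return findings

def build_report(sources):
    """sources maps path -> text; returns a dict shaped like gl-sast-report.json (assumed fields)."""
    vulns = [f for path, text in sources.items() for f in scan_source(path, text)]
    return {"version": "15.0.0", "vulnerabilities": vulns}

# Constructed sample input: the same WebView misconfiguration written in Java and in Kotlin.
SAMPLE = {
    "app/src/main/java/Demo.java": "WebView wv = new WebView(this);\nwv.getSettings().setJavaScriptEnabled(true);\n",
    "app/src/main/java/Demo.kt": "val wv = WebView(this)\nwv.settings.javaScriptEnabled = true\nopenFileOutput(\"x\", Context.MODE_WORLD_READABLE)\n",
}

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE), indent=2))
```

Dropping the Kotlin pattern from the first rule makes Demo.kt line 2 disappear from the report, which is exactly the gap a Kotlin-aware rule change closes.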

I hope you enjoyed this blog post. Now you can start making your Android applications more secure. You can reach out on Twitter and share your thoughts with us @GitLab!
