Keep your App secure with dependencyCheck

A tool to verify third-party libraries doesn’t have security holes

Introduction

When developing Android Apps, we rely on many third-party libraries. It could be for networking, image processing, charting… As we like to say, ‘why should we re-invent the wheel?’. While this holds true, it is also important to be conscious that those libraries are built by passionate people and follow the general industry standards (code coverage, testing…), but they aren’t exempt from bugs or security holes.

dependencyCheck to the rescue

Thankfully, we have security researchers on one-end that help finding vulnerabilities, and dependencyCheck, a tool that scans your app dependencies and alerts you when a library is compromised. The tool is running through a Gradle task and can be easily integrated to your CI/CD system (such as Jenkins).

Setup your Android project

Thanks to Gradle, it is pretty straight forward to setup your Android project with dependencyCheck. So let’s head to gradle.build and add the dependency, you can check for the latest version here:

# ./build.gradle
dependencies {
     classpath 'org.owasp:dependency-check-gradle:6.5.0.1'
}