Applications (Android or otherwise) are susceptible to security vulnerabilities. Hence it is important to stay on top of the latest security updates and configure apps for the same. The usual approach for scanning mobile applications and finding security reports involves a series of painstaking steps from the development of the application, scanning, and static analysis of the code, to remediation and rescan.
BeVigil's Jenkins plugin simplifies this task by identifying security vulnerabilities during the application development phase itself. By utilizing this plugin, developers and security teams can easily detect and address any issues that arise during development and streamline the remediation process.
What Mistakes are Made by the Developer?
One of the biggest mistakes made by a Developer is that they usually hardcode the API keys, secrets, and assets in the source code while pushing the build APK to the PlayStore. As shown in the image below, the developer has hard-coded the Razorapay key and secret in the application. Hardcoding these keys can lead to the leak of user’s PII.
Types of Keys/URLs Leaked by the Developers & Their Impact
How Does BeVigil’s Jenkins Plugin Help?
Let's understand what Jenkins is. Jenkins is an open-source automation server widely used for continuous integration and continuous delivery (CI/CD) of software projects. Jenkins provides many plugins to extend its functionality and supports various types of build, deployment, and testing tasks.
Jenkins works by triggering automated builds and tests whenever changes are made to the source code repository. It integrates with version control systems such as Git, SVN, and Mercurial, and can be configured to run automated tests, code analysis, and packaging of the application.
Jenkins is a powerful automation tool that helps software teams to improve their software development processes by automating repetitive tasks and enabling faster feedback cycles. Its popularity is due to its flexibility, scalability, and ease of use, making it a preferred choice for many development teams around the world.
Working of BeVigil’s Jenkins Plugin
BeVigil Jenkins plugin will help app developers remediate issues at the time of development. As soon as a developer commits a code, they will receive a detailed security report from the BeVigil Jenkins plugin for APK or IPA files. This report would include information such as:
- What is the issue?
- What is the impact?
- What are the remediation steps?
- Which file issue was found?
- What was the exact match in the source code which led to our scanner detecting it as a threat?
How can a Developer Use the BeVigil Plugin?
In order for a developer to utilize the Jenkins plugin (offered by BeVigil), they must have the following installed in their system:
- Android SDK tools
Steps for Installing the Plugin
BeVigil’s Jenkins plugin can be installed in any system by following the series of steps stated below:
- Open Jenkins and click on Manage Jenkins.
- Now, select Manage Plugins.
- Navigate to the Available plugins tab, and search for the "BeVigil VI" plugin. Click the checkbox next to the plugin, and then click on "Install without restart" to install the plugin.
- The plugin installation is successful, as seen in the Download progress tab.
Setting up Environment Variables for Jenkins
- To set environment variables for Jenkins, open the Jenkins dashboard and navigate to Manage Jenkins -> Configure System. Find the Global Settings section and tick the Environment variables checkbox to enable it.
- After JDK is installed, we need to set environment variables for JAVA_HOME in Jenkins which would be the JDK path.
- Once the Android SDK Tools is installed, we need to set the environment variable ANDROID_HOME pointing to our Android SDK location.
- After putting both values, users need to click on the Save button to apply changes.
Configure Pipeline Settings
- Go to the Jenkins dashboard, click on the new item, select freestyle project, add the item name, and click on OK to set up the project.
- After the project setup is done, go to source code management, select GIT, add the repo URL, and select the branch which you want Jenkins to run.
- Select Add to build steps and select Invoke Gradle Script. Select the Use Gradle Wrapper, check the Make gradlew executable checkbox, and add the wrapper location. Now add assembleDebug in the tasks to be invoked box. When you run the assembleDebug task, Gradle compiles the source code of your application, processes resources, and generates an APK.
- Click on the build button and select Scan your app with BeVigil CI option. Now add the following details in the form:
- API KEY: Your BeVigil API Key
- App Type: Select Android/ioS
- App Path: This is the path to your built app relative to the root of your Jenkins workspace. This path would be generated using the assembleDebug task command.
- Package Name: Enter the package name for your application
- Scan Timeout: This is the time (in minutes) after which the scan will timeout on the plugin.
- Severity Threshold: This tells BeVigil to set a threshold for the vulnerabilities:
- Low: The security report will include low, medium, and high vulnerabilities
- Medium: The security report will include includes medium and high vulnerabilities
- High: The security report will include includes only high vulnerabilities
- After everything is done, click on the Save button.
- We need to click on Build Now to build the project.
- You can now go to the console output to see the security report of the app, if a successful build has happened.
- The report can be downloaded to see the security issues present in the mobile application and resolve them proactively.
What’s coming next?
In the next phase, developers will be able to add one more step to the build steps, i.e., if at the time of build if some high-security issues are found in the mobile application then the build will fail at this stage. It cannot go to the next stage of the pipeline. The image below shows the working of the CI/CD pipeline in a software development life cycle.
Configuration changes can be made in the build steps, at the third step of the pipeline, which will make sure that if any high-security issues arise in the build stage, then it would not proceed to the further stages. Our plan is to incorporate the BeVigil plugin into various CI tools, such as Travis, Circle CI, Bamboo, GitLab CI/CD, Azure Pipelines, and CodeShip. If you're utilizing a different CI tool to test your app builds apart from Jenkins, kindly click on this link to make your selection.
Video Demonstration of the Plugin Setup
- Free Vector | Modern infographic template with five steps or points
- Icon for infographic
- Icon for infographic
- Pair programming Customizable Semi Flat Illustrations | Pana Style