MASTG-TECH-0129: Verifying Android Dependencies at Runtime
The preferred techniques for analyzing dependencies are Software Composition Analysis (SCA) of Android Dependencies at Build Time and Software Composition Analysis (SCA) of Android Dependencies by Creating an SBOM. The technique described here is manual and cannot easily be automated, so use it only in a black-box setting where the source code and build files are unavailable.
When analyzing an application, it is important to identify its dependencies, which are usually bundled as libraries, and to check that none of them contains known vulnerabilities. If the source code is unavailable, you can decompile the application (for example, convert the DEX files to JAR files and decompile those) and inspect the classes of each bundled library. If ProGuard or another obfuscation tool has been applied properly, the library's version information is usually stripped or obfuscated. Otherwise, version information may still survive in the decompiled classes (for example in version constants or a library's BuildConfig class) or in metadata files that some libraries ship inside the APK, such as the META-INF/*.version files added by AndroidX artifacts. Tools such as blint can help enumerate the libraries packaged with the application. If you can determine a library's version, either from such strings or from the presence of methods that exist only in certain versions, you can manually search for CVEs affecting that version. Keep in mind that a bundled library with a known CVE is only a confirmed finding if the application actually reaches the affected functionality, so verify the usage in the decompiled code before rating it.
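The following script, added here as an example and not part of the MASTG or of blint, automates the two cheapest version-harvesting steps described above: it reads the META-INF/<group>_<artifact>.version marker files that AndroidX artifacts leave in an APK, and it scans the classes*.dex entries for "name/x.y.z" style strings such as the user-agent strings some HTTP libraries embed. Both the marker-file layout and the string heuristic are assumptions about what a given APK contains, and the sample APK built in `build_sample_apk()` is constructed for the demo. Results are emitted as Maven package URLs (purls) so they can be fed straight into an SCA or CVE lookup.

```python
"""Harvest library version indicators from an APK when no source is available.

Added example for this technique; not MASTG or blint code. Assumptions
(marked in comments): AndroidX artifacts leave META-INF/<group>_<artifact>.version
files in the APK, and some libraries embed "name/x.y.z" strings in DEX data.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumption: AndroidX-style marker files, e.g. META-INF/androidx.core_core.version -> "1.9.0"
VERSION_ENTRY = re.compile(r"^META-INF/([^/_]+)_([^/]+)\.version$")

# Assumption (low-confidence heuristic): a library-ish token, a separator, then a
# version number, as found in user-agent or version strings in DEX string data.
DEX_VERSION_STRING = re.compile(rb"([A-Za-z][A-Za-z0-9_.-]{2,40})[/@ ](\d+\.\d+(?:\.\d+)?)")


def versions_from_metainf(apk_bytes: bytes) -> dict:
    """Map "group:artifact" -> version for every META-INF/*.version entry."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            match = VERSION_ENTRY.match(name)
            if not match:
                continue
            group, artifact = match.groups()
            version = apk.read(name).decode("utf-8", "replace").strip()
            if version:
                found[f"{group}:{artifact}"] = version
    return found


def version_strings_from_dex(apk_bytes: bytes) -> list:
    """Return sorted (token, version) pairs found in classes*.dex string data.

    Every hit is a lead, not a result: confirm it in the decompiled class
    that references the string before searching for CVEs.
    """
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            for match in DEX_VERSION_STRING.finditer(apk.read(name)):
                hits.add((match.group(1).decode(), match.group(2).decode()))
    return sorted(hits)


def to_purls(coords_to_version: dict) -> list:
    """Turn "group:artifact" -> version into Maven package URLs for CVE lookups."""
    purls = []
    for coords, version in coords_to_version.items():
        group, artifact = coords.split(":", 1)
        purls.append(f"pkg:maven/{group}/{artifact}@{version}")
    return sorted(purls)


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: a zip with only the entries we care about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML placeholder
        apk.writestr("META-INF/androidx.core_core.version", "1.9.0\n")
        apk.writestr("META-INF/androidx.appcompat_appcompat.version", "1.6.1\n")
        # Fake DEX: magic, header padding, then a string pool with a user-agent string.
        apk.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 16 + b"okhttp/4.9.3\x00Lokhttp3/OkHttpClient;\x00",
        )
    return buf.getvalue()


def main(argv):
    # Pass a real APK path to analyze it; with no argument the constructed sample is used.
    apk_bytes = Path(argv[1]).read_bytes() if len(argv) > 1 else build_sample_apk()
    print("Versions from META-INF marker files (purls):")
    for purl in to_purls(versions_from_metainf(apk_bytes)):
        print("  ", purl)
    print("Version-like strings in DEX data (verify manually):")
    for token, version in version_strings_from_dex(apk_bytes):
        print(f"   {token} {version}")


if __name__ == "__main__":
    main(sys.argv)
```

An empty result from the marker-file pass does not mean the app has no dependencies: only libraries that ship such files (AndroidX artifacts in particular) show up there, and an obfuscated build may strip the DEX strings as well. Treat the purls as the starting list for a CVE search, then confirm in the decompiled code that the vulnerable API is actually called.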