Improving SonarQube detection for obfuscated APKs

Hey everyone, I’m currently doing a strict security audit on some third-party software our junior dev team wants to introduce into our testing workflow. Some of the guys were talking about a mobile tool they casually refer to as vng roblox for running test scripts, so I grabbed the APK, decompiled it back to Java, and pushed it through our local SonarQube instance to check for red flags before allowing it anywhere near our network.

The main issue I’m running into is that SonarQube is giving it a completely clean bill of health on the security hotspot and vulnerability front, despite the code being visibly suspicious. I can clearly see heavy string obfuscation and reflection calls when I manually dig into the decompiled smali-to-Java classes, but the scanner is totally blind to it.

This brings up a few related issues that are making me second-guess our setup. First, it seems the default Java rules aren’t catching the reflection-based dynamic execution happening here, which makes me wonder if our SonarQube instance is actually capable of catching modern obfuscation techniques in third-party libraries. Second, I’m struggling to figure out if I just need to increase the severity threshold on existing rules, or if I have to write a completely custom Java rule using the analyzer API just to flag this specific pattern of hidden class loading.

Has anyone here dealt with running security scans on decompiled, obfuscated mobile binaries? How do you tune SonarQube to actually catch these hidden reflection calls instead of letting them slip through as false negatives?
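Since the post asks whether a custom rule via the analyzer API is the way to flag hidden class loading, here is an added example of such a rule, not code from the original thread or from Sonar. It assumes the sonar-java plugin API (`IssuableSubscriptionVisitor`, `MethodMatchers`) packaged in a custom rules plugin; the rule key, message text and the choice to treat computed `Class.forName` arguments as the strongest signal are my assumptions.

```java
import java.util.List;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.NewClassTree;
import org.sonar.plugins.java.api.tree.Tree;

// Hypothetical rule key; whether it surfaces as a Security Hotspot or a
// Vulnerability is set in the rule's metadata JSON in the custom plugin.
@Rule(key = "ReflectiveClassLoading")
public class ReflectiveClassLoadingCheck extends IssuableSubscriptionVisitor {

  // Class.forName with an argument that is not a plain string literal is the
  // classic shape of obfuscated / decrypted-at-runtime class names.
  private static final MethodMatchers CLASS_FOR_NAME = MethodMatchers.create()
      .ofTypes("java.lang.Class").names("forName").withAnyParameters().build();

  // Other dynamic-execution entry points worth surfacing in a decompiled APK.
  private static final MethodMatchers DYNAMIC_EXEC = MethodMatchers.or(
      MethodMatchers.create().ofTypes("java.lang.reflect.Method").names("invoke")
          .withAnyParameters().build(),
      MethodMatchers.create().ofSubTypes("java.lang.ClassLoader").names("loadClass")
          .withAnyParameters().build(),
      MethodMatchers.create().ofTypes("dalvik.system.DexClassLoader", "dalvik.system.PathClassLoader")
          .constructor().withAnyParameters().build());

  @Override
  public List<Tree.Kind> nodesToVisit() {
    return List.of(Tree.Kind.METHOD_INVOCATION, Tree.Kind.NEW_CLASS);
  }

  @Override
  public void visitNode(Tree tree) {
    if (tree.is(Tree.Kind.METHOD_INVOCATION)) {
      MethodInvocationTree mit = (MethodInvocationTree) tree;
      if (CLASS_FOR_NAME.matches(mit) && !mit.arguments().isEmpty()) {
        ExpressionTree name = mit.arguments().get(0);
        if (!name.is(Tree.Kind.STRING_LITERAL)) { // computed name, not a constant
          reportIssue(mit.methodSelect(), "Review this Class.forName call: the class name is computed at runtime.");
        }
      } else if (DYNAMIC_EXEC.matches(mit)) {
        reportIssue(mit.methodSelect(), "Review this reflective call: it executes code chosen at runtime.");
      }
    } else if (DYNAMIC_EXEC.matches((NewClassTree) tree)) {
      reportIssue(((NewClassTree) tree).identifier(), "Review this dynamic class loader: it loads code from outside the APK's own classes.");
    }
  }
}
```

Register the check in your plugin's `CheckRegistrar` and run a server-side analysis; decompiler output keeps the reflective calls visible, so the rule fires on them even when the string arguments are obfuscated.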

Hi,

You’ve filed this under SonarQube for IntelliJ. Does that mean you’re running this analysis in-IDE? Because not all rules run in the IDE. I recommend you look at running a SonarQube Cloud analysis, where taint analysis and Security Hotspot rules should kick in.

HTH,
Ann