On Mon, Jul 15, 2013 at 3:20 AM, Piren <gpi...@gmail.com> wrote:

> I've played around with some tools that do static analysis, one of the
> bigger developers that deal with those tools also ran some "beta" testing
> with us for a toolset for Android.
> Seems like this isn't even close to being a big help... a short while after
> I just stopped using it.
As an FYI, my research is (in part) driven by static analysis (for Android apps); since there's a lot of FUD surrounding it I'd like to try to dispel as much as I can.

This is most people's impression about static analysis, but usually because they're using bad tools. Integrating static analysis into your production cycle is complicated (because the tools are complicated) and usually something that doesn't pay off since the need for correctness on Android is almost never life threatening. By contrast, the use of static analysis is generally involved in some very core code, and the rest is tested using a much more traditional development methodology. (E.g., you may want to verify security related parts of your app dealing with information leakage, but the UI, etc., can be tested.)

> Other than pointing out some very glaring design decisions, it wasn't really
> helpful at all. This is especially true since it can only check the M and C
> parts of the MVC design model and has big issues making sure they work well
> with the V.

This is by no means all of static analysis, but it does highlight the current scope of Android: people take production tools verbatim and apply them to the Android API. A major part of what I said applies here: static analysis isn't *meant* to test UI. There are technologies that do this, but they aren't the norm, and most suites don't focus production on those since they are hard to get right. (I.e., testing UI vs. model integration is already somewhat hard on Android to begin with; adding in the vast numbers of configuration options makes it much harder in the static case.)

> I also doubt they'd be able to check the Android API without actually
> attaching its entire source (in java and c++, and in all possible
> configurations and ROM variants) and compiling the whole thing. So either
> way, even with these tools, the OP won't get any real answer.
This isn't true either; most real static analyses rely on API summaries: doing so would include millions of lines of code. At the current state of the art, there are ways to derive API summaries in a pretty efficient and systematic manner. While it's very hard to do so (lots of manual labor involved in writing a correct API spec) it's definitely the most important part of a static analysis for real world applications.

It's true that with some static analysis engines you won't get an immediate answer, but it's patently false that no tools can offer such an answer. (However, it may be true that no currently existing static analysis tool has sufficient coverage of the Android API.)

Kris

--
You received this message because you are subscribed to the Google Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
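Kris's two points, that real analyses use API summaries instead of the platform source and that coverage of the Android API is the open question, can be seen in a small worked example. The Python below is an added illustration, not code from this thread or from any tool mentioned in it: it tracks taint through a toy straight-line method using hand-written summaries (source, sink, sanitizer, return-depends-on-arguments) and reports every callee it has no summary for as a coverage gap. The statement format, the summary format, the sample method and the `Redact.mask` helper are invented for the example; `TelephonyManager.getDeviceId`, `StringBuilder.append` and `Log.d` are real Android/Java methods named only so the summaries read naturally.

```python
"""Toy summary-based taint analysis over a tiny straight-line IR.

Constructed example: the statement format, the summary format and the
sample program are made up for illustration; they are not the format of
any real analysis tool or of the Android API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ApiSummary:
    """What the analysis knows about a callee without reading its body."""
    source: bool = False                 # return value carries sensitive data
    sink: bool = False                   # a tainted argument here is a leak
    sanitizer: bool = False              # return value is clean whatever the args
    ret_from_args: Tuple[int, ...] = ()  # return is tainted if any listed arg is


# Hand-written summaries. TelephonyManager.getDeviceId, StringBuilder.append
# and Log.d are real Android/Java methods; Redact.mask is a hypothetical
# app-side helper standing in for a sanitizer.
SUMMARIES: Dict[str, ApiSummary] = {
    "TelephonyManager.getDeviceId": ApiSummary(source=True),
    "StringBuilder.append": ApiSummary(ret_from_args=(0, 1)),  # arg 0 = receiver
    "Log.d": ApiSummary(sink=True),
    "Redact.mask": ApiSummary(sanitizer=True),
}


@dataclass(frozen=True)
class Stmt:
    dst: Optional[str]            # variable receiving the result, if any
    callee: Optional[str] = None  # None means a plain assignment dst = src
    args: Tuple[str, ...] = ()
    src: Optional[str] = None


def analyze(program: List[Stmt], summaries: Dict[str, ApiSummary]):
    """Return (findings, unknown_callees) for one straight-line method."""
    tainted: Set[str] = set()
    findings: List[str] = []
    unknown: List[str] = []
    for idx, st in enumerate(program):
        if st.callee is None:                      # dst = src
            if st.src in tainted:
                tainted.add(st.dst)
            else:
                tainted.discard(st.dst)
            continue
        summ = summaries.get(st.callee)
        if summ is None:
            # Coverage gap: no summary and no body. Record it, and stay on the
            # safe side by assuming the result may carry any argument's taint.
            unknown.append(st.callee)
            if st.dst is not None:
                if any(a in tainted for a in st.args):
                    tainted.add(st.dst)
                else:
                    tainted.discard(st.dst)
            continue
        if summ.sink:
            for a in st.args:
                if a in tainted:
                    findings.append(f"stmt {idx}: tainted '{a}' reaches sink {st.callee}")
        if st.dst is None:
            continue
        if summ.source:
            tainted.add(st.dst)
        elif summ.sanitizer:
            tainted.discard(st.dst)
        elif any(j < len(st.args) and st.args[j] in tainted for j in summ.ret_from_args):
            tainted.add(st.dst)
        else:
            tainted.discard(st.dst)
    return findings, unknown


# Constructed sample method (variables only; "TAG" and "prefix" are untainted names).
PROGRAM: List[Stmt] = [
    Stmt("imei", "TelephonyManager.getDeviceId"),            # 0: source
    Stmt("sb", "StringBuilder.append", ("prefix", "imei")),  # 1: taint flows to sb
    Stmt("masked", "Redact.mask", ("imei",)),                # 2: sanitized
    Stmt(None, "Log.d", ("TAG", "sb")),                      # 3: leak
    Stmt(None, "Log.d", ("TAG", "masked")),                  # 4: clean
    Stmt("r", "Unknown.helper", ("imei",)),                  # 5: no summary
    Stmt(None, "Log.d", ("TAG", "r")),                       # 6: leak (conservative)
]


def run_demo():
    """Analyze the constructed sample with the hand-written summaries."""
    return analyze(PROGRAM, SUMMARIES)


if __name__ == "__main__":
    found, gaps = run_demo()
    print("\n".join(found))
    print("callees without summaries:", gaps)
```

The analysis never looks at the body of `TelephonyManager.getDeviceId` or `Log.d`; four one-line summaries replace whatever those methods do internally, which is what makes the approach tractable on a platform as large as Android. The `unknown` list is the part a practitioner should watch: every callee without a summary is a place where the tool is either guessing conservatively (extra noise) or, in a tool that silently assumes unknown calls are harmless, missing a flow, and that list is exactly the "coverage of the Android API" problem the reply ends on.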