How to generate an Android SBOM per build with GitHub Actions

If you’d like to generate an Android SBOM every time you build your app, you can combine the techniques covered in earlier posts on this blog and run them in GitHub Actions together with NowSecure. If you’re not a NowSecure customer, first sign up for 10 free SBOMs so you can follow along with the tutorial. To brush up on those earlier techniques, see my blog post and video on generating an Android SBOM in CycloneDX format.

How to generate an Android (React Native) SBOM in CycloneDX format

Let’s walk through the steps for generating a mobile SBOM for an Android app and compare the results of source-code analysis with those of binary analysis. So that everyone can follow along, I decided to use the excellent open source note-taking app Joplin. The source code is available on GitHub, and there are multiple flavors of the app, including Android and iOS versions. The project also has a great article on building the Joplin applications, which you can follow instead of the directions below if you prefer.

How to generate a Nodejs SBOM in CycloneDX format

Generating an SBOM can sometimes be very simple and other times a royal pain. For this first SBOM tutorial, I’m going down the very simple path! :-) Using the open source ios-triage app, the following steps build a CycloneDX SBOM in JSON format. As I’m hoping this blog is useful for folks new to security and/or programming, I’m going to take a step-by-step approach. Note: these commands were run on macOS but can easily be adapted for Linux or Windows.
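Once you have a CycloneDX JSON SBOM per build (the per-build setup in the first post) or one from source analysis and one from binary analysis (the comparison in the Joplin post), the useful next step is to diff them by component. The JavaScript below is an added example, not code from any of these posts or from the CycloneDX project: it does a basic sanity check on the `bomFormat`/`specVersion` fields, keys each component by its package URL with the version stripped (falling back to group/name), and reports what was added, removed or changed version between two documents. Both SBOM objects are constructed inline for illustration; their component names and versions are made up and do not describe any real build of the apps mentioned above.

```javascript
// Added example (not from the blog posts): diff two CycloneDX JSON SBOMs by component.
// Both documents below are constructed sample data, not output from a real build.

const baseBom = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  components: [
    { type: "library", name: "react-native", version: "0.71.0", purl: "pkg:npm/react-native@0.71.0" },
    { type: "library", name: "lodash", version: "4.17.20", purl: "pkg:npm/lodash@4.17.20" },
    { type: "library", name: "left-pad", version: "1.3.0", purl: "pkg:npm/left-pad@1.3.0" },
  ],
};

const newBom = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  components: [
    { type: "library", name: "react-native", version: "0.71.0", purl: "pkg:npm/react-native@0.71.0" },
    { type: "library", name: "lodash", version: "4.17.21", purl: "pkg:npm/lodash@4.17.21" },
    // A native dependency that only shows up in binary analysis, for example.
    { type: "library", group: "com.squareup.okhttp3", name: "okhttp", version: "4.10.0",
      purl: "pkg:maven/com.squareup.okhttp3/okhttp@4.10.0" },
  ],
};

// Refuse anything that is not a CycloneDX document; return its component list (possibly empty).
function checkCycloneDx(bom) {
  if (!bom || bom.bomFormat !== "CycloneDX") {
    throw new Error(`not a CycloneDX SBOM (bomFormat=${bom && bom.bomFormat})`);
  }
  if (typeof bom.specVersion !== "string") {
    throw new Error("CycloneDX SBOM is missing specVersion");
  }
  return Array.isArray(bom.components) ? bom.components : [];
}

// Identity of a component independent of its version: the purl minus "@version",
// with qualifiers ("?...") and subpath ("#...") dropped first. Scoped npm packages
// encode their "@" as "%40", so stripping the last "@..." is safe. Fallback: group/name.
function componentKey(c) {
  if (typeof c.purl === "string" && c.purl.startsWith("pkg:")) {
    const [base] = c.purl.split(/[?#]/);
    return base.replace(/@[^@]*$/, "");
  }
  return c.group ? `${c.group}/${c.name}` : String(c.name);
}

// Compare two SBOMs: components only in the new one, only in the old one, or present
// in both with a different version.
function diffSboms(oldBom, newerBom) {
  const before = new Map(checkCycloneDx(oldBom).map((c) => [componentKey(c), c]));
  const after = new Map(checkCycloneDx(newerBom).map((c) => [componentKey(c), c]));
  const result = { added: [], removed: [], changed: [] };
  for (const [key, c] of after) {
    const prev = before.get(key);
    if (!prev) {
      result.added.push(key);
    } else if (prev.version !== c.version) {
      result.changed.push({ key, from: prev.version, to: c.version });
    }
  }
  for (const key of before.keys()) {
    if (!after.has(key)) result.removed.push(key);
  }
  return result;
}

// Human-readable report, one line per difference, suitable for a CI job summary.
function formatDiff(diff) {
  return [
    ...diff.added.map((k) => `+ ${k}`),
    ...diff.removed.map((k) => `- ${k}`),
    ...diff.changed.map((c) => `~ ${c.key} ${c.from} -> ${c.to}`),
  ];
}

console.log(formatDiff(diffSboms(baseBom, newBom)).join("\n"));
```

In a per-build pipeline you would load the previous build's `bom.json` and the current one with `JSON.parse` and fail or annotate the job when `added` or `changed` is non-empty; for the source-versus-binary comparison the same diff shows which dependencies only one analysis technique was able to see.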