There are many Android source code scanners out there. This is mine. It more or less implements the OWASP Mobile Test Plan and POINT's research. It's simple, but you miss 100% of the balls you don't swing at.
This application requires Python 3. It accepts two optional parameters: the output file and the input directory where the Android project lives. If you are lacking the source code, you can reverse it from the APK file. I recommend JD-GUI to reverse from the smali to Java. It works pretty well, unless the code is obfuscated.
That isn't done, obviously. I'll get back to it.
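To make the scanner's shape concrete, here is a small added example (my own code, not this project's) of what such a tool looks like: an optional output file, an optional project directory, and a handful of per-line regex checks drawn from common OWASP Mobile Test Guide items. The check set, finding ids, `-o`/`-d` flag names and the sample project contents are assumptions for illustration, not what the original scanner implements.

```python
import argparse, json, os, re, sys, tempfile
from pathlib import Path
# Per-line regex checks; ids are this example's own labels, not the page's tool's.
MANIFEST_CHECKS = {  # applied to AndroidManifest.xml
    "debuggable": re.compile(r'android:debuggable\s*=\s*"true"'),
    "allow_backup": re.compile(r'android:allowBackup\s*=\s*"true"'),
    "exported_no_permission": re.compile(  # exported tag lacking android:permission
        r'<(activity|service|receiver|provider)\b(?![^>]*android:permission=)'
        r'[^>]*android:exported\s*=\s*"true"'),
}
SOURCE_CHECKS = {  # applied to *.java / *.kt
    "webview_js_enabled": re.compile(r'setJavaScriptEnabled\s*\(\s*true\s*\)'),
    "cleartext_http_url": re.compile(r'"http://[^"]+"'),
}
def scan_text(text, checks, path):
    """Apply each check line by line; return one finding dict per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for fid, rx in checks.items():
            if rx.search(line):
                findings.append({"id": fid, "file": path, "line": lineno})
    return findings
def scan_project(root):
    """Walk an Android project tree and run the matching check set on each file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            checks = (MANIFEST_CHECKS if name == "AndroidManifest.xml" else
                      SOURCE_CHECKS if name.endswith((".java", ".kt")) else None)
            if checks:
                path = Path(dirpath, name)
                text = path.read_text(encoding="utf-8", errors="replace")
                findings.extend(scan_text(text, checks, str(path.relative_to(root))))
    return findings
# Constructed sample project (not a real app) used by demo().
SAMPLE_MANIFEST = ('<application android:debuggable="true" android:allowBackup="false">\n'
                   '<activity android:name=".Main" android:exported="true"/>\n'
                   '<service android:name=".Sync" android:exported="true" android:permission="app.SYNC"/>\n')
SAMPLE_JAVA = 'view.getSettings().setJavaScriptEnabled(true);\nString u = "http://api.example.invalid/v1";\n'
def demo():
    """Write the sample project to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "AndroidManifest.xml").write_text(SAMPLE_MANIFEST)
        Path(root, "Main.java").write_text(SAMPLE_JAVA)
        return scan_project(root)
if __name__ == "__main__":  # CLI shape assumed: output file and project dir both optional
    ap = argparse.ArgumentParser(description="tiny Android source scanner (added example)")
    ap.add_argument("-o", "--output", help="report file (default: stdout)")
    ap.add_argument("-d", "--dir", default=".", help="Android project directory")
    args = ap.parse_args()
    report = json.dumps(scan_project(args.dir), indent=2) + "\n"
    Path(args.output).write_text(report) if args.output else sys.stdout.write(report)
```

Line-based regexes are deliberately cheap: a manifest tag split across lines, or a URL built at runtime, will be missed, which is the usual trade-off a quick scanner like this makes in exchange for zero build dependencies.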