flowdroid's Introduction

FlowDroid Data Flow Analysis Tool

This repository hosts the FlowDroid data flow analysis tool. FlowDroid statically computes data flows in Android apps and Java programs. Its goal is to provide researchers and practitioners with a tool and library on which they can base their own research projects and product implementations. We are happy to see that FlowDroid is now widely used in academia as well as industry.

Obtaining The Tool

You can either build FlowDroid on your own using Maven, or you can download a release from here on GitHub.

Downloading The Release Via Maven

FlowDroid can now be found on Maven Central. In order to use FlowDroid in your Maven build, include the following in your pom.xml file. We recommend using the latest and greatest version unless you have a specific issue that prevents you from doing so. In that case, please let us know (see contact below).

    <dependencies>
        <dependency>
            <groupId>de.fraunhofer.sit.sse.flowdroid</groupId>
            <artifactId>soot-infoflow</artifactId>
            <version>2.12.0</version>
        </dependency>
        <dependency>
            <groupId>de.fraunhofer.sit.sse.flowdroid</groupId>
            <artifactId>soot-infoflow-summaries</artifactId>
            <version>2.12.0</version>
        </dependency>
        <dependency>
            <groupId>de.fraunhofer.sit.sse.flowdroid</groupId>
            <artifactId>soot-infoflow-android</artifactId>
            <version>2.12.0</version>
        </dependency>
    </dependencies>

For a quick start with FlowDroid, look at "Using The Data Flow Tracker" below. If you only want to use the command-line tool, all you need is the "soot-infoflow-cmd-jar-with-dependencies.jar" file.

Downloading The Release Via GitHub

The Release Page contains all pre-built JAR files for each release that we officially publish. We recommend using the latest and greatest version unless you have a specific issue that prevents you from doing so. In that case, please let us know (see contact below).

For a quick start with FlowDroid, look at "Using The Data Flow Tracker" below. If you only want to use the command-line tool, all you need is the "soot-infoflow-cmd-jar-with-dependencies.jar" file.

Building The Tool With Maven

Requirements:

  • JDK 11 or above
  • Maven
  • The current snapshot of Soot installed

The first time you build FlowDroid, build it from the parent module, i.e. the project's root folder. The full test suite takes around 30 minutes, so we recommend disabling the tests when building:

mvn install -DskipTests

To run the build with tests enabled, some additional steps are needed:

  • JDK 8 must be installed
  • The rt.jar must be at the default location (alternatively, place the rt.jar inside $JAVA_HOME/lib/)
  • The DroidBench submodule must be initialized (clone with --recursive)
  • ANDROID_JARS environment variable must be set to the android platforms directory (typically $HOME/Android/Sdk/platforms/)

Building The Tool With Eclipse

We work on FlowDroid using the Eclipse IDE. All modules are Eclipse projects and can be imported into the Eclipse IDE. They will appear as Maven projects there and Eclipse should take care of downloading all required dependencies for you.

Using The Data Flow Tracker

You can use FlowDroid either through its command-line interface (module soot-infoflow-cmd) or as a library. In general, if you would like to implement something and need a data flow tracker as a component, you are better off integrating the FlowDroid modules as JAR files. If you just need the results quickly, simply run the command-line interface.

FlowDroid is supported on Windows, Mac OS, and Linux.

Running The Command-Line Tool

If you want to use the command-line tool to run the data flow tracker, you can use the following command:

java -jar soot-infoflow-cmd/target/soot-infoflow-cmd-jar-with-dependencies.jar \
    -a <APK File> \
    -p <Android JAR folder> \
    -s <SourcesSinks file>

The Android JAR folder is the "platforms" directory inside your Android SDK installation folder. The definition file for sources and sinks defines what shall be treated as a source of sensitive information and what shall be treated as a sink that can possibly leak sensitive data to the outside world. These definitions are specific to your use case. However, if you are looking for privacy issues, you can use our default file "SourcesAndSinks.txt" in the "soot-infoflow-android" folder as a starting point.
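A pre-flight check for a custom sources-and-sinks file, as an added example (not FlowDroid's own parser; the names `lint_sources_sinks` and `count_roles` are hypothetical). It assumes the one-entry-per-line shape `<class: returnType method(params)> -> _SOURCE_` that appears in the issue reports on this page, the labels `_SOURCE_`, `_SINK_` and `_BOTH_`, optional permission tokens before the arrow, and `%` comment lines; pass a narrower `allowed_labels` to find entries that a release without `_BOTH_` support would reject.

```python
import re
from dataclasses import dataclass

# Soot-style method signature: <declaring.Class: return.Type name(param,types)>
SIGNATURE = re.compile(
    r"^<(?P<cls>[\w.$]+):\s+(?P<ret>[\w.$\[\]]+)\s+"
    r"(?P<name>[\w$<>]+)\((?P<params>[^()]*)\)>"
)
KNOWN_LABELS = frozenset({"_SOURCE_", "_SINK_", "_BOTH_"})

# Constructed sample for this example; not FlowDroid's default SourcesAndSinks.txt.
SAMPLE = """\
% constructed sample definitions
<java.lang.Object: java.lang.String[] dummyNewArray()> -> _SOURCE_
<android.util.Log: int d(java.lang.String,java.lang.String)> -> _SINK_
<java.net.URL: void <init>(java.lang.String)> -> _BOTH_
<java.net.URL: java.lang.String toString()> -> _SNK_
<android.util.Log: int d(java.lang.String,java.lang.String)> -> _SOURCE_
java.net.URL: java.lang.String toString() -> _SINK_
"""


@dataclass(frozen=True)
class Entry:
    line_no: int
    cls: str
    ret: str
    name: str
    params: tuple
    permissions: tuple
    label: str


def lint_sources_sinks(text, allowed_labels=KNOWN_LABELS):
    """Return (entries, problems); problems is a list of (line_no, message)."""
    entries, problems, seen = [], [], {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("%"):  # assumption: '%' starts a comment
            continue
        head, arrow, label = line.rpartition("->")
        label = label.strip()
        if not arrow:
            problems.append((line_no, "no '-> LABEL' part"))
            continue
        if label not in allowed_labels:
            problems.append((line_no, f"label {label!r} is not accepted"))
            continue
        head = head.strip()
        match = SIGNATURE.match(head)
        if match is None:
            problems.append((line_no, "malformed method signature"))
            continue
        params = tuple(p.strip() for p in match["params"].split(",") if p.strip())
        key = (match["cls"], match["ret"], match["name"], params)
        if key in seen:
            first_label, first_line = seen[key]
            if first_label != label:
                # Same method labelled two different ways: make the author decide.
                problems.append((line_no, f"conflicts with line {first_line}"))
            continue  # exact duplicates are skipped silently
        seen[key] = (label, line_no)
        # Anything between the signature and the arrow is kept as permission
        # tokens (assumption about the file format).
        permissions = tuple(head[match.end():].split())
        entries.append(Entry(line_no, *key, permissions, label))
    return entries, problems


def count_roles(entries):
    """Return (number of sources, number of sinks); _BOTH_ counts for each."""
    sources = sum(e.label in ("_SOURCE_", "_BOTH_") for e in entries)
    sinks = sum(e.label in ("_SINK_", "_BOTH_") for e in entries)
    return sources, sinks


if __name__ == "__main__":
    good, bad = lint_sources_sinks(SAMPLE)
    print("sources/sinks defined:", count_roles(good))
    for line_no, message in bad:
        print(f"line {line_no}: {message}")
```

Running the check before a long analysis catches a mistyped label or signature up front, and the source and sink counts show whether the file defines both ends of a flow.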

For the other options of the command-line tool, run the tool with the "--help" option or have a look at the "MainClass.initializeCommandLineOptions()" method in the source code (module soot-infoflow-cmd).

Configuring FlowDroid for Performance

For large apps, FlowDroid can take a very long time. There are various options with which you can configure a tradeoff between performance, precision and recall.

  • -ns Do not track taints on static fields and disregard static initializers.
  • -ne Do not track exceptional flows.

You can also define timeouts:

  • -dt N Aborts the data flow analysis after N seconds and returns the results obtained so far.
  • -ct N Aborts the callback collection during callgraph construction after N seconds and continues with the (incomplete) callgraph constructed so far.
  • -rt N Aborts the result collection after N seconds and returns the results obtained so far.

Note that timeouts are additive. All three stages must complete or run into a timeout for the tool to return and deliver results.

Using FlowDroid as a library

If you want to include FlowDroid as a library into your own solution, you can directly reference the respective JAR files. If you use Maven, you can add FlowDroid as a reference and have Maven resolve all required components. Depending on what you want to analyze (Android apps or Java programs), your dependencies may vary.

In this section, we will collect code and configuration snippets for common tasks with FlowDroid.

To run a simple data flow analysis, you can use the following code. You need to replace the placeholder androidJarFolder with the location of the platforms directory in your Android SDK installation. The placeholder apkPath refers to the full file path of the APK file. The data flow results are accessible via the InfoflowResults class.

SetupApplication app = new SetupApplication(androidJarFolder, apkPath);
app.setTaintWrapper(new SummaryTaintWrapper(new LazySummaryProvider("summariesManual")));
InfoflowResults results = app.runInfoflow();

The data flow analysis uses the default StubDroid library summaries. In the default configuration, these summaries are stored in the summariesManual folder and there is no need to change that.

Publications

If you want to read the details on how FlowDroid works, the PhD thesis of Steven Arzt is a good place to start.

Contributing to FlowDroid

Contributions are always welcome. FlowDroid is an open source project that we published in the hope that it will be useful to the research community as a whole. If you have a new feature or a bug fix that you would like to see in the official code repository, please open a merge request here on GitHub and contact us (see below) with a short description of what you have done.

License

FlowDroid is licensed under the LGPL license, see LICENSE file. This basically means that you are free to use the tool (even in commercial, closed-source projects). However, if you extend or modify the tool, you must make your changes available under the LGPL as well. This ensures that we can continue to improve the tool as a community effort.

Contact

If you experience any issues, you can ask for help on the Soot mailing list. You can also contact us at [email protected].

flowdroid's Issues

Error analysing APK

Hi,
I tried to analyze an Android malware sample (hash 037c4f5b2cf06c5b18d98c32744621f03e550f2a2ca6485348d188f7b7b5ee99) with FlowDroid.

I used the newest FlowDroid version (from the release packages).

I used the following command to start the analysis:
java -jar soot-infoflow-cmd-jar-with-dependencies.jar -a 037c4f5b2cf06c5b18d98c32744621f03e550f2a2ca6485348d188f7b7b5ee99 -p "H:\Android\Sdk\platforms" -s sas.txt

Sadly, I get the following error: "Invalid class source type"

[main] INFO soot.jimple.infoflow.taintWrappers.EasyTaintWrapper - Loaded wrapper entries for 89 classes and 12 exclusions.
[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
Found dex file 'classes.dex' with 5422 classes in 'H:\037c4f5b2cf06c5b18d98c32744621f03e550f2a2ca6485348d188f7b7b5ee99'
The data flow analysis has failed. Error message: Invalid class source type
java.lang.RuntimeException: Invalid class source type
        at soot.SourceLocator.getClassesUnder(SourceLocator.java:378)
        at soot.SourceLocator.getClassesUnder(SourceLocator.java:290)
        at soot.Scene.loadNecessaryClasses(Scene.java:1602)
        at soot.jimple.infoflow.android.SetupApplication.initializeSoot(SetupApplication.java:1121)
        at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1313)
        at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1285)
        at soot.jimple.infoflow.cmd.MainClass.run(MainClass.java:236)
        at soot.jimple.infoflow.cmd.MainClass.main(MainClass.java:196)

Can't build the latest FlowDroid 2.6 SNAPSHOT

I tried to build by mvn install the latest 2.6 SNAPSHOT from both develop and master branches. They both failed.

The error message is

[INFO] Reactor Summary:
[INFO]
[INFO] soot-infoflow ...................................... FAILURE [ 20.968 s]
[INFO] soot-infoflow-android .............................. SKIPPED
[INFO] StubDroid .......................................... SKIPPED
[INFO] FlowDroid Command Line Util ........................ SKIPPED
[INFO] FlowDroid Parent Module ............................ SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 21.184 s
[INFO] Finished at: 2018-09-06T22:02:18Z
[INFO] Final Memory: 25M/267M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.2:compile (default-compile) on project soot-infoflow: Compilation failure
[ERROR] /home/hanzhang/FlowDroid/soot-infoflow/src/soot/jimple/infoflow/solver/fastSolver/InfoflowSolver.java:[117,37] cannot find symbol
[ERROR] symbol: method invalidate()
[ERROR] location: variable ffCache of type heros.FlowFunctionCache<N,D,soot.SootMethod>
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

It looks like @StevenArzt added an invalidate() method to Heros (soot-oss/heros@c740e6b) fairly recently (15 days ago).

During mvn install, it tries to retrieve Heros-1.0.1-SNAPSHOT from soot-release (https://soot-build.cs.uni-paderborn.de/nexus/repository/soot-release/heros/heros/1.0.1-SNAPSHOT) and soot-snapshot (https://soot-build.cs.uni-paderborn.de/nexus/repository/soot-snapshot/heros/heros/1.0.1-SNAPSHOT).

From soot-snapshot, the latest Heros-1.0.1-SNAPSHOT is from April (https://soot-build.cs.uni-paderborn.de/nexus/#browse/browse/components:soot-snapshot:36e3dec8de528c9b26d8dfec9104f3e7), which doesn't reflect the change. As this log message shows:

Downloading from soot-snapshot: https://soot-build.cs.uni-paderborn.de/nexus/repository/soot-snapshot/heros/heros/1.0.1-SNAPSHOT/heros-1.0.1-20180418.125229-1.pom

From soot-release, I received the error message as

[WARNING] Could not transfer metadata heros:heros:1.0.1-SNAPSHOT/maven-metadata.xml from/to soot-release (https://soot-build.cs.uni-paderborn.de/nexus/repository/soot-release/): Failed to transfer file: https://soot-build.cs.uni-paderborn.de/nexus/repository/soot-release/heros/heros/1.0.1-SNAPSHOT/maven-metadata.xml. Return code is: 400 , ReasonPhrase:Repository version policy: RELEASE does not allow metadata in path: heros/heros/1.0.1-SNAPSHOT/maven-metadata.xml.

Would there be any suggestions on how to fix this error?

Treat array declarations as sources

Hi all,

I am trying to configure FlowDroid to use variable declarations of String arrays as flow sources (e.g., newarray (java.lang.String)[3];). It appears that FlowDroid only supports specifying methods as sources and sinks. I've tried to convert variable declaration into dummy methods, but that did not work either, with errors related to IFDS solver (heros). The details are below.

  1. I created a dummy method called dummyNewArray() which returns the original String array, under class java.lang.Object. I choose this class since String array is a subclass of class Object. Please see method MyModification::createDummyNewArrayMethod() for details. Resultant Jimple looks like the following:
public java.lang.String[] dummyNewArray()
{
    java.lang.Object this;
    this := @this: java.lang.Object;
    return this;
}

MyModification.java.txt

  2. In soot.jimple.infoflow.android.SetupApplication::initializeSoot(boolean), after executing Scene.v().loadNecessaryClasses, I replace all NewArrayExprs with the call to the dummy method. One example of the final result is:
$r1 = newarray (java.lang.String)[3];
$r1 = virtualinvoke $r1.<java.lang.Object: java.lang.String[] dummyNewArray()>();
$r1[0] = "aid";
$r1[1] = "androidid";
$r1[2] = "limit_tracking";

SetupApplication.java.txt

  3. I added <java.lang.Object: java.lang.String[] dummyNewArray()> -> _SOURCE_ in SourceAndSinks.txt.

However, it doesn't work with errors related to IFDS solver (heros). I think key problems are NullPointerException (Listing 1) and the summary of the method cannot be generated (Listing 2). A full log is enclosed in the attachment.

  • Listing 1:
[Thread-6] ERROR heros.solver.CountingThreadPoolExecutor - Worker thread execution failed: null
java.lang.NullPointerException
	at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:210)
	at com.google.common.cache.LocalCache.get(LocalCache.java:3936)
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3941)
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4824)
	at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4830)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.getOrCreateUnitGraph(AbstractJimpleBasedICFG.java:104)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.getPredsOf(AbstractJimpleBasedICFG.java:206)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.getPredsOf(AbstractJimpleBasedICFG.java:1)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.getPredsOfCallAt(InfoflowCFG.java:222)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.getPredsOfCallAt(InfoflowCFG.java:1)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.getReturnSitesOfCallAt(BackwardsInterproceduralCFG.java:56)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.getReturnSitesOfCallAt(BackwardsInterproceduralCFG.java:1)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.getReturnSitesOfCallAt(InfoflowCFG.java:202)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.getReturnSitesOfCallAt(InfoflowCFG.java:1)
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.processExit(IFDSSolver.java:510)
	at soot.jimple.infoflow.solver.fastSolver.InfoflowSolver.processExit(InfoflowSolver.java:125)
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.run(IFDSSolver.java:739)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
  • Listing 2:
[Thread-2] ERROR soot.jimple.infoflow.methodSummary.data.provider.LazySummaryProvider - An error occurred while loading the summary of java.util.Arrays
[Thread-5] ERROR soot.jimple.infoflow.methodSummary.data.provider.LazySummaryProvider - An error occurred while loading the summary of java.lang.String

error.txt

I confirmed that these errors only occur when <java.lang.Object: java.lang.String[] dummyNewArray()> -> _SOURCE_ is added. Without this line, everything else works well.

Could you please look into my issue and provide me some suggestions to handle this case? Thank you in advance.

Using FlowDroid to detect sources and sinks leaks with its categories

Hello there,

I am looking forward to using FlowDroid to detect sources and sinks with its categories (from SuSi).
By running FlowDroid from CMD with/without specifying a configuration file, it requires a single file, which is SourcesAndSinks.txt, and this file doesn't have the category inside it.
Could you provide me any resources or details to help me?

Thank you in advance.

how to track a specific variable?

Hi,

Can I know how to track an arbitrary variable, rather than a function's return value?
for example, there is a function f(a, b, c). Is there a way to only track "b"?

Best wishes

Analysis was aborted & not sure if callgraph was generated

Hi,

I am trying to use the command line tool to run the data flow tracker. I used the following command:
java -jar soot-infoflow-cmd/target/soot-infoflow-cmd-jar-with-dependencies.jar -a Google_Duo_v24.0.178310191.DR24.0_RC13_apkpure.com.apk -p /home/choco/Android/Sdk/platforms -s /home/choco/Desktop/FlowDroid/FlowDroid-2.5.1/soot-infoflow-android/SourcesAndSinks.txt -o /home/choco/Desktop/FlowDroid/FlowDroid-2.5.1/analysis_output/output2.xml

However, I received a message saying "For information on where the call graph may be incomplete, use the verbose option to the cg phase" and an error stating "[main] ERROR soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No sources found, aborting analysis".

The attachment below is the full output when I executed the command:
output.docx

I am currently using this APK as a test. In my Android Platforms directory, it has android-23 and android-27 folders. I have also used the default "SourcesAndSinks.txt" file that can be found in the "soot-infoflow-android" folder.
I'm not sure if the callgraph was generated but since the analysis was aborted, I presume the callgraph was not generated and the XML file that contains the DataFlowResults is empty too.

Really appreciate any feedback that I can get :)

questions about Thread.<init> and Handler.post

Hi @StevenArzt ,

May I know where Thread.init(Runnable) and Handler.post(Runnable) are handled? It seems they mess up the call graph.

For example, a generated call path may be A -> Thread.init -> B, but a better way may be A -> B. In my test, Thread.<init> and Handler.post both appear in the CG as a common node, which generates some wrong paths.

Regards

[Question] AndroidCallbacks.txt was not found

Hi Steven,

First of all, thank you very much for the quick reply on #56. As I'm trying to run the code you gave, an error occurred with the error message
[main] ERROR soot.jimple.infoflow.android.SetupApplication - Callgraph construction failed: Resource /AndroidCallbacks.txt was not found.
I thought it's not really related to the original question so I started a new thread.

Here's what I've done:

  1. I built FlowDroid v.2.5.1 from source with Intellij.
  2. I created a new java class CFG.java inside package soot.jimple.infoflow.android and in that class I have the main function exactly as given in #56 (only changed paths to sdk and apk).

When I run the CFG class, the error mentioned above occurred; however, the resource AndroidCallbacks.txt is present in the root directory of soot-infoflow-android.

Did I do anything wrong in the process and what should I do to eliminate this error?

@StevenArzt

Kind regards,
Zhijun

Result Serialization ICFG always null

Hi, I noticed that when reporting FlowDroid results in SetupApplication.java in runInfoflow() method (towards the end), the ICFG gets always set to null by resultAggregator.clearLastResults() before calling serializeResults(resultAggregator.getAggregatedResults(), resultAggregator.getLastICFG()).

It results in an xml output with less information (for example you can't get the method attribute)

Call graph for unreachable methods

Hey, I'm trying to build a call graph for all the methods of an APK. More precisely, I would like to know for each method all the methods that it calls.
When using:
SetupApplication app = new SetupApplication(androidJarPath, apkPath);
app.constructCallgraph();
it works great, but the methods that are unreachable (unused) do not seem to appear in the call graph.
I have tried to use the Soot option "all-reachable" but this did not help.

What am I doing wrong?
Thanks in advance!

Lost taint label after constructor call

Hi Steven,

Recently I ran into some issue with taint propagation with URL class constructor call. Assume we have the following code

String urlString = "tainted string";
URL url = new URL(urlString);

// Log.d(tag_1, urlString);
Log.d(tag_2, url.toString());

I'm running FlowDroid in develop branch.

Running with default dataflow solver, FlowDroid couldn't find the path from taint source to Log.d(tag_2, url.toString());. If we comment out the first log, we will get a path from taint source to Log.d(tag_1, urlString);. Therefore I suspect there is some issue with taint propagation with URL constructor.

I tried adding either <java.net.URL: java.lang.String toString()> or ^<java.net.URL: java.lang.String toString()> to the soot-infoflow/EasyTaintWrapper.txt and recompile project. It didn't work.

Is the EasyTaintWrapper.txt right file to look at? If so, what would you suggest to be the best way to fix the taint propagation issue on URL constructor? Ideally, I would like to taint the whole object with the same taint label as the urlString.

Thanks!

Analysis time between the old version and 2.5.1

Hi,
Currently, I'm trying to switch from using the previous versions of FlowDroid to the current version (2.5.1).
As I can see, the current version never finishes its job, it exceeded more than 12 hours, but the previous one has used only 28-29 seconds for the same APK file.

Here is the command for 2.5.1 which I use:
java -Xmx60g -jar soot-infoflow-cmd-jar-with-dependencies.jar -a app_test1.apk -p /FlowDroid/android-platforms/platforms -s SourcesAndSinks.txt -o flowdroid/test.xml --nostatic --aliasflowins --aplength 1 --noexceptions

The previous version:
java -Xmx60g -cp soot-trunk.jar:soot-infoflow.jar:soot-infoflow-android.jar:slf4j-api-1.7.5.jar:slf4j-simple-1.7.5.jar:axml-2.0.jar soot.jimple.infoflow.android.TestApps.Test ../source/app_test1.apk /FlowDroid/android-platforms/platforms
...
Maximum memory consumption: 1535.117312 MB
Analysis has run for 28.42890296 seconds

Please give me advice to optimise this.

Cheers

Error on some apks when running FlowDroid either from command line and programmatically

Hi there,

I'm experiencing a new error on multiple APKs when running FlowDroid on them:

[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 9 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
The data flow analysis has failed. Error message: not declared: dummyMainMethod_m
java.lang.RuntimeException: not declared: dummyMainMethod_m
	at soot.SootMethod.getDeclaringClass(SootMethod.java:220)
	at soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator.removeGeneratedMethods(AndroidEntryPointCreator.java:551)
	at soot.jimple.infoflow.android.SetupApplication.createEntryPointCreator(SetupApplication.java:1553)
	at soot.jimple.infoflow.android.SetupApplication.createMainMethod(SetupApplication.java:1034)
	at soot.jimple.infoflow.android.SetupApplication.calculateCallbackMethods(SetupApplication.java:685)
	at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:494)
	at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:462)
	at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1385)
	at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1318)
	at soot.jimple.infoflow.cmd.MainClass.run(MainClass.java:236)
	at soot.jimple.infoflow.cmd.MainClass.main(MainClass.java:196)

No idea where the error comes from.
Here is the APK on which I have the error:
https://transfer.sh/Mqolf/test.apk

Thank you in advance !

Convert Jimple files to dex (The file "parser.dat" is either missing or corrupted)

Hi,
I'm using FlowDroid for static analysis on Android and I'm trying to parse a Jimple file to get back a Soot class, but I get this:
Exception in thread "main" java.lang.ExceptionInInitializerError
at Jimple_parser.parse(Jimple_parser.java:23)
at Instrumenter.main(Instrumenter.java:43)
Caused by: java.lang.RuntimeException: The file "parser.dat" is either missing or corrupted.
at soot.jimple.parser.parser.Parser.<init>(Parser.java:7588)
... 2 more

This probably refers to this Soot issue: soot-oss/soot#726.
I tried to download the nightly build but the server seems down.
How can I fix this?
Thanks

Any way to update AndroidManifest file with a new permission ?

Hi,

I'm currently trying to add an Android permission to a given AndroidManifest.xml file in an APK.
I'm using the ProcessManifest.addPermission method, which adds an XML node to the AxmlNode manifest, but I don't see any way to commit this change to the actual AndroidManifest.xml file.
Is there any helper to do that in FlowDroid, or do I need to write all the AxmlNode into the file myself?

Thank you for your help !

How to make FlowDroid analyze one component at a time?

Hello, Sir, I learned that FlowDroid can analyze one component at a time from the PhD thesis of Steven Arzt, but I can't get the further information about it and I don't know how to make FlowDroid work in this mode. Can you give me some guidance? I'm looking forward to your reply. Thanks for your attention!

error in target definition: _BOTH_

Hi Steven,
I just tried FlowDroid-2.6. In the SourcesAndSinks.txt file there is a new notation _BOTH_ introduced; however, the parser doesn't recognize it.

[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
[main] INFO soot.jimple.infoflow.android.SetupApplication - ARSC file parsing took 0.040639845 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Collecting callbacks in DEFAULT mode...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Callback analysis done.
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class DateTimeView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class DateTimeView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.view.menu.ActionMenuItemView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.ActionMenuView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.ActionBarContextView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class view
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.ButtonBarLayout
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v4.widget.Space
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.AlertDialogLayout
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v4.widget.NestedScrollView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v4.widget.Space
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v4.widget.Space
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.DialogTitle
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v4.widget.Space
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.FitWindowsLinearLayout
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.view.menu.ExpandedMenuView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.view.menu.ListMenuItemView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.view.menu.ListMenuItemView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.ContentFrameLayout
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.FitWindowsLinearLayout
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.ViewStubCompat
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.FitWindowsFrameLayout
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.ViewStubCompat
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.ActionBarOverlayLayout
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.ActionBarContainer
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.Toolbar
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.v7.widget.ActionBarContextView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class view
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class view
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.constraint.ConstraintLayout
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class DateTimeView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class DateTimeView
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class DateTimeView
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 1 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Callback analysis terminated normally
[main] INFO soot.jimple.infoflow.android.SetupApplication - Entry point calculation done.
Exception in thread "main" java.lang.RuntimeException: error in target definition: _BOTH_
	at soot.jimple.infoflow.android.data.parsers.PermissionMethodParser.parseMethod(PermissionMethodParser.java:237)
	at soot.jimple.infoflow.android.data.parsers.PermissionMethodParser.createMethod(PermissionMethodParser.java:159)
	at soot.jimple.infoflow.android.data.parsers.PermissionMethodParser.parse(PermissionMethodParser.java:135)
	at soot.jimple.infoflow.android.data.parsers.PermissionMethodParser.getSources(PermissionMethodParser.java:110)
	at soot.jimple.infoflow.android.SetupApplication.createSourceSinkManager(SetupApplication.java:524)
	at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:500)
	at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:447)
	at soot.jimple.infoflow.android.SetupApplication.processEntryPoint(SetupApplication.java:1392)
	at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1361)
	at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1307)
	at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1272)
	at de.upb.swt.ConfigOp.Main.main(Main.java:16)

How to instrument an APK file with a custom library in FlowDroid 2.0?

    public class InstrumentListener {
        public static SootField $flyTrace = new SootField("$flyTrace",
                RefType.v("com.google.common.collect.LinkedHashMultimap"),
                Modifier.PUBLIC | Modifier.STATIC);

        public static SootField $invokeSite = new SootField("$invokeSite", IntType.v(), Modifier.PUBLIC | Modifier.STATIC);

        public static void main(String[] args) throws IOException, XmlPullParserException {
            String androidPlatformPath = "G:/androidsdk/platforms";
            String appPath = "G:/Program Files (x86)/MyEclipse 2016/Workspaces/JudgeUserAnalysis2/apk/JudgeUser.apk";
            String sourceAndSinksFilePath = "G:/Program Files (x86)/MyEclipse 2016/Workspaces/JudgeUserAnalysis2/lib/SourcesAndSinks.txt";
            String callBacksFilePath = "G:/Program Files (x86)/MyEclipse 2016/Workspaces/JudgeUserAnalysis2/lib/AndroidCallbacks.txt";

            SetupApplication app = new SetupApplication(androidPlatformPath, appPath);
            app.setCallbackFile(callBacksFilePath);
            app.runInfoflow(sourceAndSinksFilePath);

            // soot.G.reset();

            // Options.v().set_app(true);
            Options.v().set_java_version(Options.java_version_1_8);
            Options.v().set_src_prec(Options.src_prec_apk);
            Options.v().set_output_format(Options.output_format_jimple);
            // Options.v().set_output_format(Options.output_format_dex);
            // Options.v().set_output_dir(SourceLocator.v().getOutputDir() + "\outApk");

            Options.v().set_android_jars(androidPlatformPath);
            Options.v().set_android_api_version(19);
            Options.v().set_process_dir(Collections.singletonList(appPath));
            Options.v().set_whole_program(true);
            Options.v().set_no_bodies_for_excluded(true);
            Options.v().set_allow_phantom_refs(true);
            Options.v().setPhaseOption("cg.spark", "on");

            SootMethod entryPoint = app.getDummyMainMethod();
            entryPoint.setName("main");
            Options.v().set_main_class(entryPoint.getDeclaringClass().getName());
            Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
            Scene.v().loadNecessaryClasses();
            Scene.v().loadBasicClasses();
            Scene.v().loadDynamicClasses();

            Scene.v().addBasicClass("com.google.common.collect.LinkedHashMultimap", SootClass.SIGNATURES);
            Scene.v().addBasicClass("java.util.HashMap", SootClass.SIGNATURES);
            Scene.v().addBasicClass("java.util.LinkedHashMap", SootClass.SIGNATURES);
            Scene.v().addBasicClass("java.io.FileOutputStream", SootClass.SIGNATURES);
            Scene.v().addBasicClass("java.lang.Object", SootClass.SIGNATURES);
            Scene.v().addBasicClass("java.lang.Runnable", SootClass.SIGNATURES);
            Scene.v().addBasicClass("java.io.PrintStream", SootClass.SIGNATURES);
            Scene.v().addBasicClass("java.lang.Runtime", SootClass.SIGNATURES);
            Scene.v().addBasicClass("java.lang.Thread", SootClass.SIGNATURES);

            PackManager.v().getPack("wjtp").add(new Transform("wjtp.AddJimpleBodyLineTag", new AddJimpleBodyLineTag()));
            PackManager.v().getPack("wjap").add(new Transform("wjap.LoopAreaAnalysis", new LoopAreaAnalysis()));
            PackManager.v().getPack("wjap").add(new Transform("wjap.ConditionAreaAnalysis", new ConditionAreaAnalysis()));

            PackManager.v().getPack("jtp").add(new Transform("jtp.instrument1", new InstrumentListenerWithMainClassClinit()));
            PackManager.v().getPack("jtp").add(new Transform("jtp.instrument2", new InstrumentListenerWithAllMethod2()));

            PackManager.v().runPacks();
        }
    }

As above, I instrument an APK file with $flyTrace, and its type is com.google.common.collect.LinkedHashMultimap. But it reports an error: java.lang.RuntimeException: tried to get nonexistent method <com.google.common.collect.LinkedHashMultimap: com.google.common.collect.LinkedHashMultimap create()>

Unable to run flowdroid analysis

Hi, I am trying to analyze an APK using FlowDroid. However, when I try to run the command on a Mac, I get the following error. Can anyone help me with this issue, please?

Arabins-MacBook-Pro:FlowDroid-2.6 arabin$ java -jar soot-infoflow-cmd-jar-with-dependencies.jar /Users/arabin/Desktop/1e993b0632d5bc6f07410ee31e41dd316435d997.apk "/Users/arabin/Library/Android/sdk/platforms" /Volumes/E/Flowdroid/FlowDroid-2.6/soot-infoflow-android/SourcesAndSinks.txt
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
The data flow analysis has failed. Error message: Android platform directory not specified
java.lang.RuntimeException: Android platform directory not specified
at soot.jimple.infoflow.android.SetupApplication.<init>(SetupApplication.java:277)
at soot.jimple.infoflow.android.SetupApplication.<init>(SetupApplication.java:216)
at soot.jimple.infoflow.cmd.MainClass.run(MainClass.java:230)
at soot.jimple.infoflow.cmd.MainClass.main(MainClass.java:196)

Creating call graph with different SourceAndSinks.txt

Hi Steven,

I've been trying to create the call graph with a modified sourcesAndSinks file. I followed the below process. However, the generated call graph still contains the nodes from the original sourcesAndSinks file. Could you please let me know if I'm missing something?

InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
config.setIgnoreFlowsInSystemPackages(true);
AnalysisFileConfiguration fileConfig = new AnalysisFileConfiguration();
fileConfig.setAndroidPlatformDir("C:\\Android\\android-sdk\\platforms");
fileConfig.setSourceSinkFile("D:\\CMU\\Capstone\\SourcesAndSinks.txt");
fileConfig.setTargetAPKFile("D:\\CMU\\Capstone\\*****.apk");
config.getAnalysisFileConfig().merge(fileConfig);
SetupApplication app = new SetupApplication(config);

app.constructCallgraph();
CallGraph appCallGraph = Scene.v().getCallGraph();

Thank you,
Sharada

Error instrumenting APK

Hi all,
I'm trying to instrument an APK, but in certain scenarios it throws the following error:
[Thread-17] ERROR heros.solver.CountingThreadPoolExecutor - Worker thread execution failed: Dex file overflow. Splitting not support for pre Lollipop Android (Api 22).
java.lang.RuntimeException: Dex file overflow. Splitting not support for pre Lollipop Android (Api 22).
The function which generates the error is PackManager.v().writeOutput(), because if I remove this instruction the exception is not thrown.
I am mainly trying to add an activity to an APK and to regenerate the Manifest. Everything goes fine on some APKs, while on others I get this.
How can I fix this?
Thanks in advance.

Issue with identification of sinks

Firstly, thank you for this tool. I have a feeling we may make heavy use of it in the near future.

We are using the 2.5.1 release (commandline) version of Flowdroid, and are executing it against two apks: one is a "control" apk that we have developed, and the other, a marketplace apk that we are analysing. Both apps call the setValue(byte[]) method used for Bluetooth Low Energy writes. We have specified this method as a sink in the SourcesAndSinks.txt as <android.bluetooth.BluetoothGattCharacteristic: boolean setValue(byte[])> -> _SINK_

Flowdroid identifies the setValue method as a sink in our control app, but not in the marketplace app. With the marketplace app, it says "No sinks found, aborting analysis".

Both apps definitely call the method, and have the following in their smali code:
invoke-virtual {vx, py}, Landroid/bluetooth/BluetoothGattCharacteristic;->setValue([B)Z
(where x and y are integer values depending on the register that is used).

Are there any conditions that would preclude a function (which uses a variable input) from being considered a sink?

Any insight is much appreciated!
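A textual cross-check for the situation described in the post above, added here as an example (it is not part of the original post and not FlowDroid code): it converts smali invoke references to Soot method signatures and compares them with the entries of a sources/sinks file. The function names, the sample inputs, and the treatment of lines starting with % as comments are assumptions of this example; it only compares strings and does not reproduce how FlowDroid itself resolves sinks.

```python
import re

# JVM descriptor letters -> Java type names as written in Soot signatures
PRIMITIVES = {"Z": "boolean", "B": "byte", "C": "char", "S": "short",
              "I": "int", "J": "long", "F": "float", "D": "double", "V": "void"}

# Method reference inside a smali invoke-* instruction: Lcls;->name(params)ret
SMALI_REF = re.compile(r"(L[^;\s]+;)->([^\s(]+)\(([^)\s]*)\)(\S+)")
# "<signature> [optional text] -> _TARGET_" line of a sources/sinks file
ENTRY = re.compile(r"^\s*(<.+?\)>)\s*(.*?)\s*->\s*(\S+)\s*$")
# "<class: returnType name(params)>"
SIG = re.compile(r"^<\s*([^:\s]+)\s*:\s*(\S+)\s+([^\s(]+)\s*\((.*)\)\s*>$")


def parse_type(desc, pos):
    """Decode one type descriptor at desc[pos]; return (java_name, next_pos)."""
    dims = 0
    while pos < len(desc) and desc[pos] == "[":
        dims += 1
        pos += 1
    if pos >= len(desc):
        raise ValueError("truncated descriptor: %r" % desc)
    ch = desc[pos]
    if ch == "L":
        end = desc.index(";", pos)          # ValueError if unterminated
        name = desc[pos + 1:end].replace("/", ".")
        pos = end + 1
    elif ch in PRIMITIVES:
        name = PRIMITIVES[ch]
        pos += 1
    else:
        raise ValueError("unknown descriptor %r in %r" % (ch, desc))
    return name + "[]" * dims, pos


def smali_to_soot(line):
    """Return the Soot signature of the method invoked on a smali line, or None."""
    m = SMALI_REF.search(line)
    if not m:
        return None
    cls_desc, name, params_desc, ret_desc = m.groups()
    cls, _ = parse_type(cls_desc, 0)
    params, pos = [], 0
    while pos < len(params_desc):
        java_type, pos = parse_type(params_desc, pos)
        params.append(java_type)
    ret, _ = parse_type(ret_desc, 0)
    return "<%s: %s %s(%s)>" % (cls, ret, name, ",".join(params))


def normalize_signature(sig):
    """Canonical spacing, so 'a, b' and 'a,b' parameter lists compare equal."""
    m = SIG.match(sig.strip())
    if not m:
        raise ValueError("not a Soot method signature: %r" % sig)
    cls, ret, name, params = m.groups()
    plist = [p.strip() for p in params.split(",") if p.strip()]
    return "<%s: %s %s(%s)>" % (cls, ret, name, ",".join(plist))


def parse_definitions(text):
    """Return ([(signature, target)], [rejected lines]) for a sources/sinks file."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):   # assumption: % starts a comment
            continue
        m = ENTRY.match(line)
        try:
            entries.append((normalize_signature(m.group(1)), m.group(3)))
        except (AttributeError, ValueError):    # no match, or malformed signature
            rejected.append(line)
    return entries, rejected


def smali_calls(text):
    """Soot signatures of every invoke-* instruction found in the smali text."""
    sigs = (smali_to_soot(l) for l in text.splitlines() if "invoke-" in l)
    return [s for s in sigs if s]


def cross_check(defs_text, smali_text):
    """Per definition: exact call count, plus same-named calls with other params."""
    entries, _ = parse_definitions(defs_text)
    calls = smali_calls(smali_text)
    report = []
    for sig, target in entries:
        prefix = sig[:sig.index("(")]            # "<class: returnType name"
        others = {c for c in calls if c != sig and c[:c.index("(")] == prefix}
        report.append({"signature": sig, "target": target,
                       "exact": calls.count(sig),
                       "other_overloads": sorted(others)})
    return report


# Constructed sample inputs (not taken from either app in the post).
SAMPLE_DEFS = """% constructed sample
<android.bluetooth.BluetoothGattCharacteristic: boolean setValue(byte[])> -> _SINK_
<android.util.Log: int i(java.lang.String, java.lang.String)> -> _SINK_
<android.bluetooth.BluetoothGattCharacteristic: boolean setValue(java.lang.String)> -> _SINK_
<android.util.Log: int e(java.lang.String,java.lang.String) -> _SINK_
"""
SAMPLE_SMALI = """
invoke-virtual {v0, p1}, Landroid/bluetooth/BluetoothGattCharacteristic;->setValue([B)Z
invoke-virtual {v2, v3, v4, v5}, Landroid/bluetooth/BluetoothGattCharacteristic;->setValue(III)Z
invoke-static {v1, v2}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
"""

if __name__ == "__main__":
    for row in cross_check(SAMPLE_DEFS, SAMPLE_SMALI):
        print(row)
```

An entry with zero exact matches but a non-empty `other_overloads` list points at a definition whose parameter list differs from what the app actually invokes.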

Is there a switch that can disable all the logging outputs?

I’m using FlowDroid. In the phase of processing an APK, a lot of logs (the dummy main method, the Spark information, the transformation information, etc.; see below) are displayed. Is there a switch that can disable all this verbose information?

And in my opinion, if it isn't (I noticed in the source file, there are some System.out.println(...) codes), developers (or researchers) who are using (or have already used) soot related libraries, like me, are all in the need of using our own outputs/logs (either the stdout or the stderr). Thus it is an urgent requirement that we need a switch to enable/disable/redirect them.

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.3 seconds.
[Spark] Solution found in 0.3 seconds.
Running incremental callback analysis for 4 components...
Incremental callback analysis done.
Found 15 callback methods for 4 components
Found {res/layout-port/parcel_view.xml=[...]} layout controls
Entry point calculation done.
Created a SourceSinkManager with 46 sources, 122 sinks, and 15 callback methods.
Using 'assets/android-platforms/android-23/android.jar' as android.jar
[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Cannot create valid constructor for android.content.Context, because it is abstract and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Cannot create valid constructor for android.view.MenuItem, because it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Cannot create valid constructor for android.content.DialogInterface, because it is an interface and cannot substitute with subclass
[main] INFO soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Generated main method:
    public static void dummyMainMethod(java.lang.String[])
    {
        java.lang.String[] $r0;
       ...
    }
[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 4.4 seconds.
[Spark] Solution found in 4.4 seconds.
Transforming android.support.v4.graphics.drawable.DrawableCompat$LollipopDrawableImpl... 
Transforming android.support.v7.widget.AdapterHelper$UpdateOp... 
Transforming android.support.v4.view.ViewPropertyAnimatorCompat$JBViewPropertyAnimatorCompatImpl... 
Transforming android.support.v4.widget.SlidingPaneLayout$LayoutParams... 
...

Error 400 on Nexus repo when trying to build FlowDroid with maven

Hi again,

I'm trying to build FlowDroid from scratch with Maven, following the instructions from the README.
It seems that something goes wrong when Maven tries to download some dependencies; it throws an Error 400:

Return code is: 400 , ReasonPhrase:Repository version policy: RELEASE does not allow metadata in path: heros/heros/0.0.1-SNAPSHOT/maven-metadata.xml.

Is something wrong on the Nexus side?

call graph and entry points are empty

Hi,

I am trying to run Flowdroid, but I always get empty callgraph and entry points. Could you help me check the reason? The following is my main code.

SetupApplication setup_app = new SetupApplication(android_jars, apk_path);
File taintWrapperFile = new File(TAINT_WRAPPER);
setup_app.setTaintWrapper(new EasyTaintWrapper(taintWrapperFile));

InfoflowAndroidConfiguration config = setup_app.getConfig();
config.getAnalysisFileConfig().setSourceSinkFile(SOURCE_SINK_FILE);

setup_app.constructCallgraph();
setup_app.printEntrypoints();

The test app can be accessed using the link: https://www.dropbox.com/s/o70aqlftdyk2a2s/google_ads_banner_example.apk

Best wishes

[Question] Creating CFGs from Android APKs

Dear Developers,

I'm aware that this question has been asked before and I've read through #129 and #155 of soot-infoflow-android but there are still some problems that I encountered while trying to replicate what they did:

  1. In @StevenArzt 's answer to #129 as shown below:
public static void main(String[] args) throws IOException, XmlPullParserException {
		// Initialize Soot
		SetupApplication analyzer = new SetupApplication("C:\\Program Files (x86)\\Android\\android-sdk\\platforms",
				"D:/org.fdroid.k9_17046.apk");
		analyzer.getConfig().setTaintAnalysisEnabled(false);
		analyzer.calculateSourcesSinksEntrypoints(Collections.emptySet(), Collections.emptySet());
		analyzer.runInfoflow();
		
		// Iterate over the callgraph
		for (Iterator<Edge> edgeIt = Scene.v().getCallGraph().iterator(); edgeIt.hasNext(); ) {
			Edge edge = edgeIt.next();
			
			SootMethod smSrc = edge.src();
			Unit uSrc = edge.srcStmt();
			SootMethod smDest = edge.tgt();
			
			System.out.println("Edge from " + uSrc + " in " + smSrc + " to " + smDest);
		}
	}

The api call to analyzer.calculateSourcesSinksEntrypoints has been removed from the current version (I couldn't find any method that has this name in the source apart from it being mentioned in a comment in SetupApplication.java, line 1022)

  2. Similarly, in the code above, the api call to analyzer.runInfoflow() no longer works because in the current version this method has at least one parameter.

I'm doing a static analysis on Android APKs which involves creating a CFG of the application (or individual classes). What I would like to get is a directed unit graph representing the CFG. Could you tell me what I should do, using the current version of FlowDroid (v.2.5.1)? If possible, could you kindly put some code sample as well or point me to the sections in the source code where I should be looking at to find my answers?

@StevenArzt

Best regards,
Zhijun

Analysis does not finish

Hello!

The attached InterAppStart1.zip file contains one app. The source code of this app can be found here: https://pastebin.com/JRFZ6iwu

By launching the following command
java -Xmx4g -jar soot-infoflow-cmd-jar-with-dependencies.jar -a /path/to/InterAppStart1.apk -p /path/to/platforms/ -s SourcesAndSinks.txt
this output is produced:

[main] INFO soot.jimple.infoflow.taintWrappers.EasyTaintWrapper - Loaded wrapper entries for 89 classes and 12 exclusions.
[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
Found dex file 'classes.dex' with 52 classes in '/media/sf_share/fix/InterAppStart1.apk'
[main] INFO soot.jimple.infoflow.android.SetupApplication - ARSC file parsing took 0.015791144 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.2 seconds.
[Spark] Solution found in 0.2 seconds.
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Collecting callbacks in DEFAULT mode...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Callback analysis done.
[main] WARN soot.jimple.infoflow.android.resources.LayoutFileParser - Could not find layout class android.support.constraint.ConstraintLayout
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 1 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Callback analysis terminated normally
[main] INFO soot.jimple.infoflow.android.SetupApplication - Entry point calculation done.
[main] INFO soot.jimple.infoflow.android.source.AccessPathBasedSourceSinkManager - Created a SourceSinkManager with 46 sources, 122 sinks, and 2 callback methods.
[main] INFO soot.jimple.infoflow.android.SetupApplication - Running data flow analysis on /media/sf_share/fix/InterAppStart1.apk with 46 sources and 122 sinks...
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Implicit flow tracking is NOT enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Exceptional flow tracking is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Running with a maximum access path length of 5
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using path-agnostic result collection
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Recursive access path shortening is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Taint analysis enabled: true
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using alias algorithm FlowSensitive
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph construction took 6.3222E-4 seconds
[main] INFO soot.jimple.infoflow.codeOptimization.InterproceduralConstantValuePropagator - Removing side-effect free methods is disabled
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Dead code elimination took 0.044792138 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph has 18 edges
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Starting Taint Analysis
[main] INFO soot.jimple.infoflow.android.data.AndroidMemoryManager - Initializing FlowDroid memory manager...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Using context- and flow-sensitive solver
[main] WARN soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Running with limited join point abstractions can break context-sensitive path builders
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Looking for sources and sinks...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Source lookup done, found 1 sources and 5 sinks.

No matter how long I wait, it does not proceed. For most other apps it works perfectly fine. Any idea what I could do differently in this specific case?

Regards,
FoelliX

Error when using FlowDroid as a library

I use FlowDroid as a library to obtain the call graphs of some APKs (about 50,000), but when I run my program for a moment, I get the following exception after obtaining about 2000 results, and then all of the remaining APKs have this exception. However, I can get the correct call graphs of some APKs (not all, the exception will appear again) when I rerun my program. In the exception, I find that the thread number of heros.solver is very large. I do not know the reason for this; maybe it is a bug.
[Thread-112006] ERROR heros.solver.CountingThreadPoolExecutor - Worker thread execution failed: null
java.lang.NullPointerException
at soot.dexpler.DexBody.jimplify(DexBody.java:526)
at soot.dexpler.DexMethod$1.getBody(DexMethod.java:116)
at soot.SootMethod.getBodyFromMethodSource(SootMethod.java:126)
at soot.SootMethod.retrieveActiveBody(SootMethod.java:385)
at soot.PackManager$3.run(PackManager.java:1244)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Exception in thread "Thread-112006" java.lang.NullPointerException
at soot.dexpler.DexBody.jimplify(DexBody.java:526)
at soot.dexpler.DexMethod$1.getBody(DexMethod.java:116)
at soot.SootMethod.getBodyFromMethodSource(SootMethod.java:126)
at soot.SootMethod.retrieveActiveBody(SootMethod.java:385)
at soot.PackManager$3.run(PackManager.java:1244)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
java.lang.NullPointerException
at soot.dexpler.DexBody.jimplify(DexBody.java:526)
at soot.dexpler.DexMethod$1.getBody(DexMethod.java:116)
at soot.SootMethod.getBodyFromMethodSource(SootMethod.java:126)
at soot.SootMethod.retrieveActiveBody(SootMethod.java:385)
at soot.PackManager$3.run(PackManager.java:1244)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

Is it possible to generate an icc model?

Is it possible to generate an ICC model with FlowDroid? Without knowledge of the app so only using the APK? Currently, I have a call graph but I also want to model the communication between activities. Is that possible with FlowDroid?

I saw the option Iccconfiguration which is disabled. What exactly is the IccModel?

My code:

val app = SetupApplication(androidPlatformPath, appPath)
app.config.isTaintAnalysisEnabled = false
app.config.mergeDexFiles = true
app.config.iccConfig = InfoflowAndroidConfiguration.IccConfiguration() // <-- this does not work
app.constructCallgraph()

infoflow constructor's first parameter

In SetupApplication.java (Line: 1447):

final String androidJar = config.getAnalysisFileConfig().getTargetAPKFile();
InPlaceInfoflow info = new InPlaceInfoflow(androidJar, forceAndroidJar, cfgFactory);

Infoflow constructor's first parameter should be android.jar, right?
But in the code, the apk path, which is provided by "getTargetAPKFile()", is imported.
Is the code right?

Taint Analysis in BackwardsInfoflowSolver

Hi Steven,

Issue

I have an issue regarding the computeAliases() function in BackwardsInfoflowSolver.java file. I made a toy application and ran that example on FlowDroid, but it was not producing the expected leaks. We are working on the develop branch of FlowDroid. The snippet of code which has the issue is

protected String doInBackground(String... params) {
            String taintedUrl = params[0];
            ....
            try {
                URL myUrl = new URL(taintedUrl);
                Log.i("tag_url", String.valueOf(myUrl));

The jimple code for the above snippet in FlowDroid (After analyzing through a debugger) is

java.net.URL $r3, r11;
...
$r1 := @parameter0: java.lang.String[];
$r7 = $r1[0];
r11 = new java.net.URL;
$r3 = r11;

label01:
specialinvoke r11.<java.net.URL: void <init>(java.lang.String)>($r7);
$r7 = staticinvoke <java.lang.String: java.lang.String valueOf(java.lang.Object)>($r3);
staticinvoke <android.util.Log: int i(java.lang.String, java.lang.String)>("tag_url", $r7);

I would like to bring to your attention that the jimple file produced here is different from what we directly obtain after running soot. The jimple code snippet produced after running soot is

java.net.URL $r3;                                                                                                   
...
$r1 := @parameter0: java.lang.String[];                                 
$r7 = $r1[0];                                                           
$r3 = new java.net.URL;                                                 

label01:                                                                   
specialinvoke $r3.<java.net.URL: void <init>(java.lang.String)>($r7);   
$r7 = staticinvoke <java.lang.String: java.lang.String valueOf(java.lang.Object)>($r3);
staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("tag_url", $r7);

I have also added java.net.URL: void <init>(java.lang.String) in the EasyTaintWrapperSource.txt so that when $r7 is tainted r11 will also get tainted.

When r11 is tainted, it propagates upwards using the backward instance of IFDS solver where it calls processNormalFlow(edge) after which it eventually ends up in computeAliases function in BackwardsInfoflowProblem.java file. When it reaches the statement $r3 = r11, the incoming taint is r11, but the outgoing taint is only r11. Is this the expected behavior? In my opinion, the outgoing taint should be $r3 and r11.

Cause of the issue

I think the problem lies in these lines.

// BackwardsInfoflowProblem.java
boolean aliasOverwritten = Aliasing.baseMatchesStrict(rightValue, source)
    && rightValue.getType() instanceof RefType && !source.dependsOnCutAP();

if (!aliasOverwritten && !(rightValue.getType() instanceof PrimType)) {

If I change the boolean aliasOverwritten = Aliasing.baseMatchesStrict(rightValue, source) && !source.dependsOnCutAP() and if condition to aliasOverwritten && !(rightValue.getType() instanceof PrimType), the result is same as expected outcome. This is because the rightValue is tainted and is definitely assigned to leftValue and therefore taint propagations in the leftValue should be checked and thus it should enter the if condition. Also, I ran DroidBench testcases using this modified condition and all passed.

Can you please clarify why this is a problem?

generating call graph through command prompt

Hi,

Could you please let me know if there is any way to generate the call graph through command prompt? Or, is this only possible by adding the flowdroid packages to the existing project?

Thanks,
Sharada

Can we use this tool for analysing large apps, if so what are the system configurations required?

I am trying to use FlowDroid on my system with apps like Facebook, WhatsApp, etc. Mostly the taint analysis never completes, and if it completes, it gives an error like this:

[pool-1-thread-3] ERROR heros.solver.IDESolver - Worker thread execution failed: soot.RefType cannot be cast to soot.ArrayType
java.lang.ClassCastException: soot.RefType cannot be cast to soot.ArrayType
at soot.jimple.infoflow.problems.InfoflowProblem$1.addTaintViaStmt(InfoflowProblem.java:352)
at soot.jimple.infoflow.problems.InfoflowProblem$1.access$600(InfoflowProblem.java:290)
at soot.jimple.infoflow.problems.InfoflowProblem$1$2.computeTargetsInternal(InfoflowProblem.java:645)
at soot.jimple.infoflow.problems.InfoflowProblem$1$2.computeTargets(InfoflowProblem.java:475)
at soot.jimple.infoflow.solver.fastSolver.InfoflowSolver.computeNormalFlowFunction(InfoflowSolver.java:76)
at soot.jimple.infoflow.solver.fastSolver.InfoflowSolver.computeNormalFlowFunction(InfoflowSolver.java:35)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.processNormalFlow(IFDSSolver.java:402)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.access$100(IFDSSolver.java:58)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.run(IFDSSolver.java:511)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
java.lang.InterruptedException
at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireSharedInterruptibly(AbstractQueuedSynchronizer.java:998)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireSharedInterruptibly(AbstractQueuedSynchronizer.java:1304)
at heros.solver.CountLatch.awaitZero(CountLatch.java:75)
at heros.solver.CountingThreadPoolExecutor.awaitCompletion(CountingThreadPoolExecutor.java:67)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.runExecutorAndAwaitCompletion(IFDSSolver.java:192)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.awaitCompletionComputeValuesAndShutdown(IFDSSolver.java:173)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.solve(IFDSSolver.java:149)
at soot.jimple.infoflow.Infoflow.runAnalysis(Infoflow.java:407)
at soot.jimple.infoflow.Infoflow.computeInfoflow(Infoflow.java:266)
at soot.jimple.infoflow.android.SetupApplication.runInfoflow(Unknown Source)
at soot.jimple.infoflow.android.TestApps.Test.runAnalysis(Unknown Source)
at soot.jimple.infoflow.android.TestApps.Test.main(Unknown Source)
Exception in thread "pool-1-thread-3" java.lang.ClassCastException: soot.RefType cannot be cast to soot.ArrayType
at soot.jimple.infoflow.problems.InfoflowProblem$1.addTaintViaStmt(InfoflowProblem.java:352)
at soot.jimple.infoflow.problems.InfoflowProblem$1.access$600(InfoflowProblem.java:290)
at soot.jimple.infoflow.problems.InfoflowProblem$1$2.computeTargetsInternal(InfoflowProblem.java:645)
at soot.jimple.infoflow.problems.InfoflowProblem$1$2.computeTargets(InfoflowProblem.java:475)
at soot.jimple.infoflow.solver.fastSolver.InfoflowSolver.computeNormalFlowFunction(InfoflowSolver.java:76)
at soot.jimple.infoflow.solver.fastSolver.InfoflowSolver.computeNormalFlowFunction(InfoflowSolver.java:35)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.processNormalFlow(IFDSSolver.java:402)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.access$100(IFDSSolver.java:58)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.run(IFDSSolver.java:511)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Exception in thread "main" java.lang.RuntimeException: There were exceptions during IDE analysis. Exiting.
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.runExecutorAndAwaitCompletion(IFDSSolver.java:198)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.awaitCompletionComputeValuesAndShutdown(IFDSSolver.java:173)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.solve(IFDSSolver.java:149)
at soot.jimple.infoflow.Infoflow.runAnalysis(Infoflow.java:407)
at soot.jimple.infoflow.Infoflow.computeInfoflow(Infoflow.java:266)
at soot.jimple.infoflow.android.SetupApplication.runInfoflow(Unknown Source)
at soot.jimple.infoflow.android.TestApps.Test.runAnalysis(Unknown Source)
at soot.jimple.infoflow.android.TestApps.Test.main(Unknown Source)
Caused by: java.lang.ClassCastException: soot.RefType cannot be cast to soot.ArrayType
at soot.jimple.infoflow.problems.InfoflowProblem$1.addTaintViaStmt(InfoflowProblem.java:352)
at soot.jimple.infoflow.problems.InfoflowProblem$1.access$600(InfoflowProblem.java:290)
at soot.jimple.infoflow.problems.InfoflowProblem$1$2.computeTargetsInternal(InfoflowProblem.java:645)
at soot.jimple.infoflow.problems.InfoflowProblem$1$2.computeTargets(InfoflowProblem.java:475)
at soot.jimple.infoflow.solver.fastSolver.InfoflowSolver.computeNormalFlowFunction(InfoflowSolver.java:76)
at soot.jimple.infoflow.solver.fastSolver.InfoflowSolver.computeNormalFlowFunction(InfoflowSolver.java:35)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.processNormalFlow(IFDSSolver.java:402)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.access$100(IFDSSolver.java:58)
at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.run(IFDSSolver.java:511)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

i.e. IFDS solver fails

[Solved] How to get a standard output (i.e. XML or JSON) if I am using cmd-line tools for tracking data flow?

Hi,
I am wondering: if I use the command-line tool below to run the data flow tracker, how could I get a standard output for the data leakage, like XML or JSON?
If you want to use the command-line tool to run the data flow tracker, you can use the following command:

java -jar soot-infoflow-cmd/target/soot-infoflow-cmd-jar-with-dependencies.jar \
    -a <APK File> \
    -p <Android JAR folder> \
    -s <SourcesSinks file> \
    --timeout 1000 \
    --resulttimeout 1000

(Both params limit the running of a task.)

What I can get is the log output of the running programme. There might be some scan results in it, but most of it is the process log.
When the cmd finished, I got a directory, but without anything in it.
Could you guys please explain it a bit for me?
Thanks.

Any configuration example for FlowDroid taint analysis on the latest version (2.5)?

Hi there,

I'm currently trying to use the latest version of FlowDroid, which looks very handy and more modular.
However, I'm a bit stuck with the new way of setting up a taint analysis programmatically with sources and sinks.
I think one way to do it is to start with an InfoflowAndroidConfiguration instance, but I'm not sure about all the options…

Do you have a working example somewhere that I could use as a starting point?
I would like to use it as a library because I'm already using Soot in my program to instrument some methods from APKs.

Thank you in advance :)

Purpose of android.jar as input

Hello There,

I am wondering why it is required to provide the Android platform directory which contains android.jar, as sources and sinks are already provided by the txt, xml, or RIFL file.

Thanks.

Can't parse RIFL file

Hello there,

When I tried to use rifl.rifl (the rifl.xml that comes from SuSi, with its extension changed) instead of SourcesAndSinks.txt, it throws an exception in RIFLParser.java showing that:
stateStack.peek() and stateStack.pop() throw because the stack is empty.

After that I added a condition to bypass those calls, but there aren't any source and sink definitions found in the RIFLDocument after parsing it with the bypass.

I am tracing it and if I find something I will tell you, but I only need to make sure that the problem is not coming from the SuSi file, if you have tried it before.

Thanks.

Different results when upgrading to soot-infoflow-android 2.6-SNAPSHOT

Hi, I recently set about upgrading FlowDroid to 2.6-SNAPSHOT, but I've found some problems: the results of my analysis on the same APK are different.

Before upgrading, I was using the following code to construct the call graph:

soot.G.reset();

String[] options = {
    // general options
    "-whole-program",

    // input options
    "-process-dir", "-",
    "-src-prec", "apk",
    "-android-jars", "-",
    "-prepend-classpath",
    "-allow-phantom-refs",
    "-no-bodies-for-excluded",
    "-keep-line-number",

    // output options
    "-output-format", "none",

    // process options
    "-phase-option", "cg.spark", "enabled:true"
};

// parse options
Options.v().parse(options);

// load classes
Scene.v().loadNecessaryClasses();

// setup application
SetupApplication app = new SetupApplication(androidPlatformsPath, apkPath);

// set android callbacks, and use sources and sinks to calculate entry point
app.setCallbackFile(androidCallBacksFilePath);
try {
    app.calculateSourcesSinksEntrypoints(sourcesAndSinksFilePath);
} catch (Exception e) {
    throw new RuntimeException(e.getMessage());
}

// fake main created by flowdroid
SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
Options.v().set_main_class(entryPoint.getSignature());
Scene.v().setEntryPoints(Collections.singletonList(entryPoint));

// run it
PackManager.v().runPacks();

But when I upgraded to soot-infoflow-android 2.6-SNAPSHOT, I found that the method getEntryPointCreator() is not supported so far. So I changed to the following code:

// setup application
SetupApplication app = new SetupApplication(androidPlatformsPath, apkPath);

// see more configurations in ``SetupApplication.initializeSoot()''
// set android callbacks, and use
app.setCallbackFile(androidCallBacksFilePath);
// set new instance mode
app.getConfig().setSootIntegrationMode(InfoflowAndroidConfiguration.SootIntegrationMode.CreateNewInstace);
// set sources and sinks files, which is used to calculate the call graph
app.getConfig().getAnalysisFileConfig().setSourceSinkFile(sourcesAndSinksFilePath);
// set call graph construction algorithms
app.getConfig().setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.SPARK);

app.runInfoflow();
// runPacks() is an instance method, so it is called on the PackManager singleton
PackManager.v().runPacks();

But the result changed!!! I checked the initialization code in SetupApplication.initializeSoot(), and I found that the differences between the two are:

  1. keep_line_numbers from true to false
  2. src_prec from apk to jimple
  3. allow-phantom-refs from true to false

All three points, in my opinion, are irrelevant to my analysis (only the call graph is what I need). Is there anything I missed, or did FlowDroid change in 2.6-SNAPSHOT?

Seems like my FlowDroid config runs with a SINGLEFLOW option

Hi there,
[ I'm using the develop branch of FlowDroid ]

I have an apk with several sources for one sink, and it appears that when a leak is found, FlowDroid stops its work for the current processed sink.
I think I remember that there was an option like "Stop after first flow" or "SINGLEFLOW" somewhere in the FlowDroid code, but I can not find it.

Can someone help me with that?

Thanks!

Get view for dynamic listeners

Is it possible in Flowdroid to retrieve the view that calls a method?

So what I want to do is retrieve all onClick callback methods and their corresponding view (type):

public void click(View view){
}
<TextView android:onClick="click"/>

For the above code I want:
Example: Method click called by class android.widget.TextView

But also for dynamically registered (onClick) listeners:

Button b = findViewById(R.id.button2);
b.setOnClickListener(new View.OnClickListener() {
    @Override
    public void onClick(View v) {
        ...
    }
});

Example: Method onClick called by class android.widget.Button

Why is a data flow missed in the test?

Hello, Sir, Recently, I used FlowDroid to obtain the data flow of a simple apk developed by myself. However, the result is out of my expectation. According to my source code, there should be two data flows in one of the components. However, it got only one data flow and I don't know why it happened.

The related source code is shown below:
TelephonyManager tm = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
Intent ib = getIntent();
ib.putExtra("normal_key", "normal_value");
ib.putExtra("sensitive_", tm.getDeviceId());
ib.setClass(this, C.class);
startActivity(ib);

And the output is shown below as well:
image

In my opinion, one of the flows is 'getIntent()->startActivity()', and the other is 'getDeviceId()->startActivity()'. However, just as the result shows, the first one is missed. I'm really looking forward to your advice. Thank you for your attention!

findViewById as source by default?

Hi Steven,
I have used FlowDroid 2.5.1 to analyze a few real apps and sampled some of the reported leaks. I found out that there are many leaks with source findViewById, even when the method findViewById is not defined as a source in the configuration file SourcesAndSinks.txt.
I know that this method is used to get the password from a text field and that FlowDroid examines the layout XML file to identify password fields. Is this hardcoded default source on purpose? Is there any configuration option that can be used to disable it?
@StevenArzt

Noticed that tag "activity-alias" in AndroidManifest.xml is not taken into account by ProcessManifest

Hi there,

I was trying to find launchable activities from the facebook.apk below:
https://drive.google.com/open?id=1H1A03jywwOY6B61JdUHZTh-r2MNQZ-Z8
I was surprised that ProcessManifest.getLaunchableActivities() didn't find any launchable activity.

So I had a look in the AndroidManifest.xml of the APK and I found out that the only "launchable" activity was contained in an "activity-alias" tag.

By looking at the ProcessManifest class code, I saw that only activities with the tag "activity" are taken into account.

How could we manage to solve this? Maybe I can make a pull request, but which is best:

  • merge alias activities with standard activities
  • have two different lists, one for standard activities and one for alias activities ?

Thank you for all you've done with FlowDroid :)
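
The alias resolution asked about above, as an added Java example (not FlowDroid's ProcessManifest code and not part of the original post): it reads a manifest assumed to be already decoded to plain-text XML, treats activity and activity-alias elements alike, and maps each enabled launchable entry to the class it starts via android:targetActivity. The class name, method names and sample manifest are constructed for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class LaunchableActivities {
    static final String NS = "http://schemas.android.com/apk/res/android";
    static final String FILTER = "<intent-filter><action android:name='android.intent.action.MAIN'/>"
        + "<category android:name='android.intent.category.LAUNCHER'/></intent-filter>";
    // Constructed sample (decoded text XML): the only enabled launcher entry is an alias.
    static final String SAMPLE = "<manifest xmlns:android='" + NS + "' package='com.example.app'><application>"
        + "<activity android:name='.RealActivity'/>"
        + "<activity-alias android:name='.LauncherAlias' android:targetActivity='.RealActivity'>" + FILTER
        + "</activity-alias><activity-alias android:name='.OffAlias' android:enabled='false'"
        + " android:targetActivity='.RealActivity'>" + FILTER + "</activity-alias></application></manifest>";
    // True if the filter has a child <tag> whose android:name equals value.
    static boolean declares(Element filter, String tag, String value) {
        NodeList nodes = filter.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++)
            if (value.equals(((Element) nodes.item(i)).getAttributeNS(NS, "name"))) return true;
        return false;
    }
    // True if a single <intent-filter> of the component carries both MAIN and LAUNCHER.
    static boolean isLaunchable(Element component) {
        NodeList filters = component.getElementsByTagName("intent-filter");
        for (int i = 0; i < filters.getLength(); i++) {
            Element f = (Element) filters.item(i);
            if (declares(f, "action", "android.intent.action.MAIN")
                    && declares(f, "category", "android.intent.category.LAUNCHER")) return true;
        }
        return false;
    }
    // Maps each enabled launchable component (activity or alias) to the activity class it starts.
    static Map<String, String> launchable(String manifestXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
        Element root = dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(manifestXml))).getDocumentElement();
        Map<String, String> result = new LinkedHashMap<>();
        for (String tag : new String[] {"activity", "activity-alias"}) {
            NodeList nodes = root.getElementsByTagName(tag);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element e = (Element) nodes.item(i);
                if ("false".equals(e.getAttributeNS(NS, "enabled")) || !isLaunchable(e)) continue;
                String attr = tag.equals("activity") ? "name" : "targetActivity";
                result.put(e.getAttributeNS(NS, "name"), e.getAttributeNS(NS, attr));
            }
        }
        return result;
    }
    public static void main(String[] args) throws Exception { System.out.println(launchable(SAMPLE)); }
}
```

Keeping the alias name as the key and its target as the value supports either design from the post: one merged list of launchable classes, or a separate alias list. An android:enabled value given as a resource reference is not resolved here and is treated as enabled.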

soot.SootMethodRefImpl$ClassResolutionFailedException

I am trying to build info flow graph (no tainting) with the following code:
SetupApplication analyzer = new SetupApplication(FRAMEWORK_DIR, APK_PATH);
analyzer.getConfig().setTaintAnalysisEnabled(false);
analyzer.getConfig().setMergeDexFiles(true);
analyzer.constructCallgraph();

For any APK file, I got the following exception:
soot.SootMethodRefImpl$ClassResolutionFailedException: Class android.content.ServiceConnection doesn't have method onServiceConnected([android.content.ComponentName]) : void; failed to resolve in superclasses and interfacesLooking in android.content.ServiceConnection which has methods [<android.content.ServiceConnection: void onServiceConnected(android.content.ComponentName,android.os.IBinder)>, <android.content.ServiceConnection: void onServiceDisconnected(android.content.ComponentName)>]
at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:237)
at soot.SootMethodRefImpl.resolve(SootMethodRefImpl.java:152)
at soot.jimple.internal.AbstractInvokeExpr.getMethod(AbstractInvokeExpr.java:56)
at soot.jimple.validation.InvokeArgumentValidator.validate(InvokeArgumentValidator.java:54)
at soot.jimple.JimpleBody.validate(JimpleBody.java:118)
at soot.jimple.JimpleBody.validate(JimpleBody.java:98)
at soot.jimple.infoflow.cfg.LibraryClassPatcher.patchServiceConnection(LibraryClassPatcher.java:561)
at soot.jimple.infoflow.cfg.LibraryClassPatcher.patchLibraries(LibraryClassPatcher.java:55)
at soot.jimple.infoflow.android.SetupApplication.initializeSoot(SetupApplication.java:1130)
at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1313)
at soot.jimple.infoflow.android.SetupApplication.constructCallgraph(SetupApplication.java:1182)

Looked a bit into the code and it seems that the LibraryClassPatcher.patchServiceConnection method is causing the problem:
Scene.v().makeMethodRef(sc, "onServiceConnected",
Collections.singletonList(smGetFM.getParameterType(0)), VoidType.v(), false),

The inconsistent method signature (onServiceConnected([android.content.ComponentName])) is designed here. Is there any way to avoid this issue?
