[Soot-list] Stmts from FlowDroid are not found in Soot units.snapshotIterator()

Modhi Alsobiehy m99m20 at hotmail.com
Tue Aug 12 00:56:13 EDT 2014


Hi all,

I am having the following problem and couldn’t figure out how to fix it or reason about it!!

In my project, the goal is to log any possible leak, so my plan is to run FlowDroid on an apk, get the results, follow the Android instrumentation tutorial to find the statements involved in the leaks and insert some stmts to log them. However, things did not go as planned because I could not find the sources and the sinks found by FlowDroid when I iterated over the apk units!

To begin with, is there something wrong with my approach?

How should I refer to the results of FlowDroid in the apk and insert logging statements after their call?

I truly appreciate your quick help in this regard!

Thanx!

-Modhi


The following are the materials I am using:

------------------------------------------------

apk: "send my location", found on Google Play

********************

FlowDroid results:

Found a flow to sink staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0), from the following sources:
 - virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("c"), $r10 = (java.lang.String) $r5, $r14 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r10), $r10 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void e(java.lang.String)>($r10), staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("c"), $r10 = (java.lang.String) $r5, $r14 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r10), $r10 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void e(java.lang.String)>($r10), staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0)]
Found a flow to sink staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), from the following sources:
 - @parameter0: java.lang.String (in <com.google.ads.internal.AdWebView$1: void onDownloadStart(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long)>)
  on Path [$r1 := @parameter0: java.lang.String, $r10 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r1), $r4 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void b(java.lang.String,java.lang.Throwable)>($r4, $r11), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0)]
 - @parameter3: java.lang.String (in <com.google.ads.internal.AdWebView$1: void onDownloadStart(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long)>)
  on Path [$r4 := @parameter3: java.lang.String, $r10 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r4), $r4 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void b(java.lang.String,java.lang.Throwable)>($r4, $r11), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0)]
Found a flow to sink staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), from the following sources:
 - virtualinvoke $r1.<android.os.Bundle: java.lang.String getString(java.lang.String)>("action") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r2 = virtualinvoke $r1.<android.os.Bundle: java.lang.String getString(java.lang.String)>("action"), $r0.<com.google.ads.internal.e: java.lang.String a> = $r2, return, $r15 = virtualinvoke $r17.<com.google.ads.internal.e: java.lang.String b()>(), $r1 = $r0.<com.google.ads.internal.e: java.lang.String a>, return $r1, $r26 = virtualinvoke $r26.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r15), $r25 = virtualinvoke $r26.<java.lang.StringBuilder: java.lang.String toString()>(), specialinvoke $r0.<com.google.ads.AdActivity: void a(java.lang.String)>($r25), staticinvoke <com.google.ads.util.b: void b(java.lang.String)>($r1), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r2 = virtualinvoke $r1.<android.os.Bundle: java.lang.String getString(java.lang.String)>("action"), $r0.<com.google.ads.internal.e: java.lang.String a> = $r2, return, $r15 = virtualinvoke $r17.<com.google.ads.internal.e: java.lang.String b()>(), $r1 = $r0.<com.google.ads.internal.e: java.lang.String a>, return $r1, $r26 = virtualinvoke $r26.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r15), $r25 = virtualinvoke $r26.<java.lang.StringBuilder: java.lang.String toString()>(), specialinvoke $r0.<com.google.ads.AdActivity: void a(java.lang.String)>($r25), staticinvoke <com.google.ads.util.b: void b(java.lang.String)>($r1), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0)]
Found a flow to sink virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8) on line 400, from the following sources:
 - virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("i"), $r8 = (java.lang.String) $r5, virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8), virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("i"), $r8 = (java.lang.String) $r5, virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8), virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8)]
Found a flow to sink virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4) on line 482, from the following sources:
 - virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("f"), $r11 = (java.lang.String) $r5, $i3 = staticinvoke <java.lang.Integer: int parseInt(java.lang.String)>($r11), virtualinvoke $r4.<android.content.Intent: android.content.Intent addFlags(int)>($i3), virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4), virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("f"), $r11 = (java.lang.String) $r5, $i3 = staticinvoke <java.lang.Integer: int parseInt(java.lang.String)>($r11), virtualinvoke $r4.<android.content.Intent: android.content.Intent addFlags(int)>($i3), virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4), virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4)]
Found a flow to sink staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), from the following sources:
 - @parameter0: java.lang.String (in <com.google.ads.internal.AdWebView$1: void onDownloadStart(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long)>)
  on Path [$r1 := @parameter0: java.lang.String, $r10 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r1), $r4 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void a(java.lang.String)>($r4), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0)]
 - virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("f"), $r11 = (java.lang.String) $r5, $i3 = staticinvoke <java.lang.Integer: int parseInt(java.lang.String)>($r11), virtualinvoke $r4.<android.content.Intent: android.content.Intent addFlags(int)>($i3), $r14 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.Object)>($r4), $r11 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void a(java.lang.String)>($r11), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0)]
 - @parameter3: java.lang.String (in <com.google.ads.internal.AdWebView$1: void onDownloadStart(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long)>)
  on Path [$r4 := @parameter3: java.lang.String, $r10 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r4), $r4 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void a(java.lang.String)>($r4), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("e"), $r3 = (java.lang.String) $r5, $r14 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r3), $r11 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void a(java.lang.String)>($r11), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0)]


******************************

Soot instrumenting code:


package androidInstrument;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import soot.Body;
import soot.BodyTransformer;
import soot.G;
import soot.PackManager;
import soot.PatchingChain;
import soot.Scene;
import soot.SootClass;
import soot.Transform;
import soot.Unit;
import soot.jimple.AbstractStmtSwitch;
import soot.jimple.InvokeStmt;
import soot.options.Options;

public class AndroidInstrument {

	public static void main(String[] args) {
		G.reset();
		final String androidJar = "D:/AndroidADT/adt-bundle-windows-x86_64-20131030/sdk/platforms/";

		List<String> argsList = new ArrayList<String>(Arrays.asList(args));

		// needed so that inserted logging calls to System.out can be resolved
		Scene.v().addBasicClass("java.io.PrintStream", SootClass.SIGNATURES);
		Scene.v().addBasicClass("java.lang.System", SootClass.SIGNATURES);

		// jtp runs on every method body; the anonymous class must extend soot.BodyTransformer
		PackManager.v().getPack("jtp").add(new Transform("jtp.myInstrumenter", new BodyTransformer() {
			@Override
			protected void internalTransform(final Body b, String phaseName, Map options) {
				final PatchingChain<Unit> units = b.getUnits();
				// important to use snapshotIterator here: the chain is modified while iterating
				for (Iterator<Unit> iter = units.snapshotIterator(); iter.hasNext();) {
					final Unit u = iter.next();
					System.out.println("Unit is: " + u);

					u.apply(new AbstractStmtSwitch() {
						public void caseInvokeStmt(InvokeStmt stmt) {
							String method = stmt.getInvokeExpr().getMethod().toString();
							System.out.println("Method: " + method + "\n-- [ Statement: " + stmt + "]");
							// automating the search for flowdroid results goes here!
						} // caseInvokeStmt
					}); // AbstractStmtSwitch / apply
				} // for iterator
			} // internalTransform
		}));

		argsList.addAll(Arrays.asList(new String[] {
			"-w", "-process-dir", "D:/APKs/location.apk",
		}));
		//apkPath.add("D:/APKs/Hello.apk");

		Options.v().set_allow_phantom_refs(true);
		Options.v().set_android_jars(androidJar);
		//Options.v().set_process_dir(apkPath);
		Options.v().set_src_prec(Options.src_prec_apk);
		Options.v().set_output_format(Options.output_format_none);

		args = argsList.toArray(new String[0]);
		soot.Main.main(args);
	}
}
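An added example, not part of the original post, showing one way to map the FlowDroid results above onto Soot units and insert the logging calls. The matching key is the callee signature inside `<...>` of each sink and source (copied from the output above), since the `$rN` locals in FlowDroid's printed statements are renumbered per body and cannot be compared textually; `containsInvokeExpr()` also catches sources that appear as assignments (`$r3 = virtualinvoke ...`), which `caseInvokeStmt` never visits. It assumes the Soot 2.5-era API and is registered in the "jtp" pack with the two `addBasicClass` calls exactly as in the code above.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import soot.Body;
import soot.BodyTransformer;
import soot.Local;
import soot.PatchingChain;
import soot.RefType;
import soot.Scene;
import soot.SootMethod;
import soot.Unit;
import soot.jimple.Jimple;
import soot.jimple.Stmt;
import soot.jimple.StringConstant;

/** Hypothetical transformer: logs every call site whose target is a FlowDroid sink or source. */
public class LeakCallLogger extends BodyTransformer {

	// Signatures copied from the FlowDroid output above (the text inside <...>). The printed
	// Stmt itself is not a usable key: $r0 etc. are renumbered per body and per Soot run.
	static final Set<String> SINKS = new HashSet<String>(Arrays.asList(
		"<android.util.Log: int w(java.lang.String,java.lang.String)>",
		"<android.util.Log: int e(java.lang.String,java.lang.String)>",
		"<android.util.Log: int d(java.lang.String,java.lang.String)>",
		"<android.content.Intent: android.content.Intent setAction(java.lang.String)>",
		"<com.google.ads.AdActivity: void startActivity(android.content.Intent)>"));
	static final Set<String> SOURCES = new HashSet<String>(Arrays.asList(
		"<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>",
		"<android.os.Bundle: java.lang.String getString(java.lang.String)>",
		"<com.google.ads.AdActivity: android.content.Intent getIntent()>"));

	@Override
	protected void internalTransform(Body b, String phaseName, Map options) {
		PatchingChain<Unit> units = b.getUnits();
		Local out = null; // one PrintStream local per body, created on the first match
		// snapshotIterator: units are inserted while the chain is walked
		for (Iterator<Unit> it = units.snapshotIterator(); it.hasNext();) {
			Stmt s = (Stmt) it.next();
			if (!s.containsInvokeExpr()) continue; // skips identity stmts such as $r1 := @parameter0
			// getMethodRef() avoids resolving the callee, so phantom classes are not a problem
			String sig = s.getInvokeExpr().getMethodRef().getSignature();
			String kind = SINKS.contains(sig) ? "SINK" : SOURCES.contains(sig) ? "SOURCE" : null;
			if (kind == null) continue;
			if (out == null) {
				out = Jimple.v().newLocal("$leakLogOut", RefType.v("java.io.PrintStream"));
				b.getLocals().add(out);
			}
			insertPrintlnAfter(b, out, s, "[LEAK-" + kind + "] " + sig + " in " + b.getMethod().getSignature());
		}
		b.validate(); // fail fast if the inserted Jimple is malformed
	}

	/** Inserts  out = System.out; out.println(msg)  directly after the matched call. */
	static void insertPrintlnAfter(Body b, Local out, Unit point, String msg) {
		Jimple j = Jimple.v();
		Unit load = j.newAssignStmt(out, j.newStaticFieldRef(
			Scene.v().getField("<java.lang.System: java.io.PrintStream out>").makeRef()));
		SootMethod println = Scene.v().getMethod("<java.io.PrintStream: void println(java.lang.String)>");
		Unit call = j.newInvokeStmt(j.newVirtualInvokeExpr(out, println.makeRef(), StringConstant.v(msg)));
		b.getUnits().insertAfter(Arrays.asList(load, call), point);
	}
}
```

Register it with `new Transform("jtp.leakLogger", new LeakCallLogger())` in place of the anonymous transformer above; with `output_format_none` the inserted statements are only visible in memory, so switch to an output format that writes the transformed bodies if you want to inspect or ship them.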