[Soot-list] Stmts from FlowDroid are not found in Soot units.snapshotIterator()

Steven Arzt Steven.Arzt at cased.de
Mon Aug 25 05:06:32 EDT 2014


Hi Modhi,

 

Your code looks correct. The exception you are getting is an AbstractMethodError from the JVM, which means that some code is apparently trying to call an abstract method. Can you please double-check that you are indeed using the newest versions of Soot, soot-infoflow, and soot-infoflow-android? If you are using our pre-built JARs, please download the newest files from our nightly build server. The URLs are in the wiki: https://github.com/secure-software-engineering/soot-infoflow-android/wiki. If you are building FlowDroid on your own, please clean and re-build heros, soot, soot-infoflow, and soot-infoflow-android. I guess there are some incompatible class files lurking around.

 

Best regards,

  Steven

 

From: Modhi Alsobiehy [mailto:m99m20 at hotmail.com]
Sent: Saturday, 23 August 2014 10:31
To: Steven Arzt
Cc: soot-list at CS.McGill.CA; soot-list at sable.mcgill.ca
Subject: Re: AW: [Soot-list] Stmts from FlowDroid are not found in Soot units.snapshotIterator()

 

Hi Steven,

Thanx a lot for responding!

To begin with, I did not find a computeInfoflow() method, so I assumed that runInfoflow() is the method you mean, right?!

secondly, would you please clarify with an example!

I passed an object (of type ResHandler, implementing ResultsAvailableHandler) to runInfoflow(), but it does not seem correct! I am also getting an exception by just calling app.runInfoflow()!

 

your quick response is deeply appreciated!

thanx,

Modhi,

 

this is exactly the code I used:

ResHandler.java:

import soot.jimple.infoflow.InfoflowResults;
import soot.jimple.infoflow.handlers.ResultsAvailableHandler;
import soot.jimple.infoflow.solver.IInfoflowCFG;

public class ResAvailable implements ResultsAvailableHandler {

    public ResAvailable() {
        // TODO Auto-generated constructor stub
    }

    @Override
    public void onResultsAvailable(IInfoflowCFG arg0, InfoflowResults arg1) {
        // TODO Auto-generated method stub
    }

}

in CFG.java

package apkCFG;

import java.io.IOException;
import java.util.Collections;

import org.xmlpull.v1.XmlPullParserException;

import soot.PackManager;
import soot.Scene;
import soot.SootMethod;
import soot.jimple.infoflow.InfoflowResults;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.handlers.ResultsAvailableHandler;
import soot.options.Options;

public class CFG {

    public static void main(String[] args) throws IOException {
        SetupApplication app = new SetupApplication("D:/AndroidADT/adt-bundle-windows-x86_64-20131030/sdk/platforms", "D:/APKs/location.apk");
        try {
            app.calculateSourcesSinksEntrypoints("D:/FlowDroid/SourcesAndSinks.txt");
            // The handler is invoked by FlowDroid while its Soot instance is still alive.
            ResultsAvailableHandler rah = new ResAvailable();
            //rah.onResultsAvailable(arg0, arg1);
            InfoflowResults ir = app.runInfoflow(rah);
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (XmlPullParserException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

        // Resets Soot's global state: every Soot object created during the FlowDroid run is discarded here.
        soot.G.reset();
        Options.v().set_src_prec(Options.src_prec_apk);
        Options.v().set_process_dir(Collections.singletonList("D:/APKs/location.apk"));
        Options.v().set_android_jars("D:/AndroidADT/adt-bundle-windows-x86_64-20131030/sdk/platforms");
        Options.v().set_whole_program(true);
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_output_format(Options.output_format_none);
        Options.v().setPhaseOption("cg.spark", "on");
        Scene.v().loadNecessaryClasses();
        // Builds a fresh dummy main for the new scene; it is unrelated to the one FlowDroid used above.
        SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
        Options.v().set_main_class(entryPoint.getSignature());
        Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
        System.out.println(entryPoint.getActiveBody());
        PackManager.v().runPacks();
    }
}

 

the exception:

[main] INFO soot.jimple.infoflow.Infoflow - Callgraph has 1416 edges
[main] INFO soot.jimple.infoflow.Infoflow - Looking for sources and sinks...
[main] INFO soot.jimple.infoflow.Infoflow - Source lookup done, found 14 sources and 17 sinks.
[pool-1-thread-2] ERROR heros.solver.IDESolver - Worker thread execution failed: soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG.getCalleesOfCallAt(Ljava/lang/Object;)Ljava/util/Collection;
[pool-1-thread-1] ERROR heros.solver.IDESolver - Worker thread execution failed: soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG.getCalleesOfCallAt(Ljava/lang/Object;)Ljava/util/Collection;
java.lang.AbstractMethodError: soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG.getCalleesOfCallAt(Ljava/lang/Object;)Ljava/util/Collection;
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:172)
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:42)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.processCall(IFDSSolver.java:243)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.access$000(IFDSSolver.java:61)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.run(IFDSSolver.java:561)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
 at java.lang.Thread.run(Unknown Source)
java.lang.AbstractMethodError: soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG.getCalleesOfCallAt(Ljava/lang/Object;)Ljava/util/Collection;
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:172)
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:42)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.processCall(IFDSSolver.java:243)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.access$000(IFDSSolver.java:61)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.run(IFDSSolver.java:561)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
 at java.lang.Thread.run(Unknown Source)
Exception in thread "pool-1-thread-1" java.lang.AbstractMethodError: soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG.getCalleesOfCallAt(Ljava/lang/Object;)Ljava/util/Collection;
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:172)
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:42)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.processCall(IFDSSolver.java:243)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.access$000(IFDSSolver.java:61)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.run(IFDSSolver.java:561)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
 at java.lang.Thread.run(Unknown Source)
java.lang.InterruptedException
 at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireSharedInterruptibly(Unknown Source)
 at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireSharedInterruptibly(Unknown Source)
 at heros.solver.CountLatch.awaitZero(CountLatch.java:75)
 at heros.solver.CountingThreadPoolExecutor.awaitCompletion(CountingThreadPoolExecutor.java:67)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.runExecutorAndAwaitCompletion(IFDSSolver.java:201)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.awaitCompletionComputeValuesAndShutdown(IFDSSolver.java:182)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.solve(IFDSSolver.java:158)
 at soot.jimple.infoflow.solver.fastSolver.InfoflowSolver.solve(InfoflowSolver.java:108)
 at soot.jimple.infoflow.Infoflow.runAnalysis(Infoflow.java:438)
 at soot.jimple.infoflow.Infoflow.computeInfoflow(Infoflow.java:285)
 at soot.jimple.infoflow.android.SetupApplication.runInfoflow(Unknown Source)
 at apkCFG.CFG.main(CFG.java:36)
Exception in thread "main" java.lang.RuntimeException: There were exceptions during IDE analysis. Exiting.
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.runExecutorAndAwaitCompletion(IFDSSolver.java:207)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.awaitCompletionComputeValuesAndShutdown(IFDSSolver.java:182)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.solve(IFDSSolver.java:158)
 at soot.jimple.infoflow.solver.fastSolver.InfoflowSolver.solve(InfoflowSolver.java:108)
 at soot.jimple.infoflow.Infoflow.runAnalysis(Infoflow.java:438)
 at soot.jimple.infoflow.Infoflow.computeInfoflow(Infoflow.java:285)
 at soot.jimple.infoflow.android.SetupApplication.runInfoflow(Unknown Source)
 at apkCFG.CFG.main(CFG.java:36)
Caused by: java.lang.AbstractMethodError: soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG.getCalleesOfCallAt(Ljava/lang/Object;)Ljava/util/Collection;
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:172)
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:42)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.processCall(IFDSSolver.java:243)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.access$000(IFDSSolver.java:61)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.run(IFDSSolver.java:561)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
 at java.lang.Thread.run(Unknown Source)
Exception in thread "pool-1-thread-2" java.lang.AbstractMethodError: soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG.getCalleesOfCallAt(Ljava/lang/Object;)Ljava/util/Collection;
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:172)
 at soot.jimple.infoflow.solver.InfoflowCFG.getCalleesOfCallAt(InfoflowCFG.java:42)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.processCall(IFDSSolver.java:243)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.access$000(IFDSSolver.java:61)
 at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.run(IFDSSolver.java:561)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
 at java.lang.Thread.run(Unknown Source)

------------------------------------------------


From: Steven Arzt <mailto:Steven.Arzt at cased.de> 
Sent: Thursday, August 21, 2014 3:54 AM
To: Modhi Alsobeihy <mailto:m99m20 at hotmail.com> 
Cc: soot-list at CS.McGill.CA, soot-list at sable.mcgill.ca

 

Hi Modhi,

 

There are two ways to obtain the FlowDroid results. You can either use the return value of computeInfoflow() or you can pass an object implementing the ResultsAvailableHandler to computeInfoflow(). In the onResultsAvailable() method of that handler, you are free to work with the Soot objects (units, locals, etc.) you get in the result object. At this point in time, Soot is still running with FlowDroid’s configuration. Most importantly, your scene has not been reset and all Soot objects are still alive.

 

Best regards,

  Steven

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On behalf of Modhi Alsobiehy
Sent: Thursday, 14 August 2014 09:34
To: Steven Arzt
Cc: soot-list at CS.McGill.CA; soot-list at sable.mcgill.ca
Subject: Re: [Soot-list] Stmts from FlowDroid are not found in Soot units.snapshotIterator()

 

Hi Steven,

Thanx for your quick response!

I really need more info about that! Until you get back safely I will try to figure out how to do that, thanx again!

 

-Best,

Modhi


On Aug 12, 2014, at 2:32 PM, "Steven Arzt" <Steven.Arzt at cased.de> wrote:

Hi Modhi,

The best way is to use FlowDroid's onResultsAvailable handler since your code is then running in the same Soot instance, so you can directly work on the AST objects returned in the InfoflowResults object. I'm traveling at the moment, if you need more information, that's possible after my return.

Best regards,
Steven

Modhi Alsobiehy <m99m20 at hotmail.com> wrote:

Hi all,

I am having the following problem and couldn’t figure out how to fix it or reason about it!!

In my project, the goal is to log any possible leak, so my plan is to run FlowDroid on an apk, get the results, follow the Android instrumentation tutorial to find the statements involved in the leaks, and insert some stmts to log them. However, things did not go as planned because I could not find the sources and the sinks found by FlowDroid when I iterated over the apk units!

 

To begin with, is there something wrong with my approach??

how should I refer to the results of flowdroid in the apk and insert logging statements after their call ?

I truly appreciate your quick help in this regard!

Thanx!

-Modhi

 

the following are the materials I am using:

------------------------------------------------

apk: send my location found on googleplay

********************

flow droid results:

Found a flow to sink staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0), from the following sources:
 - virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("c"), $r10 = (java.lang.String) $r5, $r14 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r10), $r10 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void e(java.lang.String)>($r10), staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("c"), $r10 = (java.lang.String) $r5, $r14 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r10), $r10 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void e(java.lang.String)>($r10), staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int w(java.lang.String,java.lang.String)>("Ads", $r0)]
Found a flow to sink staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), from the following sources:
 - @parameter0: java.lang.String (in <com.google.ads.internal.AdWebView$1: void onDownloadStart(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long)>)
  on Path [$r1 := @parameter0: java.lang.String, $r10 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r1), $r4 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void b(java.lang.String,java.lang.Throwable)>($r4, $r11), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0)]
 - @parameter3: java.lang.String (in <com.google.ads.internal.AdWebView$1: void onDownloadStart(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long)>)
  on Path [$r4 := @parameter3: java.lang.String, $r10 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r4), $r4 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void b(java.lang.String,java.lang.Throwable)>($r4, $r11), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0)]
Found a flow to sink staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), from the following sources:
 - virtualinvoke $r1.<android.os.Bundle: java.lang.String getString(java.lang.String)>("action") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r2 = virtualinvoke $r1.<android.os.Bundle: java.lang.String getString(java.lang.String)>("action"), $r0.<com.google.ads.internal.e: java.lang.String a> = $r2, return, $r15 = virtualinvoke $r17.<com.google.ads.internal.e: java.lang.String b()>(), $r1 = $r0.<com.google.ads.internal.e: java.lang.String a>, return $r1, $r26 = virtualinvoke $r26.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r15), $r25 = virtualinvoke $r26.<java.lang.StringBuilder: java.lang.String toString()>(), specialinvoke $r0.<com.google.ads.AdActivity: void a(java.lang.String)>($r25), staticinvoke <com.google.ads.util.b: void b(java.lang.String)>($r1), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r2 = virtualinvoke $r1.<android.os.Bundle: java.lang.String getString(java.lang.String)>("action"), $r0.<com.google.ads.internal.e: java.lang.String a> = $r2, return, $r15 = virtualinvoke $r17.<com.google.ads.internal.e: java.lang.String b()>(), $r1 = $r0.<com.google.ads.internal.e: java.lang.String a>, return $r1, $r26 = virtualinvoke $r26.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r15), $r25 = virtualinvoke $r26.<java.lang.StringBuilder: java.lang.String toString()>(), specialinvoke $r0.<com.google.ads.AdActivity: void a(java.lang.String)>($r25), staticinvoke <com.google.ads.util.b: void b(java.lang.String)>($r1), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int e(java.lang.String,java.lang.String)>("Ads", $r0)]
Found a flow to sink virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8) on line 400, from the following sources:
 - virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("i"), $r8 = (java.lang.String) $r5, virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8), virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("i"), $r8 = (java.lang.String) $r5, virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8), virtualinvoke $r4.<android.content.Intent: android.content.Intent setAction(java.lang.String)>($r8)]
Found a flow to sink virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4) on line 482, from the following sources:
 - virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("f"), $r11 = (java.lang.String) $r5, $i3 = staticinvoke <java.lang.Integer: int parseInt(java.lang.String)>($r11), virtualinvoke $r4.<android.content.Intent: android.content.Intent addFlags(int)>($i3), virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4), virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("f"), $r11 = (java.lang.String) $r5, $i3 = staticinvoke <java.lang.Integer: int parseInt(java.lang.String)>($r11), virtualinvoke $r4.<android.content.Intent: android.content.Intent addFlags(int)>($i3), virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4), virtualinvoke $r0.<com.google.ads.AdActivity: void startActivity(android.content.Intent)>($r4)]
Found a flow to sink staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), from the following sources:
 - @parameter0: java.lang.String (in <com.google.ads.internal.AdWebView$1: void onDownloadStart(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long)>)
  on Path [$r1 := @parameter0: java.lang.String, $r10 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r1), $r4 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void a(java.lang.String)>($r4), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0)]
 - virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params") (in <com.google.ads.internal.e: void <init>(android.os.Bundle)>)
  on Path [$r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("f"), $r11 = (java.lang.String) $r5, $i3 = staticinvoke <java.lang.Integer: int parseInt(java.lang.String)>($r11), virtualinvoke $r4.<android.content.Intent: android.content.Intent addFlags(int)>($i3), $r14 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.Object)>($r4), $r11 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void a(java.lang.String)>($r11), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0)]
 - @parameter3: java.lang.String (in <com.google.ads.internal.AdWebView$1: void onDownloadStart(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long)>)
  on Path [$r4 := @parameter3: java.lang.String, $r10 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r4), $r4 = virtualinvoke $r10.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void a(java.lang.String)>($r4), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0)]
 - virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>() (in <com.google.ads.AdActivity: void onCreate(android.os.Bundle)>)
  on Path [$r14 = virtualinvoke $r0.<com.google.ads.AdActivity: android.content.Intent getIntent()>(), $r1 = virtualinvoke $r14.<android.content.Intent: android.os.Bundle getBundleExtra(java.lang.String)>("com.google.ads.AdOpener"), specialinvoke $r17.<com.google.ads.internal.e: void <init>(android.os.Bundle)>($r1), $r3 = virtualinvoke $r1.<android.os.Bundle: java.io.Serializable getSerializable(java.lang.String)>("params"), $r4 = specialinvoke $r0.<com.google.ads.internal.e: java.util.HashMap a(java.io.Serializable)>($r3), $r2 = (java.util.HashMap) $r1, return $r2, $r0.<com.google.ads.internal.e: java.util.HashMap b> = $r4, return, $r5 = virtualinvoke $r17.<com.google.ads.internal.e: java.util.HashMap c()>(), $r1 = $r0.<com.google.ads.internal.e: java.util.HashMap b>, return $r1, virtualinvoke $r0.<com.google.ads.AdActivity: void a(java.util.HashMap,com.google.ads.internal.d)>($r5, $r2), $r5 = virtualinvoke $r1.<java.util.HashMap: java.lang.Object get(java.lang.Object)>("e"), $r3 = (java.lang.String) $r5, $r14 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>($r3), $r11 = virtualinvoke $r14.<java.lang.StringBuilder: java.lang.String toString()>(), staticinvoke <com.google.ads.util.b: void a(java.lang.String)>($r11), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0), staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("Ads", $r0)]

******************************

Soot instrumenting code:

package androidInstrument;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import soot.Body;
import soot.BodyTransformer;
import soot.G;
import soot.PackManager;
import soot.PatchingChain;
import soot.Scene;
import soot.SootClass;
import soot.Transform;
import soot.Unit;
import soot.jimple.AbstractStmtSwitch;
import soot.jimple.InvokeStmt;
import soot.options.Options;

public class AndroidInstrument {

    public static void main(String[] args) {
        G.reset();
        final String androidJar = "D:/AndroidADT/adt-bundle-windows-x86_64-20131030/sdk/platforms/";
        List<String> argsList = new ArrayList<String>(Arrays.asList(args));

        Scene.v().addBasicClass("java.io.PrintStream", SootClass.SIGNATURES);
        Scene.v().addBasicClass("java.lang.System", SootClass.SIGNATURES);

        // Register a body transformer in the Jimple transformation pack (jtp);
        // it runs once per method body of the processed apk.
        PackManager.v().getPack("jtp").add(new Transform("jtp.myInstrumenter", new BodyTransformer() {
            @Override
            protected void internalTransform(final Body b, String phaseName, Map options) {
                final PatchingChain<Unit> units = b.getUnits();
                // important to use snapshotIterator here: the chain may be modified while iterating
                for (Iterator<Unit> iter = units.snapshotIterator(); iter.hasNext();) {
                    final Unit u = iter.next();
                    System.out.println("Unit is: " + u);
                    u.apply(new AbstractStmtSwitch() {
                        public void caseInvokeStmt(InvokeStmt stmt) {
                            String method = stmt.getInvokeExpr().getMethod().toString();
                            System.out.println("Method: " + method + "\n-- [ Statement: " + stmt + "]");
                            // automating the search for flowdroid results goes here!
                        } // caseInvokeStmt
                    }); // apply
                } // for iterator
            } // internalTransform
        }));

        argsList.addAll(Arrays.asList(new String[] {
            "-w", "-process-dir", "D:/APKs/location.apk",
        }));

        //apkPath.add("D:/APKs/Hello.apk");
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_android_jars(androidJar);
        //Options.v().set_process_dir(apkPath);
        Options.v().set_src_prec(Options.src_prec_apk);
        Options.v().set_output_format(Options.output_format_none);

        args = argsList.toArray(new String[0]);
        soot.Main.main(args);
    }

    // ===============================================================
}
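The following is an added example (not code from this thread and not FlowDroid's own code) of the approach Steven recommends: do the instrumentation inside onResultsAvailable(), while the Soot scene FlowDroid analysed is still alive, instead of resetting Soot and searching for the statements again in a second run, where no unit will ever be identical to one from the FlowDroid results. It assumes that InfoflowResults.getResults() returns a Map from a sink entry (here assumed to be soot.jimple.infoflow.results.ResultSinkInfo with a getSink() returning the sink Stmt) to the Set of source entries (assumed ResultSourceInfo) flowing into it; check those names against the FlowDroid version you build against. The class name LeakLoggingHandler, the package apkCFG (taken from the stack trace on the page) and the log tag "LEAK" are illustrative choices.

```java
package apkCFG;

import java.util.Map;
import java.util.Set;

import soot.Body;
import soot.Scene;
import soot.SootMethod;
import soot.SootMethodRef;
import soot.Unit;
import soot.jimple.Jimple;
import soot.jimple.Stmt;
import soot.jimple.StringConstant;
import soot.jimple.infoflow.InfoflowResults;
import soot.jimple.infoflow.handlers.ResultsAvailableHandler;
import soot.jimple.infoflow.solver.IInfoflowCFG;
// Assumption: names of FlowDroid's per-sink / per-source result entries in the version in use.
import soot.jimple.infoflow.results.ResultSinkInfo;
import soot.jimple.infoflow.results.ResultSourceInfo;

/**
 * Added example handler: inserts a logging call after every leak sink FlowDroid
 * reports. It runs inside FlowDroid's Soot instance, so the Stmt objects in the
 * results are the very objects held by the method bodies (no reset in between).
 */
public class LeakLoggingHandler implements ResultsAvailableHandler {

    private static final String LOG_TAG = "LEAK";   // illustrative tag
    private int instrumented = 0;

    @Override
    public void onResultsAvailable(IInfoflowCFG cfg, InfoflowResults results) {
        if (results == null || results.getResults() == null)
            return;

        // android.util.Log comes from the android.jar FlowDroid loaded; resolve it in the live scene.
        SootMethodRef logRef = Scene.v().getMethod(
                "<android.util.Log: int w(java.lang.String,java.lang.String)>").makeRef();

        // Assumption: getResults() maps each reported sink to the sources that reach it.
        for (Map.Entry<ResultSinkInfo, Set<ResultSourceInfo>> e : results.getResults().entrySet()) {
            Stmt sink = e.getKey().getSink();
            // The ICFG handed to the handler knows which method contains the sink statement.
            SootMethod m = cfg.getMethodOf(sink);
            if (m == null || !m.hasActiveBody())
                continue;
            Body body = m.getActiveBody();
            // Identity holds here: the scene has not been reset, so contains() finds the sink.
            if (!body.getUnits().contains(sink))
                continue;

            // Log only a description of the sink, never the tainted value itself,
            // so the inserted statement does not become a new leak.
            String msg = "sink " + sink + " <- " + e.getValue().size() + " source(s)";
            Unit logCall = Jimple.v().newInvokeStmt(
                    Jimple.v().newStaticInvokeExpr(logRef,
                            StringConstant.v(LOG_TAG), StringConstant.v(msg)));
            body.getUnits().insertAfter(logCall, sink);
            body.validate();   // fails fast if the edited body is no longer well-formed Jimple
            instrumented++;
        }
    }

    /** Number of sink statements that received a logging call. */
    public int getInstrumentedCount() {
        return instrumented;
    }
}
```

Pass an instance of this handler to runInfoflow() exactly as the ResAvailable stub above is passed. Two caveats follow directly from the thread: the soot.G.reset() that CFG.java calls right after runInfoflow() discards the instrumented bodies along with everything else, so any output (for example a rewritten apk via Soot's dex output format) has to be produced before that reset; and because the sinks in FlowDroid's own results include android.util.Log calls, the inserted call passes only constant strings, so re-running FlowDroid over the instrumented app does not report the logging itself as a leak.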

 
