[Soot-list] Can FlowDroid recognize source and sink in a worker thread?

Jin Li lijin1988 at gmail.com
Tue Aug 26 09:59:08 EDT 2014


Hi Eric,

I printed the call graph. However, it does not contain a call to doPost.
My code snippet is as follows:

        SetupApplication app = new SetupApplication(
                "D:\\Android\\adt-bundle-windows-x86_64-20131030\\sdk\\platforms",
                "D:\\Android\\TestApk\\schgg.apk");
        try {
            app.calculateSourcesSinksEntrypoints("D:\\Android\\Soot\\FlowDroid\\SourcesAndSinks.txt");
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (XmlPullParserException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

        soot.G.reset();
        Options.v().set_src_prec(Options.src_prec_apk);
        Options.v().set_process_dir(Collections.singletonList("D:\\Android\\TestApk\\schgg.apk"));
        Options.v().set_android_jars("D:\\Android\\adt-bundle-windows-x86_64-20131030\\sdk\\platforms");
        Options.v().setPhaseOption("cg.spark", "on");

        Options.v().set_allow_phantom_refs(true);
        Options.v().set_whole_program(true);

        Options.v().set_output_format(Options.output_format_none);

        Scene.v().loadNecessaryClasses();
        SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
        Options.v().set_main_class(entryPoint.getSignature());
        Scene.v().setEntryPoints(Collections.singletonList(entryPoint));

        PackManager.v().runPacks();

        System.out.println(Scene.v().getCallGraph().size());

        CallGraph cg = Scene.v().getCallGraph();

Best Regards,
Jin



2014-08-26 17:02 GMT+08:00 Bodden, Eric <eric.bodden at sit.fraunhofer.de>:

> Hi Jin.
>
> Hmm, this looks odd.  Normally, appropriate call-graph edges should be
> present. Did you have a look to see if the call graph is complete, i.e.,
> whether it contains a call to doPost?
>
> Cheers,
> Eric
>
> On 26.08.2014, at 09:37, Jin Li <lijin1988 at gmail.com> wrote:
>
> > Hi Eric,
> >
> > A worker thread, I mean, a thread which is created in the UI thread and
> > does the time-consuming work.
> >
> > A code snippet:
> >
> > public void onCreate(Bundle paramBundle)
> >   {
> >     super.onCreate(paramBundle);
> >     setContentView(2130903040);
> >     this.dummyBtn = ((Button)findViewById(2131034120));
> >     this.dummyBtn.setOnClickListener(this);
> >
> >     this.myid = getMyNumber(); //sources
> >     this.frdata = getContacts();  // sources
> >
> >
> >     this.dialog = new ProgressDialog(this);
> >     this.dialog.setMessage("しばらくお待ちください...");
> >     this.dialog.setProgressStyle(0);
> >     this.dialog.show();
> >     if ((this.myid != null) && (this.frdata != ""))
> >     {
> >       new Thread(new Progress(null)).start();
> >       return;
> >     }
> >     this.dialog.dismiss();
> >     IntentFilter localIntentFilter = new IntentFilter();
> >     localIntentFilter.addAction("android.intent.action.BATTERY_CHANGED");
> >     registerReceiver(this.mBroadcastReceiver, localIntentFilter);
> >   }
> >
> > private class Progress implements Runnable
> >   {
> >     private Progress() {}
> >     public void run()
> >     {
> >       AppActivity.this.doPost();
> >
> >     }
> >   }
> > void doPost(){
> > //sinks malicious actions
> > }
> >
> > The new Thread would call doPost() which contains the sinks that send
> > sensitive data out of the device.
> >
> > The results produced by FlowDroid omit these sinks. However, it regards
> > the registerReceiver as a sink and produces a path from the source to this
> > sink.
> >
> > I am confused by those results.
> >
> > Thanks
> >
> > Best Regards,
> > Jin
> >
> >
> > 2014-08-26 14:51 GMT+08:00 Bodden, Eric <eric.bodden at sit.fraunhofer.de>:
> > Hi Jin.
> >
> > What exactly do you mean by a worker thread?
> >
> > Eric
> >
> > --
> > Sent from my mobile
> >
> > On Aug 25, 2014 2:46 PM, Jin Li <lijin1988 at gmail.com> wrote:
> > Hi All,
> >
> > I use FlowDroid to analyze my apk files and then manually check the
> > results it produced.
> >
> > It seemed that when the source or sink appeared in a worker thread, FlowDroid
> > would omit this source or sink. The paths reported by FlowDroid would be
> > fewer than supposed.
> >
> > I attached the apk.
> >
> > Can anybody shed light on the reason? Or did I use a wrong
> > configuration?
> >
> > I really need your help, Thanks
> >
> > Best Regards,
> > Jin
> >
>
> --
> Prof. Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
> Head of Secure Software Engineering  at Fraunhofer SIT, TU Darmstadt and
> EC SPRIDE
> Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
> Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
>
>
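
One way to make the call-graph check discussed in this thread concrete, as an added example that is not code from the thread or from FlowDroid: after runPacks(), list the incoming edges of Progress.run() and doPost() and whether Soot considers them reachable. The class name CallGraphCheck and the com.example package in the two signatures are placeholders, because the thread does not give the app's package name.

```java
import java.util.Iterator;

import soot.Scene;
import soot.SootMethod;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;
import soot.jimple.toolkits.callgraph.Kind;

public class CallGraphCheck {
    // Placeholder signatures: replace com.example with the app's real package.
    static final String RUN = "<com.example.AppActivity$Progress: void run()>";
    static final String DO_POST = "<com.example.AppActivity: void doPost()>";

    /** Call after PackManager.v().runPacks() has built the call graph. */
    public static void report() {
        CallGraph cg = Scene.v().getCallGraph();
        for (String sig : new String[] { RUN, DO_POST }) {
            // A method that was never loaded cannot appear in the call graph at all.
            if (!Scene.v().containsMethod(sig)) {
                System.out.println("not loaded: " + sig);
                continue;
            }
            SootMethod m = Scene.v().getMethod(sig);
            boolean reachable = Scene.v().getReachableMethods().contains(m);
            System.out.println(sig + " reachable=" + reachable);

            int incoming = 0;
            for (Iterator<Edge> it = cg.edgesInto(m); it.hasNext(); incoming++) {
                Edge e = it.next();
                // Kind.THREAD is the edge kind Soot uses for the implicit
                // Thread.start() -> run() dispatch.
                String tag = e.kind() == Kind.THREAD ? " [thread start]" : "";
                System.out.println("  <- " + e.src().getSignature()
                        + " (" + e.kind() + ")" + tag);
            }
            if (incoming == 0) {
                System.out.println("  no incoming edges");
            }
        }
    }
}
```

If run() has no incoming edge, the gap is at the thread start; if run() is reachable but doPost() is not, the gap is at the inner-class call.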