[Soot-list] Can FlowDroid recognize source and sink in a worker thread?
Bodden, Eric
eric.bodden at sit.fraunhofer.de
Wed Aug 27 02:04:39 EDT 2014
Hello.
Does the cg contain the call to Thread.start()? Normally this should then have special call edges to the right run method.
Eric
--
Sent from my mobile
On Aug 26, 2014 3:59 PM, Jin Li <lijin1988 at gmail.com> wrote:
Hi Eric,
I printed the call-graph. However, it does not contain a call to doPost.
My code snippet is as follows:
SetupApplication app = new SetupApplication("D:\\Android\\adt-bundle-windows-x86_64-20131030\\sdk\\platforms", "D:\\Android\\TestApk\\schgg.apk");
try {
    app.calculateSourcesSinksEntrypoints("D:\\Android\\Soot\\FlowDroid\\SourcesAndSinks.txt");
} catch (IOException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
} catch (XmlPullParserException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
}
soot.G.reset();
Options.v().set_src_prec(Options.src_prec_apk);
Options.v().set_process_dir(Collections.singletonList("D:\\Android\\TestApk\\schgg.apk"));
Options.v().set_android_jars("D:\\Android\\adt-bundle-windows-x86_64-20131030\\sdk\\platforms");
Options.v().setPhaseOption("cg.spark", "on");
Options.v().set_allow_phantom_refs(true);
Options.v().set_whole_program(true);
Options.v().set_output_format(Options.output_format_none);
Scene.v().loadNecessaryClasses();
SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
Options.v().set_main_class(entryPoint.getSignature());
Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
PackManager.v().runPacks();
System.out.println(Scene.v().getCallGraph().size());
CallGraph cg = Scene.v().getCallGraph();
Best Regards,
Jin
2014-08-26 17:02 GMT+08:00 Bodden, Eric <eric.bodden at sit.fraunhofer.de>:
Hi Jin.
Hmm, this looks odd. Normally, appropriate call-graph edges should be present. Did you have a look to see if the call graph is complete, i.e., whether it contains a call to doPost?
Cheers,
Eric
On 26.08.2014, at 09:37, Jin Li <lijin1988 at gmail.com> wrote:
> Hi Eric,
>
> A worker thread, I mean, a thread which is created in the UI thread and does the time-consuming work.
>
> A code snippet:
>
> public void onCreate(Bundle paramBundle)
> {
>     super.onCreate(paramBundle);
>     setContentView(2130903040);
>     this.dummyBtn = ((Button)findViewById(2131034120));
>     this.dummyBtn.setOnClickListener(this);
>
>     this.myid = getMyNumber(); // sources
>     this.frdata = getContacts(); // sources
>
>     this.dialog = new ProgressDialog(this);
>     this.dialog.setMessage("しばらくお待ちください...");
>     this.dialog.setProgressStyle(0);
>     this.dialog.show();
>     if ((this.myid != null) && (this.frdata != ""))
>     {
>         new Thread(new Progress(null)).start();
>         return;
>     }
>     this.dialog.dismiss();
>     IntentFilter localIntentFilter = new IntentFilter();
>     localIntentFilter.addAction("android.intent.action.BATTERY_CHANGED");
>     registerReceiver(this.mBroadcastReceiver, localIntentFilter);
> }
>
> private class Progress implements Runnable
> {
>     private Progress() {}
>     public void run()
>     {
>         AppActivity.this.doPost();
>     }
> }
>
> void doPost(){
>     // sinks malicious actions
> }
>
> The new Thread would call doPost() which contains the sinks that send sensitive data out of the device.
>
> The results produced by FlowDroid omit these sinks. However, it regards the registerReceiver as a sink and produces a path from the source to this sink.
>
> I am confused by these results.
>
> Thanks
>
> Best Regards,
> Jin
>
> 2014-08-26 14:51 GMT+08:00 Bodden, Eric <eric.bodden at sit.fraunhofer.de>:
> Hi Jin.
>
> What exactly do you mean by a worker thread?
>
> Eric
>
> --
> Sent from my mobile
>
> On Aug 25, 2014 2:46 PM, Jin Li <lijin1988 at gmail.com> wrote:
> Hi All,
>
> I use FlowDroid to analyze my apk files and then manually check the results it produced.
>
> It seemed that when the source or sink appeared in a worker thread, FlowDroid would omit this source or sink. The paths reported by FlowDroid would be fewer than supposed.
>
> I attached the apk.
>
> Can anybody shed light on the reason? Or did I use a wrong configuration?
>
> I really need your help. Thanks
>
> Best Regards,
> Jin
>
--
Prof. Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
Head of Secure Software Engineering at Fraunhofer SIT, TU Darmstadt and EC SPRIDE
Tel: +49 6151 16-75422 Fax: +49 6151 16-72051
Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
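
The check asked for in this thread (is there a call-graph edge for the Thread.start() call site, and do any edges reach run() and doPost()), written out as an added example that is not code from either poster or from the Soot project. It assumes the `cg` built by the snippet above; the class name `CallGraphProbe` is hypothetical and the package `com.example` is a placeholder, since the thread does not give the app's package.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import soot.Kind;
import soot.Scene;
import soot.SootMethod;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;

// Added example: call-graph diagnostics to run after PackManager.v().runPacks().
public final class CallGraphProbe {
    // Assumption: placeholder package; replace with the analyzed app's package.
    static final String APP = "com.example.AppActivity";

    // Collects the edges entering (incoming=true) or leaving a method, or an
    // empty list when the method was never loaded into the Scene.
    static List<Edge> edges(CallGraph cg, String signature, boolean incoming) {
        List<Edge> result = new ArrayList<Edge>();
        if (!Scene.v().containsMethod(signature)) {
            System.out.println("not in Scene: " + signature);
            return result;
        }
        SootMethod m = Scene.v().getMethod(signature);
        Iterator<Edge> it = incoming ? cg.edgesInto(m) : cg.edgesOutOf(m);
        while (it.hasNext()) {
            result.add(it.next());
        }
        return result;
    }

    static void report(CallGraph cg) {
        // 1. Does onCreate have an edge for the Thread.start() call site?
        for (Edge e : edges(cg, "<" + APP + ": void onCreate(android.os.Bundle)>", false)) {
            String mark = e.kind() == Kind.THREAD ? "  <-- thread edge" : "";
            System.out.println("onCreate -> " + e.tgt() + " [" + e.kind() + "]" + mark);
        }
        // 2. Is Progress.run() reachable, and 3. does anything call doPost()?
        String[] targets = {
            "<" + APP + "$Progress: void run()>",
            "<" + APP + ": void doPost()>" };
        for (String sig : targets) {
            List<Edge> in = edges(cg, sig, true);
            System.out.println(sig + ": " + in.size() + " incoming edge(s)");
            for (Edge e : in) {
                System.out.println("  <- " + e.src() + " [" + e.kind() + "]");
            }
        }
    }
}
```

Call `CallGraphProbe.report(cg)` right after `CallGraph cg = Scene.v().getCallGraph();`. A method with zero incoming edges is unreachable in the call graph, so sinks inside it cannot show up in the reported paths.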