[Soot-list] Flowdroid cannot identify simple password text flow

Steven Arzt Steven.Arzt at cased.de
Mon Dec 15 11:09:24 EST 2014


Hi,

 

This is one of the loose ends we still have. Anonymous inner classes are supposed not to access any final fields of their enclosing methods. This is on the long list of possible enhancements we can still do at some point. It has nothing to do with password fields or UI elements in general – that could also be a getDeviceId() or anything else.

 

By the way, I am currently looking for a student who wants to work on integrating a more precise sink model into FlowDroid; I’m sure you remember the conversation we had on this. Hopefully, I’ll find someone decent and we can make progress on that.

 

Best regards,

  Steven

 

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of flanker017
Sent: Monday, 15 December 2014 15:16
To: soot-list at cs.mcgill.ca
Subject: [Soot-list] Flowdroid cannot identify simple password text flow

 

Hi:

 

For the following code snippets:

 

    final EditText passview = (EditText) findViewById(R.id.editText1); // password view
    Button button = (Button) findViewById(R.id.button1);
    button.setOnClickListener(new OnClickListener() {
        @Override
        public void onClick(View v) {
            Log.d("log", passview.getText().toString());
        }
    });

 

FlowDroid cannot identify the flow. DroidBench also doesn't cover this indirect case. If I move Log.d outside the onClick directly after passview assignment, FlowDroid would find the flow.

 

Command line options are: java -cp soot-trunk.jar:soot-infoflow.jar:soot-infoflow-android.jar:slf4j-api-1.7.5.jar:slf4j-simple-1.7.5.jar:axml-2.0.jar soot.jimple.infoflow.android.TestApps.Test sample.apk PLATFORM_DIR 

 

No optimization options enabled.

 

Would someone kindly look into this? Test apk attached at http://box.myqsc.com/-16232127
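
What the Java compiler makes of the captured `passview` in the snippet above, as an added example that is not part of the original thread or of FlowDroid: the anonymous listener gets a compiler-generated field that its constructor fills in, so a data-flow analysis has to follow the value through that field into a callback the framework invokes later. `CaptureDemo`, its stand-in `EditText`/`OnClickListener` types and the sample string are assumptions made so the program runs on a plain JVM without the Android SDK.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.Arrays;

// Added illustration; the nested types are hypothetical stand-ins for the Android classes.
public class CaptureDemo {
    interface OnClickListener { void onClick(); }   // stand-in for View.OnClickListener

    static class EditText {                         // stand-in for android.widget.EditText
        String getText() { return "hunter2"; }      // constructed sample value
    }

    static OnClickListener register() {
        final EditText passview = new EditText();   // plays the role of findViewById(...)
        return new OnClickListener() {              // compiled to its own class, CaptureDemo$1
            @Override
            public void onClick() {
                // Reads the listener object's captured copy, not the local in register().
                System.out.println("sink <- " + passview.getText());
            }
        };
    }

    public static void main(String[] args) {
        OnClickListener listener = register();
        Class<?> cls = listener.getClass();
        System.out.println("listener class: " + cls.getName());

        // The captured local appears as a synthetic field (javac names it val$passview).
        for (Field f : cls.getDeclaredFields()) {
            System.out.println("field: " + f.getType().getSimpleName() + " " + f.getName()
                    + " synthetic=" + f.isSynthetic());
        }

        // The constructor receives the captured value as a parameter and stores it.
        for (Constructor<?> k : cls.getDeclaredConstructors()) {
            System.out.println("ctor params: " + Arrays.toString(k.getParameterTypes()));
        }

        // The callback runs after register() has returned, as it would when
        // the framework dispatches a click.
        listener.onClick();
    }
}
```

In the Activity from the thread the enclosing method is an instance method, so the listener class additionally holds a synthetic reference to the enclosing Activity.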

