[Soot-list] Flowdroid cannot identify simple password text flow

Johannes Lerch lerch at st.informatik.tu-darmstadt.de
Mon Dec 15 12:13:01 EST 2014


Hi Steven,

can you write some more words why "Anonymous inner classes are supposed 
not to access any final fields of their enclosing methods"? This is not 
apparent to me.
Maybe you can as well elaborate why this is a challenge for FlowDroid. 
What is different to other fields? Is it because of the representation 
in byte code or Jimple?

Regards,
Johannes


On 15.12.14 17:09, Steven Arzt wrote:
>
> Hi,
>
> This is one of the loose ends we still have. Anonymous inner classes are 
> supposed not to access any final fields of their enclosing methods. 
> This is on the long list of possible enhancements we can still do at 
> some point. It has nothing to do with password fields or UI elements 
> in general -- that could also be a getDeviceId() or anything else.
>
> By the way, I am currently looking for a student who wants to work on 
> integrating a more precise sink model into FlowDroid; I'm sure you 
> remember the conversation we had on this. Hopefully, I'll find someone 
> decent and we can make progress on that.
>
> Best regards,
>
>   Steven
>
> *From:* soot-list-bounces at CS.McGill.CA 
> [mailto:soot-list-bounces at CS.McGill.CA] *On behalf of* flanker017
> *Sent:* Monday, 15 December 2014 15:16
> *To:* soot-list at cs.mcgill.ca
> *Subject:* [Soot-list] Flowdroid cannot identify simple password text flow
>
> Hi:
>
> For the following code snippets:
>
>     final EditText passview = (EditText) findViewById(R.id.editText1); // password view
>     Button button = (Button) findViewById(R.id.button1);
>     button.setOnClickListener(new OnClickListener() {
>         @Override
>         public void onClick(View v) {
>             Log.d("log", passview.getText().toString());
>         }
>     });
>
> FlowDroid cannot identify the flow. DroidBench also doesn't cover this 
> indirect case. If I move Log.d outside the onClick directly after 
> passview assignment, FlowDroid would find the flow.
>
> Command line options are: java -cp 
> soot-trunk.jar:soot-infoflow.jar:soot-infoflow-android.jar:slf4j-api-1.7.5.jar:slf4j-simple-1.7.5.jar:axml-2.0.jar 
> soot.jimple.infoflow.android.TestApps.Test sample.apk PLATFORM_DIR
>
> No optimization options enabled.
>
>  Would someone kindly look into this? Test apk attached at 
> http://box.myqsc.com/-16232127
>
>
>
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
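
On the bytecode-representation question raised in this message: javac compiles a final local captured by an anonymous class into a synthetic field of that class, filled in through its constructor, so the read inside onClick is a field read on the listener object. The following is an added example, not code from the thread or from FlowDroid; OnClickListener and EditText are plain-Java stand-ins, SINK stands in for Log.d, and the password value is constructed.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.Arrays;

public class CapturedLocalDemo {
    // Hypothetical plain-Java stand-ins for Android's OnClickListener and EditText.
    interface OnClickListener { void onClick(); }

    static final class EditText {
        private final String text;
        EditText(String text) { this.text = text; }
        String getText() { return text; }
    }

    // Stand-in for the Log.d sink in the snippet.
    static final StringBuilder SINK = new StringBuilder();

    static OnClickListener register() {
        final EditText passview = new EditText("constructed-password"); // constructed sample
        return new OnClickListener() {
            @Override
            public void onClick() {
                // Compiled as a read of the listener's synthetic field, not of the local.
                SINK.append(passview.getText());
            }
        };
    }

    public static void main(String[] args) throws Exception {
        OnClickListener listener = register();
        Class<?> cls = listener.getClass();
        System.out.println("listener class: " + cls.getName());
        // The captured value is handed over as a constructor argument ...
        for (Constructor<?> ctor : cls.getDeclaredConstructors()) {
            System.out.println("constructor parameters: " + Arrays.toString(ctor.getParameterTypes()));
        }
        // ... and stored in a compiler-generated field (javac names it val$passview).
        for (Field field : cls.getDeclaredFields()) {
            field.setAccessible(true);
            Object value = field.get(listener);
            System.out.println(field.getName() + " synthetic=" + field.isSynthetic()
                    + " holds EditText=" + (value instanceof EditText));
        }
        // The callback runs later, after register() has returned, and reaches the sink.
        listener.onClick();
        System.out.println("sink received: " + SINK);
    }
}
```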
