[Soot-list] Flowdroid cannot identify simple password text flow

Steven Arzt Steven.Arzt at cased.de
Mon Dec 15 12:20:31 EST 2014 

Hi Johannes,

 

I was imprecise in my last e-mail: The inner class as such is not the
problem, but the fact that the inner class is being used as a callback. If
the enclosing method would directly call a method on the inner class, we
wouldn't be in an any trouble at all. So we do support inner classes, but
not inner classes as callbacks that access stuff from the enclosing method.
Here's why:

 

This happens because we treat onClick like all other callbacks that can
happen in the Android operating system. To us, there is (almost) no
difference between a callback that notifies us of an incoming text message
and a callback that notifies us of a button click. Therefore, we assume that
such events can happen at every time.

 

When generating the dummy main method, we exploit this assumption. The dummy
main method emulates every possible order of callback method invocations:

 

lbl: If (opaque) a.onClick();

If (Opaque) goto lbl;

 

This however means that there is one big list of callbacks to be triggered
at every possible point in time. There is no more mapping between the
callback and its context - the dummy main method simply does not express any
relationship between the inner class implementing the onClick and its
enclosing method any more. For the dummy main method, this is just some
random class implementing some random callback.

 

To treat such accesses properly, we would have to somehow ensure a correct
taint propagation between the enclosing method and the callback in the inner
class which might run at a totally different position in the hosting
component's lifecycle. We would then need to model that the enclosing method
runs only once at a very precise point in time, but the contents of some
variable live longer and may be accessed at any arbitrary point in time.

 

Best regards,

  Steven

 

Von: Johannes Lerch [mailto:lerch at st.informatik.tu-darmstadt.de] 
Gesendet: Montag, 15. Dezember 2014 18:13
An: Steven Arzt
Cc: 'flanker017'; soot-list at CS.McGill.CA
Betreff: Re: [Soot-list] Flowdroid cannot identify simple password text flow

 

Hi Steven,

can you write some more words why "Anonymous inner classes are supposed not
to access any final fields of their enclosing methods"? This is not apparent
to me. 
Maybe you can as well elaborate why this is a challenge for FlowDroid. What
is different to other fields? Is it because of the representation in byte
code or Jimple?

Regards,
Johannes



Am 15.12.14 17:09, schrieb Steven Arzt:

Hi,

 

This one of the loose ends we still have. Anonymous inner classes are
supposed not to access any final fields of their enclosing methods. This is
on the long list of possible enhancements we can still do at some point. It
has nothing to do with password fields or UI elements in general - that
could also be a getDeviceId() or anything else.

 

By the way, I am currently looking for a student who wants to work on
integrating a more precise sink model into FlowDroid; I'm sure you remember
the conversation we had on this. Hopefully, I'll find someone decent and we
can make progress on that.

 

Best regards,

  Steven

 

Von: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA]
Im Auftrag von flanker017
Gesendet: Montag, 15. Dezember 2014 15:16
An: soot-list at cs.mcgill.ca
Betreff: [Soot-list] Flowdroid cannot identify simple password text flow

 

Hi:

 

For the following code snippets:

 

                    final EditText passview = (EditText)
findViewById(R.id.editText1); //password view
                    Button button = (Button) findViewById(R.id.button1);
                    button.setOnClickListener(new OnClickListener() {
                                           
                    @Override
                    public void onClick(View v) {
                                           Log.d("log",
passview.getText().toString());
                    }
                    });

 

FlowDroid cannot identify the flow. DroidBench also doesn't cover this
indirect case. If I move Log.d outside the onClick directly after passview
assignment, FlowDroid would find the flow.

 

Command line options are: java -cp
soot-trunk.jar:soot-infoflow.jar:soot-infoflow-android.jar:slf4j-api-1.7.5.j
ar:slf4j-simple-1.7.5.jar:axml-2.0.jar
soot.jimple.infoflow.android.TestApps.Test sample.apk PLATFORM_DIR 

 

No optimization options enabled.

 

 Would someone kindly look into this? Test apk attached at
<http://box.myqsc.com/-16232127> http://box.myqsc.com/-16232127







_______________________________________________
Soot-list mailing list
Soot-list at CS.McGill.CA
https://mailman.CS.McGill.CA/mailman/listinfo/soot-list

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20141215/9762255e/attachment-0001.html

More information about the Soot-list mailing list