[Soot-list] FlowDroid's handling on dynamically-registered broadcast receivers

Bodden, Eric eric.bodden at sit.fraunhofer.de
Wed Oct 8 03:43:09 EDT 2014 

Hi Roy.

Please have a look at our paper. As we explain there, FlowDroid implements an iterative process. It produces an initial call graph, discovers callbacks, inserts them into the dummy-main method and then computes a new call graph, etc.

Cheers,
Eric


On 08.10.2014, at 05:55, Roy Liu <royliudev at gmail.com> wrote:

> Hi All,
> 
> I'm experimenting with FlowDroid by extending it a little bit to print more information on the input APK.
> One issue that I noticed is FlowDroid's handling on dynamically-registered broadcast receiver(s) within an app.
> 
> On an iBanking malware sample that I observed, I notice that there exists a dynamic registration operation 
> of a broadcast receiver due to the following statement:
> 
>     "virtualinvoke $r0.<com.soft360.iService.AService: android.content.Intent 
>      registerReceiver(android.content.BroadcastReceiver,android.content.IntentFilter)>($r8, $r7)",
> 
> where $r8 is defined in an earlier operation: $r8 = new com.soft360.iService.SmsReceiver.
> The issue is that, when I print all methods that are reachable from the entry-point classes' methods
> (derived from SetupApplication app.getEntrypointClasses()) using the following code snippet, 
> the broadcast receiver's declared callback method (e.g. onReceive()) is still not listed, thus making it
> practically unreachable within the app. 
> 
> 		appStartingMethods = new LinkedHashSet<SootMethod>();
> 		for (SootClass aClass: appEntryPointClasses.values()) {
> 			for (SootMethod aMethod: aClass.getMethods())
> 				appStartingMethods.add(aMethod);
> 		}
> 		
> 		List<MethodOrMethodContext> startingMethodList = new ArrayList<MethodOrMethodContext>();
> 		startingMethodList.addAll(appStartingMethods);
>     	        
>                 ReachableMethods rm = new ReachableMethods(Scene.v().getCallGraph(), startingMethodList);
> 		rm.update();
> 		Iterator<MethodOrMethodContext> allReachableMethods = rm.listener(); 
> 		while (allReachableMethods.hasNext()) {
> 			SootMethod method = allReachableMethods.next().method();
>                         System.out.println(method.getSignature());
> 		}
> 
> Hence, my question is whether such handling of a dynamically-registered broadcast receiver is currently 
> omitted within FlowDroid. And if so, how can the receiver somehow be added into the app's entry points.
> 
> Many thanks for any helps on this!
> 
> Thanks and regards,
> Roy Liu
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list

--
Prof. Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
Head of Secure Software Engineering at Fraunhofer SIT, TU Darmstadt and EC SPRIDE
Tel: +49 6151 16-75422    Fax: +49 6151 869-127
Room B5.11, Fraunhofer SIT, Rheinstraße 75, 64295 Darmstadt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20141008/1b031d77/attachment.bin

More information about the Soot-list mailing list