[Soot-list] FlowDroid's handling on dynamically-registered broadcast receivers
Bodden, Eric
eric.bodden at sit.fraunhofer.de
Wed Oct 8 03:43:09 EDT 2014
Hi Roy.
Please have a look at our paper. As we explain there, FlowDroid implements an iterative process. It produces an initial call graph, discovers callbacks, inserts them into the dummy-main method and then computes a new call graph, etc.
Cheers,
Eric
On 08.10.2014, at 05:55, Roy Liu <royliudev at gmail.com> wrote:
> Hi All,
>
> I'm experimenting with FlowDroid by extending it a little bit to print more information on the input APK.
> One issue that I noticed is FlowDroid's handling of dynamically-registered broadcast receiver(s) within an app.
>
> On an iBanking malware sample that I observed, I notice that there exists a dynamic registration operation
> of a broadcast receiver due to the following statement:
>
> "virtualinvoke $r0.<com.soft360.iService.AService: android.content.Intent
> registerReceiver(android.content.BroadcastReceiver,android.content.IntentFilter)>($r8, $r7)",
>
> where $r8 is defined in an earlier operation: $r8 = new com.soft360.iService.SmsReceiver.
> The issue is that, when I print all methods that are reachable from the entry-point classes' methods
> (derived from SetupApplication app.getEntrypointClasses()) using the following code snippet,
> the broadcast receiver's declared callback method (e.g. onReceive()) is still not listed, thus making it
> practically unreachable within the app.
>
> appStartingMethods = new LinkedHashSet<SootMethod>();
> // Seed with every method of each entry-point class
> for (SootClass aClass : appEntryPointClasses.values()) {
>     for (SootMethod aMethod : aClass.getMethods())
>         appStartingMethods.add(aMethod);
> }
>
> List<MethodOrMethodContext> startingMethodList = new ArrayList<MethodOrMethodContext>();
> startingMethodList.addAll(appStartingMethods);
>
> // Print everything the current call graph reaches from those seeds
> ReachableMethods rm = new ReachableMethods(Scene.v().getCallGraph(), startingMethodList);
> rm.update();
> Iterator<MethodOrMethodContext> allReachableMethods = rm.listener();
> while (allReachableMethods.hasNext()) {
>     SootMethod method = allReachableMethods.next().method();
>     System.out.println(method.getSignature());
> }
>
> Hence, my question is whether such handling of a dynamically-registered broadcast receiver is currently
> omitted within FlowDroid. And if so, how can the receiver somehow be added into the app's entry points.
>
> Many thanks for any help on this!
>
> Thanks and regards,
> Roy Liu
--
Prof. Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
Head of Secure Software Engineering at Fraunhofer SIT, TU Darmstadt and EC SPRIDE
Tel: +49 6151 16-75422 Fax: +49 6151 869-127
Room B5.11, Fraunhofer SIT, Rheinstraße 75, 64295 Darmstadt
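
A toy model of the iterative process described in the reply above, added here as an illustration; it is not FlowDroid or Soot code and does not come from either poster. It shows why a receiver passed to registerReceiver() only becomes reachable after a second call-graph round. The two maps and the method names `setup` and `forward` are constructed for the example.

```java
import java.util.*;

// Toy model (constructed data): no Soot or FlowDroid classes are used.
public class CallbackFixpoint {
    // method -> methods it calls directly
    static final Map<String, List<String>> CALLS = Map.of(
        "AService.onCreate", List.of("AService.setup"),
        "AService.setup", List.of(),
        "SmsReceiver.onReceive", List.of("SmsReceiver.forward"),
        "SmsReceiver.forward", List.of());

    // method -> receiver classes it passes to registerReceiver()
    static final Map<String, List<String>> REGISTERS = Map.of(
        "AService.setup", List.of("SmsReceiver"));

    // Reachability over CALLS, starting from the methods the dummy main invokes.
    static Set<String> reachable(Set<String> dummyMainCallees) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> work = new ArrayDeque<>(dummyMainCallees);
        while (!work.isEmpty()) {
            String m = work.pop();
            if (seen.add(m)) work.addAll(CALLS.getOrDefault(m, List.of()));
        }
        return seen;
    }

    public static void main(String[] args) {
        // Round 0: the dummy main only invokes component lifecycle methods.
        Set<String> dummyMain = new LinkedHashSet<>(List.of("AService.onCreate"));
        boolean changed = true;
        for (int round = 0; changed; round++) {
            changed = false;
            Set<String> reach = reachable(dummyMain);
            System.out.println("round " + round + ": " + reach);
            // Callback discovery: a registration seen in reachable code adds
            // the receiver's onReceive() to the dummy main for the next round.
            for (String m : reach)
                for (String receiver : REGISTERS.getOrDefault(m, List.of()))
                    changed |= dummyMain.add(receiver + ".onReceive");
        }
    }
}
```

The loop stops once a round discovers no new callback, which is the fixed point of the "build call graph, discover callbacks, extend dummy main" cycle.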