[Soot-list] FlowDroid's handling on dynamically-registered broadcast receivers
Roy Liu
royliudev at gmail.com
Thu Oct 9 03:38:17 EDT 2014
Hi Eric,

Actually, I put my code snippet in FlowDroid's soot/jimple/infoflow/android/TestApps/Test.java file, within its "private static InfoflowResults runAnalysis(final String fileName, final String androidJar)" class method, right after the following statement:

final InfoflowResults res = app.runInfoflow(new MyResultsAvailableHandler());

That is, the code snippet gets executed only after FlowDroid has completed all its taint analysis and printed all the found paths connecting the defined source-sink pairs. By this point, I assume that all of FlowDroid's iterative call-graph generation process has completed as well.

The issue, I guess, is not about the iterative call-graph generation process, but rather whether any dynamically/programmatically registered broadcast receiver components within an Android app are, at some point, also added into the app's entry point classes. If not, can you give a kind pointer on how I may add this into the app's entry point classes?

Thanks a lot!

Cheers,
Roy

On Wed, Oct 8, 2014 at 3:43 PM, Bodden, Eric <eric.bodden at sit.fraunhofer.de>
wrote:
> Hi Roy.
>
> Please have a look at our paper. As we explain there, FlowDroid implements
> an iterative process. It produces an initial call graph, discovers
> callbacks, inserts them into the dummy-main method and then computes a new
> call graph, etc.
>
> Cheers,
> Eric
>
>
> On 08.10.2014, at 05:55, Roy Liu <royliudev at gmail.com> wrote:
>
> > Hi All,
> >
> > I'm experimenting with FlowDroid by extending it a little bit to print more information on the input APK.
> > One issue that I noticed is FlowDroid's handling on dynamically-registered broadcast receiver(s) within an app.
> >
> > On an iBanking malware sample that I observed, I notice that there exists a dynamic registration operation
> > of a broadcast receiver due to the following statement:
> >
> > "virtualinvoke $r0.<com.soft360.iService.AService: android.content.Intent registerReceiver(android.content.BroadcastReceiver,android.content.IntentFilter)>($r8, $r7)",
> >
> > where $r8 is defined in an earlier operation: $r8 = new com.soft360.iService.SmsReceiver.
> > The issue is that, when I print all methods that are reachable from the entry-point classes' methods
> > (derived from SetupApplication app.getEntrypointClasses()) using the following code snippet,
> > the broadcast receiver's declared callback method (e.g. onReceive()) is still not listed, thus making it
> > practically unreachable within the app.
> >
> >     appStartingMethods = new LinkedHashSet<SootMethod>();
> >     for (SootClass aClass: appEntryPointClasses.values()) {
> >         for (SootMethod aMethod: aClass.getMethods())
> >             appStartingMethods.add(aMethod);
> >     }
> >
> >     List<MethodOrMethodContext> startingMethodList = new ArrayList<MethodOrMethodContext>();
> >     startingMethodList.addAll(appStartingMethods);
> >
> >     ReachableMethods rm = new ReachableMethods(Scene.v().getCallGraph(), startingMethodList);
> >     rm.update();
> >     Iterator<MethodOrMethodContext> allReachableMethods = rm.listener();
> >     while (allReachableMethods.hasNext()) {
> >         SootMethod method = allReachableMethods.next().method();
> >         System.out.println(method.getSignature());
> >     }
> >
> > Hence, my question is whether such handling of a dynamically-registered broadcast receiver is currently
> > omitted within FlowDroid. And if so, how can the receiver somehow be added into the app's entry points.
> >
> > Many thanks for any help on this!
> >
> > Thanks and regards,
> > Roy Liu
>
> --
> Prof. Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
> Head of Secure Software Engineering at Fraunhofer SIT, TU Darmstadt and EC
> SPRIDE
> Tel: +49 6151 16-75422 Fax: +49 6151 869-127
> Room B5.11, Fraunhofer SIT, Rheinstraße 75, 64295 Darmstadt
>
>
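
A diagnostic for the situation discussed in this thread, as an added example that is not part of the original messages and not FlowDroid's own code: it lists every receiver class passed to a `registerReceiver()` call site and reports whether that class's `onReceive()` is in a given reachable-method set. It assumes Soot is on the classpath and the Scene holds the final call graph; the class name `DynamicReceiverReport` and the method `scan` are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.Map;
import soot.RefType;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.SootMethodRef;
import soot.Type;
import soot.Unit;
import soot.jimple.Stmt;
import soot.jimple.toolkits.callgraph.ReachableMethods;

// Hypothetical helper, not part of Soot or FlowDroid.
public class DynamicReceiverReport {
    static final String RECEIVER = "android.content.BroadcastReceiver";
    static final String ON_RECEIVE =
        "void onReceive(android.content.Context,android.content.Intent)";

    /** Receiver class at each registerReceiver() call -> is its onReceive() reachable? */
    public static Map<SootClass, Boolean> scan(ReachableMethods reachable) {
        Map<SootClass, Boolean> report = new LinkedHashMap<SootClass, Boolean>();
        // Iterate over copies: loading method bodies can modify the live collections.
        for (SootClass sc : new ArrayList<SootClass>(Scene.v().getApplicationClasses())) {
            for (SootMethod m : new ArrayList<SootMethod>(sc.getMethods())) {
                if (!m.isConcrete()) continue;
                for (Unit u : m.retrieveActiveBody().getUnits()) {
                    if (!(u instanceof Stmt) || !((Stmt) u).containsInvokeExpr()) continue;
                    SootMethodRef ref = ((Stmt) u).getInvokeExpr().getMethodRef();
                    // Match by name and first parameter type, so calls through any
                    // Context subclass (AService in the quoted statement) are found.
                    if (!ref.name().equals("registerReceiver")
                            || ref.parameterTypes().isEmpty()
                            || !ref.parameterTypes().get(0).toString().equals(RECEIVER)) continue;
                    // Declared type of the receiver argument ($r8 in the quoted statement).
                    // This is the local's static type and may be a supertype.
                    Type t = ((Stmt) u).getInvokeExpr().getArg(0).getType();
                    if (!(t instanceof RefType)) continue; // e.g. a null constant
                    SootClass receiver = ((RefType) t).getSootClass();
                    boolean ok = receiver.declaresMethod(ON_RECEIVE)
                        && reachable.contains(receiver.getMethod(ON_RECEIVE));
                    report.put(receiver, ok);
                }
            }
        }
        return report;
    }
}
```

Called as `DynamicReceiverReport.scan(rm)` after `rm.update()` in the quoted snippet, a `false` entry marks a dynamically registered receiver whose `onReceive()` the call graph does not reach.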