[Soot-list] FlowDroid's handling on dynamically-registered broadcast receivers

Roy Liu royliudev at gmail.com
Thu Oct 9 03:38:17 EDT 2014


Hi Eric,

Actually I put my code snippet in FlowDroid's
soot/jimple/infoflow/android/TestApps/Test.java file,
within its "private static InfoflowResults runAnalysis(final String fileName, final String androidJar)" class method,
right after the following statement:

    final InfoflowResults res = app.runInfoflow(new MyResultsAvailableHandler());

That is, the code snippet gets executed only after FlowDroid has
completed all its taint analysis
and printed all the found paths connecting the defined source-sink pairs.
By this point, I assume that
all of FlowDroid's iterative call-graph generation process has completed
as well.

The issue, I guess, is not about the iterative call-graph generation
process, but rather whether any dynamically/programmatically
registered broadcast receiver components within an Android
app are, at some point, also added
into the app's entry point classes. If not, can you give a kind pointer on
how I may add this into the app's entry point classes?

Thanks a lot!

Cheers,
Roy

On Wed, Oct 8, 2014 at 3:43 PM, Bodden, Eric <eric.bodden at sit.fraunhofer.de>
wrote:

> Hi Roy.
>
> Please have a look at our paper. As we explain there, FlowDroid implements
> an iterative process. It produces an initial call graph, discovers
> callbacks, inserts them into the dummy-main method and then computes a new
> call graph, etc.
>
> Cheers,
> Eric
>
>
> On 08.10.2014, at 05:55, Roy Liu <royliudev at gmail.com> wrote:
>
> > Hi All,
> >
> > I'm experimenting with FlowDroid by extending it a little bit to print
> > more information on the input APK.
> > One issue that I noticed is FlowDroid's handling on
> > dynamically-registered broadcast receiver(s) within an app.
> >
> > On an iBanking malware sample that I observed, I notice that there
> > exists a dynamic registration operation
> > of a broadcast receiver due to the following statement:
> >
> >     "virtualinvoke $r0.<com.soft360.iService.AService: android.content.Intent registerReceiver(android.content.BroadcastReceiver,android.content.IntentFilter)>($r8, $r7)",
> >
> > where $r8 is defined in an earlier operation: $r8 = new
> > com.soft360.iService.SmsReceiver.
> > The issue is that, when I print all methods that are reachable from the
> > entry-point classes' methods
> > (derived from SetupApplication app.getEntrypointClasses()) using the
> > following code snippet,
> > the broadcast receiver's declared callback method (e.g. onReceive()) is
> > still not listed, thus making it
> > practically unreachable within the app.
> >
> >     // Collect every method declared by the entry-point classes
> >     appStartingMethods = new LinkedHashSet<SootMethod>();
> >     for (SootClass aClass: appEntryPointClasses.values()) {
> >         for (SootMethod aMethod: aClass.getMethods())
> >             appStartingMethods.add(aMethod);
> >     }
> >
> >     List<MethodOrMethodContext> startingMethodList = new ArrayList<MethodOrMethodContext>();
> >     startingMethodList.addAll(appStartingMethods);
> >
> >     // Walk the call graph from those methods and print everything reachable
> >     ReachableMethods rm = new ReachableMethods(Scene.v().getCallGraph(), startingMethodList);
> >     rm.update();
> >     Iterator<MethodOrMethodContext> allReachableMethods = rm.listener();
> >     while (allReachableMethods.hasNext()) {
> >         SootMethod method = allReachableMethods.next().method();
> >         System.out.println(method.getSignature());
> >     }
> >
> > Hence, my question is whether such handling of a dynamically-registered
> > broadcast receiver is currently
> > omitted within FlowDroid. And if so, how can the receiver somehow be
> > added into the app's entry points?
> >
> > Many thanks for any help on this!
> >
> > Thanks and regards,
> > Roy Liu
>
> --
> Prof. Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
> Head of Secure Software Engineering at Fraunhofer SIT, TU Darmstadt and EC
> SPRIDE
> Tel: +49 6151 16-75422    Fax: +49 6151 869-127
> Room B5.11, Fraunhofer SIT, Rheinstraße 75, 64295 Darmstadt
>
>
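
A coverage check for the situation discussed in this thread, as an added example that is not code from the original post or from FlowDroid: it scans application classes for registerReceiver() call sites and reports receiver classes whose onReceive() is missing from Soot's set of reachable methods, which means flows through that receiver are not analysed. It assumes it runs after app.runInfoflow() while the Soot Scene is still populated; the class name DynamicReceiverCheck is hypothetical, and taking the receiver class from the static type of the first argument is an approximation.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.Set;

import soot.RefType;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.Type;
import soot.Unit;
import soot.jimple.InvokeExpr;
import soot.jimple.Stmt;
import soot.jimple.toolkits.callgraph.ReachableMethods;

public class DynamicReceiverCheck {  // hypothetical helper, not part of FlowDroid
    static final String ON_RECEIVE =
        "void onReceive(android.content.Context,android.content.Intent)";

    /** Receiver classes passed to registerReceiver() whose onReceive() is not reachable. */
    public static Set<SootClass> unreachableReceivers() {
        // Reachability from Scene entry points (FlowDroid's dummy main), not from class lists
        ReachableMethods reachable = Scene.v().getReachableMethods();
        Set<SootClass> missing = new LinkedHashSet<SootClass>();
        // Copy the collections: loading bodies may modify the Scene while we iterate
        for (SootClass cls : new ArrayList<SootClass>(Scene.v().getApplicationClasses())) {
            for (SootMethod m : new ArrayList<SootMethod>(cls.getMethods())) {
                if (!m.isConcrete()) continue;           // abstract/native: no body to scan
                for (Unit u : m.retrieveActiveBody().getUnits()) {
                    Stmt s = (Stmt) u;                   // Jimple units are Stmts
                    if (!s.containsInvokeExpr()) continue;
                    InvokeExpr inv = s.getInvokeExpr();
                    if (!inv.getMethod().getName().equals("registerReceiver")
                            || inv.getArgCount() < 1) continue;
                    // Approximation: static type of the argument local (e.g. $r8 above)
                    Type t = inv.getArg(0).getType();
                    if (!(t instanceof RefType)) continue;   // e.g. a null constant
                    SootClass recv = ((RefType) t).getSootClass();
                    if (recv.declaresMethod(ON_RECEIVE)
                            && !reachable.contains(recv.getMethod(ON_RECEIVE)))
                        missing.add(recv);
                }
            }
        }
        return missing;
    }
}
```

If the local is typed only as android.content.BroadcastReceiver, the check finds no declared onReceive() on that abstract type and skips the call site, so an empty result does not prove full coverage.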