[Soot-list] Missing call edges(For Spark, not CHA) while invoking Android APIs in FlowDroid
Yu Feng
fengyu8299 at gmail.com
Mon Feb 9 13:04:47 EST 2015
Hi,
I have a quick question regarding FlowDroid:
Suppose 'foo' is reachable from the "dummyMain" in FlowDroid,
foo() {
$r3 = virtualinvoke $r0.<com.GoldDream.zj.zjService:
java.lang.Object getSystemService(java.lang.String)>($r2);
$r1 = $r3;
$r4 = (android.telephony.TelephonyManager) $r1;
$r5 = virtualinvoke $r4.<android.telephony.TelephonyManager:
java.lang.String getDeviceId()>();
}
If I build the call graph for this code snippet, it should have at least
two edges:
1. foo -> getSystemService
2. foo-> getDeviceId
For CHA it looks correct, but for Spark, the second edge is missing because
the points-to set of $r3 is empty.
I thought most of the Android APIs(like getSystemService) are handled
properly in FlowDroid and why it still returns an empty set regarding this
case.
What should I do if I need to get a sound call graph(based on Spark, not
CHA) from FlowDroid?
Thanks so much,
Yu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20150209/253ca118/attachment.html
More information about the Soot-list
mailing list