[Soot-list] Missing call edges(For Spark, not CHA) while invoking Android APIs in FlowDroid

[Wei Yang]

Hi! Yu,
     I met the same issue before. I think it is because in " $r3 =
virtualinvoke $r0.<com.GoldDream.zj.zjService: java.lang.Object
getSystemService(java.lang.String)>($r2);", getSystemService is a factory
method belonging to Android SDK, so Spark cannot know where "r3" is
constructed and the actual type of it.
    One solution is to add a entry in the taint wrapper where flowdroid
will perform a lookup when it encounters a library method.

Best wishes,
David

2015-02-09 12:04 GMT-06:00 Yu Feng <fengyu8299 at gmail.com>:

> Hi,
>
> I have a quick question regarding FlowDroid:
>
> Suppose 'foo' is reachable from the "dummyMain" in FlowDroid,
>
> foo() {
>
>         $r3 = virtualinvoke $r0.<com.GoldDream.zj.zjService:
> java.lang.Object getSystemService(java.lang.String)>($r2);
>         $r1 = $r3;
>         $r4 = (android.telephony.TelephonyManager) $r1;
>         $r5 = virtualinvoke $r4.<android.telephony.TelephonyManager:
> java.lang.String getDeviceId()>();
>
> }
>
> If I build the call graph for this code snippet, it should have at least
> two edges:
> 1. foo -> getSystemService
> 2. foo-> getDeviceId
>
> For CHA it looks correct, but for Spark, the second edge is missing
> because the points-to set of $r3 is empty.
> I thought most of the Android APIs(like getSystemService) are handled
> properly in FlowDroid and why it still returns an empty set regarding this
> case.
> What should I do if I need to get a sound call graph(based on Spark, not
> CHA) from FlowDroid?
>
> Thanks so much,
> Yu
>
>
>
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20150209/ae2a4bf4/attachment.html