[Soot-list] A question about dummyMain of FlowDroid

ll lljjkkzz001 at 126.com
Tue May 23 09:13:36 EDT 2017 

Hi all,


I tried to use the flowdroid to detect an apk, there is  a class extends AppWidgetProvider in the apk  and I found no any edge in the class found in call graph. 
I made some try but did not work, here is the detailed information that I really expect to get your help: 


the subClass is :
public class WidgetProvider extends BaseWidgetProvider{
       ....
       ....
       onReceive() ...
}


the parentClass is :
public abstract class BaseWidgetProvider extends AppWidgetProvider{
     ...
     @overide
     public void onUpdate(Context context,AppWidgetManager appWidgetManager,int[] appWidegtIds){
                ...
                new BulkUpdateAsyncTask(....).execute((Void[]) null);
     }
}


I want to find the implicit call chain : WidgetProvider::onUpdate()--> BulkUpdateAsyncTask::execute --> BulkUpdateAsyncTask::doInbackground, but I could not find the call chain, so I try to look at the source code of flowDroid , the following is my analysis of the possible reasons:  
           "when FlowDroid constructed the dummyMain ,  The WidgetProvider is only considered to be the normal BroadcastReceiver ,  only invoked 'onReceive()' in the dummyMain.  "


So I try to add the stmt in generateBroadcastReceiverLifecycle() at AndroidEntryPointCreator.java:
|
| Stmt onReceiveStmt = searchAndBuildMethod(AndroidEntryPointConstants.BROADCAST_ONRECEIVE, currentClass, entryPoints, classLocal); |
  +Stmt onUpdateStmt = searchAndBuildMethod(AndroidEntryPointConstants.AppWIDGETPROVIDER_ONUPDATE,currentClass, entryPoints) 


AndroidEntryPointConstants.AppWIDGETPROVIDER_ONUPDATE is "void onUpdate(android.content.Context,android.appwidget.AppWidgetManager,int[])"


Unfortunately, The above changes have no other effect 。I still did not find  any edge about the update() through the code :calligraph.edgesInto(m)  、calligraph.edgesOutOf(m)
More perplexing ,I also did not find any edge about the BaseWidgetProvider::onReceive() through calligraph Whether or not I added the above onUpdateStmt.
Finally,I tried to look the dummymain , and find an important fact:
In the previous constructs, there are widgetProvider local value. but in the last construct dummymain, no the local value.  


What is the reason for this?  Could you give me some advice about solving the problem?


I am looking forward to your reply! 


ps: the option is below:
------------------------------------------------------------------------------------------------------------------------------------------------------
soot.G.reset();
Options.v().set_keep_line_number(true);
SetupApplication app = new SetupApplication(androidJar, fileName);
try{
   app.calculateSourcesSinksEntrypoints(.\\SourcesAndSinks.txt);
}catch(Exception e){
  e.printStackTrace();
}
Options.v().set_src_prec(Options.src_prec_apk);
Options.v().set_process_dir(Collections.singletonList(fileName));
Options.v().set_force_android_jar("D:\\SDK\\Android\\android-sdk\\platforms\\android-24");
Options.v().set_whole_program(true);
Options.v().set_allow_phantom_refs(true);
Options.v().set_output_format(Options.output_format_none);
Options.v().setPhaseOption("cg.spark verbose:true","on");
Options.v().setPhaseOption("cg.spark","vta:true");


List<String> excludeList = new LinkedList<String>();
excludeList.add("java.*");
excludeList.add("sun.*");
excludeList.add("android.*");
excludeList.add("org.apache.*");
excludeList.add("soot.*");
excludeList.add("javax.servlet.*");
Options.v().set_exclude(excludeList);
Options.v().set_no_bodies_for_excluded(true);
app.getConfig().setEnableImplicitFlows(false);


Scene.v().loadNecessaryClasses();
SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
Options.v().set_main_class(entryPoint.getSignature());
Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
PackManager.v().runPacks(
------------------------------------------------------------------------------------------------------------------------------------------------------


thanks,
Jia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20170523/e6547d51/attachment.html>

More information about the Soot-list mailing list