[Soot-list] Doubts about flowdroid

Arzt, Steven steven.arzt at sit.fraunhofer.de
Fri Feb 9 11:10:53 EST 2018 

Hi Shaila,

Can you double-check your list of sources and sinks to make sure that getDeviceId() and Log.d() are actually marked a source or sink respectively? Furthermore, where did you put your test code? The code must be reachable inside the app. In other words, you cannot place your code, e.g., into a function that is never called. Lastly, to make sure that your local FlowDroid installation works, you can try to analyze apps from the DroidBench benchmark suite. Those example apps contain descriptions of the leaks that shall be found in their source code. We regularly test DroidBench with FlowDroid as part of our regular build and test cycle.,

Concerning the exit statement: The behavior of FlowDroid is correct. Note that FlowDroid runs two instances of the IFDS solver. One instance performs the forward taint propagation. The second one performs a backwards alias propagation. For this backwards alias propagation, the interprocedural control flow graph is reversed, i.e., an exit statement becomes an entry statement and vice versa.

Best regards,
  Steven

From: Soot-list [mailto:soot-list-bounces at cs.mcgill.ca] On Behalf Of Sri Shaila G
Sent: Friday, February 9, 2018 5:00 PM
To: soot-list at cs.mcgill.ca
Subject: [Soot-list] Doubts about flowdroid

Hi Steven,
I have 2 doubts regarding how flowdroid works.
Firstly, I created a simple android application that makes a function call to get the deviceID from the phone and passes the value as a string to another function which will write the value into a logfile. The code snippet is as follows

TelephonyManager manager = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
String deviceid = manager.getDeviceId();
//Device Id is IMEI number
Log.d("msg", "Device id" + deviceid);
System.out.println("msg Device id" + deviceid);
//callFunc
myFunc(deviceid);

public boolean myFunc(String info) {
    Log.d("msg", "Device id" + info);
    System.out.println("msg Device id++++" );
    return true;
}

However, it looks like flowdroid is not able to find the flow from the source function,

getDeviceId() to the sink function, d("msg", "Device id" + info). I am wondering why this might be the reason.


Secondly, I had inserted some print statements under the run function in the IFDSSolver.java file as shown below.

if(icfg.isExitStmt(edge.getTarget())
{
                    System.out.println("run(): ExitStmt: "+"edge: factAtSrc: " + edge.factAtSource()+" getTgt: "+edge.getTarget()+" factAtTgt: "+edge.factAtTarget());
        processExit(edge);
}

When I look at the output, I saw some statements like the following statements.

run(): ExitStmt: edge: factAtSrc: zero(null_type) <+length> | >> getTgt: $r0 := @this: com.android.tools.fd.runtime.BootstrapApplication      factAtTgt: _$r1(android.app.Application$OnProvideAssistDataListener) * <+length> | $r1 := @parameter0: android.app.Application$OnProvideAssistDataListener>>

This statement  does not look like an exit statement. I am wondering why it is considered as an exit statement. An exit statement is usually a return statement right?

Thank you so much for any clarifications.

Regards
Shaila

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20180209/ec9630d9/attachment.html>

More information about the Soot-list mailing list