[Soot-list] -allow-phantom-refs necessary for Android decompilation

Jan Peter Stotz jan-peter.stotz at sit.fraunhofer.de
Sat Nov 3 08:11:21 EDT 2018


Hi Gregor,

you are right, a lot of Android apps require phantom refs enabled.

Your app uses android.app.ActivityThread which is AFAIK not part of 
the official API. As Soot by default only uses the android.jar libraries 
of the Android SDK it only knows about the public API. I assume that 
this is the reason for the phantom ref enabled requirement in your case.

But there is a second reason which can require phantom refs:

The Android API changes from Android version to Android version; classes 
and methods are added but sometimes also removed. Soot uses the 
android.jar that belongs to the API version the app defines in its 
manifest. However, it is possible to add code to an Android app that uses 
code from a different API (e.g. a method annotated with @RequiresApi).

Therefore, no matter which API version of android.jar you use, you can end 
up with class or method references that don't exist in the android.jar 
currently used by Soot. Hence you need phantom refs enabled.

Jan

> I've just been trying to get Soot set up in a simple program to take in 
> an Android APK and decompile it. I started off by following this tutorial:
> https://github.com/Sable/soot/wiki/Instrumenting-Android-Apps-with-Soot
> 
> To get it working however, I had to use the -allow-phantom-refs flag -- 
> otherwise I'd always receive things like:
> "soot.SootResolver$SootClassNotFoundException: couldn't find class: 
> android.app.ActivityThread (is your soot-class-path set properly?)"
> (The actual class not found varies depending on the APK)
> 
> I've tried going through the source code for FlowDroid and a couple of 
> other static analysis tools to see if they use this flag too, and found 
> a lot of "Options.v().set_allow_phantom_refs(true);", but since it 
> defaults to false, perhaps there are a lot of occasions when it doesn't 
> use this flag.
> 
> My question is, in the context of APK static analysis, is it 
> recommended/required to use this flag? From my understanding, these 
> class references are coming from the APK code itself, so perhaps it 
> really isn't necessary to go to the extra effort of including these in 
> my soot-class-path? Any help would be greatly appreciated.
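As an added example (not code from the thread or from the Soot project), a minimal Java setup that loads an APK into Soot with phantom refs enabled, as discussed above, and then lists the classes Soot could only resolve as phantoms, so a missing class like android.app.ActivityThread shows up as a visible gap in the analysis rather than an exception. The APK path and the SDK platforms directory are assumed placeholders.

```java
import java.util.Collections;
import soot.G;
import soot.PackManager;
import soot.Scene;
import soot.SootClass;
import soot.options.Options;

/** Loads an APK into Soot with phantom refs enabled and reports unresolved (phantom) classes. */
public class PhantomRefCheck {

    // Placeholder inputs (assumed): the APK under analysis and the SDK "platforms" directory
    // holding android-<api>/android.jar, from which Soot picks the API level named in the manifest.
    private static final String APK_PATH = "/path/to/app.apk";
    private static final String ANDROID_PLATFORMS = "/path/to/android-sdk/platforms";

    public static void main(String[] args) {
        G.reset(); // start from a clean Soot singleton state

        Options.v().set_src_prec(Options.src_prec_apk);
        Options.v().set_process_dir(Collections.singletonList(APK_PATH));
        Options.v().set_android_jars(ANDROID_PLATFORMS);
        Options.v().set_output_format(Options.output_format_none);
        Options.v().set_process_multiple_dex(true);

        // Without this, any reference to a class missing from the chosen android.jar
        // (non-public API such as android.app.ActivityThread, or a class from another API
        // level behind @RequiresApi) aborts class loading with SootClassNotFoundException.
        Options.v().set_allow_phantom_refs(true);

        Scene.v().loadNecessaryClasses();

        // Phantom refs turn missing classes into empty placeholders instead of errors.
        // Listing them shows exactly what the analysis cannot see, so deciding between
        // accepting the gap and adding the class to the soot-class-path is an informed choice.
        int phantomCount = 0;
        for (SootClass sc : Scene.v().getClasses()) {
            if (sc.isPhantom()) {
                phantomCount++;
                System.out.println("phantom class: " + sc.getName());
            }
        }
        System.out.println(phantomCount + " phantom class(es); their methods have no bodies,"
                + " so calls into them are opaque to the analysis");

        PackManager.v().runPacks();
    }
}
```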

