arguslab / Argus-SAF

Argus static analysis framework
Apache License 2.0

API misuse checker is not accurate: only intra-procedural analysis done #55

Open terry2012 opened 5 years ago

terry2012 commented 5 years ago

Hi, thanks for the nice tool.

In your Amandroid paper, you said that the API misuse checker would be done as a plugin after generating the inter-procedural data dependency graph (DDG). The older versions of Amandroid did do this.

However, I found that the current API misuse checker only does very simple analysis. Basically, it just retrieves each class, obtains each method, and does intra-procedural dataflow analysis (via ExplicitValueFinder) if the method contains a targeted API call. Not only is no DDG generated, the call graph is also not produced during its analysis.

I verified this by reading the source code. For example, https://github.com/arguslab/Argus-SAF/blob/df2557a9654260d5dd933a15f52143bbd6da1f6d/amandroid/src/main/scala/org/argus/amandroid/plugin/apiMisuse/CryptographicMisuse.scala

So how can I enable accurate detection of API misuse? Or do you plan to re-add it in the recent versions of Amandroid? Thanks.

Btw, a related question is https://github.com/arguslab/Argus-SAF/issues/12.

terry2012 commented 5 years ago

Let me also attach a sample log of the current API misuse checker. Only dedexing bytecode, no call graph and no DDG.

$ time java -jar argus-saf_2.12-3.1.1-assembly.jar a -f -c CRYPTO_MISUSE com.qiyi.video.apk 
Total apks: 1
Analyzing #1:file:/home/dao/software/amanDroid/com.qiyi.video.apk
Dedexing... Total: 5874
[==================================================] 100.00% 14s556ms ETA: 0ms    
Dedexing... Total: 7932
[==================================================] 100.00% 18s673ms ETA: 0ms    
Dedexing... Total: 8146
[==================================================] 100.00% 18s712ms ETA: 0ms    
Dedexing... Total: 8912
[==================================================] 100.00% 16s380ms ETA: 0ms    
Dedexing... Total: 7473
[==================================================] 100.00% 6s477ms ETA: 0ms    
CryptographicMisuse:
  Lorg/qiyi/basecore/algorithm/AESAlgorithm;.encrypt:(Ljava/lang/String;)Ljava/lang/String; L1d2f02 : Use non-random IV!
  Lcom/coloros/mcssdk/c/c;.b:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; L30b506 : Use ECB mode!
  Lcom/qiyi/qyreact/modules/CryptoModule;.AES128Decrypt:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Lcom/facebook/react/bridge/Promise;)V L52c52c : Use non-random IV!
  Lcom/iqiyi/hcim/utils/encode/EncryptAES128Utils;.decrypt:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; L41ce54 : Use ECB mode!
  Lcom/iqiyi/paopao/a/aux;.eV:(Landroid/content/Context;)Ljava/io/InputStream; L474ab6 : Use ECB mode!
  Lcom/coloros/mcssdk/c/c;.a:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; L30b460 : Use ECB mode!
  Lorg/qiyi/video/o/aux;.decrypt:(Ljava/lang/String;Ljava/lang/String;[B)[B L3287fa : Use non-random IV!
  Lcom/iqiyi/passportsdk/interflow/c/aux;.o:(Ljava/lang/String;J)Ljava/lang/String; L5b474e : Use non-random IV!
  Lorg/qiyi/context/b/con;.init:(Landroid/content/Context;)V L28b5a4 : Use ECB mode!
  Lcom/hmt/analytics/a/nul;.encode:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; L2c0082 : Use non-random IV!
  Lorg/qiyi/basecore/algorithm/AESAlgorithm;.decrypt:(Ljava/lang/String;)Ljava/lang/String; L1d2e76 : Use non-random IV!
  Lcom/hmt/analytics/a/nul;.decode:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; L2bffda : Use non-random IV!
  Lcom/iqiyi/passportsdk/interflow/c/aux;.n:(Ljava/lang/String;J)Ljava/lang/String; L5b46b6 : Use non-random IV!
  Lcom/qiyi/qyreact/modules/CryptoModule;.AES128Encrypt:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Lcom/facebook/react/bridge/Promise;)V L52c5d0 : Use non-random IV!
  Lorg/qiyi/video/o/aux;.encrypt:(Ljava/lang/String;Ljava/lang/String;[B)[B L328856 : Use non-random IV!
  Lcom/iqiyi/hcim/utils/encode/EncryptAES128Utils;.encrypt:(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; L41ceca : Use ECB mode!
real    1m46.750s
user    2m8.072s
sys 0m4.904s
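
Added example, not part of the issue thread and not Argus-SAF code: a toy model of the gap the issue describes, where a checker that resolves the `Cipher.getInstance` argument only inside the calling method misses a transformation string that arrives through a parameter. The IR, the method names and the `resolve`/`find_ecb` helpers are constructed for illustration.

```python
# Toy IR, constructed for illustration: method name -> list of statements.
#   ("const", var, value)   var = "literal"
#   ("param", var, index)   var = index-th parameter of the method
#   ("call", callee, args)  callee(args...)
TARGET = "Cipher.getInstance"

PROGRAM = {
    "Direct.encrypt": [("const", "t", "AES/ECB/PKCS5Padding"), ("call", TARGET, ["t"])],
    "Helper.cipherFor": [("param", "mode", 0), ("call", TARGET, ["mode"])],
    "Caller.save": [("const", "m", "AES/ECB/PKCS5Padding"), ("call", "Helper.cipherFor", ["m"])],
    "Caller.load": [("const", "m", "AES/GCM/NoPadding"), ("call", "Helper.cipherFor", ["m"])],
}

def resolve(program, method, var, interprocedural, seen=frozenset()):
    """Return the string constants that may reach `var` in `method`.

    Flow-insensitive: every constant assigned to `var` is collected.
    """
    values = set()
    for stmt in program[method]:
        if stmt[0] == "const" and stmt[1] == var:
            values.add(stmt[2])
        elif stmt[0] == "param" and stmt[1] == var and interprocedural:
            if (method, var) in seen:  # guard against recursive call chains
                continue
            # Follow the parameter back to the matching argument at every call site.
            for caller, body in program.items():
                for s in body:
                    if s[0] == "call" and s[1] == method:
                        values |= resolve(program, caller, s[2][stmt[2]],
                                          True, seen | {(method, var)})
    return values

def find_ecb(program, interprocedural):
    """Methods whose Cipher.getInstance argument may name ECB mode."""
    hits = set()
    for method, body in program.items():
        for stmt in body:
            if stmt[0] == "call" and stmt[1] == TARGET:
                vals = resolve(program, method, stmt[2][0], interprocedural)
                if any("/ECB/" in v for v in vals):
                    hits.add(method)
    return hits
```

With `interprocedural=False` only `Direct.encrypt` is reported; with `True` the helper is reported as well, because one of its callers passes an ECB transformation.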