bytedance / appshark

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.
Apache License 2.0

How to filter a function's parameters when scanning #43

Closed a363211861 closed 1 year ago

a363211861 commented 1 year ago

I want to scan my project for the code that obtains the Android ID. The code is as follows:

    public static String getAndroidID(Context context) {
        try {
            if (CommonsConfig.getInstance().isAgreePrivacy()) {
                if (TextUtils.isEmpty(ANDROID_ID)) {
                    if (CommonsConfig.getInstance().getPreferenceCallback() != null) {
                        ANDROID_ID = CommonsConfig.getInstance().getPreferenceCallback().getPreference(AID_ANDROIDID);
                    }
                    if (TextUtils.isEmpty(ANDROID_ID)) {
                        ANDROID_ID = Settings.Secure.getString(context.getContentResolver(), Settings.Secure.ANDROID_ID);
                        MyLog.info(AID_TAG, "getAndroidID = " + ANDROID_ID);

                        if (CommonsConfig.getInstance().getPreferenceCallback() != null) {
                            CommonsConfig.getInstance().getPreferenceCallback().setPreference(AID_ANDROIDID, ANDROID_ID);
                        }
                    }
                }
                return ANDROID_ID;
            }
        } catch (Exception e) {
        }
        return "";
    }

Because Settings.Secure.getString() is a general-purpose method, I want to find the code that obtains ANDROID_ID by restricting the second parameter to android.provider.Settings.Secure.ANDROID_ID. The rule I wrote is as follows:

    {
      "ANDROIDID": {
        "SliceMode": true,
        "traceDepth": 30,
        "desc": {
          "name": "ANDROID_ID",
          "detail": "call get ANDROID_ID",
          "category": "ComplianceInfo",
          "complianceCategory": "ANDROID_ID",
          "complianceCategoryDetail": "ANDROID_ID",
          "level": "3"
        },
        "source": {
          "Field": [
            "<android.provider.Settings.System: java.lang.String ANDROID_ID>",
            "<android.provider.Settings.Secure: java.lang.String ANDROID_ID>"
          ]
        },
        "sink": {
          "<android.provider.Settings.Secure: * getString(*)>": {
            "TaintCheck": [
              "p1"
            ]
          }
        }
      }
    }

With this rule I cannot detect the code that obtains ANDROID_ID. How should I adjust the rule?

bdbubble commented 1 year ago

@a363211861 After compilation this is a string rather than a field; you could try writing the rule like this:

    {
      "ANDROIDID": {
        "SliceMode": true,
        "traceDepth": 2,
        "desc": {
          "name": "ANDROID_ID",
          "detail": "call get ANDROID_ID",
          "category": "ComplianceInfo"
        },
        "source": {
          "ConstString": [
            "android_id"
          ]
        },
        "sink": {
          "<android.provider.Settings$System: * getString(*)>": {
            "TaintCheck": [
              "p1"
            ]
          },
          "<android.provider.Settings$Secure: * getString(*)>": {
            "TaintCheck": [
              "p1"
            ]
          }
        }
      }
    }

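The answer fixes two things at once: `Settings.Secure.ANDROID_ID` is a compile-time constant that javac inlines as the literal `"android_id"`, so a `Field` source never matches it, and nested classes are written `Settings$Secure` in Soot-style signatures. The following is an added example, not appshark's own code: a small Python lint for rule files in the JSON shape shown in this issue that flags both pitfalls and rewrites the rule. The table of inlined constants and the sample rule are constructed here, and the nested-class detection is a naming heuristic.

```python
import json
import re

# Constructed table: constants javac inlines as string literals (a Field source never matches them).
INLINED_CONSTANTS = {
    "<android.provider.Settings$Secure: java.lang.String ANDROID_ID>": "android_id",
    "<android.provider.Settings$System: java.lang.String ANDROID_ID>": "android_id",
}
SIG_RE = re.compile(r"^<(?P<cls>[^:]+):\s*(?P<rest>.+)>$")

# Constructed sample: the issue's rule, compacted (dotted nested class, Field source).
QUESTION_RULE = json.dumps({"ANDROIDID": {
    "source": {"Field": ["<android.provider.Settings.Secure: java.lang.String ANDROID_ID>"]},
    "sink": {"<android.provider.Settings.Secure: * getString(*)>": {"TaintCheck": ["p1"]}}}})


def soot_class_name(dotted: str) -> str:
    # a.b.Outer.Inner -> a.b.Outer$Inner; heuristic: first capitalised segment is the top-level class.
    parts = dotted.split(".")
    for i, part in enumerate(parts):
        if part[:1].isupper():
            return ".".join(parts[:i] + ["$".join(parts[i:])])
    return dotted


def normalize_signature(sig: str) -> str:
    m = SIG_RE.match(sig)
    return f"<{soot_class_name(m['cls'])}: {m['rest']}>" if m else sig


def lint_rule(rule_json: str):
    """Return (corrected rule dict, list of findings) for one rule file."""
    rule, findings = json.loads(rule_json), []
    for name, body in rule.items():
        src = body.get("source", {})
        for sig in map(normalize_signature, src.pop("Field", [])):
            if sig in INLINED_CONSTANTS:
                value = INLINED_CONSTANTS[sig]
                findings.append(f"{name}: {sig} is inlined by javac; use ConstString {value!r}")
                if value not in src.setdefault("ConstString", []):
                    src["ConstString"].append(value)
            else:  # a real runtime field: keep it, with the class name normalised
                src.setdefault("Field", []).append(sig)
        sinks = body.get("sink", {})
        for sig in list(sinks):
            fixed = normalize_signature(sig)
            if fixed != sig:
                findings.append(f"{name}: sink {sig} -> {fixed} (nested class uses $)")
                sinks[fixed] = sinks.pop(sig)
    return rule, findings


if __name__ == "__main__":
    print("\n".join(lint_rule(QUESTION_RULE)[1]))
```

Running it on the question's rule reports the inlined constant and the sink rename, and the returned dict is the same shape as the rule in the answer above.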
a363211861 commented 1 year ago

Thanks a lot, with your modified rule the code is detected.