secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Specific Method between source and sink matters in detecting leak? #193

Open whavey opened 5 years ago

whavey commented 5 years ago

With sendTextMessage defined as a sink and getIpAddress defined as a source, FlowDroid reports a leak when converting the IP address to a string using Integer.toString but not when using android.text.format.Formatter, even though the source data flows through the same way. Does the specific method matter between a source and a sink when source data is flowing through the same way?

Jimple when using formatter (no leak reported):

$r5 = staticinvoke <android.telephony.SmsManager: android.telephony.SmsManager getDefault()>();
$r6 = virtualinvoke $r4.<android.net.wifi.WifiManager: android.net.wifi.WifiInfo getConnectionInfo()>();
$i0 = virtualinvoke $r6.<android.net.wifi.WifiInfo: int getIpAddress()>();
$r7 = staticinvoke <android.text.format.Formatter: java.lang.String formatIpAddress(int)>($i0);
virtualinvoke $r5.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("8885551234", null, $r7, null, null);

Jimple when using toString (leak reported):

$r5 = virtualinvoke $r4.<android.net.wifi.WifiManager: android.net.wifi.WifiInfo getConnectionInfo()>();
$i0 = virtualinvoke $r5.<android.net.wifi.WifiInfo: int getIpAddress()>();
$r6 = staticinvoke <java.lang.Integer: java.lang.String toString(int)>($i0);
$r7 = staticinvoke <android.telephony.SmsManager: android.telephony.SmsManager getDefault()>();
virtualinvoke $r7.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>("8885551234", null, $r6, null, null);

StevenArzt commented 5 years ago

The formatter method is a library method. For performance reasons, library methods are not analyzed together with each app. Instead, FlowDroid relies on external data flow summaries to know how a call to such a method influences the taint. For this class, we did not have a suitable summary. Consequently, the taint was lost. I have added a summary in the commit referenced above. Can you please try again with the new version?
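For readers who hit the same silent taint loss on a different library method, the following is an added example of what such a data flow summary looks like; it is not the summary from the commit the maintainer refers to, and it is not taken from the FlowDroid repository. It assumes the StubDroid summary file format used by soot-infoflow-summaries (the fileFormatVersion value, the element names and the attribute names ParameterIndex and sourceSinkType are written from memory and should be checked against an existing file in the summariesManual directory), and it assumes the file is named after the fully-qualified class, android.text.format.Formatter.xml. The single flow says: whatever taint is on the first parameter ends up on the return value, which is exactly what was missing for formatIpAddress(int).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not a file from the FlowDroid repository.
     Assumed file name: android.text.format.Formatter.xml (summary files are
     assumed to be keyed by fully-qualified class name).
     Assumed format: StubDroid summary XML; check fileFormatVersion, element and
     attribute names against an existing file in summariesManual before use. -->
<summary fileFormatVersion="102">
  <methods>
    <!-- The id is the Soot subsignature: return type, method name, parameter types. -->
    <method id="java.lang.String formatIpAddress(int)">
      <flows>
        <!-- Taint on parameter 0 (the int IP address) propagates to the return value.
             isAlias="false": the method builds a new String rather than returning
             an alias of its argument, so no alias relationship has to be tracked.
             typeChecking="false": the flow does not depend on the runtime type
             of the argument (an int has none). -->
        <flow isAlias="false" typeChecking="false">
          <from sourceSinkType="Parameter" ParameterIndex="0" />
          <to sourceSinkType="Return" />
        </flow>
      </flows>
    </method>
  </methods>
</summary>
```

Two practical notes. First, a missing summary does not produce a warning: the taint is simply dropped at the call site, so when a path that visibly carries source data through a library call produces no result, the first thing to check is whether that method is covered by a summary (or by the EasyTaintWrapper method list, if that wrapper is in use) before suspecting the source or sink definitions. Second, after adding a summary, re-run the analysis with the summary-based taint wrapper enabled and confirm that the Formatter variant now reports the same getIpAddress to sendTextMessage flow as the Integer.toString variant; that is the check the original poster's two Jimple snippets already set up.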