search

secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1
1.07k stars 300 forks source link

callgraph incomplete? #473

Open pH-T opened 2 years ago

pH-T commented 2 years ago

Hi! Im trying to get a CFG/callgraph for an android app. It seems that Flowdroid is not able to "find" all methods inside the apk... The following code is used:

public static void main(String[] args) {
        //InfoflowConfiguration.CallgraphAlgorithm cgAlgorithm = InfoflowConfiguration.CallgraphAlgorithm.SPARK;
        InfoflowConfiguration.CallgraphAlgorithm cgAlgorithm = InfoflowConfiguration.CallgraphAlgorithm.CHA;

        final InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
        config.getAnalysisFileConfig().setTargetAPKFile(apkPath);
        config.getAnalysisFileConfig().setAndroidPlatformDir(androidJar);
        config.setCodeEliminationMode(InfoflowConfiguration.CodeEliminationMode.NoCodeElimination);
        config.setCallgraphAlgorithm(cgAlgorithm);
        config.setMergeDexFiles(true);
        config.setImplicitFlowMode(InfoflowConfiguration.ImplicitFlowMode.AllImplicitFlows);

        SetupApplication app = new SetupApplication(config);
        app.constructCallgraph();

        for (Iterator<Edge> edgeIt = Scene.v().getCallGraph().iterator(); edgeIt.hasNext(); ) {
          Edge edge = edgeIt.next();

          SootMethod smSrc = edge.src();
          Unit uSrc = edge.srcStmt();
          SootMethod smDest = edge.tgt();

          String out = "Edge from " + uSrc + " in " + smSrc + " to " + smDest;
          System.out.println(out);
        }
    }

If i decompile the app with jadx or if i use the following script ... im able to find all methods.

java -Xss50m \
    -Xmx1500m \
    -cp soot_4.1.0.jar soot.tools.CFGViewer \
    -android-jars ${ANDROID_JARS_PATH} \
    --graph=ExceptionalUnitGraph \
    -allow-phantom-refs -ire -src-prec apk -process-dir ${APK_FILE}

Am i missing something? it feels like Flowdroid is not going "deep enough"... maybe a config issue? Am i missing something else?

StevenArzt commented 2 years ago

The two implementation are fundamentally different. The CFGViewer simply interate over all classes in the app and prints out the intra-procedural control flow for each method. Your sample program with FlowDroid iterates over all reachable methods and prints out the edges between these methods. It will therefore miss all methods that are unreachable from an entry point - either because it's dead code (apps usually only use a small fraction of the library code they contain) or because you ran into a FlowDroid limitation (feel free to open a merge request in that case).

pH-T commented 2 years ago

hi @StevenArzt , thanks for the fast reply! i just tracked the callgraph myself via jadx and it seems that the following is the problem:

    public void f() {
        synchronized (this.f14630f) {
            if (this.f14627c == 1) {
                Log.d("fing:inet-finder", "Starting INET address finder...");
                this.f14627c = 2;
                Thread thread = new Thread(new Runnable() { // from class: com.overlook.android.fing.engine.j.f.a
                    @Override // java.lang.Runnable
                    public final void run() {
                        c.c(c.this);
                    }
                });
                this.f14628d = thread;
                thread.start();
            }
        }
    }

the methods in question is called via this thread... maybe any hints on this case? :) or is this a limitation?