Hi @StevenArzt May I ask whether FlowDroid distinguishes intent extras put under different keys when propagating taints (i.e., whether it is "intent-extra-sensitive")? From some related discussions (e.g., #273), it seems FlowDroid can do so. I created a simple test app, but it seems FlowDroid is "intent-extra-insensitive".
In the example, getTitle() is set as the source, whose return value is sent to another activity where the sink loadUrl() can receive the title. FlowDroid correctly reports the leak.
However, if I change line 2 to intent.putExtra("b", wv.getTitle()); (replacing the extra key "a" with "b"), FlowDroid still reports the leak, which is, however, a false positive.
From the output of notifyFlowOut, it seems the entire extraValues array is tainted (r7(android.content.Intent) <android.content.Intent: java.lang.Object[] extraValues> * <+length>) when a tainted variable is put into the intent extras (virtualinvoke r7.<android.content.Intent: android.content.Intent putExtra(java.lang.String,java.lang.String)>("b", $r8)).
May I ask whether FlowDroid can distinguish different extras in an intent by their keys (assuming the keys are constant)? If so, could you tell me how to configure FlowDroid to do so?
I attach my current configuration for your reference:
import soot.jimple.infoflow.InfoflowConfiguration;
import soot.jimple.infoflow.android.InfoflowAndroidConfiguration;

final InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
// Input files: the APK under analysis, the Android platform jars, and the sources/sinks definition
config.getAnalysisFileConfig().setTargetAPKFile(apkPath);
config.getAnalysisFileConfig().setAndroidPlatformDir(ANDROID_PATH);
config.getAnalysisFileConfig().setSourceSinkFile(sourcesinkFilePath);
// Model lifecycle/UI callbacks so flows starting in callbacks are not missed
config.getCallbackConfig().setEnableCallbacks(true);
// ICC model (e.g. from IccTA) linking startActivity() to the receiving activity
config.getIccConfig().setIccModel(iccModel);
// CHA call graph: fast, but less precise than SPARK
config.setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.CHA);
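Reproduction sketch for the case described in the issue. This is an added example, not the issue author's test app or FlowDroid code; the package name, activity names, and the constant URL are assumptions. The tainted title is stored under key "b" while the receiving activity only reads key "a", so a key-sensitive analysis should report no flow from getTitle() to loadUrl(); per the notifyFlowOut output quoted above, the whole extraValues array is tainted, so the flow is still reported.

```java
// Added example (not from the issue or from FlowDroid). Two activities, constant
// extra keys. Both must be declared in AndroidManifest.xml, and the ICC model
// passed to setIccModel() must link MainActivity.startActivity() to SecondActivity.
//
// Sources/sinks file entries assumed for this example (FlowDroid's text format):
//   <android.webkit.WebView: java.lang.String getTitle()> -> _SOURCE_
//   <android.webkit.WebView: void loadUrl(java.lang.String)> -> _SINK_

// ---- MainActivity.java ----
package com.example.extrakeys; // hypothetical package name

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.webkit.WebView;

public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = new WebView(this);
        Intent intent = new Intent(this, SecondActivity.class);

        // True-positive variant: tainted title sent under the key the receiver reads.
        // intent.putExtra("a", wv.getTitle());

        // Variant that should NOT be reported: tainted title stored under "b",
        // but SecondActivity only reads "a".
        intent.putExtra("b", wv.getTitle());              // source value, key "b"
        intent.putExtra("a", "https://example.org/");     // untainted constant, key "a"
        startActivity(intent);
    }
}

// ---- SecondActivity.java ----
// package com.example.extrakeys;  (same package, separate file)

public class SecondActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = new WebView(this);
        // Only the "a" extra is read. A key-sensitive taint model sees an untainted
        // constant here; a model that taints the whole extraValues array sees the
        // getTitle() taint and reports getTitle() -> loadUrl().
        String url = getIntent().getStringExtra("a");
        if (url != null) {
            wv.loadUrl(url); // sink
        }
    }
}
```

Swapping the two putExtra() calls (commented line vs. live line) toggles the expected answer, which makes the app a minimal check for whether a given FlowDroid configuration (or a custom taint wrapper for Intent.putExtra/getStringExtra) is actually key-sensitive.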