Hi @StevenArzt, following the discussion in #471, I am trying the backward taint propagation of FlowDroid (config.setDataFlowDirection(DataFlowDirection.Backwards)). I found the order of some statements may affect the taint propagation results. In the following example, I set wv.loadUrl (line 6) as the sink and tv.getText (line 3) as the source. Then I register a TaintPropagationHandler to understand the backward propagation process.
// MainActivity.java
1: protected void onCreate(Bundle savedInstanceState) {
2: tv = (TextView) findViewById(R.id.textView); // tv is a field
3: String str = tv.getText().toString();
4: wv = (WebView) findViewById(R.id.webview); // wv is a field
5: btn = (Button) findViewById(R.id.button); // btn is a field
6: wv.loadUrl(str + str);
7: }
It turns out not only the arguments (str + str) but also the receiver object (wv) of the sink are tainted. This is fine, but the problem in the above example is that btn is also tainted.
If I switch the order of lines 4 and 5 (i.e., put btn = ... before wv = ...), btn is not tainted.
One more interesting thing is that if I change line 6 to wv.loadUrl(str);, btn is not tainted no matter how I order lines 4 and 5.
May I ask why the order of lines 4 and 5 affects the tainting of btn in this example? Is it expected behavior, or did I misconfigure something?
Thanks in advance!