search

secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1
1.06k stars 299 forks source link

API Call Graph Generation #490

Open mervecigdem opened 2 years ago

mervecigdem commented 2 years ago

Hello Steven,

I am trying to create the API call graph of an Android application.

I have used the code you have given in Issue #139:

package FlowDroidPackage; import soot.jimple.infoflow.android.InfoflowAndroidConfiguration; import soot.jimple.infoflow.android.SetupApplication;

public class FlowDroidClass {

public static void main(String[] args) {

    String androidJarPath = "C:\\Users\\Administrator\\AppData\\Local\\Android\\Sdk\\platforms";
    String apkPath = "D:\\FlowDroid\\APKs\\InsecureBank.apk";
    InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
    config.getAnalysisFileConfig().setAndroidPlatformDir(androidJarPath);
    config.getAnalysisFileConfig().setTargetAPKFile(apkPath);
    config.setMergeDexFiles(true);

    SetupApplication analyzer = new SetupApplication(config);
    analyzer.constructCallgraph();

}

}

I am getting the output below:

[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot... [main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files... [main] INFO soot.jimple.infoflow.android.SetupApplication - ARSC file parsing took 0.0164506 seconds [main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 1.818 MiB [main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 6 components... [main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph... [main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Collecting callbacks in DEFAULT mode... [main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Callback analysis done. [main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 6 components... [main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph... [main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 0 components... [main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done. [main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system... [main] INFO soot.jimple.infoflow.android.SetupApplication - Callback analysis terminated normally [main] INFO soot.jimple.infoflow.android.SetupApplication - Entry point calculation done. [main] INFO soot.jimple.infoflow.android.SetupApplication - Collecting callbacks and building a callgraph took 1 seconds [main] INFO soot.jimple.infoflow.android.SetupApplication - Running data flow analysis on D:\FlowDroid\APKs\InsecureBank.apk with 0 sources and 0 sinks... [main] INFO soot.jimple.infoflow.InfoflowConfiguration - Implicit flow tracking is NOT enabled [main] INFO soot.jimple.infoflow.InfoflowConfiguration - Exceptional flow tracking is enabled [main] INFO soot.jimple.infoflow.InfoflowConfiguration - Running with a maximum access path length of 5 [main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using path-agnostic result collection [main] INFO soot.jimple.infoflow.InfoflowConfiguration - Recursive access path shortening is enabled [main] INFO soot.jimple.infoflow.InfoflowConfiguration - Taint analysis enabled: false [main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using alias algorithm FlowSensitive [main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 1.818 MiB [main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph construction took 0 seconds [main] INFO soot.jimple.infoflow.codeOptimization.InterproceduralConstantValuePropagator - Removing side-effect free methods is disabled [main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Dead code elimination took 0.0510089 seconds [main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph has 37 edges [main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 0 seconds. Maximum memory consumption: 200 MB [main] INFO soot.jimple.infoflow.android.SetupApplication - Found 0 leaks

The ouput says the callgraph has 37 edges but I cannot access the callgraph nodes and edges. How can I obtain the whole API callgraph?

Thank you.

StevenArzt commented 2 years ago

After the callgraph has been constructed, you can call Scene.v().getCallGraph() to access the callgraph data structure.

mervecigdem commented 2 years ago

Hello Steven,

Firstly thank you for your answer.

I have changed the code as below and obtained the edges of the graph in a txt file:

package FlowDroidPackage;

import java.io.FileWriter; import java.io.BufferedWriter; import java.io.IOException; import soot.Scene; import soot.jimple.toolkits.callgraph.CallGraph; import soot.jimple.infoflow.android.InfoflowAndroidConfiguration; import soot.jimple.infoflow.android.SetupApplication;

public class FlowDroidClass {

public static void main(String[] args) {

    String androidJarPath = "C:\\Users\\Administrator\\AppData\\Local\\Android\\Sdk\\platforms";
    String apkPath = "D:\\FlowDroid\\APKs\\insecurebank.apk";
    InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
    config.getAnalysisFileConfig().setAndroidPlatformDir(androidJarPath);
    config.getAnalysisFileConfig().setTargetAPKFile(apkPath);
    config.setMergeDexFiles(true);

    SetupApplication analyzer = new SetupApplication(config);
    analyzer.constructCallgraph();
    CallGraph APIgraph = new CallGraph();
    APIgraph = Scene.v().getCallGraph();
    String APIgraphString = APIgraph.toString();

    String fileName = "C:\\Users\\Administrator\\Desktop\\insecurebank.txt";

    BufferedWriter writer = null;
    try
    {
        writer = new BufferedWriter(new FileWriter(fileName));
        writer.write(APIgraphString);

    }
    catch ( IOException e)
    {
    }
    finally
    {
        try
        {
            if ( writer != null)
            writer.close( );
        }
        catch ( IOException e)
        {
        }
    }

}

}

The output of the code is: STATIC edge: staticinvoke <dummyMainClass: com.android.insecurebank.Preferences dummyMainMethod_com_android_insecurebank_Preferences(android.content.Intent)>(null) in <dummyMainClass: void dummyMainMethod(java.lang.String[])> ==> <dummyMainClass: com.android.insecurebank.Preferences dummyMainMethod_com_android_insecurebank_Preferences(android.content.Intent)> STATIC edge: staticinvoke <dummyMainClass: com.android.insecurebank.InsecureBankActivity dummyMainMethod_com_android_insecurebank_InsecureBankActivity(android.content.Intent)>(null) in <dummyMainClass: void dummyMainMethod(java.lang.String[])> ==> <dummyMainClass: com.android.insecurebank.InsecureBankActivity dummyMainMethod_com_android_insecurebank_InsecureBankActivity(android.content.Intent)> STATIC edge: staticinvoke <dummyMainClass: com.android.insecurebank.LoginScreen dummyMainMethod_com_android_insecurebank_LoginScreen(android.content.Intent)>(null) in <dummyMainClass: void dummyMainMethod(java.lang.String[])> ==> <dummyMainClass: com.android.insecurebank.LoginScreen dummyMainMethod_com_android_insecurebank_LoginScreen(android.content.Intent)> STATIC edge: staticinvoke <dummyMainClass: com.android.insecurebank.PostLogin dummyMainMethod_com_android_insecurebank_PostLogin(android.content.Intent)>(null) in <dummyMainClass: void dummyMainMethod(java.lang.String[])> ==> <dummyMainClass: com.android.insecurebank.PostLogin dummyMainMethod_com_android_insecurebank_PostLogin(android.content.Intent)> STATIC edge: staticinvoke <dummyMainClass: com.android.insecurebank.RawHistory dummyMainMethod_com_android_insecurebank_RawHistory(android.content.Intent)>(null) in <dummyMainClass: void dummyMainMethod(java.lang.String[])> ==> <dummyMainClass: com.android.insecurebank.RawHistory dummyMainMethod_com_android_insecurebank_RawHistory(android.content.Intent)> CLINIT edge: $r0 = new com.android.insecurebank.Preferences in <dummyMainClass: com.android.insecurebank.Preferences dummyMainMethod_com_android_insecurebank_Preferences(android.content.Intent)> ==> <android.app.Activity: void ()> CLINIT edge: $r0 = new com.android.insecurebank.InsecureBankActivity in <dummyMainClass: com.android.insecurebank.InsecureBankActivity dummyMainMethod_com_android_insecurebank_InsecureBankActivity(android.content.Intent)> ==> <android.app.Activity: void ()> CLINIT edge: $r0 = new com.android.insecurebank.LoginScreen in <dummyMainClass: com.android.insecurebank.LoginScreen dummyMainMethod_com_android_insecurebank_LoginScreen(android.content.Intent)> ==> <android.app.Activity: void ()> CLINIT edge: $r0 = new com.android.insecurebank.PostLogin in <dummyMainClass: com.android.insecurebank.PostLogin dummyMainMethod_com_android_insecurebank_PostLogin(android.content.Intent)> ==> <android.app.Activity: void ()> CLINIT edge: $r0 = new com.android.insecurebank.RawHistory in <dummyMainClass: com.android.insecurebank.RawHistory dummyMainMethod_com_android_insecurebank_RawHistory(android.content.Intent)> ==> <android.app.Activity: void ()> SPECIAL edge: specialinvoke $r0.<com.android.insecurebank.RawHistory: void ()>() in <dummyMainClass: com.android.insecurebank.RawHistory dummyMainMethod_com_android_insecurebank_RawHistory(android.content.Intent)> ==> <com.android.insecurebank.RawHistory: void ()> CLINIT edge: $r2 = staticinvoke <android.os.Environment: java.io.File getExternalStorageDirectory()>() in <com.android.insecurebank.RawHistory: void ()> ==> <android.os.Environment: void ()> STATIC edge: $r3 = staticinvoke <java.lang.String: java.lang.String valueOf(java.lang.Object)>($r3) in <com.android.insecurebank.RawHistory: void ()> ==> <java.lang.String: java.lang.String valueOf(java.lang.Object)> STATIC edge: $r2 = staticinvoke <android.os.Environment: java.io.File getExternalStorageDirectory()>() in <com.android.insecurebank.RawHistory: void ()> ==> <android.os.Environment: java.io.File getExternalStorageDirectory()> CLINIT edge: $r3 = staticinvoke <java.lang.String: java.lang.String valueOf(java.lang.Object)>($r3) in <com.android.insecurebank.RawHistory: void ()> ==> <java.lang.String: void ()> SPECIAL edge: specialinvoke $r0.<java.lang.RuntimeException: void (java.lang.String)>("Stub!") in <java.lang.String: java.lang.String valueOf(java.lang.Object)> ==> <java.lang.RuntimeException: void (java.lang.String)> SPECIAL edge: specialinvoke $r1.<java.lang.RuntimeException: void (java.lang.String)>("Stub!") in <java.lang.RuntimeException: void (java.lang.String)> ==> <java.lang.RuntimeException: void (java.lang.String)> SPECIAL edge: specialinvoke r0.<java.lang.Exception: void ()>() in <java.lang.RuntimeException: void (java.lang.String)> ==> <java.lang.Exception: void ()> SPECIAL edge: specialinvoke $r1.<java.lang.RuntimeException: void (java.lang.String)>("Stub!") in <java.lang.Exception: void ()> ==> <java.lang.RuntimeException: void (java.lang.String)> SPECIAL edge: specialinvoke r0.<java.lang.Throwable: void ()>() in <java.lang.Exception: void ()> ==> <java.lang.Throwable: void ()> SPECIAL edge: specialinvoke $r1.<java.lang.RuntimeException: void (java.lang.String)>("Stub!") in <java.lang.Throwable: void ()> ==> <java.lang.RuntimeException: void (java.lang.String)> SPECIAL edge: specialinvoke r0.<java.lang.Object: void ()>() in <java.lang.Throwable: void ()> ==> <java.lang.Object: void ()> FINALIZE edge: null in <java.lang.Object: void ()> ==> <java.lang.Object: void finalize()> SPECIAL edge: specialinvoke $r0.<java.lang.RuntimeException: void (java.lang.String)>("Stub!") in <java.lang.Object: void finalize()> ==> <java.lang.RuntimeException: void (java.lang.String)> SPECIAL edge: specialinvoke $r0.<java.lang.RuntimeException: void (java.lang.String)>("Stub!") in <java.lang.Object: void ()> ==> <java.lang.RuntimeException: void (java.lang.String)> SPECIAL edge: specialinvoke $r1.<java.lang.StringBuilder: void (java.lang.String)>($r3) in <com.android.insecurebank.RawHistory: void ()> ==> <java.lang.StringBuilder: void (java.lang.String)> VIRTUAL edge: $r1 = virtualinvoke $r1.<java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)>("/statements/") in <com.android.insecurebank.RawHistory: void ()> ==> <java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)> VIRTUAL edge: $r3 = virtualinvoke $r1.<java.lang.StringBuilder: java.lang.String toString()>() in <com.android.insecurebank.RawHistory: void ()> ==> <java.lang.StringBuilder: java.lang.String toString()> SPECIAL edge: specialinvoke r0.<android.app.Activity: void ()>() in <com.android.insecurebank.RawHistory: void ()> ==> <android.app.Activity: void ()> SPECIAL edge: specialinvoke $r0.<com.android.insecurebank.PostLogin: void ()>() in <dummyMainClass: com.android.insecurebank.PostLogin dummyMainMethod_com_android_insecurebank_PostLogin(android.content.Intent)> ==> <com.android.insecurebank.PostLogin: void ()> SPECIAL edge: specialinvoke r0.<android.app.Activity: void ()>() in <com.android.insecurebank.PostLogin: void ()> ==> <android.app.Activity: void ()> SPECIAL edge: specialinvoke $r0.<com.android.insecurebank.LoginScreen: void ()>() in <dummyMainClass: com.android.insecurebank.LoginScreen dummyMainMethod_com_android_insecurebank_LoginScreen(android.content.Intent)> ==> <com.android.insecurebank.LoginScreen: void ()> SPECIAL edge: specialinvoke r0.<android.app.Activity: void ()>() in <com.android.insecurebank.LoginScreen: void ()> ==> <android.app.Activity: void ()> SPECIAL edge: specialinvoke $r0.<com.android.insecurebank.InsecureBankActivity: void ()>() in <dummyMainClass: com.android.insecurebank.InsecureBankActivity dummyMainMethod_com_android_insecurebank_InsecureBankActivity(android.content.Intent)> ==> <com.android.insecurebank.InsecureBankActivity: void ()> SPECIAL edge: specialinvoke r0.<android.app.Activity: void ()>() in <com.android.insecurebank.InsecureBankActivity: void ()> ==> <android.app.Activity: void ()> SPECIAL edge: specialinvoke $r0.<com.android.insecurebank.Preferences: void ()>() in <dummyMainClass: com.android.insecurebank.Preferences dummyMainMethod_com_android_insecurebank_Preferences(android.content.Intent)> ==> <com.android.insecurebank.Preferences: void ()> SPECIAL edge: specialinvoke r0.<android.preference.PreferenceActivity: void ()>() in <com.android.insecurebank.Preferences: void ()> ==> <android.preference.PreferenceActivity: void ()>

I have some questions: • I got some edges after adding your code. Could you help me about visualization of the edges? (like graph visualization) • What is the difference between static edge, clinit edge, virtual edge, special edge and finalized edge? • I guess that both the API calls for internal methods and android methods should be given here. I understand that edges of some of the internal methods are seen at outputs. But I couldn’t find edges between android methods or permissions. For example one of the edge of my output is below;

“staticinvoke <dummyMainClass: com.android.insecurebank.Preferences dummyMainMethod_com_android_insecurebank_Preferences(android.content.Intent)>(null) in <dummyMainClass: void dummyMainMethod(java.lang.String[])> ==> <dummyMainClass: com.android.insecurebank.Preferences dummyMainMethod_com_android_insecurebank_Preferences(android.content.Intent)>”

I couldn’t make a comment about that edge. Is it related with android intent function? Could you help me please about interpreting that edge?

StevenArzt commented 2 years ago

To visualize the callgraph, you can simple iterate over the callgraph and write the edges into a dot file. There are tools for rendering dot files as images.

The different edge types represent the different call types in Java/Android. Please make yourself familiar with the Dalvik bytecode specification, these are fairly fundamental topics of program analysis. Short explanation: A static edge represents a call to a static method, virtual edge represents a call that uses virtual dispatch such as calling an instance method on a base object.

Clinit edges are Soot-specific. Normally, Java invokes the static initializer <clinit> when the class loader loads a class, which would correspond to an edge from whatever statement triggers the class loading (might not even be an invocation) to the static initializer. It's hard to precisely pinpoint the right statement, so Soot over-approximates. All of these edges are labelled as clinit. Finalizer edges have similar challenges, i.e., you never know when an object is actually being finalized. Some client analyses filter our those edges to avoid false positives.

You will not see internal calls between Android framework methods aside from the Android support library, which is compiled into the app. The Android JAR that you specify for FlowDroid is normally is from the Android SDK, and therefore only a stub. It contains the classes and methods, but no real implementation. All methods throw a "not implemented" exception. That's enough for linking apps, and thatr's enough for most program analysis tasks. However, it doesn't give you insights into calls between system methods.

I'm not sure what your question is on permissions.

You can ignore the edge from the dummy main method. FlowDroid automatically creates these dummy methods to simulate the interactions between the Android OS and the app. That is necessary for callgraph construction, but it's completely artificial, these methods don't exist in the app. There should be a simulated code tag on these methods to indicate that they are not real.