Closed NicolasFNino closed 1 year ago
You can declare any method as source or sink, regardless of the class in which it is defined. If your method signature is correct in the source/sink definition file, that should work.
App-specific sources or sinks are rather uncommon, though. Most people declare Android API methods as sources or sinks.
Thank you so much for your response.
My follow-up question now is, how would I define the source signature definition of a constructor, when I am interested in one of the parameters used, as an example:
```java
public class Test {
    public Test(int, String) { .... }
}
```
The value I'm interested in is the second parameter of type String. This is what I am thinking:
```xml
<method signature="<com.test.Test: void <init>(int, java.lang.String)>">
    <param index="1" type="java.lang.String">
        <accessPath isSource="true" isSink="false"/>
    </param>
</method>
```
But it does not seem to work.
Thank you so much for taking the time to look at this.
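An added example, not part of the thread or of the FlowDroid project: a Python helper that checks a Soot-style signature, confirms that the parameter index points at the expected type, and serializes the `<method>` entry from the post above. XML does not allow a literal `<` inside an attribute value, so the serializer escapes the signature's angle brackets. The function names and the regular expression are assumptions; the element and attribute names are the ones used in the post.

```python
import re
import xml.etree.ElementTree as ET

# Soot-style signature: <declaring.Class: return.Type name(param.Type, ...)>
SIG_RE = re.compile(r"^<([\w.$]+):\s+([\w.$\[\]]+)\s+(<init>|<clinit>|[\w$]+)\((.*)\)>$")

def parse_signature(sig):
    """Split a Soot-style method signature into its parts, or raise ValueError."""
    m = SIG_RE.match(sig.strip())
    if not m:
        raise ValueError(f"not a Soot-style method signature: {sig!r}")
    cls, ret, name, params = m.groups()
    param_types = [p.strip() for p in params.split(",")] if params.strip() else []
    if name == "<init>" and ret != "void":
        raise ValueError("constructors are written as 'void <init>(...)'")
    return {"class": cls, "return": ret, "name": name, "params": param_types}

def param_source_entry(sig, index):
    """Build the <method> element from the post for one parameter of `sig`.

    `index` is used as in the post (index="1" for the second parameter).
    """
    parsed = parse_signature(sig)
    if not 0 <= index < len(parsed["params"]):
        raise ValueError(f"index {index} out of range for {parsed['params']}")
    method = ET.Element("method", signature=sig)
    param = ET.SubElement(method, "param", index=str(index),
                          type=parsed["params"][index])
    ET.SubElement(param, "accessPath", isSource="true", isSink="false")
    ET.indent(method)  # pretty-print; needs Python 3.9+
    return ET.tostring(method, encoding="unicode")  # escapes < and > in attributes

def is_well_formed(xml_text):
    """True if an XML parser accepts the text."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    # Constructed input: the constructor signature from the post above.
    sig = "<com.test.Test: void <init>(int, java.lang.String)>"
    print(param_source_entry(sig, 1))
    # The same signature pasted unescaped into an attribute is rejected by the parser.
    print(is_well_formed('<method signature="' + sig + '"/>'))
```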
Also, can you please help me understand what is wrong with these signatures? FlowDroid cannot recognize the methods as source or sink.
The code:
SinksAndSources.txt:
Thanks a lot!
I wanted to ask if the methods inside the MainActivity class of an APK are not supposed to be defined as a source or a sink. This is because during the taint analysis these types of methods are never recognized as such, despite being declared in the sourcessinks.xml file. Meanwhile, a method in any other class is correctly identified as a source or a sink depending on the XML file definition.
Thank you.