secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Source and sink definition of methods in the MainActivity.java class #560

Closed NicolasFNino closed 1 year ago

NicolasFNino commented 1 year ago

I wanted to ask if the methods inside the MainActivity class of an apk are not supposed to be defined as a source or a sink. This is because during the taint analysis these types of methods are never recognized as such, despite being declared in the sourcessinks.xml file. Meanwhile, a method in any other class is correctly identified as a source or a sink depending on the xml file definition.

Thank you.

StevenArzt commented 1 year ago

You can declare any method as source or sink, regardless of the class in which it is defined. If your method signature is correct in the source/sink definition file, that should work.

App-specific sources or sinks are rather uncommon, though. Most people declare Android API methods as sources or sinks.

NicolasFNino commented 1 year ago

Thank you so much for your response.

My follow-up question now is, how would I define the source signature definition of a constructor, when I am interested in one of the parameters used, as an example:

```java
public class Test {
    public Test(int, String) {
        ....
    }
}
```

The value I'm interested in is the second parameter of type String. This is what I am thinking:

```xml
<method signature="&lt;com.test.Test: void &lt;init&gt;(int, java.lang.String)&gt;">
    <param index="1" type="java.lang.String">
        <accessPath isSource="true" isSink="false"/>
    </param>
</method>
```

But it does not seem to work.

Thank you so much for taking the time to look at this.

NicolasFNino commented 1 year ago

Also, can you please help me understand what is wrong with these signatures? FlowDroid cannot recognize the methods as source or sink.

The code: image

SinksAndSources.txt: image

Thanks a lot!
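
A lint pass for the kind of XML definition discussed in this thread, as an added example (not FlowDroid code and not written by any commenter): it checks that each `<method>` signature has the Soot form `<Class: returnType name(paramTypes)>`, that non-primitive types are fully qualified, and that every `<param>` index and type agrees with the signature. The `<sinkSources>` wrapper element, the second sample entry and the "must contain a package" heuristic are assumptions; passing the lint does not guarantee that FlowDroid matches the method.

```python
import re
import xml.etree.ElementTree as ET

PRIMITIVES = {"void", "boolean", "byte", "char", "short", "int", "long", "float", "double"}
# Soot-style method signature: <declaring.Class: return.Type name(param.Type,...)>
SIG_RE = re.compile(r"^<(?P<cls>[^:\s]+): (?P<ret>\S+) (?P<name>[^\s(]+)\((?P<params>[^)]*)\)>$")

def unqualified(type_name):
    """Heuristic (assumption): a non-primitive type without a package is a likely typo."""
    base = type_name.replace("[]", "")
    return base not in PRIMITIVES and "." not in base

def check_method(method):
    """Return a list of problems found in one <method> element."""
    sig = method.get("signature", "")
    m = SIG_RE.match(sig)
    if not m:
        return [f"not a Soot-style signature: {sig!r}"]
    params = [p.strip() for p in m["params"].split(",")] if m["params"].strip() else []
    problems = [f"type not fully qualified: {t}"
                for t in [m["cls"], m["ret"], *params] if unqualified(t)]
    if m["name"] in ("<init>", "<clinit>") and m["ret"] != "void":
        problems.append("constructor must have return type void")
    for p in method.findall("param"):
        idx = int(p.get("index", "-1"))
        if not 0 <= idx < len(params):
            problems.append(f"param index {idx} out of range (0..{len(params) - 1})")
        elif p.get("type") != params[idx]:
            problems.append(f"param {idx} type {p.get('type')!r} != signature type {params[idx]!r}")
    return problems

def lint(xml_text):
    """Map each method signature in the definition file to its list of problems."""
    root = ET.fromstring(xml_text)
    return {m.get("signature"): check_method(m) for m in root.iter("method")}

# Constructed sample: the first entry is the one posted in the thread,
# the second is deliberately wrong. The root element name is an assumption.
SAMPLE = """<sinkSources>
<method signature="&lt;com.test.Test: void &lt;init&gt;(int, java.lang.String)&gt;">
  <param index="1" type="java.lang.String"><accessPath isSource="true" isSink="false"/></param>
</method>
<method signature="&lt;com.test.Test: void &lt;init&gt;(int,String)&gt;">
  <param index="2" type="String"><accessPath isSource="true" isSink="false"/></param>
</method>
</sinkSources>"""

if __name__ == "__main__":
    for sig, problems in lint(SAMPLE).items():
        print(sig, "->", problems or "ok")
```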