Missed flows due to Kotlin methods

[dschm1dt]

I noticed while running FlowDroid that it loses or drops the taint if some Kotlin methods are encountered. Below I provided a simplified example with comments from which sources to which sinks it finds flows. In the example, it seems that <kotlin.io.TextStreamsKt: java.util.List readLines(java.io.Reader)> or <kotlin.collections.CollectionsKt: java.lang.String joinToString$default(java.lang.Iterable,java.lang.CharSequence,java.lang.CharSequence,java.lang.CharSequence,int,java.lang.CharSequence,kotlin.jvm.functions.Function1,int,java.lang.Object)> lead to false negatives.

Are there any taint wrapper summaries for Kotlin that could fix the issue?

    var file = File("...")  //source
    var lines = file
        .bufferedReader()
        .readLines() //if considered as sink, flow from File(...) is found

    var lineString = lines.joinToString() 
    Log.d("onCreate", lineString) // sink - finds flow only if: joinToString() is considered as a source, not if .readLines() or File() is

    //Log.d("onCreate", lines.toString()) // if instead of joinToString(), toString() is used, it finds the flow from readLines to the log. But does not find the flow from File(...)

[StevenArzt]

@timll Could you have a look at this? I guess it's really just missing summaries.

[t1mlange]

A Kotlin app contains the code of the standard library and at least for the reproducer, it uses internally the Java Standard Library. Thus, you shouldn't need extra summaries for it to work. In this case, we actually had a small bug in one summary such that in some cases the access path didn't get shortened, which then prevented other summaries from being applied. I've pushed a fix, should land soon in the develop branch (after the CI gives green light).

But it might be still a good idea to write some summaries for the Kotlin methods to scale better. As far as I know, we do not have Kotlin summaries yet.