secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Why can't FlowDroid detect leakage in InsecureBank.apk? #641

Closed dabeiz closed 9 months ago

dabeiz commented 10 months ago

Hi there,

I am new to android static analysis and currently learning how to use FlowDroid for detecting personal information leakage in android applications. I have downloaded the necessary jar dependencies and ran a test on InsecureBank.apk using the following command. However, no leakage was detected and it appears that FlowDroid did not find any sources in this apk ([main] ERROR soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No sources found, aborting analysis). I'm wondering why this happened. Could it be due to a setting that I mistakenly configured incorrectly?

java -jar soot-infoflow-cmd-jar-with-dependencies.jar -a G:\JavaProjects\FlowDroid-2.10\soot-infoflow-android\insecureBank\InsecureBank.apk -s G:\JavaProjects\FlowDroid-2.10\soot-infoflow-android\SourcesAndSinks.txt -p G:\JavaProjects\android-platforms-master

version of FlowDroid: 2.10
platform: I used the Android platform jars from Susi (https://github.com/Sable/android-platforms)
source and sink file: I used the file in soot-infoflow-android/SourcesAndSinks.txt
apk file: I used the file in soot-infoflow-android/insecureBank

And here is what I got:

[main] INFO soot.jimple.infoflow.cmd.MainClass - Analyzing app G:\JavaProjects\FlowDroid-2.10\soot-infoflow-android\insecureBank\InsecureBank.apk (1 of 1)...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
[main] INFO soot.jimple.infoflow.android.SetupApplication - ARSC file parsing took 0.0072418 seconds
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 4,891.5 MiB
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 6 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Collecting callbacks in DEFAULT mode...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Callback analysis done.
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 6 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 0 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Callback analysis terminated normally
[main] INFO soot.jimple.infoflow.android.SetupApplication - Entry point calculation done.
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.web.servlet.tags.UrlTag: java.lang.String createUrl)> -> SINK
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.orm.hibernate3.support.ClobStringType: int[] sqlTypes)> -> SINK
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.http.CsrfBeanDefinitionParser: org.springframework.beans.factory.config.BeanDefinition getCsrfLogoutHandler)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <java.io.File: java.io.File getAbsoluteFile)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.http.FormLoginBeanDefinitionParser: java.lang.String getLoginPage)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <com.google.auth.oauth2.UserCredentials: java.lang.String getClientSecret)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.web.servlet.tags.UrlTag: java.lang.String createUrl)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <java.io.File: java.io.File getCanonicalFile)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.apache.xmlrpc.webserver.RequestData: java.lang.String getMethod)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.dmfs.oauth2.client.http.requests.ResourceOwnerPasswordTokenRequest: org.dmfs.httpclient.HttpRequestEntity requestEntity)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.concurrent.DelegatingSecurityContextExecutorService: java.util.concurrent.ExecutorService getDelegate)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.annotation.web.builders.HttpSecurity: org.springframework.security.config.'annotation'.web.configurers.HeadersConfigurer headers)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.web.servlet.tags.EscapeBodyTag: java.lang.String readBodyContent)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.http.FormLoginBeanDefinitionParser: java.lang.String getLoginProcessingUrl)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.annotation.web.configurers.LogoutConfigurer: java.util.List getLogoutHandlers)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.apache.xmlrpc.webserver.RequestData: java.lang.String getHttpVersion)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <com.google.auth.oauth2.DefaultCredentialsProvider: java.io.File getWellKnownCredentialsFile)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.apache.xmlrpc.webserver.HttpServletRequestImpl: void parseParameters)> -> SOURCE
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match:
[main] INFO soot.jimple.infoflow.android.source.AccessPathBasedSourceSinkManager - Created a SourceSinkManager with 68 sources, 194 sinks, and 0 callback methods.
[main] INFO soot.jimple.infoflow.android.SetupApplication - Collecting callbacks and building a callgraph took 0 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication - Running data flow analysis on G:\JavaProjects\FlowDroid-2.10\soot-infoflow-android\insecureBank\InsecureBank.apk with 68 sources and 194 sinks...
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Implicit flow tracking is NOT enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Exceptional flow tracking is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Running with a maximum access path length of 5
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using path-agnostic result collection
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Recursive access path shortening is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Taint analysis enabled: true
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using alias algorithm FlowSensitive
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 4,891.5 MiB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph construction took 0 seconds
[main] INFO soot.jimple.infoflow.codeOptimization.InterproceduralConstantValuePropagator - Removing side-effect free met
[main] ERROR soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No sources found, aborting analysis
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] WARN soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No results found.
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 0 seconds. Maximum memory consumption: 99 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 0 leaks

timll commented 10 months ago

https://github.com/secure-software-engineering/FlowDroid/blob/a9af729455092f8c82561b943782192444c65017/soot-infoflow/src/soot/jimple/infoflow/util/SystemClassHandler.java#L57-L69

FlowDroid does not scan system packages for sources and sinks. Coincidentally, the package name of the insecurebank app is com.android.insecurebankv2, which matches also one of the system package prefixes. You could compile the app with another package name or change the system package detection in FlowDroid.
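
A pre-flight check for the collision described in the comment above, as an added example that is not part of the thread and is not FlowDroid code. Only the `com.android.` prefix is confirmed by the thread; the rest of the prefix list and the sample class names are assumptions, so compare against `SystemClassHandler` in the FlowDroid version you run.

```python
# Added illustration; not FlowDroid source code.
# ASSUMPTION: "com.android." is the only prefix confirmed by the thread.
# The other entries are illustrative stand-ins for the real list.
ASSUMED_SYSTEM_PREFIXES = ("android.", "java.", "javax.", "com.android.")

# Constructed sample: class names as they might be listed from two APKs.
SAMPLE_CLASSES = [
    "com.android.insecurebankv2.LoginActivity",
    "com.android.insecurebankv2.DoTransfer",
    "com.android.insecurebankv2.CryptoClass",
    "androidx.appcompat.app.AppCompatActivity",
    "com.example.testsourceandsinkdave.MainActivity",
    "com.example.testsourceandsinkdave.MainActivity$1",
]


def matching_system_prefix(class_name, prefixes=ASSUMED_SYSTEM_PREFIXES):
    """Return the prefix that makes class_name look like a system class, or None."""
    for prefix in prefixes:
        if class_name.startswith(prefix):
            return prefix
    return None


def preflight(app_package, class_names, prefixes=ASSUMED_SYSTEM_PREFIXES):
    """Report how much of the app's own code a system-package filter would skip."""
    own = [c for c in class_names
           if c == app_package or c.startswith(app_package + ".")]
    skipped = [c for c in own if matching_system_prefix(c, prefixes)]
    colliding = matching_system_prefix(app_package + ".", prefixes)
    if colliding:
        verdict = ("app package falls under system prefix %r: expect "
                   "'No sources found' unless the package is exempted" % colliding)
    else:
        verdict = "app package is outside the system prefixes"
    return {
        "app_package": app_package,
        "colliding_prefix": colliding,
        "own_classes": len(own),
        "own_classes_skipped": len(skipped),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pkg in ("com.android.insecurebankv2", "com.example.testsourceandsinkdave"):
        print(preflight(pkg, SAMPLE_CLASSES))
```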

dabeiz commented 10 months ago

Thank you for your prompt response!

Is it possible to modify this configuration using a parameter in cmd? Alternatively, can I change this configuration through a method if I use FlowDroid in Java code? Or do I need to recompile the jar dependency?

Currently, I am also able to execute the leakage detection by following steps:

import java.io.IOException;

import org.xmlpull.v1.XmlPullParserException;

import soot.jimple.infoflow.android.InfoflowAndroidConfiguration;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.results.InfoflowResults;

public class TryDetection {
    public final static String apkFilePath = "G:\\JavaProjects\\FlowDroid-2.10\\soot-infoflow-android\\insecureBank\\InsecureBank.apk";

    public final static String androidDirPath = "G:\\JavaProjects\\android-platforms-master";

    public final static String sourceSinkFilePath = "G:\\JavaProjects\\FlowDroid-2.10\\soot-infoflow-android\\SourcesAndSinks.txt";

    public static InfoflowResults res;

    public static void main(String[] args) throws XmlPullParserException, IOException {
        InfoflowAndroidConfiguration conf = new InfoflowAndroidConfiguration();

        // Platform jars, target APK and the source/sink definitions
        conf.getAnalysisFileConfig().setAndroidPlatformDir(androidDirPath);
        conf.getAnalysisFileConfig().setTargetAPKFile(apkFilePath);
        conf.getAnalysisFileConfig().setSourceSinkFile(sourceSinkFilePath);

        conf.setLogSourcesAndSinks(true);
        conf.setMergeDexFiles(true);

        SetupApplication setup = new SetupApplication(conf);

        // Run the taint analysis and print the detected flows
        res = setup.runInfoflow();

        System.out.print(res);
    }
}

timll commented 10 months ago

> Is it possible to modify this configuration using a parameter in cmd? Alternatively, can I change this configuration through a method if I use FlowDroid in Java code? Or do I need to recompile the jar dependency?

Overload this to return true for the insecurebank package. https://github.com/secure-software-engineering/FlowDroid/blob/a9af729455092f8c82561b943782192444c65017/soot-infoflow/src/soot/jimple/infoflow/AbstractInfoflow.java#L1425-L1434

(You could also do config.setIgnoreFlowsInSystemPackages(false) but that might have severely negative impact on the scalability because FlowDroid then would also try to find leaks inside the default bundled libraries such as androidx. etc)

dabeiz commented 10 months ago

Got it! I will attempt this method tomorrow.

Additionally, I have another concern regarding the use of FlowDroid to analyze my own app. Despite having a very simple layout and function, I noticed that certain leakages are not being detected. This is contrary to my understanding of how FlowDroid should work.

Here is the layout of my app, which includes a configuration for android:onClick="showCountry".

<Button
    android:id="@+id/buttonCountry"
    android:layout_width="wrap_content"
    android:layout_height="wrap_content"
    android:text="Click to country"
    android:layout_gravity="center"
    android:onClick="showCountry" />

<TextView
    android:id="@+id/tvTimezone"
    android:layout_width="wrap_content"
    android:layout_height="wrap_content"
    android:layout_marginTop="16dp"
    android:text="TimeZone == " />

Here is the main activity. Please note that I have configured two different sources and four different sets of sinks based on the definition provided in SourcesAndSinks.txt. This configuration allows for easy detection of these sources and sinks.

package com.example.testsourceandsinkdave;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import androidx.appcompat.app.AppCompatActivity;

import java.util.Locale;
import java.util.TimeZone;
import java.util.Calendar;
import android.util.Log;

public class MainActivity extends AppCompatActivity {

    private String secreteCountry = "";
    private String secreteTimeZone = "";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // source: <java.util.Locale: java.lang.String getCountry()> -> _SOURCE_
        Locale usLocale = new Locale("en", "US");
        secreteCountry = usLocale.getCountry();

        // sink: <android.util.Log: int i(java.lang.String,java.lang.String)> -> _SINK_
        Log.i("Sink C.1: Country", secreteCountry);
        Log.i("Sink C.2: Country", "hello" + secreteCountry);

        Button button = findViewById(R.id.buttonCountry);
        button.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // sink: <android.util.Log: int i(java.lang.String,java.lang.String)> -> _SINK_
                Log.i("Sink C.3: Country", secreteCountry);
                Log.i("Sink C.4: Country", "hello" + secreteCountry);
            }
        });

        // source: <java.util.Calendar: java.util.TimeZone getTimeZone()> -> _SOURCE_
        Calendar calendar = Calendar.getInstance();
        TimeZone timeZone = calendar.getTimeZone();
        secreteTimeZone = timeZone.getID();

        // sink: <android.util.Log: int i(java.lang.String,java.lang.String)> -> _SINK_
        Log.i("Sink T.1: TimeZone", secreteTimeZone);
        Log.i("Sink T.2: TimeZone", "hello" + secreteTimeZone);
    }

    public void showCountry(View view) {
        // sink: <android.util.Log: int i(java.lang.String,java.lang.String)> -> _SINK_
        Log.i("Sink C.5: Country", secreteCountry);
        Log.i("Sink C.6: Country", "hello" + secreteCountry);
    }
}

However, I got this.

[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
[main] INFO soot.jimple.infoflow.android.SetupApplication - ARSC file parsing took 0.0523664 seconds
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 4,891.5 MiB
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 2 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Collecting callbacks in DEFAULT mode...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Callback analysis done.
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 2 components...
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.fragment.app.FragmentTransition$Callback, because it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.core.view.OnApplyWindowInsetsListener, because it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.fragment.app.FragmentManager, because it is abstract and cannot substitute with subclass
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 3 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 2 components...
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.fragment.app.FragmentTransition$Callback, because it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.appcompat.view.ActionMode, because it is abstract and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.appcompat.widget.ForwardingListener, because it is abstract and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.core.view.ViewPropertyAnimatorUpdateListener, because it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.core.view.OnApplyWindowInsetsListener, because it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.fragment.app.FragmentManager, because it is abstract and cannot substitute with subclass
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 1 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 2 components...
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.fragment.app.FragmentTransition$Callback, because it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.appcompat.view.ActionMode, because it is abstract and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.appcompat.widget.ForwardingListener, because it is abstract and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.core.view.ViewPropertyAnimatorUpdateListener, because it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.core.view.OnApplyWindowInsetsListener, because it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.android.entryPointCreators.components.ActivityEntryPointCreator - Cannot create valid constructor for androidx.fragment.app.FragmentManager, because it is abstract and cannot substitute with subclass
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 0 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Callback analysis terminated normally
[main] INFO soot.jimple.infoflow.android.SetupApplication - Entry point calculation done.
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.web.servlet.tags.UrlTag: java.lang.String createUrl)> -> _SINK_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.orm.hibernate3.support.ClobStringType: int[] sqlTypes)> -> _SINK_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.http.CsrfBeanDefinitionParser: org.springframework.beans.factory.config.BeanDefinition getCsrfLogoutHandler)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <java.io.File: java.io.File getAbsoluteFile)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.http.FormLoginBeanDefinitionParser: java.lang.String getLoginPage)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <com.google.auth.oauth2.UserCredentials: java.lang.String getClientSecret)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.web.servlet.tags.UrlTag: java.lang.String createUrl)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <java.io.File: java.io.File getCanonicalFile)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.apache.xmlrpc.webserver.RequestData: java.lang.String getMethod)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.dmfs.oauth2.client.http.requests.ResourceOwnerPasswordTokenRequest: org.dmfs.httpclient.HttpRequestEntity requestEntity)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.concurrent.DelegatingSecurityContextExecutorService: java.util.concurrent.ExecutorService getDelegate)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.annotation.web.builders.HttpSecurity: org.springframework.security.config.'annotation'.web.configurers.HeadersConfigurer headers)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.web.servlet.tags.EscapeBodyTag: java.lang.String readBodyContent)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.http.FormLoginBeanDefinitionParser: java.lang.String getLoginProcessingUrl)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.springframework.security.config.annotation.web.configurers.LogoutConfigurer: java.util.List getLogoutHandlers)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.apache.xmlrpc.webserver.RequestData: java.lang.String getHttpVersion)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <com.google.auth.oauth2.DefaultCredentialsProvider: java.io.File getWellKnownCredentialsFile)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match: <org.apache.xmlrpc.webserver.HttpServletRequestImpl: void parseParameters)> -> _SOURCE_
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match:     
[main] INFO soot.jimple.infoflow.android.source.AccessPathBasedSourceSinkManager - Created a SourceSinkManager with 68 sources, 194 sinks, and 60 callback methods.
[main] INFO soot.jimple.infoflow.android.SetupApplication - Collecting callbacks and building a callgraph took 12 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication - Running data flow analysis on G:\JavaProjects\test-APK\app-debug.apk with 68 sources and 194 sinks...
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Implicit flow tracking is NOT enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Exceptional flow tracking is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Running with a maximum access path length of 5
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using path-agnostic result collection
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Recursive access path shortening is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Taint analysis enabled: true
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using alias algorithm FlowSensitive
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 4,891.5 MiB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph construction took 0 seconds
[main] INFO soot.jimple.infoflow.codeOptimization.InterproceduralConstantValuePropagator - Removing side-effect free methods is disabled
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Dead code elimination took 0.4015449 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph has 6935 edges
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Starting Taint Analysis
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Using context- and flow-sensitive solver
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Using context- and flow-sensitive solver
[main] WARN soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Running with limited join point abstractions can break context-sensitive path builders
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Looking for sources and sinks...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Source lookup done, found 9 sources and 117 sinks.
[Low memory monitor] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Triggering memory warning at 5889 MB (5699 MB max, 5173 in watched memory pool)...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - IFDS problem with 28781113 forward and 12894998 backward edges solved in 168 seconds, processing 4 results...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Current memory consumption: 5909 MB
[Low memory monitor] WARN soot.jimple.infoflow.memory.FlowDroidMemoryWatcher - Running out of memory, solvers terminated
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Memory consumption after cleanup: 256 MB
[main] INFO soot.jimple.infoflow.data.pathBuilders.BatchPathBuilder - Running path reconstruction batch 1 with 4 elements
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Obtainted 4 connections between sources and sinks
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Building path 1...
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Building path 2...
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Building path 3...
[main] INFO soot.jimple.infoflow.data.pathBuilders.ContextSensitivePathBuilder - Building path 4...
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Memory consumption after path building: 394 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Path reconstruction took 2 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.1: Country", $r3) in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink virtualinvoke r2.<android.os.Bundle: void putAll(android.os.Bundle)>(r3) in method <androidx.savedstate.SavedStateRegistry: void performSave(android.os.Bundle)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink virtualinvoke $r0.<android.content.Context: void startActivities(android.content.Intent[],android.os.Bundle)>($r1, null) in method <androidx.core.content.ContextCompat$Api16Impl: void startActivities(android.content.Context,android.content.Intent[],android.os.Bundle)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.3: Country", $r3) in method <com.example.testsourceandsinkdave.MainActivity$1: void onClick(android.view.View)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 171 seconds. Maximum memory consumption: 5909 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 4 leaks
$r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.1: Country", $r3), $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> virtualinvoke r2.<android.os.Bundle: void putAll(android.os.Bundle)>(r3), $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> virtualinvoke $r0.<android.content.Context: void startActivities(android.content.Intent[],android.os.Bundle)>($r1, null), $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.3: Country", $r3)

Only 2 sinks (two leaks) are found. For C.2 and C.4: Is the reason for the sink C.2 and C.4 that I added something before the source message? Can't this also be detected? For C.5 and C.6: Is it because the callback android:onClick="showCountry" is defined in the layout? Why can't it be detected? For T.1 and T.2: what I have done is not directly putting the source timeZone into the sink, but first fetching a string type using secreteTimeZone = timeZone.getID(); and then putting it into the sink. Why can't this be detected?

Also, I have noticed that my output shows a warning about running out of memory (~6000MB), even though my toy apk is only <4MB. Is it normal for FlowDroid analysis to encounter this issue?

I have uploaded this toy app to Google Drive. You can access it at the following link: https://drive.google.com/file/d/1YYzW6am3fmF6AmEdwRqsMwmMOL32nXaM/view?usp=sharing Please feel free to use it to reproduce this process.

Thanks in advance!

timll commented 10 months ago

> Only 2 sinks (two leaks) are found. For C.2 and C.4: Is the reason for the sink C.2 and C.4 that I added something before the source message? Can't this also be detected? For C.5 and C.6: Is it because the callback android:onClick="showCountry" is defined in the layout? Why can't it be detected? For T.1 and T.2: what I have done is not directly putting the source timeZone into the sink, but first fetching a string type using secreteTimeZone = timeZone.getID(); and then putting it into the sink. Why can't this be detected?

We do not support old versions. FlowDroid is a moving target, and we generally work with the HEAD. Please check if you can reproduce the problem in a minimal manner on the current SNAPSHOT.

Assuming you still use the same code as posted before, for C.2, C.4, T.1 and T.2, you are missing summary models. The Android.jar shipped with Android Studio only contains stubs (i.e. signatures but no method bodies). FlowDroid has no way to know that there is a transfer on secreteTimeZone = timeZone.getID(); (or on StringBuilder.append(String) for C.2/C.4). You need to provide a TaintWrapper, which can summarize calls for the taint analysis and apply either heuristics, precomputed results or handwritten summaries. Take a look at the PhD thesis linked in the README to find out more about all this.

> Also, I have noticed that my output shows a warning about running out of memory (~6000MB), even though my toy apk is only <4MB. Is it normal for FlowDroid analysis to encounter this issue?

IFDS with precise domains can be quite memory intensive. Even with taint wrappers in use, FlowDroid might need 100GB to finish a real-world app from the Google Play Store. Note that the app size has no impact on the runtime and memory consumption. It rather depends on the "denseness" of the exploded super graph. Seeing 9 sources detected but only 2 sources inside your app, I assume there is some library packed with your app that is analyzed as well.
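The point about stubs and summary models in the answer above, as a toy model. This is an added illustration, not FlowDroid's code or its IFDS solver; the `Call` type, the `SUMMARIES` table and the sample `PROGRAM` are constructed for this example and only mirror the C.1, C.2 and T.1 cases from the thread.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Call:
    """One call statement: target = receiver.method(args)."""
    target: Optional[str]    # variable assigned the return value, if any
    receiver: Optional[str]  # base object, None for static calls
    method: str              # "Class.method"
    args: tuple = ()         # variable names or quoted string constants


SOURCES = {"Locale.getCountry", "Calendar.getTimeZone"}
SINKS = {"Log.i"}

# Hand-written summaries (constructed, not FlowDroid's file format): what
# becomes tainted when the receiver or any argument of the call is tainted.
SUMMARIES = {
    "TimeZone.getID": {"return"},
    "StringBuilder.append": {"return", "receiver"},
    "StringBuilder.toString": {"return"},
}

# Constructed program mirroring three of the test app's sinks.
PROGRAM = [
    Call("country", "locale", "Locale.getCountry"),
    Call(None, None, "Log.i", ('"Sink C.1: Country"', "country")),
    # "prefix" + country compiles to StringBuilder calls
    Call(None, "sb", "StringBuilder.append", ('"Country: "',)),
    Call(None, "sb", "StringBuilder.append", ("country",)),
    Call("msg", "sb", "StringBuilder.toString"),
    Call(None, None, "Log.i", ('"Sink C.2: Country"', "msg")),
    Call("timeZone", "calendar", "Calendar.getTimeZone"),
    Call("secreteTimeZone", "timeZone", "TimeZone.getID"),
    Call(None, None, "Log.i", ('"Sink T.1: TimeZone"', "secreteTimeZone")),
]


def find_leaks(program, summaries=None):
    """Return the labels of sinks reached by tainted values, in program order."""
    summaries = summaries or {}
    tainted = set()
    leaks = []
    for stmt in program:
        inputs = [v for v in (stmt.receiver, *stmt.args) if v is not None]
        any_tainted = any(v in tainted for v in inputs)
        if stmt.method in SOURCES:
            if stmt.target:
                tainted.add(stmt.target)
        elif stmt.method in SINKS:
            if any_tainted:
                leaks.append(stmt.args[0].strip('"'))
        elif stmt.method in summaries and any_tainted:
            effects = summaries[stmt.method]
            if "return" in effects and stmt.target:
                tainted.add(stmt.target)
            if "receiver" in effects and stmt.receiver:
                tainted.add(stmt.receiver)
        elif stmt.target:
            # Stub without a body and without a summary (or a summarized call
            # on clean inputs): no transfer is visible, the result is clean.
            tainted.discard(stmt.target)
    return leaks


def missed_without_summaries(program, summaries):
    """Sinks that are only reported once the summaries are supplied."""
    baseline = set(find_leaks(program))
    return [s for s in find_leaks(program, summaries) if s not in baseline]


if __name__ == "__main__":
    print("without summaries:", find_leaks(PROGRAM))
    print("with summaries:   ", find_leaks(PROGRAM, SUMMARIES))
```
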

dabeiz commented 9 months ago

100GB memory or 100GB space?

timll commented 9 months ago

> 100GB memory or 100GB space?

100 GB memory. You can disable some features such as exceptional flow tracking and static field tracking to decrease the memory needed to analyze an app.

dabeiz commented 9 months ago

Got it. Thanks a lot!

dabeiz commented 9 months ago

Hello there.

I attempted to download this repository and import it into IDEA as a Maven project (using the latest version 2.13.0-SNAPSHOT).

This way I can easily modify the isUserCodeClass and make it always return true.

Additionally, I included a setting to configure the TaintWrapper and re-ran the Infoflow detect.

However, no leaks have been detected.


[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
[main] INFO soot.jimple.infoflow.android.SetupApplication - ARSC file parsing took 0.0665149 seconds
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 7,336.8 MiB
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 6 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Collecting callbacks in DEFAULT mode...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Callback analysis done.
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 6 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 0 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Callback analysis terminated normally
[main] INFO soot.jimple.infoflow.android.SetupApplication - Entry point calculation done.
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match:     
[main] INFO soot.jimple.infoflow.android.source.AccessPathBasedSourceSinkManager - Created a SourceSinkManager with 84 sources, 193 sinks, and 0 callback methods.
[main] INFO soot.jimple.infoflow.android.SetupApplication - Collecting callbacks and building a callgraph took 1 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication - Running data flow analysis on G:\JavaProjects\FlowDroid-2.10\soot-infoflow-android\insecureBank\InsecureBank.apk with 84 sources and 193 sinks...
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Implicit flow tracking is NOT enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Exceptional flow tracking is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Running with a maximum access path length of 5
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using path-agnostic result collection
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Recursive access path shortening is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Taint analysis enabled: true
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using alias algorithm FlowSensitive
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 7,336.8 MiB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph construction took 0 seconds
[main] INFO soot.jimple.infoflow.codeOptimization.InterproceduralConstantValuePropagator - Removing side-effect free methods is disabled
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Dead code elimination took 0.0251022 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph has 36 edges
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Starting Taint Analysis
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Using context- and flow-sensitive solver
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Using context- and flow-sensitive solver
[main] WARN soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Running with limited join point abstractions can break context-sensitive path builders
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Looking for sources and sinks...
[main] ERROR soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No sources found, aborting analysis
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] WARN soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No results found.
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 0 seconds. Maximum memory consumption: 34 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 0 leaks
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
<no results>
Process finished with exit code 0

dabeiz commented 9 months ago

And yes, the TaintWrapper setting can enable detection of leakage in C.2, C.4, T.1, and T.2; however, it does not detect the leakage in C.5 and C.6 (which are within the callback function for android:onClick="showCountry").

I also noticed that when I ran the infoflow detection this time, the memory consumption (~200MB) was much lower than last time (when I directly used soot-infoflow-cmd-jar-with-dependencies.jar as a dependency and triggered a memory warning of ~6GB). What caused this difference?

[main] INFO soot.jimple.infoflow.taintWrappers.EasyTaintWrapper - Loaded wrapper entries for 90 classes and 12 exclusions.
[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
[main] INFO soot.jimple.infoflow.android.SetupApplication - ARSC file parsing took 0.0988661 seconds
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 7,336.8 MiB
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 2 components...
[main] WARN soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Cannot generate constructor for phantom class androidx.startup.InitializationProvider
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Collecting callbacks in DEFAULT mode...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Callback analysis done.
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 2 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 2 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 2 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 1 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 2 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 1 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 2 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 1 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Callback analysis terminated normally
[main] INFO soot.jimple.infoflow.android.SetupApplication - Entry point calculation done.
[main] WARN soot.jimple.infoflow.android.data.parsers.PermissionMethodParser - Line does not match:     
[main] INFO soot.jimple.infoflow.android.source.AccessPathBasedSourceSinkManager - Created a SourceSinkManager with 84 sources, 193 sinks, and 85 callback methods.
[main] INFO soot.jimple.infoflow.android.SetupApplication - Collecting callbacks and building a callgraph took 1 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication - Running data flow analysis on G:\JavaProjects\test-APK\app-debug.apk with 84 sources and 193 sinks...
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Implicit flow tracking is NOT enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Exceptional flow tracking is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Running with a maximum access path length of 5
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using path-agnostic result collection
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Recursive access path shortening is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Taint analysis enabled: true
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using alias algorithm FlowSensitive
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 7,336.8 MiB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph construction took 0 seconds
[main] INFO soot.jimple.infoflow.codeOptimization.InterproceduralConstantValuePropagator - Removing side-effect free methods is disabled
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Dead code elimination took 0.0240005 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph has 127 edges
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Starting Taint Analysis
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Using context- and flow-sensitive solver
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Using context- and flow-sensitive solver
[main] WARN soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Running with limited join point abstractions can break context-sensitive path builders
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Looking for sources and sinks...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Source lookup done, found 2 sources and 6 sinks.
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
Change isUserCodeClass to always return true
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Taint wrapper hits: 9
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Taint wrapper misses: 712
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - IFDS problem with 2914 forward and 1288 backward edges solved in 0 seconds, processing 10 results...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Current memory consumption: 247 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Memory consumption after cleanup: 129 MB
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$ShutdownBatchPathBuilder - Running path reconstruction batch 1 with 5 elements
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Obtainted 5 connections between sources and sinks
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 1...
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 2...
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 3...
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 4...
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 5...
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$ShutdownBatchPathBuilder - Running path reconstruction batch 2 with 5 elements
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Obtainted 5 connections between sources and sinks
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 1...
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 2...
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 3...
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 4...
[main] INFO soot.jimple.infoflow.data.pathBuilders.DefaultPathBuilderFactory$RepeatableContextSensitivePathBuilder - Building path 5...
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Memory consumption after path building: 129 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Path reconstruction took 0 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink T.2: TimeZone", $r3) in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r9 = virtualinvoke $r8.<java.util.Calendar: java.util.TimeZone getTimeZone()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.1: Country", $r3) in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink virtualinvoke $r0.<androidx.activity.ComponentActivity: void startActivityForResult(android.content.Intent,int,android.os.Bundle)>(null, 0, null) in method <dummyMainClass: com.example.testsourceandsinkdave.MainActivity dummyMainMethod_com_example_testsourceandsinkdave_MainActivity(android.content.Intent)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r9 = virtualinvoke $r8.<java.util.Calendar: java.util.TimeZone getTimeZone()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink T.1: TimeZone", $r3) in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r9 = virtualinvoke $r8.<java.util.Calendar: java.util.TimeZone getTimeZone()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.4: Country", $r3) in method <com.example.testsourceandsinkdave.MainActivity$1: void onClick(android.view.View)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.2: Country", $r3) in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.3: Country", $r3) in method <com.example.testsourceandsinkdave.MainActivity$1: void onClick(android.view.View)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink virtualinvoke $r0.<androidx.activity.ComponentActivity: void startActivityForResult(android.content.Intent,int)>(null, 0) in method <dummyMainClass: com.example.testsourceandsinkdave.MainActivity dummyMainMethod_com_example_testsourceandsinkdave_MainActivity(android.content.Intent)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r9 = virtualinvoke $r8.<java.util.Calendar: java.util.TimeZone getTimeZone()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 0 seconds. Maximum memory consumption: 247 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 8 leaks
$r9 = virtualinvoke $r8.<java.util.Calendar: java.util.TimeZone getTimeZone()>() -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink T.2: TimeZone", $r3), $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.1: Country", $r3), $r9 = virtualinvoke $r8.<java.util.Calendar: java.util.TimeZone getTimeZone()>() -> virtualinvoke $r0.<androidx.activity.ComponentActivity: void startActivityForResult(android.content.Intent,int,android.os.Bundle)>(null, 0, null), $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> virtualinvoke $r0.<androidx.activity.ComponentActivity: void startActivityForResult(android.content.Intent,int,android.os.Bundle)>(null, 0, null), $r9 = virtualinvoke $r8.<java.util.Calendar: java.util.TimeZone getTimeZone()>() -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink T.1: TimeZone", $r3), $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.4: Country", $r3), $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.2: Country", $r3), $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.3: Country", $r3), $r9 = virtualinvoke $r8.<java.util.Calendar: java.util.TimeZone getTimeZone()>() -> virtualinvoke $r0.<androidx.activity.ComponentActivity: void startActivityForResult(android.content.Intent,int)>(null, 0), $r3 = virtualinvoke r2.<java.util.Locale: java.lang.String getCountry()>() -> virtualinvoke $r0.<androidx.activity.ComponentActivity: void startActivityForResult(android.content.Intent,int)>(null, 0)

timll commented 9 months ago

> However, no leaks have been detected.

Read the logs, it says [main] ERROR soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No sources found, aborting analysis. You will only get leaks if any of the specified sources/sinks are in the app. You can look for yourself in the isValidSeed method to see that the insecurebank classes are included.

> I also noticed that when I ran the infoflow detection this time, the memory consumption (~200MB) was much lower than last time (when I directly used soot-infoflow-cmd-jar-with-dependencies.jar as a dependency and triggered a memory warning of ~6GB). What caused this difference?

Again, look at your logs and my previous answer:

> Seeing 9 sources detected but only 2 sources inside your app, I assume there is some library packed with your app that is analyzed as well.

Your logs now show only 2 sources, so probably the old version didn't exclude system code properly and thus analyzed some library.

> And yes, the TaintWrapper setting can enable detection of leakage in C.2, C.4, T.1, and T.2; however, it does not detect the leakage in C.5 and C.6 (which are within the callback function for android:onClick="showCountry").

When an app is compiled with a fairly recent Android API, layout IDs are constant static fields instead of constant arguments. I'll add rudimentary support for this.
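A log triage helper for the "read the logs" advice above, added here as an example and not part of FlowDroid. It separates a run that aborted because no configured source was found in the app from a run that actually analyzed the app, which matters because both can end in "Found 0 leaks". The sample logs are lines copied from the two runs quoted in this thread; the function names and verdict strings are hypothetical.

```python
import re

# Lines copied from the InsecureBank run quoted in this thread.
RUN_INSECUREBANK = """\
[main] INFO soot.jimple.infoflow.android.source.AccessPathBasedSourceSinkManager - Created a SourceSinkManager with 84 sources, 193 sinks, and 0 callback methods.
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph has 36 edges
[main] ERROR soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No sources found, aborting analysis
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 0 seconds. Maximum memory consumption: 34 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 0 leaks
"""

# Lines copied from the toy-app run quoted in this thread.
RUN_TOY_APP = """\
[main] INFO soot.jimple.infoflow.android.source.AccessPathBasedSourceSinkManager - Created a SourceSinkManager with 84 sources, 193 sinks, and 85 callback methods.
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph has 127 edges
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Source lookup done, found 2 sources and 6 sinks.
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Taint wrapper hits: 9
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Taint wrapper misses: 712
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink staticinvoke <android.util.Log: int i(java.lang.String,java.lang.String)>("Sink C.2: Country", $r3) in method <com.example.testsourceandsinkdave.MainActivity: void onCreate(android.os.Bundle)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink virtualinvoke $r0.<androidx.activity.ComponentActivity: void startActivityForResult(android.content.Intent,int)>(null, 0) in method <dummyMainClass: com.example.testsourceandsinkdave.MainActivity dummyMainMethod_com_example_testsourceandsinkdave_MainActivity(android.content.Intent)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 0 seconds. Maximum memory consumption: 247 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 8 leaks
"""

# Numeric facts worth extracting, keyed by a short name.
PATTERNS = {
    "configured_sources": r"Created a SourceSinkManager with (\d+) sources",
    "callgraph_edges": r"Callgraph has (\d+) edges",
    "sources_in_app": r"Source lookup done, found (\d+) sources",
    "wrapper_hits": r"Taint wrapper hits: (\d+)",
    "wrapper_misses": r"Taint wrapper misses: (\d+)",
    "max_memory_mb": r"Maximum memory consumption: (\d+) MB",
    "leaks": r"Found (\d+) leaks",
}


def summarize(log_text):
    """Extract the key counters and markers from one FlowDroid run log."""
    facts = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, log_text)
        facts[name] = int(match.group(1)) if match else None
    facts["aborted_no_sources"] = "No sources found, aborting analysis" in log_text
    # Labels of the test app's own Log.i sinks; framework sinks carry no label.
    labels = re.findall(r'The sink .*?\("(Sink [^"]+)"', log_text)
    facts["sink_labels"] = sorted(set(labels))
    return facts


def verdict(facts):
    """Classify a run so an aborted analysis is never read as a clean app."""
    if facts["aborted_no_sources"]:
        return "aborted-no-sources"
    if facts["leaks"] is None:
        return "incomplete-log"
    return "analyzed-leaks" if facts["leaks"] > 0 else "analyzed-clean"


if __name__ == "__main__":
    for name, log in (("InsecureBank", RUN_INSECUREBANK), ("toy app", RUN_TOY_APP)):
        facts = summarize(log)
        print(name, verdict(facts), facts)
```
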