secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Update BinaryAndroidApplication.java #647

Closed firmianay closed 9 months ago

StevenArzt commented 9 months ago

This PR changes the semantics of the parser. Currently, we let the user decide how to handle apps that don't specify the attribute. Keep in mind that the app behavior depends on the target SDK version in that case, so even if you wanted to handle it in FlowDroid, it would be much more complex.

firmianay commented 9 months ago

I understand, so I need to compare the API versions because the default values are different. Is it okay to do this like now?

firmianay commented 9 months ago

btw, for allowBackup, its default value is true, but the current code will return false

StevenArzt commented 9 months ago

You can fix "allowBackup", that's easy.

For the cleartext traffic, the logic is fairly complex. Keep in mind that Android also supports a network security configuration, which is another file in the app in which you make similar settings. That's why we chose to give the user the "raw" data, which may be null, and have the user deal with it.

Our commercial code scanner (which is built on top of Soot and FlowDroid) checks for the null value and then does the more complex reasoning including the other relevant files depending on the target SDK version.
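The three-valued approach described above (keep the raw manifest attribute, possibly null, and let a separate step apply the platform defaults), together with the allowBackup default raised earlier in the thread, as an added example that is not FlowDroid code and does not touch `BinaryAndroidApplication.java`. It parses a plain-text manifest with the standard library rather than the binary AXML format FlowDroid reads; the two sample manifests are constructed for the example, and the decision rules it encodes are the documented platform ones: `allowBackup` defaults to true, `usesCleartextTraffic` defaults to true below targetSdkVersion 28 and false from 28 on, and a declared `networkSecurityConfig` takes precedence, so the function reports `None` in that case because the referenced file is not parsed here.

```python
"""Resolve the effective value of two AndroidManifest.xml security attributes.

Added example, not FlowDroid code: the parser keeps the raw attribute
(None when not declared) and a separate step applies platform defaults.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests (not from any real app).
SAMPLE_LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
    <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="27" />
    <application android:label="Legacy" />
</manifest>"""

SAMPLE_MODERN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.modern">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30" />
    <application android:label="Modern"
        android:allowBackup="false"
        android:usesCleartextTraffic="true"
        android:networkSecurityConfig="@xml/network_security_config" />
</manifest>"""


def _android_attr(elem: ET.Element, name: str) -> Optional[str]:
    """Read an attribute from the android: namespace; None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _parse_bool(value: Optional[str]) -> Optional[bool]:
    """Manifest booleans are the strings "true"/"false"; absent stays None."""
    if value is None:
        return None
    return value.strip().lower() == "true"


@dataclass
class ManifestFlags:
    target_sdk: int
    raw_allow_backup: Optional[bool]            # None = attribute not declared
    raw_uses_cleartext_traffic: Optional[bool]  # None = attribute not declared
    network_security_config: Optional[str]      # resource reference if declared


def parse_manifest(xml_text: str) -> ManifestFlags:
    """Extract the raw values; no defaults are applied at this stage."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    min_sdk, target_sdk = 1, None  # platform defaults when <uses-sdk> is missing
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        min_str = _android_attr(uses_sdk, "minSdkVersion")
        if min_str is not None:
            min_sdk = int(min_str)
        target_str = _android_attr(uses_sdk, "targetSdkVersion")
        if target_str is not None:
            target_sdk = int(target_str)
    if target_sdk is None:
        target_sdk = min_sdk  # targetSdkVersion defaults to minSdkVersion
    return ManifestFlags(
        target_sdk=target_sdk,
        raw_allow_backup=_parse_bool(_android_attr(app, "allowBackup")),
        raw_uses_cleartext_traffic=_parse_bool(_android_attr(app, "usesCleartextTraffic")),
        network_security_config=_android_attr(app, "networkSecurityConfig"),
    )


def effective_allow_backup(flags: ManifestFlags) -> bool:
    """allowBackup is true unless the manifest explicitly sets it to false."""
    return True if flags.raw_allow_backup is None else flags.raw_allow_backup


def effective_uses_cleartext_traffic(flags: ManifestFlags) -> Optional[bool]:
    """Apply the target-SDK default; defer (None) when a network security
    config is declared, since that file, not the attribute, decides."""
    if flags.network_security_config is not None:
        return None
    if flags.raw_uses_cleartext_traffic is not None:
        return flags.raw_uses_cleartext_traffic
    return flags.target_sdk < 28  # default flipped to false with targetSdkVersion 28


def summarize(xml_text: str) -> dict:
    """Convenience wrapper: raw parse followed by default resolution."""
    flags = parse_manifest(xml_text)
    return {
        "targetSdk": flags.target_sdk,
        "allowBackup": effective_allow_backup(flags),
        "usesCleartextTraffic": effective_uses_cleartext_traffic(flags),
    }


if __name__ == "__main__":
    for name, text in (("legacy", SAMPLE_LEGACY), ("modern", SAMPLE_MODERN)):
        print(name, summarize(text))
```

Splitting the raw parse from `effective_*` keeps the scanner's options open: a caller that wants the conservative reading can treat `None` from `effective_uses_cleartext_traffic` as "go and parse the network security config", while a caller that only needs the manifest view still gets a definite answer for apps without one.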

firmianay commented 9 months ago

OK, I've fixed the allowBackup error.

I used to think that this value was only for usesCleartextTraffic, but if you want to consider network security configuration at the same time, it is indeed more complicated. It will take some effort to parse this file.