secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Problem running the Command-Line Tool on Android App #655

Closed flotes3 closed 9 months ago

flotes3 commented 9 months ago

Hello!

I ran the FlowDroid command-line tool with the sourcesAndSinks.xml and the SourceToSink1.apk provided in the repo and it found the leaks as expected.

But when I try to run it on a self-compiled APK, I always get the error message [main] ERROR soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No sources found, aborting analysis and FlowDroid finds 0 leaks.

This is my MainActivity.java:

package com.example.testapp;

import androidx.appcompat.app.AppCompatActivity;
import android.os.Bundle;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        sink(source());
    }

    public String source(){
        return "Source";
    }

    public void sink(String param){

    }
}

And this is my sourcesAndSinks.xml

<sinkSources>
    <category id="NO_CATEGORY"> 
        <method signature="&lt;com.example.testapp.MainActivity: java.lang.String source()&gt;">
            <return type="java.lang.String">
                <accessPath isSource="true" isSink="false" />
            </return>
        </method>
        <method signature="&lt;com.example.testapp.MainActivity: void sink(java.lang.String)&gt;">
            <param index="0" type="java.lang.String">
                <accessPath isSource="false" isSink="true" />
            </param>
        </method>
    </category>
</sinkSources>

It seems my problem is somewhere in the Android code or I made mistakes during the compilation of the APK as the sourcesAndSinks file seems to be read correctly.

Do you have an idea what I could be doing wrong or could you maybe provide me with the source code of the SourceToSink APKs so that I can compare them to my code and perhaps find the problem?

Thank you very much!

timll commented 9 months ago

I can't reproduce the issue, so I'm guessing it's one of those:

  1. You compiled your app with production settings, ProGuard renamed your activity and thus, the signatures do not match.
  2. The log also contains [main] WARN soot.dexpler.DexFileProvider - Multiple dex files detected, only processing 'classes.dex'. Use '-process-multiple-dex' option to process them all., then just add -d to the command line arguments.

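A pre-flight check for the two causes listed above, as an added example that is not FlowDroid's own code: it pulls the class names out of the sourcesAndSinks.xml method signatures, looks for their type descriptors (e.g. Lcom/example/testapp/MainActivity;) in the string table of every classesN.dex inside the APK, and reports how many dex files the APK carries. The "APK" produced by make_fake_apk is constructed test input whose dex entries hold only descriptor bytes, not real dex files.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Class part of a Soot signature like "<com.example.testapp.MainActivity: void sink(java.lang.String)>"
SIG_RE = re.compile(r"<([\w.$]+):\s")

# Constructed copy of the issue's sources/sinks file (only the signature attributes matter here).
SOURCES_AND_SINKS = """<sinkSources><category id="NO_CATEGORY">
  <method signature="&lt;com.example.testapp.MainActivity: java.lang.String source()&gt;"/>
  <method signature="&lt;com.example.testapp.MainActivity: void sink(java.lang.String)&gt;"/>
</category></sinkSources>"""


def classes_in_sources_and_sinks(xml_text):
    """Class names referenced by <method signature=...> entries."""
    names = set()
    for m in ET.fromstring(xml_text).iter("method"):
        match = SIG_RE.match(m.get("signature", ""))
        if match:
            names.add(match.group(1))
    return names


def check_apk(apk_bytes, xml_text):
    """Return (missing_classes, dex_files).

    A class is 'missing' when its descriptor (b"Lcom/example/testapp/MainActivity;") occurs in
    none of the dex string tables, which is what ProGuard renaming looks like from the outside.
    More than one classesN.dex means FlowDroid needs -d to look past classes.dex.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        dexes = sorted(n for n in z.namelist() if re.fullmatch(r"classes\d*\.dex", n))
        blobs = [z.read(n) for n in dexes]
    missing = []
    for cls in sorted(classes_in_sources_and_sinks(xml_text)):
        descriptor = ("L" + cls.replace(".", "/") + ";").encode()
        if not any(descriptor in b for b in blobs):
            missing.append(cls)
    return missing, dexes


def make_fake_apk(dex_contents):
    """Constructed test input: a zip whose dex entries hold only descriptor bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in dex_contents.items():
            z.writestr(name, data)
    return buf.getvalue()
```

Run check_apk(open("app-debug.apk", "rb").read(), open("sourcesAndSinks.xml").read()) on a real build: a non-empty missing list points at cause 1, a dex list longer than one points at cause 2.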
flotes3 commented 9 months ago

Thank you very much, the -d solved my problem! (-process-multiple-dex wasn't necessary)