secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

No sources found, aborting analysis #720

Open tiash-roy opened 3 months ago

tiash-roy commented 3 months ago

Hi,

I am trying to run FlowDroid for various apps from the Play Store. I defined my own sources for each of the apps. But FlowDroid could not detect any of the sources. For example, for the app Lazada my source was:

<com.lazada.android.checkout.core.mode.biz.OrderTotalComponent: java.lang.String getTotalAmount()> -> _SOURCE_

But I am getting the message "No sources found, aborting analysis". Is there anything that I am missing? Your response would be very much appreciated. Thank you.

timll commented 3 months ago

FlowDroid only looks for sources in the reachable methods. Either the method isn't reachable or Soot incorrectly thinks the method is unreachable. As a first try, you could use CHA instead of SPARK (note that SPARK might be unsound when the Points-To information is incomplete. CHA is fully sound but a severe overapproximation, so only toggle this setting for testing). Otherwise, reflections might also cause the same behavior.

tiash-roy commented 3 months ago

Thank you. May I please know how to understand if a method is reachable in the context of FlowDroid?

StevenArzt commented 3 months ago

In general, a method is reachable if it is transitively called from the entry point. In an Android app, this entry point is the dummy main method that simulates the interactions between the Android OS and the app.

If we assume that our dummy main method is perfect (which it isn't), a method is reachable when it can be executed at runtime.

The easiest way to find out where your method is lost is to incrementally work your way backwards from the unreachable method. Is the method that contains the call to getTotalAmount reachable? If not, is the method that calls this method reachable? You repeat this approach until you find a method that is reachable, but its callee is not. You then need to find out why.

Another possibility is that your backward analysis will end in some callback that FlowDroid doesn't support. We can add that support once we know what is missing.

The easiest way to check a method is to look into method runTaintAnalysis in the AbstractInfoflowProblem. After the calls to scanMethodForSourcesSinks (outside the loop), query Scene.v().getReachableMethods() for the method you want to check.
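The backward search described in this comment, as an added example that is not part of the original thread or of FlowDroid: it lists every application method whose body contains a call matching the source and reports whether Soot considers that caller reachable. The class name `ReachabilityProbe` and its method are hypothetical, and the code assumes it is invoked after Soot has built the call graph.

```java
import java.util.ArrayList;
import java.util.List;

import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.Unit;
import soot.jimple.Stmt;
import soot.jimple.toolkits.callgraph.ReachableMethods;

// Hypothetical debugging helper; not part of FlowDroid or Soot.
public final class ReachabilityProbe {

    /** Returns the callers of the given source method that Soot considers unreachable. */
    public static List<SootMethod> unreachableCallers(String sourceSignature) {
        SootMethod source = Scene.v().grabMethod(sourceSignature);
        if (source == null)
            throw new IllegalArgumentException("Not resolved in the Scene: " + sourceSignature);

        ReachableMethods reachable = Scene.v().getReachableMethods();
        String subSig = source.getSubSignature();
        List<SootMethod> lost = new ArrayList<>();

        // Copy the collections: loading bodies can modify the Scene while we iterate.
        for (SootClass sc : new ArrayList<>(Scene.v().getApplicationClasses())) {
            for (SootMethod caller : new ArrayList<>(sc.getMethods())) {
                if (!caller.isConcrete())
                    continue; // abstract and native methods have no body to scan
                for (Unit u : caller.retrieveActiveBody().getUnits()) {
                    Stmt stmt = (Stmt) u;
                    if (!stmt.containsInvokeExpr())
                        continue;
                    // Match on the sub-signature so calls made through a supertype
                    // or interface are listed too (deliberate over-approximation).
                    String called = stmt.getInvokeExpr().getMethodRef().getSubSignature().getString();
                    if (!called.equals(subSig))
                        continue;
                    boolean ok = reachable.contains(caller);
                    System.out.println((ok ? "reachable   " : "UNREACHABLE ")
                            + caller.getSignature() + " @ " + stmt);
                    if (!ok)
                        lost.add(caller);
                }
            }
        }
        return lost;
    }
}
```

Calling it again with the signature of each returned caller repeats the step until a reachable method with an unreachable callee turns up.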

tiash-roy commented 3 months ago

I have analyzed the callgraph of the apk. The method is reachable. Here's the method signature from the callgraph.

  node [
    id 106153
    label "Lcom/lazada/android/checkout/core/mode/biz/OrderTotalComponent;->getTotalAmount()Ljava/lang/String; [access_flags=public] @ 0x2a2570"
    external 0
    entrypoint 0
    methodname "getTotalAmount"
    descriptor "()Ljava/lang/String;"
    accessflags "public"
    classname "Lcom/lazada/android/checkout/core/mode/biz/OrderTotalComponent;"
  ]

StevenArzt commented 3 months ago

If the method that contains the call to your source is reachable, the source should be found. If it isn't, you can debug into scanMethodForSourcesSinks. This method loops over all statements in a given Jimple method and for each statement checks whether this statement invokes a source.