secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Is there a taint analysis tool for open-source application #727

Open bay0max opened 2 months ago

bay0max commented 2 months ago

Is there a taint analysis tool for open-source applications which can analyze the source code of an application?

StevenArzt commented 2 months ago

FlowDroid is a pure binary scanner. For analyzing source code, I recommend compiling the source to binary and then applying FlowDroid on the binary.

bay0max commented 2 months ago

Yeah, it works. I'm just wondering if source code analysis would be more efficient? Have you guys ever tried taint analysis of source code?

StevenArzt commented 2 months ago

We have chosen bytecode analysis because the bytecode format remains fairly constant over time. There are hardly ever any new bytecode instructions.

In source code, on the other hand, you need to integrate support for all new language features (lambdas, "var" parameter types, etc.). These features are "compiler magic", so with bytecode analysis, we can leave all the work of mapping these features to the bytecode to the compiler.

Lastly, we do a lot of research on Android apps crawled from stores. We simply don't have the source code. The same applies to some of the commercial Java programs we get for commercial penetration testing and analysis projects.
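The "compiler magic" point above can be seen directly in a compiled class. The following is an added illustration, not FlowDroid's own code: `source()` and `sink()` are constructed stand-ins for a taint source and sink, and the program lists the methods javac actually emitted, so the lambda shows up as an ordinary synthetic method while the `var` local leaves no trace at all.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.function.Function;

// Added example (not part of FlowDroid): a lambda and a "var" local are
// lowered by javac into plain bytecode (a synthetic method plus an
// invokedynamic call site), so a bytecode analyzer sees ordinary methods
// and calls and never has to model the source-level feature itself.
public class LambdaLowering {

    // Constructed stand-ins for a taint source and a sink (hypothetical names).
    static String source() { return "tainted"; }
    static void sink(String s) { System.out.println("sink received: " + s); }

    // A flow from source() through a "var" local and a lambda into sink().
    static void flow() {
        var data = source();                                  // "var" is inferred as String; nothing remains in the class file
        Function<String, String> wrap = s -> "[" + s + "]";   // javac emits a synthetic method lambda$flow$0 for this body
        sink(wrap.apply(data));
    }

    // Lists the methods javac actually emitted for this class, sorted by name.
    static List<String> emittedMethods() {
        List<String> names = new ArrayList<>();
        for (Method m : LambdaLowering.class.getDeclaredMethods()) {
            names.add((m.isSynthetic() ? "synthetic " : "") + m.getName());
        }
        Collections.sort(names);
        return names;
    }

    public static void main(String[] args) {
        flow();
        // Expect "emittedMethods", "flow", "main", "sink", "source" and one
        // "synthetic lambda$flow$0" entry: the lambda became a regular method.
        for (String name : emittedMethods()) {
            System.out.println(name);
        }
    }
}
```

Compile and run with `javac LambdaLowering.java && java LambdaLowering` (JDK 10 or newer for `var`); the exact numeric suffix of the synthetic method is a javac implementation detail.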