secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Flowdroid could not detect Taint Propagation to Sink for taints in a method #766

Open marshalwahlexyz1 opened 2 days ago

marshalwahlexyz1 commented 2 days ago

Hi @StevenArzt , @t1mlange

I am working on analyzing Android apps. I included the APIs used to retrieve contacts, SMS and media in the source and sink file. Flowdroid does identify these sources and sinks but does not detect a leak when data was actually tainted using those methods (this was confirmed by manually inspecting the code: when data was tainted, it ends up in a network connection. It was also confirmed dynamically using Frida to hook into the methods along that path).

All I need is to be able to see the taint path for each source flowdroid analyzes. I suppose flowdroid could not find a leak because the source and sink file are in different classes. However, the sink method was called within the source method class.

This is my source and sink file

<android.content.ContentResolver: android.database.Cursor query(android.net.Uri, java.lang.String[], java.lang.String, java.lang.String[], java.lang.String)> -> SOURCE
<android.database.Cursor: java.lang.String getString(int)> -> SOURCE
<android.net.Uri: android.net.Uri parse(java.lang.String)> -> SOURCE
<android.media.ExifInterface: java.lang.String getAttribute(java.lang.String)> -> SOURCE

<com.lzy.okgo.OkGo: com.lzy.okgo.request.PostRequest post(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest upJson(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest execute()> -> SINK
<okhttp3.OkHttpClient: okhttp3.Call newCall(okhttp3.Request)> -> SINK

This is the output from Flowdroid, showing that it finds 69 sources and 8 sinks and detects 0 leaks.

[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Looking for sources and sinks...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Source lookup done, found 69 sources and 8 sinks.
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Taint wrapper hits: 0
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Taint wrapper misses: 0
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - IFDS problem with 69 forward and 0 backward edges solved in 0 seconds, processing 0 results...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Current memory consumption: 514 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Memory consumption after cleanup: 255 MB
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Memory consumption after path building: 255 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Path reconstruction took 0 seconds
[main] WARN soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No results found.
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 2 seconds. Maximum memory consumption: 514 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 0 leaks from 0 sources

My question is: how do I make Flowdroid produce the taint path for all the identified sources, regardless of whether a leak is detected or not?

t1mlange commented 16 hours ago

You can use the DebugFlowFunctionTaintPropagationHandler to print out the results of all transfer functions to the console.
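
One way to wire the handler named in the reply into a programmatic FlowDroid run, as an added example that is not part of the thread or the project's own code. The class name `TraceTaints` and the three command-line arguments are hypothetical; the package of `DebugFlowFunctionTaintPropagationHandler`, its no-argument constructor and the `SetupApplication` method signatures are assumed from FlowDroid's public API and should be checked against the version in use.

```java
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.handlers.DebugFlowFunctionTaintPropagationHandler;
import soot.jimple.infoflow.results.InfoflowResults;

// Hypothetical driver class: runs FlowDroid on one APK with the debug
// taint propagation handler installed, so every flow function application
// is logged even when no source-to-sink leak is reported.
public class TraceTaints {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println(
                "usage: TraceTaints <android-platforms-dir> <app.apk> <sources-and-sinks.txt>");
            System.exit(1);
        }
        String platformsDir = args[0];   // e.g. $ANDROID_HOME/platforms (assumption)
        String apkPath = args[1];        // APK under analysis
        String sourceSinkFile = args[2]; // definitions file like the one in the issue

        SetupApplication app = new SetupApplication(platformsDir, apkPath);

        // The handler is called for each transfer (flow) function the solver
        // applies and prints the incoming and outgoing taint abstractions.
        // Reading that output from a source statement onwards shows where
        // a taint stops being propagated.
        app.setTaintPropagationHandler(new DebugFlowFunctionTaintPropagationHandler());

        InfoflowResults results = app.runInfoflow(sourceSinkFile);

        if (results == null || results.isEmpty()) {
            // Same situation as in the issue: sources and sinks are found,
            // but no flow connects them. The handler output above is then
            // the only trace of what happened to each taint.
            System.out.println("No leaks reported; inspect the flow function log above.");
        } else {
            System.out.println("Leaks reported: " + results.size());
        }
    }
}
```

The handler output grows with the number of propagated taints, so redirecting the console to a file and searching it for the source statements of interest is usually more practical than reading it live.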