search

siis / ic3

IC3: Inter-Component Communication Analysis in Android
http://siis.cse.psu.edu/ic3/
Apache License 2.0
36 stars 21 forks source link

IC3 gives me the Manifets file information only #21

Open HammadMahmoud opened 8 years ago

HammadMahmoud commented 8 years ago

Hello,

I have downloaded IC3 source code and build it successfully, I was able to retarget some apps using Date project and use them as inputs to IC3 project. IC3 only gives me information from the Manifest file such as components and Intent Filters, same information stored in the database. Tables such as Intents or ExitPoints are totally empty.

I tried IC3 on different apps: small apps that I created, apps from Google Play store, apps provided by IC3 group at http://siis.cse.psu.edu/slides/android-sec-tutorial-apk.tar.gz, in all cases I got the information stored in the Manifest file only.

For example, this is the result of analyzing FriendTracker app:

**_Manifest_** Manifest file for org.siislab.tutorial.friendtracker version 1 Activities: org.siislab.tutorial.friendtracker.FriendTrackerControl Intent filter: Actions: [android.intent.action.MAIN] Categories: [android.intent.category.LAUNCHER]

Activity Aliases: Services: org.siislab.tutorial.friendtracker.FriendTracker Receivers: org.siislab.tutorial.friendtracker.BootReceiver Intent filter: Actions: [android.intent.action.BOOT_COMPLETED] Providers: org.siislab.tutorial.friendtracker.FriendProvider authority: friends write permission: org.siislab.tutorial.permission.WRITE_FRIENDS

**_Result_** [main] INFO edu.psu.cse.siis.ic3.ResultProcessor - org.siislab.tutorial.friendtracker 29 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 36 654 7 361 8 22 0 0 509 92 2014

Another output for running IC3 on a simple app (3 activities, one reachable Intent from MainActivity that starts SecondActivity, and one dynamically registered broadcast receiver):

**_(Manifest)_** Manifest file for com.example.testic3 version 1 Activities: com.example.testic3.MainActivity Intent filter: Actions: [android.intent.action.MAIN] Categories: [android.intent.category.LAUNCHER] com.example.testic3.SecondActivity com.example.testic3.ThirdActivity Intent filter: Actions: [com.example.testic3.myaction]

Activity Aliases: Services: Receivers: Providers:

**_Result_**

Also I followed the example given in https://github.com/siis/ic3/issues/17 by @docteau where every thing went smooth except the output didn't show the expected results, neither on the screen nor on the database.

Any help is highly appreciated.

Regards, Mahmoud

docteau commented 8 years ago

Hi,

Can you post exactly the commands you used? Also can you attach the output you are seeing?

Damien

HammadMahmoud commented 8 years ago

Thanks for the reply, Damien,

Here is the folder structure on my MacBook laptop

~/Tools/IC3 ├── dare_output │   ├── friendTracker │   │   ├── optimized │   │   ├── optimized-decompiled │   │   ├── retargeted │   │   └── stats.csv ├── ic3-0.2.0 │   ├── android.jar │   ├── ic3-0.2.0-full.jar │   ├── db │   │   ├── cc.properties └── ic3_toy_apps ├── FriendTracker.apk

Here is the command that I used: ~/Tools/IC3$ java -jar ic3-0.2.0-full.jar -input ../dare_output/friendTracker/ -apkormanifest ../ic3_toy_apps/FriendTracker.apk -cp ./android.jar -db ./db/cc.properties

The output in the terminal Warning: java.lang.invoke.LambdaMetafactory is a phantom class! Warning: java.lang.ref.Finalizer is a phantom class! Warning: org.siislab.tutorial.friendtracker.FriendTracker is a phantom class! Warning: org.siislab.tutorial.friendtracker.FriendTrackerControl is a phantom class! Warning: org.siislab.tutorial.friendtracker.FriendProvider is a phantom class! Warning: org.siislab.tutorial.friendtracker.BootReceiver is a phantom class! [main] INFO soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Generated main method: public static void dummyMainMethod() { int $i0;

    $i0 = 0;

 label1:
    if $i0 == 8 goto label1;

    return;
}

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase. [Spark] Pointer Assignment Graph in 0.0 seconds. [Spark] Type masks in 0.0 seconds. [Spark] Pointer Graph simplified in 0.0 seconds. [Spark] Propagation in 0.0 seconds. [Spark] Solution found in 0.0 seconds. Callback analysis done. Warning: LinearLayout is a phantom class! Warning: org.siislab.tutorial.friendtracker.LinearLayout is a phantom class! Warning: android.view.LinearLayout is a phantom class! Warning: TextView is a phantom class! Warning: org.siislab.tutorial.friendtracker.TextView is a phantom class! Warning: android.view.TextView is a phantom class! Warning: Button is a phantom class! Warning: org.siislab.tutorial.friendtracker.Button is a phantom class! Warning: android.view.Button is a phantom class! Found 1 layout controls in file res/layout/main.xml [main] INFO edu.psu.cse.siis.ic3.SetupApplication - Entry point calculation done. Warning: org.siislab.tutorial.friendtracker.FriendTracker is a phantom class! Warning: org.siislab.tutorial.friendtracker.FriendTrackerControl is a phantom class! Warning: org.siislab.tutorial.friendtracker.FriendProvider is a phantom class! Warning: org.siislab.tutorial.friendtracker.BootReceiver is a phantom class! [main] INFO soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Generated main method: public static void dummyMainMethod() { int $i0;

    $i0 = 0;

 label1:
    if $i0 == 8 goto label1;

    return;
}

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase. [Spark] Pointer Assignment Graph in 0.0 seconds. [Spark] Type masks in 0.0 seconds. [Spark] Pointer Graph simplified in 0.0 seconds. [Spark] Propagation in 0.0 seconds. [Spark] Solution found in 0.0 seconds. [main] INFO edu.psu.cse.siis.coal.PropagationSceneTransformer - Solving propagation problem (iteration 0) [main] INFO edu.psu.cse.siis.coal.PropagationSceneTransformer - Reached a fixed point Unknown entry point type: org.siislab.tutorial.friendtracker.FriendTracker Unknown entry point type: org.siislab.tutorial.friendtracker.FriendTrackerControl Unknown entry point type: org.siislab.tutorial.friendtracker.FriendProvider Unknown entry point type: org.siislab.tutorial.friendtracker.BootReceiver Transforming android.content.Intent... Transforming android.content.IntentFilter... Transforming android.os.Bundle... Transforming android.content.ComponentName... Transforming android.app.Activity... Transforming dummyMainClass... Transforming org.siislab.tutorial.friendtracker.FriendTracker... Transforming org.siislab.tutorial.friendtracker.FriendTrackerControl... Transforming org.siislab.tutorial.friendtracker.FriendProvider... Transforming org.siislab.tutorial.friendtracker.BootReceiver...

**_Manifest_** Manifest file for org.siislab.tutorial.friendtracker version 1 Activities: org.siislab.tutorial.friendtracker.FriendTrackerControl Intent filter: Actions: [android.intent.action.MAIN] Categories: [android.intent.category.LAUNCHER]

Activity Aliases: Services: org.siislab.tutorial.friendtracker.FriendTracker Receivers: org.siislab.tutorial.friendtracker.BootReceiver Intent filter: Actions: [android.intent.action.BOOT_COMPLETED] Providers: org.siislab.tutorial.friendtracker.FriendProvider authority: friends write permission: org.siislab.tutorial.permission.WRITE_FRIENDS

**_Result_** [main] INFO edu.psu.cse.siis.ic3.ResultProcessor - org.siislab.tutorial.friendtracker 29 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 30 709 6 402 10 21 0 0 486 89 2058

The Database

mysql> select * from cc.applications; +----+------------------------------------+---------+ | id | app | version | +----+------------------------------------+---------+ | 5 | org.siislab.tutorial.friendtracker | 1 | +----+------------------------------------+---------+

mysql> select * from cc.classes where app_id=5; //app_id=5 because I have other apps in the database from previous executions +-----+--------+---------------------------------------------------------+ | id | app_id | class | +-----+--------+---------------------------------------------------------+ | 187 | 5 | org.siislab.tutorial.friendtracker.FriendTrackerControl | | 188 | 5 | org.siislab.tutorial.friendtracker.FriendTracker | | 189 | 5 | org.siislab.tutorial.friendtracker.BootReceiver | | 190 | 5 | org.siislab.tutorial.friendtracker.FriendProvider | +-----+--------+---------------------------------------------------------+ 4 rows in set (0.00 sec)

mysql> select * from cc.components where class_id>187; +-----+----------+------+----------+------------+---------+ | id | class_id | kind | exported | permission | missing | +-----+----------+------+----------+------------+---------+ | 188 | 188 | s | 0 | 53 | NULL | | 189 | 189 | r | 1 | NULL | NULL | | 190 | 190 | p | 0 | NULL | NULL | +-----+----------+------+----------+------------+---------+ 3 rows in set (0.00 sec)

mysql> select * from cc.intents; Empty set (0.00 sec)

mysql> select * from cc.ExitPoints; Empty set (0.00 sec)

Please let me know if you need any further information to find the problem.

Thanks, Mahmoud

docteau commented 8 years ago

Try -input ../dare_output/friendTracker/retargeted

Damien

HammadMahmoud commented 8 years ago

Its exactly the same output. Also executing IC3 from its source code gives the same output. Any suggestions, please?

Thanks, Mahmoud

docteau commented 8 years ago

Try -input ../dare_output/friendTracker/retargeted/FriendTracker

The "phantom class" message means that some class is missing from the Soot analysis. It is not always an issue, but in your case you have important classes missing (for example: Warning: org.siislab.tutorial.friendtracker.FriendTracker is a phantom class!). So you have to ensure that you are actually pointing IC3 to exactly the right directory. More specifically, if you have class org.siislab.tutorial.friendtracker.FriendTracker, you have to make sure that you point IC3 to the directory that contains the org subdirectory.

Damien

HammadMahmoud commented 8 years ago

Hooray, it worked!!!!

Here is the output for others to compare:

**_Manifest_** Manifest file for org.siislab.tutorial.friendtracker version 1 Activities: org.siislab.tutorial.friendtracker.FriendTrackerControl Intent filter: Actions: [android.intent.action.MAIN] Categories: [android.intent.category.LAUNCHER]

Activity Aliases: Services: org.siislab.tutorial.friendtracker.FriendTracker Receivers: org.siislab.tutorial.friendtracker.BootReceiver Intent filter: Actions: [android.intent.action.BOOT_COMPLETED] Providers: org.siislab.tutorial.friendtracker.FriendProvider authority: friends write permission: org.siislab.tutorial.permission.WRITE_FRIENDS

**_Result_** org.siislab.tutorial.friendtracker.FriendFinder/void run() : virtualinvoke r15.<android.content.ContentResolver: int update(android.net.Uri,android.content.ContentValues,java.lang.String,java.lang.String[])>(r16, r1, r2, r3) Components: [org.siislab.tutorial.friendtracker.FriendTracker] 0 : Value: 1 path values uri=content://friends/location,

org.siislab.tutorial.friendtracker.FriendProvider/android.net.Uri insert(android.net.Uri,android.content.ContentValues) : virtualinvoke r18.<android.content.ContentResolver: void notifyChange(android.net.Uri,android.database.ContentObserver)>(r4, null) Components: [org.siislab.tutorial.friendtracker.FriendProvider] 0 : Value: 1 path values appendedPaths=[-1], uri=content://friends/location,

org.siislab.tutorial.friendtracker.FriendProvider/int delete(android.net.Uri,java.lang.String,java.lang.String[]) : virtualinvoke r12.<android.content.ContentResolver: void notifyChange(android.net.Uri,android.database.ContentObserver)>(r1, null) Components: [org.siislab.tutorial.friendtracker.FriendProvider] 0 : null

org.siislab.tutorial.friendtracker.FriendProvider/int update(android.net.Uri,android.content.ContentValues,java.lang.String,java.lang.String[]) : virtualinvoke r13.<android.content.ContentResolver: void notifyChange(android.net.Uri,android.database.ContentObserver)>(r1, null) Components: [org.siislab.tutorial.friendtracker.FriendProvider] 0 : null

org.siislab.tutorial.friendtracker.FriendTracker/void actionStartTracking(android.content.Context) : virtualinvoke r0.<android.content.Context: android.content.ComponentName startService(android.content.Intent)>(r1) Components: [org.siislab.tutorial.friendtracker.FriendTrackerControl] 0 : Value: 1 path values action=org.siislab.tutorial.action.START_TRACKING, clazz=org/siislab/tutorial/friendtracker/FriendTracker, package=org.siislab.tutorial.friendtracker,

org.siislab.tutorial.friendtracker.FriendTracker/void actionStopTracking(android.content.Context) : virtualinvoke r0.<android.content.Context: android.content.ComponentName startService(android.content.Intent)>(r1) Components: [org.siislab.tutorial.friendtracker.FriendTrackerControl] 0 : Value: 1 path values action=org.siislab.tutorial.action.STOP_TRACKING, clazz=org/siislab/tutorial/friendtracker/FriendTracker, package=org.siislab.tutorial.friendtracker,

org.siislab.tutorial.friendtracker.FriendTracker/void checkFriends(android.location.Location) : r2 = virtualinvoke r5.<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String)>(r6, null, "active=1", null, null) Components: [org.siislab.tutorial.friendtracker.FriendTracker] 0 : Value: 1 path values uri=content://friends/location,

org.siislab.tutorial.friendtracker.FriendTracker/void checkFriends(android.location.Location) : virtualinvoke r0.<org.siislab.tutorial.friendtracker.FriendTracker: void sendBroadcast(android.content.Intent,java.lang.String)>(r4, "org.siislab.tutorial.permission.FRIEND_NEAR") Components: [org.siislab.tutorial.friendtracker.FriendTracker] 0 : Value: 1 path values action=org.siislab.tutorial.action.FRIEND_NEAR, extras=[nick, contacts_id, _id],

1 : [org.siislab.tutorial.permission.FRIEND_NEAR]

org.siislab.tutorial.friendtracker.FriendTracker/void deactivateProvider() : virtualinvoke r3.<android.content.ContentResolver: int update(android.net.Uri,android.content.ContentValues,java.lang.String,java.lang.String[])>(r4, r1, null, null) Components: [org.siislab.tutorial.friendtracker.FriendTracker] 0 : Value: 1 path values uri=content://friends/location,

org.siislab.tutorial.friendtracker.FriendTrackerControl/void onCreate(android.os.Bundle) : virtualinvoke r0.<org.siislab.tutorial.friendtracker.FriendTrackerControl: boolean bindService(android.content.Intent,android.content.ServiceConnection,int)>(r13, r15, b0) Components: [org.siislab.tutorial.friendtracker.FriendTrackerControl] 0 : Value: 1 path values clazz=org/siislab/tutorial/friendtracker/FriendTracker, package=org.siislab.tutorial.friendtracker,

[main] INFO edu.psu.cse.siis.ic3.ResultProcessor - org.siislab.tutorial.friendtracker 29 116 71328 4 0 0 3 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 2 0 8 8 32 1232 21 353 9 239 0 5 463 121 2799

Thanks, Mahmoud

gxyzwangyi commented 8 years ago

I use this command,but I also only get the Manifets file information only. java -jar ic3-0.2.0-full.jar -apkormanifest 209.apk -input 209/retargeted/209/ -cp android.jar -protobuf 209

HammadMahmoud commented 8 years ago

In lieu of usign a relative path (209/retargeted/209/), try to use full path

gxyzwangyi commented 8 years ago

I try to use this command,it same as ever. java -jar ic3-0.2.0-full.jar -apkormanifest ~/Downloads/ic3-0.2.0/209.apk -input ~/Downloads/ic3-0.2.0/209/retargeted/209/com -cp android.jar -protobuf ~/Downloads/ic3-0.2.0/209

gxyzwangyi commented 8 years ago

hello,are there any other means to help solving problems?

docteau commented 8 years ago

Please post the output you are seeing. This is likely due to pointing IC3 to an incorrect directory (or it could potentially be that there are no values for IC3 to find).