Update Android app detection

java/ql/lib/semmle/code/java/frameworks/android/Android.qll

@@ -5,8 +5,19 @@
 import java
 private import semmle.code.xml.AndroidManifest
 
-/** Holds if this database is of an Android application. */
-predicate isAndroid() { exists(AndroidManifestXmlFile m) }
+/**
+ * There is an android manifest file which defines an activity, service or
+ * content provider (so it corresponds to an android application rather than a
+ * library), and `file` is in a subfolder of the folder that contains it.
+ */
+predicate inAndroidApplication(File file) {
+  file.isSourceFile() and
+  exists(AndroidComponentXmlElement acxe, AndroidManifestXmlFile amxf |
+    acxe.getName().regexpMatch("(activity|service|provider)") and
+    acxe.getParent().(AndroidApplicationXmlElement).getParent() = amxf and
+    file.getParentContainer+() = amxf.getParentContainer()
+  )
+}
 
 /**
  * Gets a reflexive/transitive superType

java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll

@@ -6,7 +6,7 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.security.Encryption
 import semmle.code.java.security.HttpsUrls
-private import semmle.code.java.frameworks.android.Android as Android
+private import semmle.code.java.frameworks.android.Android
 
 /** An Android Network Security Configuration XML file. */
 class AndroidNetworkSecurityConfigFile extends XmlFile {
@@ -21,11 +21,11 @@ class AndroidNetworkSecurityConfigFile extends XmlFile {
 }
 
 /**
- * DEPRECATED. Use `semmle.code.java.frameworks.android.Android::isAndroid` instead.
+ * DEPRECATED. Use `semmle.code.java.frameworks.android.Android::inAndroidApplication` instead.
  *
- * Holds if this database is of an Android application.
+ * Holds if this database contains an Android manifest file.
  */
-deprecated predicate isAndroid() { Android::isAndroid() }
+deprecated predicate isAndroid() { exists(AndroidManifestXmlFile m) }
 
 /** Holds if the given domain name is trusted by the Network Security Configuration XML file. */
 private predicate trustedDomainViaXml(string domainName) {
@@ -127,7 +127,7 @@ private module UntrustedUrlFlow = TaintTracking::Global<UntrustedUrlConfig>;
 
 /** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
 predicate missingPinning(MissingPinningSink node, string domain) {
-  Android::isAndroid() and
+  inAndroidApplication(node.getLocation().getFile()) and
   exists(DataFlow::Node src | UntrustedUrlFlow::flow(src, node) |
     if trustedDomain(_) then domain = getDomain(src.asExpr()) else domain = ""
   )

java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll

@@ -15,7 +15,7 @@ private import semmle.code.java.frameworks.android.Android
 private class AndroidFilesystemCleartextStorageSink extends CleartextStorageSink {
   AndroidFilesystemCleartextStorageSink() {
     filesystemInput(_, this.asExpr()) and
-    isAndroid()
+    inAndroidApplication(this.getLocation().getFile())
   }
 }
 

java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql

@@ -12,10 +12,12 @@
 
 import java
 import semmle.code.java.security.AndroidCertificatePinningQuery
+private import semmle.code.java.frameworks.android.Android as Android
 
 from DataFlow::Node node, string domain, string msg
 where
   missingPinning(node, domain) and
+  Android::inAndroidApplication(node.getLocation().getFile()) and
   if domain = ""
   then msg = "(no explicitly trusted domains)"
   else msg = "(" + domain + " is not trusted by a pin)"