Flowdroid could not detect Taint Propagation to Sink for taints in a method #766

Open
@marshalwahlexyz1

Hi @StevenArzt, @t1mlange

I am working on analyzing Android apps. I included the APIs used to retrieve contacts, SMS and media in the source and sink file.
Flowdroid does identify these sources and sinks, but does not detect a leak when data was actually tainted using those methods. (This was confirmed by manually inspecting the code: when data was tainted, it ends up in a network connection. It was also confirmed dynamically, using Frida to hook into the methods along that path.)

All I need is to be able to see the taint path for each source Flowdroid analyzes. I suppose Flowdroid could not find a leak because the source and sink file are in different classes. However, the sink method was called within the source method class.

This is my source and sink file:

```
<android.content.ContentResolver: android.database.Cursor query(android.net.Uri, java.lang.String[], java.lang.String, java.lang.String[], java.lang.String)> -> SOURCE
<android.database.Cursor: java.lang.String getString(int)> -> SOURCE
<android.net.Uri: android.net.Uri parse(java.lang.String)> -> SOURCE
<android.media.ExifInterface: java.lang.String getAttribute(java.lang.String)> -> SOURCE

<com.lzy.okgo.OkGo: com.lzy.okgo.request.PostRequest post(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest upJson(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest execute()> -> SINK
<okhttp3.OkHttpClient: okhttp3.Call newCall(okhttp3.Request)> -> SINK
```

This is the output from Flowdroid, showing that it finds 69 sources and 8 sinks, and that it detects 0 leaks:

```
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Looking for sources and sinks...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Source lookup done, found 69 sources and 8 sinks.
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Taint wrapper hits: 0
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Taint wrapper misses: 0
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - IFDS problem with 69 forward and 0 backward edges solved in 0 seconds, processing 0 results...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Current memory consumption: 514 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Memory consumption after cleanup: 255 MB
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Memory consumption after path building: 255 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Path reconstruction took 0 seconds
[main] WARN soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - No results found.
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 2 seconds. Maximum memory consumption: 514 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 0 leaks from 0 sources
```

My question is: How do I make Flowdroid produce a taint path for all the identified sources, regardless of whether a leak is detected or not?
