[Android] Callbacks in MainActivity do not get analyzed #203

Open
AnakinRaW opened this issue Nov 13, 2019 · 1 comment

@AnakinRaW
Collaborator

Consider the following app code

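with MainActivity.java

```java
import android.os.Bundle;
import android.view.View;
import androidx.appcompat.app.AppCompatActivity;
import javax.crypto.Cipher;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
    }

    // Bound to the button only through android:onClick in activity_main.xml;
    // no Java code calls this method.
    public void onClick(View view) {
        try {
            // Crypto misuse the analysis is expected to report.
            Cipher c = Cipher.getInstance("DES");
            c.doFinal();
        } catch (Exception e) {
        }
    }
}
```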

and activity_main.xml

```xml
<?xml version="1.0" encoding="utf-8"?>
<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:app="http://schemas.android.com/apk/res-auto"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    tools:context=".MainActivity">

    <Button
        android:id="@+id/button"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:onClick="onClick"
        android:text="Button" />

</androidx.constraintlayout.widget.ConstraintLayout>
```

Analyzing the code is done as follows:

```java
CogniCryptAndroidAnalysis analysis = new CogniCryptAndroidAnalysis(apkPath, platformPath, rulesPath, Collections.EMPTY_LIST);
Collection<AbstractError> errors = analysis.run();
Assert.assertTrue(errors.size() > 0);
```

The test fails as CryptoAnalysis is unable to find any misuses. My guess is that the error is somewhere in the FlowDroid configuration, which is done in CogniCryptAndroidAnalysis.
The reason for the error is (probably) that onClick() is not connected anywhere to the onCreate() method (which is the virtual main() for Android apps). Thus the constructed call graph does not contain the button callback and CryptoAnalysis is unable to check rules against the onCreate() method.

As far as I understand the FlowDroid documentation, it should be able to get it working; however, I was not able to find the relevant code pieces yet.
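A coverage check for the gap described in the report, added here as an example that is not part of the original post or of the CogniCrypt/FlowDroid code: it lists the handlers a layout declares through `android:onClick` and reports those absent from a set of reachable methods. The package name `com.example.app`, the use of `tools:context` as a hint for the hosting activity, and the reachable-method set are assumptions; the layout is expected in decoded text form.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"

# Constructed sample: the layout from the report, trimmed to the relevant attributes.
LAYOUT = """<?xml version="1.0" encoding="utf-8"?>
<androidx.constraintlayout.widget.ConstraintLayout
    xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    tools:context=".MainActivity">
    <Button android:id="@+id/button" android:onClick="onClick" android:text="Button" />
</androidx.constraintlayout.widget.ConstraintLayout>
"""

def resolve_class(context, package):
    """Expand a tools:context value (".Main", "Main", or fully qualified)."""
    if context is None:
        return None
    if context.startswith("."):
        return package + context
    return context if "." in context else package + "." + context

def xml_click_handlers(layout_xml, package):
    """Return (activity_class, handler_method, view_id) per android:onClick."""
    root = ET.fromstring(layout_xml.encode("utf-8"))
    # Assumption: tools:context names the hosting activity (design-time hint only).
    activity = resolve_class(root.get(f"{{{TOOLS_NS}}}context"), package)
    handlers = []
    for elem in root.iter():
        method = elem.get(f"{{{ANDROID_NS}}}onClick")
        if method:
            handlers.append((activity, method, elem.get(f"{{{ANDROID_NS}}}id")))
    return handlers

def missing_from_callgraph(handlers, reachable):
    """Handlers declared in XML that the call graph never reaches."""
    return [f"{cls}.{m}" for cls, m, _ in handlers if f"{cls}.{m}" not in reachable]

if __name__ == "__main__":
    found = xml_click_handlers(LAYOUT, "com.example.app")
    # Constructed reachable set: only the lifecycle method, as in the report.
    reachable = {"com.example.app.MainActivity.onCreate"}
    for name in missing_from_callgraph(found, reachable):
        print("declared in layout but not reachable:", name)
```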
