Soot Warning for Multidex Apk Scanning for Previous CogniCrypt_Android #268

Open
LordAmit opened this issue Jun 21, 2020 · 3 comments

LordAmit commented Jun 21, 2020

Hi,

I understand that a lot of things changed in the last few months as Cognicrypt_Android is being merged here.

My team and I were using CogniCrypt_SAST for Android from CROSSINGTUD/CryptoAnalysis-Android for research and found that it was giving this warning:

[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
[main] WARN soot.dexpler.DexFileProvider - Multiple dex files detected, only processing 'classes.dex'. Use '-process-multiple-dex' option to process them all.

Components:

  • Using CryptoAnalysis-Android-1.0.0-jar-with-dependencies.jar
  • Using OpenJDK version 1.8.0_232 64 bit
  • Running on Ubuntu: 18.04 Kernel: 4.4.0-174-generic

This appears to be due to an issue in setting up Soot to process multidex apps.
We thought we should inform you in case it is not already considered in the merged CogniCryptSAST.

Please let me know if this was the case. Thanks for creating CogniCrypt!
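
A pre-scan check for the situation in the warning above, as an added example that is not part of the original issue or of CogniCrypt's code: it reads the `class_defs_size` field from each `classesN.dex` header in an APK to show how many classes an analysis limited to `classes.dex` would never see. The sample APK is a constructed in-memory stub (not the app from this issue), and all function names are hypothetical.

```python
import io
import re
import struct
import zipfile

DEX_NAME = re.compile(r"^classes(\d*)\.dex$")  # classes.dex, classes2.dex, ...
DEX_HEADER_SIZE = 0x70         # fixed size of the DEX header_item
CLASS_DEFS_SIZE_OFFSET = 0x60  # little-endian uint32: number of class definitions


def dex_class_counts(apk):
    """Return {dex file name: class count} for each top-level classesN.dex."""
    counts = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not DEX_NAME.match(name):
                continue
            header = zf.read(name)[:DEX_HEADER_SIZE]
            if len(header) < DEX_HEADER_SIZE or header[:4] != b"dex\n":
                raise ValueError(f"{name}: not a valid DEX header")
            counts[name] = struct.unpack_from("<I", header, CLASS_DEFS_SIZE_OFFSET)[0]
    return counts


def coverage_report(apk):
    """Summarise what a classes.dex-only analysis leaves unexamined."""
    counts = dex_class_counts(apk)
    skipped = {n: c for n, c in counts.items() if n != "classes.dex"}
    total, missed = sum(counts.values()), sum(skipped.values())
    return {
        "multidex": len(counts) > 1,
        "total_classes": total,
        "skipped_files": sorted(skipped),
        "skipped_classes": missed,
        "skipped_ratio": missed / total if total else 0.0,
    }


def build_sample_apk():
    """Constructed sample: in-memory APK holding two header-only DEX stubs."""
    def stub(n_classes):
        header = bytearray(b"dex\n035\x00".ljust(DEX_HEADER_SIZE, b"\x00"))
        struct.pack_into("<I", header, CLASS_DEFS_SIZE_OFFSET, n_classes)
        return bytes(header)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", stub(120))
        zf.writestr("classes2.dex", stub(380))
    return buf
```

A nonzero `skipped_ratio` means a report with no findings covers only part of the app's code.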

@AnakinRaW
Collaborator

Hi,
could you please provide us a sample Android App that yields this warning?

@LordAmit
Author

Yes!
https://github.com/netmackan/ATimeTracker
When an APK is created in debug mode (gradlew assembleDebug) and then scanned, it will give the warning mentioned above.

For your convenience, I am attaching the apk I built here.

app-debug.apk.zip

@AnakinRaW
Collaborator

thx, it will be fixed for the next release!
