/** * Checks whether the given call site indicates a UI source, e.g. a password * input * * @param sCallSite * The call site that may potentially read data from a sensitive * UI control * @param cfg * The bidirectional control flow graph * @return True if the given call site reads data from a UI source, false * otherwise */ private boolean isUISource(Stmt sCallSite, InterproceduralCFG<Unit, SootMethod> cfg) { // If we match input controls, we need to check whether this is a call // to one of the well-known resource handling functions in Android if (this.layoutMatching != LayoutMatchingMode.NoMatch && sCallSite.containsInvokeExpr()) { InvokeExpr ie = sCallSite.getInvokeExpr(); final String signature = methodToSignature.getUnchecked(ie.getMethod()); if (signature.equals(Activity_FindViewById) || signature.equals(View_FindViewById)) { // Perform a constant propagation inside this method exactly // once SootMethod uiMethod = cfg.getMethodOf(sCallSite); if (analyzedLayoutMethods.add(uiMethod)) ConstantPropagatorAndFolder.v().transform(uiMethod.getActiveBody()); // If we match all controls, we don't care about the specific // control we're dealing with if (this.layoutMatching == LayoutMatchingMode.MatchAll) return true; // If we don't have a layout control list, we cannot perform any // more specific checks if (this.layoutControls == null) return false; // If we match specific controls, we need to get the ID of // control and look up the respective data object if (ie.getArgCount() != 1) { System.err.println("Framework method call with unexpected " + "number of arguments"); return false; } int id = 0; if (ie.getArg(0) instanceof IntConstant) id = ((IntConstant) ie.getArg(0)).value; else if (ie.getArg(0) instanceof Local) { Integer idVal = findLastResIDAssignment(sCallSite, (Local) ie.getArg(0), (BiDiInterproceduralCFG<Unit, SootMethod>) cfg, new HashSet<Stmt>(cfg.getMethodOf(sCallSite).getActiveBody().getUnits().size())); if (idVal == null) { System.err.println("Could not find assignment to local " + ((Local) ie.getArg(0)).getName() + " in method " + cfg.getMethodOf(sCallSite).getSignature()); return false; } else id = idVal.intValue(); } else { System.err.println("Framework method call with unexpected " + "parameter type: " + ie.toString() + ", " + "first parameter is of type " + ie.getArg(0).getClass()); return false; } LayoutControl control = this.layoutControls.get(id); if (control == null) { System.err.println("Layout control with ID " + id + " not found"); return false; } if (this.layoutMatching == LayoutMatchingMode.MatchSensitiveOnly && control.isSensitive()) return true; } } return false; }
/** * Collects the XML-based callback methods, e.g., Button.onClick() declared in layout XML files * * @param resParser The ARSC resource parser * @param lfp The layout file parser * @param jimpleClass The analysis class that gives us a mapping between layout IDs and components */ private void collectXmlBasedCallbackMethods(ARSCFileParser resParser, LayoutFileParser lfp, AbstractCallbackAnalyzer jimpleClass) { // Collect the XML-based callback methods for (Entry<String, Set<Integer>> lcentry : jimpleClass.getLayoutClasses().entrySet()) { final SootClass callbackClass = Scene.v().getSootClass(lcentry.getKey()); for (Integer classId : lcentry.getValue()) { AbstractResource resource = resParser.findResource(classId); if (resource instanceof StringResource) { final String layoutFileName = ((StringResource) resource).getValue(); // Add the callback methods for the given class Set<String> callbackMethods = lfp.getCallbackMethods().get(layoutFileName); if (callbackMethods != null) { for (String methodName : callbackMethods) { final String subSig = "void " + methodName + "(android.view.View)"; // The callback may be declared directly in the // class // or in one of the superclasses SootClass currentClass = callbackClass; while (true) { SootMethod callbackMethod = currentClass.getMethodUnsafe(subSig); if (callbackMethod != null) { addCallbackMethod(callbackClass.getName(), new AndroidMethod(callbackMethod)); break; } if (!currentClass.hasSuperclass()) { System.err.println("Callback method " + methodName + " not found in class " + callbackClass.getName()); break; } currentClass = currentClass.getSuperclass(); } } } // For user-defined views, we need to emulate their // callbacks Set<LayoutControl> controls = lfp.getUserControls().get(layoutFileName); if (controls != null) { for (LayoutControl lc : controls) { registerCallbackMethodsForView(callbackClass, lc); } } } else { System.err.println("Unexpected resource type for layout class"); } } } // Add the callback methods as sources and sinks { Set<SootMethodAndClass> callbacksPlain = new HashSet<SootMethodAndClass>(); for (Set<SootMethodAndClass> set : this.callbackMethods.values()) { callbacksPlain.addAll(set); } System.out.println("Found " + callbacksPlain.size() + " callback methods for " + this.callbackMethods.size() + " components"); } }
/** * Creates a new instance of the {@link AndroidSourceSinkManager} class with strong matching, i.e. the methods in * the code must exactly match those in the list. * * @param sources * The list of source methods * @param sinks * The list of sink methods * @param callbackMethods * The list of callback methods whose parameters are sources through which the application receives data * from the operating system * @param weakMatching * True for weak matching: If an entry in the list has no return type, it matches arbitrary return types * if the rest of the method signature is compatible. False for strong matching: The method signature in * the code exactly match the one in the list. * @param layoutMatching * Specifies whether and how to use Android layout components as sources for the information flow * analysis * @param layoutControls * A map from reference identifiers to the respective Android layout controls */ public AccessPathBasedSourceSinkManager(Set<SourceSinkDefinition> sources, Set<SourceSinkDefinition> sinks, Set<SootMethodAndClass> callbackMethods, LayoutMatchingMode layoutMatching, Map<Integer, LayoutControl> layoutControls) { super(sources, sinks, callbackMethods, layoutMatching, layoutControls); }
