Fengguo Wei

Results 35 comments of Fengguo Wei

Yes, you can use AndroidDataDependentTaintAnalysis. You can add "WebView.loadURL" as a sink point, and mark your baseUrl string creation as the source.

Please check the readme. There is no amandroid_core any more. You can just use amandroid.

You can check whether the dummy env method is generated correctly by looking at https://github.com/arguslab/Argus-SAF/blob/df2557a9654260d5dd933a15f52143bbd6da1f6d/amandroid/src/main/scala/org/argus/amandroid/core/model/ApkModel.scala#L169

It might be filtered; you can check and disable the setting here: https://github.com/arguslab/Argus-SAF/blob/df2557a9654260d5dd933a15f52143bbd6da1f6d/amandroid/src/main/scala/org/argus/amandroid/core/decompile/DecompilerSettings.scala#L43

Thanks for pointing that out. I updated a few class names but forgot to update the Argus page.

The multiple outputs might be because it finds multiple callees at https://github.com/arguslab/Argus-SAF/blob/6adf246af40c77c067216812bf0bbfe1dfe79b89/amandroid/src/main/scala/org/argus/amandroid/alir/componentSummary/ComponentSummaryTable.scala#L104

The RPC method detection logic is here: https://github.com/arguslab/Argus-SAF/blob/df2557a9654260d5dd933a15f52143bbd6da1f6d/amandroid/src/main/scala/org/argus/amandroid/core/appInfo/AppInfoCollector.scala#L205

Currently, content providers are unsupported because method calls to content providers are URI-based and the URI string is constructed at runtime. It is hard to resolve.

Could you provide me with that APK to test?

If you can give me the APK to test, that will be helpful for me to see why it takes that much time. Yes, you can customize the entry points....