
Not support Fragment and its lifecycle callbacks in callgraph

Open jwlin opened this issue 5 years ago • 3 comments

Hi,

I am using FlowDroid to generate a callgraph for an Android apk, but it does not seem to support Fragment classes. For example,

SetupApplication app = new SetupApplication(
    System.getenv("ANDROID_HOME") + File.separator + "platforms", "fragment.apk");
app.constructCallgraph();
for (Iterator<Edge> edgeIt = Scene.v().getCallGraph().iterator(); edgeIt.hasNext(); ) {
    Edge edge = edgeIt.next();
    System.out.println("From: " + edge.src() + ". To: " + edge.tgt() + ". In: " + edge.srcStmt());
}

The result is

From: <dummyMainClass: void dummyMainMethod(java.lang.String[])>. To: <dummyMainClass: com.test.ui.transition.MainActivity dummyMainMethod_com_test_ui_transition_MainActivity(android.content.Intent)>. In: staticinvoke <dummyMainClass: com.test.ui.transition.MainActivity dummyMainMethod_com_test_ui_transition_MainActivity(android.content.Intent)>(null)
From: <com.test.ui.transition.MainActivity: void onCreate(android.os.Bundle)>. To: <com.test.ui.transition.BlankFragment: void <init>()>. In: specialinvoke $r2.<com.test.ui.transition.BlankFragment: void <init>()>()
From: <com.test.ui.transition.MainActivity: void onCreate(android.os.Bundle)>. To: <android.support.v4.app.FragmentActivity: void setContentView(int)>. In: virtualinvoke $r0.<com.test.ui.transition.MainActivity: void setContentView(int)>(2131361819)
From: <com.test.ui.transition.MainActivity: void <init>()>. To: <android.support.v4.app.FragmentActivity: void <init>()>. In: specialinvoke $r0.<android.support.v4.app.FragmentActivity: void <init>()>()
From: <com.test.ui.transition.MainActivity: void onCreate(android.os.Bundle)>. To: <android.support.v4.app.FragmentActivity: void onCreate(android.os.Bundle)>. In: specialinvoke $r0.<android.support.v4.app.FragmentActivity: void onCreate(android.os.Bundle)>($r1)
From: <com.test.ui.transition.MainActivity: void onCreate(android.os.Bundle)>. To: <android.support.v4.app.FragmentActivity: android.support.v4.app.FragmentManager getSupportFragmentManager()>. In: $r3 = virtualinvoke $r0.<com.test.ui.transition.MainActivity: android.support.v4.app.FragmentManager getSupportFragmentManager()>()
From: <dummyMainClass: com.test.ui.transition.MainActivity dummyMainMethod_com_test_ui_transition_MainActivity(android.content.Intent)>. To: <com.test.ui.transition.MainActivity: void <init>()>. In: specialinvoke $r0.<com.test.ui.transition.MainActivity: void <init>()>()
From: <dummyMainClass: com.test.ui.transition.MainActivity dummyMainMethod_com_test_ui_transition_MainActivity(android.content.Intent)>. To: <com.test.ui.transition.MainActivity: void onCreate(android.os.Bundle)>. In: virtualinvoke $r0.<com.test.ui.transition.MainActivity: void onCreate(android.os.Bundle)>(null)
From: <com.test.ui.transition.BlankFragment: void <init>()>. To: <android.support.v4.app.Fragment: void <init>()>. In: specialinvoke $r0.<android.support.v4.app.Fragment: void <init>()>()

It missed a bunch of Fragment classes, e.g., the NotBlankFragment, B, C, and D. Also, the lifecycle callbacks of the BlankFragment, e.g., onCreateView() and onAttach(), are not analyzed by the callgraph.


Another thing is that getActiveBody() returns null for BlankFragment: onCreateView(), like this:

SootClass cls = Scene.v().getSootClass("com.test.ui.transition.BlankFragment");
String mName = "onCreateView";  // empty Body also happens on "onAttach"
System.out.println(cls.getMethodByName(mName));
System.out.println(cls.getMethodByName(mName).getActiveBody());

The result is

<com.test.ui.transition.BlankFragment: android.view.View onCreateView(android.view.LayoutInflater,android.view.ViewGroup,android.os.Bundle)>
Exception in thread "main" java.lang.RuntimeException: no active body present for method <com.test.ui.transition.BlankFragment: android.view.View onCreateView(android.view.LayoutInflater,android.view.ViewGroup,android.os.Bundle)>

I have to additionally call retrieveActiveBody() for the onCreateView() method. Can FlowDroid be configured to support the above stuff? Many thanks.

P.S. The example apk can be downloaded here if necessary.

jwlin, Jul 22 '19 22:07

Hi, is this question fixed?

xiyouMc, May 27 '20 03:05

Hi, is this fixed?

rareham, Aug 25 '20 09:08

Hello, it seems this is not fixed and there is no answer for it. I am working on Android and need to know how to solve this problem since I face the same issue when performing analysis on apps with fragments. I see that the fragment classes and their callgraph are extracted within the callgraph construction. Their incoming edges are all null. And the classes are not accessible by calling Scene.v().getClasses() or Scene.v().getApplicationClasses(). What could be the problem? How can it be solved?

maryammsd, Jan 07 '22 07:01
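
A diagnostic for the symptoms reported in this thread (Fragment lifecycle callbacks with no incoming call-graph edge, and methods without an active body), as an added example that is not part of the original thread or of FlowDroid. `FragmentCoverageCheck` and `findGaps` are hypothetical names; it assumes it is called after `app.constructCallgraph()`, on Java 9 or later, with classes resolved at least to hierarchy level.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.jimple.toolkits.callgraph.CallGraph;

/** Added diagnostic (hypothetical helper, not FlowDroid code). */
public final class FragmentCoverageCheck {
    // Base class seen in the issue's output, plus the platform and AndroidX equivalents.
    static final Set<String> FRAGMENT_BASES = Set.of(
            "android.support.v4.app.Fragment",
            "android.app.Fragment",
            "androidx.fragment.app.Fragment");
    // The two callbacks named in the issue; extend with others as needed.
    static final Set<String> CALLBACKS = Set.of("onAttach", "onCreateView");

    // Walk the superclass chain until a known Fragment base class is found.
    static boolean isFragment(SootClass c) {
        for (SootClass s = c; s != null; s = s.hasSuperclass() ? s.getSuperclass() : null) {
            if (FRAGMENT_BASES.contains(s.getName())) return true;
        }
        return false;
    }

    /** Returns one finding per coverage gap for the given class names. */
    public static List<String> findGaps(List<String> classNames) {
        CallGraph cg = Scene.v().getCallGraph();
        List<String> gaps = new ArrayList<>();
        for (String name : classNames) {
            SootClass c = Scene.v().getSootClassUnsafe(name);
            if (c == null || c.isPhantom()) { // missing or only a phantom stub
                gaps.add(name + ": class not loaded into the Scene");
                continue;
            }
            if (!isFragment(c)) continue;
            for (SootMethod m : c.getMethods()) {
                if (!CALLBACKS.contains(m.getName()) || !m.isConcrete()) continue;
                if (!cg.edgesInto(m).hasNext()) { // never invoked from the dummy main
                    gaps.add(m.getSignature() + ": no incoming call-graph edge");
                }
                if (!m.hasActiveBody()) {
                    m.retrieveActiveBody(); // same workaround as described in the issue
                    gaps.add(m.getSignature() + ": body was not loaded");
                }
            }
        }
        return gaps;
    }
}
```

Any callback listed in the result is code that a call-graph-based taint or reachability analysis would not have visited, so findings for that app should be read as incomplete for those Fragments.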