How to track const-string with FlowDroid
I'm using FlowDroid's command-line tool (soot-infoflow-cmd-jar-with-dependencies.jar). I want to track this code:
String param_content="v=1&month=1&day=24&key=b63fe1f62b3abee4aa1362c3616cd0aa";
System.out.println(param_content);
The smali of
String param_content="v=1&month=1&day=24&key=b63fe1f62b3abee4aa1362c3616cd0aa";
is
const-string v1, "v=1&month=1&day=24&key=b63fe1f62b3abee4aa1362c3616cd0aa"
In the SourceSink file, the code is just like this:
<java.lang.String: void <init>(char[])> -> SOURCE
<java.io.PrintStream: void println(java.lang.String)> -> SINK
But there is no leakage.
Did "const-string" call the <init> constructor?
How can I trace the leak of a constant string?
Reference link: https://stackoverflow.com/questions/59353157/how-do-i-track-a-constant-string-using-flowdriod
Hi, has this issue been resolved?
FlowDroid works on Soot's IR Jimple. Further, FlowDroid performs some constant propagation and dead code elimination before running the data flow analysis. You can dump the Jimple IR to disk using config.setWriteOutputFiles(true);.
A simple constant string in Java
String c = "Constant String";
System.out.println(c);
is transformed into Jimple as follows:
$stack5 = <java.lang.System: java.io.PrintStream out>;
virtualinvoke $stack5.<java.io.PrintStream: void println(java.lang.String)>("Constant String");
There is no java.lang.String: void <init> call in the IR, and thus the analysis won't run but will rather print [main] INFO soot.jimple.infoflow.Infoflow - No sources found, aborting analysis.
To track constant strings, you have to implement your own SourceSinkManager and handle the special case when the constant string is already the argument.
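The special case named in the answer above, as an added example that is not FlowDroid code and not part of the original thread: a plain-text scan of dumped Jimple that reports string constants passed directly as arguments to methods marked SINK in the source/sink definitions. The function names and the sample Jimple are constructed for illustration; the script does not use the FlowDroid API and performs no data flow analysis.

```python
import re

# Constructed sample input in the two formats quoted in this thread.
SOURCES_AND_SINKS = """\
<java.lang.String: void <init>(char[])> -> SOURCE
<java.io.PrintStream: void println(java.lang.String)> -> SINK
"""
JIMPLE = '''\
$stack5 = <java.lang.System: java.io.PrintStream out>;
virtualinvoke $stack5.<java.io.PrintStream: void println(java.lang.String)>("v=1&month=1&day=24&key=b63fe1f62b3abee4aa1362c3616cd0aa");
$r2 = virtualinvoke $r1.<java.lang.Object: java.lang.String toString()>();
virtualinvoke $stack5.<java.io.PrintStream: void println(java.lang.String)>($r2);
'''

# "<signature> -> SINK"; the underscore form (_SINK_) is accepted as well.
DEF_RE = re.compile(r'^(<.+>)\s*->\s*_?(SOURCE|SINK|BOTH)_?\s*$')
# A Jimple string constant, including escaped quotes.
STRING_CONST = re.compile(r'"(?:[^"\\]|\\.)*"')

def load_sinks(text):
    """Collect the method signatures marked as SINK (or BOTH)."""
    sinks = set()
    for line in text.splitlines():
        m = DEF_RE.match(line.strip())
        if m and m.group(2) in ("SINK", "BOTH"):
            sinks.add(m.group(1))
    return sinks

def constant_sink_args(jimple, sinks):
    """Return (line_no, sink_signature, constant) for every string
    literal that appears directly in a sink call's argument list."""
    hits = []
    for no, line in enumerate(jimple.splitlines(), 1):
        if "invoke" not in line:
            continue
        for sig in sorted(sinks):
            pos = line.find(sig + "(")
            if pos < 0:
                continue
            args = line[pos + len(sig) + 1:]
            for lit in STRING_CONST.findall(args):
                hits.append((no, sig, lit[1:-1]))
    return hits

if __name__ == "__main__":
    for no, sig, const in constant_sink_args(JIMPLE, load_sinks(SOURCES_AND_SINKS)):
        print(f"line {no}: constant {const!r} passed to sink {sig}")
```

The call on line 4 of the sample, whose argument is a local rather than a literal, is not reported; that case is what the regular source-to-sink analysis covers.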