Question: is it ok to use this repository as a library to parse APK files?

Open AndroidDeveloperLB opened this issue 5 years ago • 8 comments

I'm trying to find a decent library that can be used on Android to parse APK files even if they exist within a zip file (without extraction, meaning using InputStream), getting some basic information: package name, version code, version name, app-label and app-icon.

Is it possible to do it here? Is it ok? If so, can you please point me to the place to do it? I can't find a way to use the repository for this purpose (of APK parsing). Searching for "axml" I've found a lot of results, but I think it's mainly in "...soot-infoflow-android\src\soot\jimple\infoflow\android\axml\parsers" . Is it correct?

AndroidDeveloperLB avatar Apr 29 '20 12:04 AndroidDeveloperLB

You can do it, take a look at the ProcessManifest class. It has a constructor, which you can supply an InputStream. It is meant for reading the AndroidManifest.xml file. As such, you can get the input stream of the AndroidManifest.xml file of your Zip file and feed it into the constructor.

FlowDroid uses the AXMLPrinter2 library to read in the manifest. You can use this class as your guideline on how to interact with AXMLPrinter2 or use that class altogether.

MarcMil avatar Apr 29 '20 13:04 MarcMil
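
Added example (not part of the thread and not FlowDroid code): one way to obtain the `AndroidManifest.xml` bytes of an APK nested inside a zip purely from an `InputStream`, as the answer above describes, using only `java.util.zip`. The class name, the 4 MiB cap and the in-memory sample archive are assumptions constructed for this illustration.

```java
import java.io.*;
import java.util.Locale;
import java.util.zip.*;

public final class NestedManifestReader {
    // Assumed cap for this example; a manifest larger than this is treated as hostile input.
    private static final int MAX_MANIFEST_BYTES = 4 * 1024 * 1024;

    /** Raw binary AndroidManifest.xml of the first .apk inside the outer zip, or null if none. */
    public static byte[] readManifest(InputStream outerZip) throws IOException {
        ZipInputStream outer = new ZipInputStream(outerZip);
        for (ZipEntry e; (e = outer.getNextEntry()) != null; ) {
            if (e.isDirectory() || !e.getName().toLowerCase(Locale.ROOT).endsWith(".apk")) continue;
            // An APK is itself a zip: stream it off the outer entry, nothing is written to disk.
            ZipInputStream apk = new ZipInputStream(outer); // not closed: that would close outer
            for (ZipEntry inner; (inner = apk.getNextEntry()) != null; ) {
                if (inner.getName().equals("AndroidManifest.xml")) return readCapped(apk);
            }
        }
        return null;
    }

    // Copies the current entry, refusing to inflate more than the cap (zip-bomb guard).
    private static byte[] readCapped(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) {
            if (out.size() + n > MAX_MANIFEST_BYTES) throw new IOException("manifest exceeds cap");
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    // Builds a one-entry zip in memory (constructed sample data for the demo below).
    private static byte[] zipOf(String name, byte[] data) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(bos)) {
            z.putNextEntry(new ZipEntry(name));
            z.write(data);
            z.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] fakeManifest = {0x03, 0x00, 0x08, 0x00}; // constructed stand-in, not a real manifest
        byte[] bundle = zipOf("apps/sample.apk", zipOf("AndroidManifest.xml", fakeManifest));
        byte[] manifest = readManifest(new ByteArrayInputStream(bundle));
        // Wrapped in a ByteArrayInputStream, these bytes are what a manifest parser would receive.
        System.out.println("manifest bytes read: " + manifest.length);
    }
}
```

`ZipInputStream` walks local file headers in order and never consults the central directory, so on untrusted archives the first `AndroidManifest.xml` it encounters may not be the entry a central-directory-based reader would select.
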

I couldn't find how to get a gradle dependency to work with this repository. Are you sure it's possible? To me, I think I will have to copy the entire repository and keep track of it.

Suppose I do succeed parsing the manifest, how could I use it further, to get the app-label and app-icon?

AndroidDeveloperLB avatar Apr 29 '20 13:04 AndroidDeveloperLB

We use maven. You can either search on how to integrate maven artifacts into gradle or you use the release jars: https://github.com/secure-software-engineering/FlowDroid/releases

soot-infoflow-cmd-jar-with-dependencies.jar should contain all you need (and much more, but if you want to do it in a clean fashion, you can use axmlprinter2 directly). Take a look at ProcessManifest's code on how to use it (and internals about how it works). For some attributes there already are convenience functions, such as getMinSdkVersion(), getPermissions(), getApplicationName() and so on. When you look at the Android documentation about the Android manifest side by side with the implementations of these methods in ProcessManifest.java you should see how they match together and how you can extract attributes from the manifest in general. It really is just a generic XML parser for Android's binary XML files.

If you want a simple solution (which does not work in-memory), you can use apktool, which tries to generate a normal XML file (aka text/human readable file) from the binary AndroidManifest.xml and parse that using any XML parser you like.

MarcMil avatar Apr 29 '20 14:04 MarcMil

You do? What should I put in the dependencies? I mean without manually getting the jar file, of course.

And you say I should use ProcessManifest? Or that I should only look at its code to take what I need?

I don't think I can find a dependency to use apktool on Android.

AndroidDeveloperLB avatar Apr 29 '20 15:04 AndroidDeveloperLB

Ah, so you're targeting Android. So, you can use ProcessManifest if you want, it is just a convenience class for AXMLPrinter2. Since FlowDroid is about computing dataflows, you'd get quite a few more dependencies you do not need. As such, I'd recommend using the AXMLPrinter2 library itself. So, you could let yourself be inspired by the code in ProcessManifest and implement it similarly. Maybe there are some tutorials online as well.

MarcMil avatar Apr 29 '20 18:04 MarcMil

Where is this "AXMLPrinter2" library that you talk about? Is it this one: https://mvnrepository.com/artifact/ca.mcgill.sable/axmlprinter2 ? But I can't find its GitHub repository, and how come it has only one version there? And how come I don't see that this repository uses it? I can see only this:

		<dependency>
			<groupId>ca.mcgill.sable</groupId>
			<artifactId>axmlprinter</artifactId>
			<version>2016-07-27</version>
		</dependency>

Why can't I use ProcessManifest here? Is it slow? Does it have too much that it loads?

AndroidDeveloperLB avatar Apr 29 '20 19:04 AndroidDeveloperLB

You can use it, but it has more dependencies on other classes. As said, it's best to use it as a reference on how to use axml. AXML can be found under https://github.com/Sable/axml

Compile it with

mvn package

You will find the jar file in the target folder.

MarcMil avatar Apr 29 '20 20:04 MarcMil

Oh I tried this one today actually, and I used just this: https://jitpack.io/#Sable.axml.tree.master.src.pxb/android

Can you please show how to use ProcessManifest? Or at least which parts of it I should copy from, to handle the information I've mentioned: package name, version code, version name, app-label and app-icon.

AndroidDeveloperLB avatar Apr 29 '20 21:04 AndroidDeveloperLB