
callgraph incomplete?

Open pH-T opened this issue 3 years ago • 2 comments

Hi! I'm trying to get a CFG/callgraph for an android app. It seems that FlowDroid is not able to "find" all methods inside the apk... The following code is used:

import java.util.Iterator;
import soot.Scene;
import soot.SootMethod;
import soot.Unit;
import soot.jimple.infoflow.InfoflowConfiguration;
import soot.jimple.infoflow.android.InfoflowAndroidConfiguration;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.toolkits.callgraph.Edge;

public class CallgraphDump { // class name added so the snippet compiles on its own
    public static void main(String[] args) {
        // apkPath and androidJar were not shown in the post; taken from the command line here
        String apkPath = args[0];
        String androidJar = args[1];

        //InfoflowConfiguration.CallgraphAlgorithm cgAlgorithm = InfoflowConfiguration.CallgraphAlgorithm.SPARK;
        InfoflowConfiguration.CallgraphAlgorithm cgAlgorithm = InfoflowConfiguration.CallgraphAlgorithm.CHA;

        final InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
        config.getAnalysisFileConfig().setTargetAPKFile(apkPath);
        config.getAnalysisFileConfig().setAndroidPlatformDir(androidJar);
        config.setCodeEliminationMode(InfoflowConfiguration.CodeEliminationMode.NoCodeElimination);
        config.setCallgraphAlgorithm(cgAlgorithm);
        config.setMergeDexFiles(true);
        config.setImplicitFlowMode(InfoflowConfiguration.ImplicitFlowMode.AllImplicitFlows);

        // Build the call graph from the detected Android entry points
        SetupApplication app = new SetupApplication(config);
        app.constructCallgraph();

        // Print every edge: call site, calling method, callee
        for (Iterator<Edge> edgeIt = Scene.v().getCallGraph().iterator(); edgeIt.hasNext(); ) {
          Edge edge = edgeIt.next();

          SootMethod smSrc = edge.src();
          Unit uSrc = edge.srcStmt();
          SootMethod smDest = edge.tgt();

          String out = "Edge from " + uSrc + " in " + smSrc + " to " + smDest;
          System.out.println(out);
        }
    }
}

If I decompile the app with jadx or if I use the following script ... I'm able to find all methods.

java -Xss50m \
    -Xmx1500m \
    -cp soot_4.1.0.jar soot.tools.CFGViewer \
    -android-jars ${ANDROID_JARS_PATH} \
    --graph=ExceptionalUnitGraph \
    -allow-phantom-refs -ire -src-prec apk -process-dir ${APK_FILE}

Am I missing something? It feels like FlowDroid is not going "deep enough"... maybe a config issue? Am I missing something else?

pH-T, May 18 '22 18:05

The two implementations are fundamentally different. The CFGViewer simply iterates over all classes in the app and prints out the intra-procedural control flow for each method. Your sample program with FlowDroid iterates over all reachable methods and prints out the edges between these methods. It will therefore miss all methods that are unreachable from an entry point, either because it's dead code (apps usually only use a small fraction of the library code they contain) or because you ran into a FlowDroid limitation (feel free to open a merge request in that case).

StevenArzt, May 19 '22 22:05

Hi @StevenArzt, thanks for the fast reply! I just tracked the callgraph myself via jadx and it seems that the following is the problem:

    public void f() {
        synchronized (this.f14630f) {
            if (this.f14627c == 1) {
                Log.d("fing:inet-finder", "Starting INET address finder...");
                this.f14627c = 2;
                Thread thread = new Thread(new Runnable() { // from class: com.overlook.android.fing.engine.j.f.a
                    @Override // java.lang.Runnable
                    public final void run() {
                        c.c(c.this);
                    }
                });
                this.f14628d = thread;
                thread.start();
            }
        }
    }

The methods in question are called via this thread... maybe any hints on this case? :) Or is this a limitation?

pH-T, May 23 '22 18:05
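To find call-graph gaps like the one in this thread without decompiling by hand, here is an added example (not FlowDroid's own code and not the poster's program): it builds the graph as in the first post, then lists concrete methods of application classes that are neither entry points nor an endpoint of any edge, and marks zero-argument run() methods, since the decompiled snippet above shows such a method invoked only through Thread.start(). The class name UnreachableMethods and the two command-line arguments are assumptions.

```java
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.jimple.infoflow.InfoflowConfiguration;
import soot.jimple.infoflow.android.InfoflowAndroidConfiguration;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.toolkits.callgraph.Edge;

public class UnreachableMethods { // hypothetical class name
    // Builds the call graph as in the first post, then reports concrete methods of
    // application classes that are neither entry points nor an endpoint of any edge.
    public static Set<String> unreachable(String apkPath, String androidJar) {
        InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
        config.getAnalysisFileConfig().setTargetAPKFile(apkPath);
        config.getAnalysisFileConfig().setAndroidPlatformDir(androidJar);
        config.setCallgraphAlgorithm(InfoflowConfiguration.CallgraphAlgorithm.CHA);
        config.setMergeDexFiles(true);
        new SetupApplication(config).constructCallgraph();
        // Every method that appears as source or target of an edge is known to the graph.
        Set<String> covered = new TreeSet<>();
        for (Iterator<Edge> it = Scene.v().getCallGraph().iterator(); it.hasNext(); ) {
            Edge e = it.next();
            covered.add(e.src().getSignature());
            covered.add(e.tgt().getSignature());
        }
        for (SootMethod ep : Scene.v().getEntryPoints()) {
            covered.add(ep.getSignature());
        }
        // Zero-argument run() methods are marked because, as the decompiled snippet
        // in the thread shows, they may only be invoked through Thread.start().
        Set<String> missing = new TreeSet<>();
        for (SootClass sc : Scene.v().getApplicationClasses()) {
            for (SootMethod m : sc.getMethods()) {
                if (m.isConcrete() && !covered.contains(m.getSignature())) {
                    boolean isRun = m.getName().equals("run") && m.getParameterCount() == 0;
                    missing.add(m.getSignature() + (isRun ? "  [run(): check Thread.start()]" : ""));
                }
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        for (String s : unreachable(args[0], args[1])) System.out.println(s);
    }
}
```

Which classes count as application classes depends on how FlowDroid classified the APK's code, so library code bundled in the app may or may not appear in the list.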