Description
Recently, I used FlowDroid to conduct a taint analysis on the Exceptions1.apk file in the GeneralJava directory and found that FlowDroid detected a leak successfully. The leak oracle written in the comments of the source code is as follows:
```java
package de.ecspride;

import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.telephony.SmsManager;
import android.telephony.TelephonyManager;

/**
 * @testcase_name Exceptions1
 * @version 0.1
 * @author Secure Software Engineering Group (SSE), European Center for Security and Privacy by Design (EC SPRIDE)
 * @author_mail [email protected]
 *
 * @description tainted data is created and sent out in an exception handler
 * @dataflow source -> imei -> exception handler -> sink
 * @number_of_leaks 1
 * @challenges the analysis must handle exceptions
 */
public class Exceptions1 extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        String imei = "";
        try {
            TelephonyManager telephonyManager = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
            imei = telephonyManager.getDeviceId(); // source
            throw new RuntimeException();
        }
        catch (RuntimeException ex) {
            SmsManager sm = SmsManager.getDefault();
            sm.sendTextMessage("+49 1234", null, imei, null, null); // sink, leak
        }
    }
}
```
I can see that the source API is located in the unit `telephonyManager.getDeviceId()` and the sink API is located in the unit `sm.sendTextMessage("+49 1234", null, imei, null, null)`. However, according to the default SourcesAndSinks.txt file provided by FlowDroid, the source and sink APIs mentioned above are accompanied by corresponding permissions of the Android app:
```text
<android.telephony.TelephonyManager: java.lang.String getDeviceId()> android.permission.READ_PHONE_STATE -> _SOURCE_
<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)> android.permission.SEND_SMS -> _SINK
```
After checking the source code of Exceptions1.apk, I find that no permission at all is listed in the manifest.xml file:

```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="de.ecspride"
    android:versionCode="1"
    android:versionName="1.0" >

    <uses-sdk
        android:minSdkVersion="8"
        android:targetSdkVersion="17" />

    <application
        android:allowBackup="true"
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme" >
        <activity
            android:name="de.ecspride.Exceptions1"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>
```
So I am wondering whether the leak actually takes place in an APK that lacks the permissions required by the source and sink APIs, and whether the leak oracle listed in the source code of Exceptions1.apk is correct.

Maybe there are some configuration settings in FlowDroid that deal with the permission problem which I have completely overlooked. If so, I would be very grateful if you could spare the time to help me out. Thank you so much!
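As an added example (it is not part of the issue above and not FlowDroid's own code), here is a small Python checker that parses entries in the SourcesAndSinks.txt line format quoted in the issue and reports the source/sink methods whose listed permissions the app's manifest does not declare. The two entries and the manifest are constructed from the issue's text; the `%` comment convention and the `_SINK_` spelling of the sink marker are assumptions about the real file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two SourcesAndSinks.txt entries quoted in the issue.
SOURCES_AND_SINKS = """\
% comment lines are assumed to start with a percent sign
<android.telephony.TelephonyManager: java.lang.String getDeviceId()> android.permission.READ_PHONE_STATE -> _SOURCE_
<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)> android.permission.SEND_SMS -> _SINK_
"""

# Constructed manifest mirroring the issue's AndroidManifest.xml: no <uses-permission> at all.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="de.ecspride">
  <application><activity android:name="de.ecspride.Exceptions1"/></application>
</manifest>"""

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# <Soot method signature> [permission ...] -> _SOURCE_ | _SINK_ | _BOTH_
LINE_RE = re.compile(r"^(<[^>]+>)\s*((?:\S+\s+)*?)->\s*(_SOURCE_|_SINK_|_BOTH_)\s*$")


def parse_sources_and_sinks(text):
    """Return (signature, [permissions], kind) for every well-formed entry line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue
        m = LINE_RE.match(line)
        if m:
            sig, perms, kind = m.groups()
            entries.append((sig, perms.split(), kind))
    return entries


def declared_permissions(manifest_xml):
    """Set of permission names declared via <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def undeclared_permission_apis(sas_text, manifest_xml):
    """Map signature -> (kind, [permissions the manifest lacks]) for flagged entries."""
    declared = declared_permissions(manifest_xml)
    flagged = {}
    for sig, perms, kind in parse_sources_and_sinks(sas_text):
        lacking = [p for p in perms if p not in declared]
        if lacking:
            flagged[sig] = (kind, lacking)
    return flagged
```

Running it on the constructed inputs flags both the `getDeviceId()` source and the `sendTextMessage(...)` sink, because the manifest declares neither READ_PHONE_STATE nor SEND_SMS.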