diff --git a/test_apks/README.md b/test_apks/README.md index a10e552..b4f8c54 100644 --- a/test_apks/README.md +++ b/test_apks/README.md @@ -3,7 +3,32 @@ ## Requirements to build - Openjdk 17 at `/usr/lib/jvm/java-17-openjdk` -- Android SDK at `$(HOME)/Android/Sdk` with `build-tools;34.0.0` and `platform-tools` +- Android SDK at `$(HOME)/Android/Sdk` with `build-tools;34.0.0`, `platform-tools` and `platforms;android-34` + +## Demo + +Build the demo: + +``` +cd simple_demo/ +make +``` + +### Flowdroid: + +Get Flowdroid from https://github.com/secure-software-engineering/FlowDroid + +Run flow analysis: + +- `./simple_demo/build/tests.apk` is the apk +- `~/Android/Sdk/platforms/` is the platform directory, it must contains `android-34/android.jar` (if not, `sdkmanager platforms;android-34`) +- `-r`: "Enable support for reflective method calls" +- `./simple_demo/source_sink.txt` contains the sources and sinks for our demo app + +``` +java -jar soot-infoflow-cmd-jar-with-dependencies.jar -a ./simple_demo/build/tests.apk -p ~/Android/Sdk/platforms/ -r -s ./simple_demo/source_sink.txt + +``` ## Filtering logs: diff --git a/test_apks/reflection/soot_test/test.sh b/test_apks/reflection/soot_test/test.sh deleted file mode 100644 index 25da5a1..0000000 --- a/test_apks/reflection/soot_test/test.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bash - -SDK_TOOLS="${HOME}/Android/Sdk/" -VERSION='34.0.0' -VERSION_B=$(echo "${VERSION}" | sed 's/\..*//') -ANDROID_JAR="${SDK_TOOLS}/platforms/android-${VERSION_B}/android.jar" - -FOLDER=$(dirname "$(realpath $0)") - -FLOWDROID="${FOLDER}/soot-infoflow-cmd-jar-with-dependencies.jar" -SOURCE_SINK="${FOLDER}/source_sink.txt" -JAVA='/usr/lib/jvm/java-17-openjdk/bin/java' - -"${JAVA}" -jar "${FLOWDROID}" -a "${1}" -p "${ANDROID_JAR}" -s "${SOURCE_SINK}" diff --git a/test_apks/simple_demo/Makefile b/test_apks/simple_demo/Makefile index 882da1a..dc040fb 100644 --- a/test_apks/simple_demo/Makefile +++ b/test_apks/simple_demo/Makefile @@ -4,7 +4,7 @@ JAVA_PATH=/usr/lib/jvm/java-17-openjdk/bin JAVAC=/usr/lib/jvm/java-17-openjdk/bin/javac JAR=/usr/lib/jvm/java-17-openjdk/bin/jar PYTHON=python3 -APP=tests +APP=demo PACKAGE=com.example.theseus MAIN_ACTIVITY=MainActivity @@ -51,6 +51,7 @@ build/classes/classes: build/deps.jar build/inline/classes.dex $(shell find java mkdir -p ./build/classes/classes sed -i "s# private static final String DEX =.*# private static final String DEX = \"$$(base64 -w 0 build/inline/classes.dex)\";#" java/classes/com/example/theseus/Main.java $(JAVAC) $(JAVAC_ARGS) -d ./build/classes/classes -classpath build/deps.jar:$(SDK_TOOLS)/platforms/android-$(VERSION_B)/android.jar $$(find java/$*/ -type f -regex ".*\.java") + rm build/classes/classes/com/example/theseus/Malicious.class build/%/classes.dex: build/%/classes mkdir -p ./build/$* diff --git a/test_apks/simple_demo/java/classes/com/example/theseus/Main.java b/test_apks/simple_demo/java/classes/com/example/theseus/Main.java index d78b57e..f910162 100644 --- a/test_apks/simple_demo/java/classes/com/example/theseus/Main.java +++ b/test_apks/simple_demo/java/classes/com/example/theseus/Main.java @@ -14,7 +14,7 @@ import java.security.Key; public class Main { - private static final String DEX = "ZGV4CjAzNQAvtfp88wvPHZi+B2FO1HZ02SatJfZGyA94BAAAcAAAAHhWNBIAAAAAAAAAANgDAAAVAAAAcAAAAAcAAADEAAAABQAAAOAAAAAAAAAAAAAAAAgAAAAcAQAAAQAAAFwBAAD8AgAAfAEAACACAAAoAgAAKwIAAC8CAAA0AgAATAIAAG0CAACKAgAAngIAALICAADNAgAA3QIAAOoCAADtAgAA8gIAAPUCAAD9AgAABwMAABIDAAAYAwAAIgMAAAQAAAAFAAAABgAAAAcAAAAIAAAACQAAAAwAAAABAAAABAAAAAAAAAADAAAABAAAAAgCAAACAAAABQAAABACAAAMAAAABgAAAAAAAAANAAAABgAAABgCAAABAAMAAAAAAAEAAQAQAAAAAQABABEAAAACAAQAEgAAAAMAAwAAAAAABQADAAAAAAAFAAIADwAAAAUAAAATAAAAAQAAAAEAAAADAAAAAAAAAAoAAAAAAAAAwAMAAAAAAAADAAIAAgAAAPQBAAAaAAAAIgIFAHAQBQACABoACwBuIAYAAgAMAm4gBgASAAwBGgIOAG4gBgAhAAwBbhAHAAEADAERAQIAAgACAAAA+gEAAAUAAABxIAMAAQASABEAAAABAAEAAQAAAAECAAAEAAAAcBAEAAAADgAGAgAADgAKAgAADjwABAAOAAAAAAIAAAAEAAAAAQAAAAQAAAACAAAAAAAEAAY8aW5pdD4AAUwAAkxMAANMTEwAFkxhbmRyb2lkL2FwcC9BY3Rpdml0eTsAH0xjb20vZXhhbXBsZS90aGVzZXVzL01hbGljaW91czsAG0xjb20vZXhhbXBsZS90aGVzZXVzL1V0aWxzOwASTGphdmEvbGFuZy9PYmplY3Q7ABJMamF2YS9sYW5nL1N0cmluZzsAGUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsADk1hbGljaW91cy5qYXZhAAtTZWNyZXREYXRhWwABVgADVkxMAAFdAAZhcHBlbmQACGdldF9kYXRhAAlzZW5kX2RhdGEABHNpbmsACHRvU3RyaW5nAJsBfn5EOHsiYmFja2VuZCI6ImRleCIsImNvbXBpbGF0aW9uLW1vZGUiOiJkZWJ1ZyIsImhhcy1jaGVja3N1bXMiOmZhbHNlLCJtaW4tYXBpIjoxLCJzaGEtMSI6ImZhY2VkZjQxYmJkMjhiNTYzZDFlOWUwOWM1ZjcyZDdjNWNhNTk4ZDUiLCJ2ZXJzaW9uIjoiOC4yLjItZGV2In0AAAADAACBgATcAwEJ/AIBCcADAAAAAAAADQAAAAAAAAABAAAAAAAAAAEAAAAVAAAAcAAAAAIAAAAHAAAAxAAAAAMAAAAFAAAA4AAAAAUAAAAIAAAAHAEAAAYAAAABAAAAXAEAAAEgAAADAAAAfAEAAAMgAAADAAAA9AEAAAEQAAADAAAACAIAAAIgAAAVAAAAIAIAAAAgAAABAAAAwAMAAAMQAAABAAAA1AMAAAAQAAABAAAA2AMAAA=="; + private static final String DEX = "ZGV4CjAzNQDonIk5owDjcxORqWvCJ0rZuaMyJCy5AF7kAwAAcAAAAHhWNBIAAAAAAAAAAEQDAAAQAAAAcAAAAAYAAACwAAAABAAAAMgAAAAAAAAAAAAAAAYAAAD4AAAAAQAAACgBAACcAgAASAEAAMQBAADMAQAA0AEAANUBAADtAQAADgIAACsCAAA/AgAAUwIAAGMCAABmAgAAawIAAHUCAACAAgAAhgIAAI4CAAADAAAABAAAAAUAAAAGAAAABwAAAAkAAAABAAAABAAAAKwBAAACAAAABAAAALQBAAAJAAAABQAAAAAAAAAKAAAABQAAALwBAAABAAIAAAAAAAEAAQALAAAAAQABAAwAAAACAAMADQAAAAIAAAAOAAAAAwACAAAAAAABAAAAAQAAAAMAAAAAAAAACAAAAAAAAAAsAwAAAAAAAAIAAgABAAAAmAEAAAUAAABxEAQAAAAMABEAAAACAAIAAgAAAJ4BAAAFAAAAcSADAAEAEgARAAAAAQABAAEAAAClAQAABAAAAHAQBQAAAA4ABgIAAA4ACgIAAA48AAQADgAAAAABAAAABAAAAAIAAAAEAAAAAgAAAAAABAAGPGluaXQ+AAJMTAADTExMABZMYW5kcm9pZC9hcHAvQWN0aXZpdHk7AB9MY29tL2V4YW1wbGUvdGhlc2V1cy9NYWxpY2lvdXM7ABtMY29tL2V4YW1wbGUvdGhlc2V1cy9VdGlsczsAEkxqYXZhL2xhbmcvT2JqZWN0OwASTGphdmEvbGFuZy9TdHJpbmc7AA5NYWxpY2lvdXMuamF2YQABVgADVkxMAAhnZXRfZGF0YQAJc2VuZF9kYXRhAARzaW5rAAZzb3VyY2UAmwF+fkQ4eyJiYWNrZW5kIjoiZGV4IiwiY29tcGlsYXRpb24tbW9kZSI6ImRlYnVnIiwiaGFzLWNoZWNrc3VtcyI6ZmFsc2UsIm1pbi1hcGkiOjEsInNoYS0xIjoiZmFjZWRmNDFiYmQyOGI1NjNkMWU5ZTA5YzVmNzJkN2M1Y2E1OThkNSIsInZlcnNpb24iOiI4LjIuMi1kZXYifQAAAAMAAIGABIADAQnIAgEJ5AIAAAAAAAANAAAAAAAAAAEAAAAAAAAAAQAAABAAAABwAAAAAgAAAAYAAACwAAAAAwAAAAQAAADIAAAABQAAAAYAAAD4AAAABgAAAAEAAAAoAQAAASAAAAMAAABIAQAAAyAAAAMAAACYAQAAARAAAAMAAACsAQAAAiAAABAAAADEAQAAACAAAAEAAAAsAwAAAxAAAAEAAABAAwAAABAAAAEAAABEAwAA"; private Key key; ClassLoader cl; Activity ac; diff --git a/test_apks/simple_demo/java/classes/com/example/theseus/Utils.java b/test_apks/simple_demo/java/classes/com/example/theseus/Utils.java index 0c8ca2a..7674434 100644 --- a/test_apks/simple_demo/java/classes/com/example/theseus/Utils.java +++ b/test_apks/simple_demo/java/classes/com/example/theseus/Utils.java @@ -5,11 +5,8 @@ import android.app.AlertDialog; public class Utils { - public static String source() { - return "Secret"; - } public static String source(String tag) { - return "[" + tag + "] Secret"; + return "SecretData[" + tag + "]"; } public static void popup(Activity ac, String title, String msg) { diff --git a/test_apks/simple_demo/java/inline/com/example/theseus/Malicious.java b/test_apks/simple_demo/java/inline/com/example/theseus/Malicious.java index 3ccc67a..5b5e5f5 100644 --- a/test_apks/simple_demo/java/inline/com/example/theseus/Malicious.java +++ b/test_apks/simple_demo/java/inline/com/example/theseus/Malicious.java @@ -3,7 +3,7 @@ import android.app.Activity; public class Malicious { public static String get_data(String data, Activity ac) { - return "SecretData[" + data + "]"; + return Utils.source(data); } public static String send_data(String data, Activity ac) { diff --git a/test_apks/reflection/soot_test/source_sink.txt b/test_apks/simple_demo/source_sink.txt similarity index 71% rename from test_apks/reflection/soot_test/source_sink.txt rename to test_apks/simple_demo/source_sink.txt index b5cec8f..38b91b2 100644 --- a/test_apks/reflection/soot_test/source_sink.txt +++ b/test_apks/simple_demo/source_sink.txt @@ -1,3 +1,2 @@ - -> _SOURCE_ -> _SOURCE_ -> _SINK_ diff --git a/test_apks/reflection/soot_test/soot-infoflow-cmd-jar-with-dependencies.jar b/test_apks/soot-infoflow-cmd-jar-with-dependencies.jar similarity index 100% rename from test_apks/reflection/soot_test/soot-infoflow-cmd-jar-with-dependencies.jar rename to test_apks/soot-infoflow-cmd-jar-with-dependencies.jar