typo ch 4

4_class_loader/3_obfuscation.typ

@@ -63,21 +63,22 @@ Such shadow attacks are more difficult to detect by a reverse engineer, who may
 
 === Impact on Static Analysis Tools <sec:cl-evaltools>
 
-#figure(
+#figure({
+  set text(size: 10pt)
   ```java
   public class Main {
-      public static void main(Activity ac) {
-          String personal_data = Taint.source();
-  	String obfuscated_personal_data = Obfuscation.hide_flow(personal_data);
-  	Taint.sink(ac, obfuscated_personal_data);
-      }
+    public static void main(Activity ac) {
+      String personal_data = Taint.source();
+      String obfuscated_personal_data = Obfuscation.hide_flow(personal_data);
+      Taint.sink(ac, obfuscated_personal_data);
+    }
   }
 
   // customised for each obfuscation technique
   public class Obfuscation {
   	public static String hide_flow(String personal_data) { ... } 
   }
-  ```,
+  ```},
   caption: [Main body of test apps]
 )<lst:cl-testapp>
 
@@ -102,7 +103,7 @@ We used 4 versions of this application:
   We used the #SDK class `Pair` as the class to shadow.
   We put data in a new `Pair` instance and reread the data from the `Pair`. 
   The colliding `Pair` class we created discards the data at the initialisation and stores `null` instead of the argument values.
-  This decoy class break the flow of information: Flowdroid will detect the information flow if it uses the actual #SDK implementation of `Pair` to compute the #DFG, but not if it uses the decoy.
+  This decoy class breaks the flow of information: Flowdroid will detect the information flow if it uses the actual #SDK implementation of `Pair` to compute the #DFG, but not if it uses the decoy.
 + The last version tests for Hidden #API shadowing. 
   Like for the third one, we similarly store data in `com.android.okhttp.Request` and then retrieve it.
   Again, the shadowing implementation discards the data.