secure-software-engineering/FlowDroid

Missed sink when using --pathreconstructionmode PRECISE

Please consider the following code:

```java
public void onCreate(Bundle savedInstanceState){
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);

    String taint_1 = function1(source());
    String taint_2 = function1(taint_1);
    sink(taint_2);
}

public String source(){ // Defined as source
    return "Secret";
}

public void sink(String param){ // Defined as sink
}

public String function1(String arg1){
    arg1 = function2(arg1);
    return arg1;
}

public String function2(String arg1){
    return arg1;
}
```

There is a taint path from the source()-call in onCreate to the sink, traversing function1 and function2 two times. If I run FlowDroid with the following command

```
java -jar ./soot-infoflow-cmd-2.13.0-jar-with-dependencies.jar \
 -a {path-to-apk} \
 -s ./SourcesAndSinks.xml \
 -o ./out.xml \
 -p {path-to-android-platforms-folder} \
 --mergedexfiles \
 --pathreconstructionmode PRECISE
```

it won't report this leak. If I change the --pathreconstructionmode from PRECISE to FAST or NONE (or just remove the whole argument), FlowDroid reports this leak.

If relevant, my SourcesAndSinks.xml looks like this

```xml
<sinkSources>
    <category id="NO_CATEGORY">
        <method signature="&lt;{package-name}.MainActivity: java.lang.String source()&gt;">
            <return type="java.lang.String">
                <accessPath isSource="true" isSink="false">
                </accessPath>
            </return>
        </method>
        <method signature="&lt;{package-name}.MainActivity: void sink(java.lang.String)&gt;">
            <param index="0" type="java.lang.String">
                <accessPath isSource="false" isSink="true"/>
            </param>
        </method>
    </category>
</sinkSources>
```
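
Added example, not part of the original report and not FlowDroid's own code: a script that reruns the command from the report once per path reconstruction mode and lists every leak that the NONE baseline reports but another mode does not. The results-file element and attribute names (`Result`, `Sink`, `Source`, `Statement`) are assumptions about FlowDroid's XML output, and the two sample documents with their `com.example` package are constructed.

```python
import subprocess
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

JAR = "./soot-infoflow-cmd-2.13.0-jar-with-dependencies.jar"  # name from the report
MODES = ["NONE", "FAST", "PRECISE"]  # modes named in the report
EMPTY = '<DataFlowResults FileFormatVersion="102"/>'  # constructed: no leaks
# Constructed sample of a results file with one leak (schema is an assumption).
WITH_LEAK = """<DataFlowResults FileFormatVersion="102"><Results><Result>
<Sink Statement="virtualinvoke $r0.&lt;com.example.MainActivity: void sink(java.lang.String)&gt;($r3)"/>
<Sources><Source Statement="$r2 = virtualinvoke $r0.&lt;com.example.MainActivity: java.lang.String source()&gt;()"/></Sources>
</Result></Results></DataFlowResults>"""

def command(mode, apk, platforms, out):
    """Command line from the report, varying only the mode and the output file."""
    return ["java", "-jar", JAR, "-a", apk, "-s", "./SourcesAndSinks.xml", "-o", out,
            "-p", platforms, "--mergedexfiles", "--pathreconstructionmode", mode]

def leaks(xml_text):
    """Set of (source statement, sink statement) pairs in one results document."""
    pairs = set()
    for result in ET.fromstring(xml_text).iter("Result"):
        sink = result.find("Sink")
        if sink is None:
            continue
        for source in result.iter("Source"):
            pairs.add((source.get("Statement"), sink.get("Statement")))
    return pairs

def dropped(results, baseline="NONE"):
    """For every other mode, the leaks the baseline reports that the mode lacks."""
    base = leaks(results[baseline])
    return {m: sorted(base - leaks(x)) for m, x in results.items() if m != baseline}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <apk> <android-platforms-folder>
        results = {}
        for mode in MODES:
            out = Path(f"out-{mode}.xml")
            out.unlink(missing_ok=True)  # never read a stale file from an earlier run
            subprocess.run(command(mode, sys.argv[1], sys.argv[2], str(out)), check=True)
            results[mode] = out.read_text() if out.exists() else EMPTY
    else:  # offline demo mirroring the report: PRECISE returns nothing
        results = {"NONE": WITH_LEAK, "FAST": WITH_LEAK, "PRECISE": EMPTY}
    for mode, lost in dropped(results).items():
        status = "MISSING" if lost else "ok"
        print(f"{mode}: {status} {lost}")
```

Run without arguments it uses the constructed samples; with an APK and platforms folder it invokes FlowDroid three times and treats a missing output file as zero leaks.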