Source and sink definition of methods in the MainActivity.java class

[NicolasFNino]

I wanted to ask if the methods inside the MainActivity class of an apk are not supposed to be defined as a source or a sink. This is because during the taint analysis these types of methods are never recognized as such, despite being declared in the sourcessinks.xml file. Meanwhile, a method in any other class is correctly identified as a source or a sink depending on the xml file definition.

Thank you.

[StevenArzt]

You can declare any method as source or sink, regardless of the class in which it is defined. If your method signature is correct in the source/sink definition file, that should work.

App-specific sources or sinks are rather uncommon, though. Most people declare Android API methods as sources or sinks.

[NicolasFNino]

Thank you so much for your response.

My follow-up question now is, how would I define the source signature definition of a constructor, when i am interested in one of the parameters used, as an example:

public class Test { public Test(int, String) { .... } }

The value I'm interested in is the second parameter of type String. This is what I am thinking:

<method signature="&lt;com.test.Test: void &lt;init&gt;(int, java.lang.String)&gt;">
<param index="1" type="java.lang.String">
<accessPath isSource="true" isSink="false"/>
</param>
</method>

But it does not seem to work.

Thank you so much for taking the time to look at this.

[NicolasFNino]

Also, can you please help me understand what is wrong with these signatures? Flowdroid cannot recognize the methods as source or sink.

The code:

SinksAndSources.txt:

Thanks a lot!