Mauro edited this page Apr 18, 2018 · 32 revisions

Welcome to the soot-infoflow-android wiki!

How to run FlowDroid

In general, there are two ways of running FlowDroid. You can either build all required components on your own, or you can use our nightly builds. If you only want to try FlowDroid out on a number of Android applications, we recommend using our pre-compiled 2.0 release version.

In general, you always need the following components:

Obtaining The 2.0 Release Version

If you want a stable version of FlowDroid, this option is the preferable one. Please download the following files and put all of them in the same directory:

Next, you need to configure FlowDroid with the sources and sinks you want to use. We provide a fairly comprehensive list here. Two other required configuration files you normally do not need to modify are those for the Taint Wrappers and for the Callbacks.

Obtaining The Nightly Builds

The nightly builds offer the latest and greatest updates to FlowDroid. We are currently transitioning our servers, so the following links may or may not work.

Next, you need to configure FlowDroid with the sources and sinks you want to use. We provide a fairly comprehensive list here. Two other required configuration files you normally do not need to modify are those for the [Taint Wrappers](http://ssebuild.cased.de/nightly/soot-infoflow/EasyTaintWrapperSource.txt) and for the [Callbacks](http://ssebuild.cased.de/nightly/soot-infoflow-android/AndroidCallbacks.txt).

Building FlowDroid From Source

You first need to download all required source projects from Github and put them into a common parent directory:

The easiest way of building is to import all respective projects into Eclipse. The brave of heart may also give the ant build scripts a try, but you need to manually configure dependencies in this case.

Running FlowDroid

After you have downloaded and/or built all required components, you can run FlowDroid (command-line given for Windows):

java -Xmx4g -cp soot-trunk.jar;soot-infoflow.jar;soot-infoflow-android.jar;slf4j-api-1.7.5.jar;slf4j-simple-1.7.5.jar;axml-2.0.jar soot.jimple.infoflow.android.TestApps.Test "D:\Callbacks_Button1.apk" D:\Tools\AndroidSDK\sdk\platforms

If you are using Linux or Mac OS, please remember that the delimiters are OS-specific:

java -Xmx4g -cp soot-trunk.jar:soot-infoflow.jar:soot-infoflow-android.jar:slf4j-api-1.7.5.jar:slf4j-simple-1.7.5.jar:axml-2.0.jar soot.jimple.infoflow.android.TestApps.Test "/path/to/Callbacks_Button1.apk" /path/to/android-sdk/platforms

Note that you may need to adjust soot-trunk.jar to something else if you are building it yourself.

The first parameter is the path to the APK file you want to analyze. The second parameter is the path to the platforms directory inside the Android SDK which you can download from Google. Make sure to actually use Google's official version, not the one available here on GitHub which is much too large to be practically usable with FlowDroid.

In the example command-line above, we configure the Java VM to use a maximum heap size of 4 GB. For some large applications, this might not be enough. In general, the more memory you can allocate, the more precise options (see below) you can use and the bigger applications you can analyze.

Improving Performance

FlowDroid is a highly precise tool. In some cases, this precision might not be required, though, in favor of a faster analysis or the ability to analyze a larger application which would otherwise not fit in memory. The most important options are:

  • --aliasflowins This option makes the alias search flow-insensitive and may generate more false positives, but on the other hand can greatly reduce runtime for large applications.
  • --aplength n Sets the maximum access path length to n. The default is 5. In general, larger values make the analysis more precise, but also more expensive.
  • --nostatic Disables tracking static fields. Makes the analysis faster, but may also miss some leaks.
  • --nocallbacks Disables the emulation of Android callbacks (button clicks, GPS location changes, etc.). This option reduces the runtime, but may miss some leaks.
  • --pathalgo Specifies the path reconstruction algorithm to be used. There are the following possibilities:
      1. "sourcesonly" just shows which sources are connected to which sinks, but does not reconstruct exact propagation paths. This path algorithm is context-insensitive by construction, but also the fastest algorithm.
      2. "contextinsensitive" shows the complete propagation path from source to sink and is context-insensitive.
      3. "contextsensitive" shows the complete propagation path from source to sink and is fully context-sensitive. It is the most precise, but also the slowest and most memory-demanding algorithm.
  • --nopaths Do not compute the exact propagation paths between source and sink, only report the source-and-sink pairs as such.
  • --noarraysize Do not distinguish between tainted array contents and tainted array lengths.

For instance, to optimize fully for performance at the cost of precision and soundness, you could try the following options: --nostatic --aplength 1 --aliasflowins --nocallbacks --layoutmode none --noarraysize
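The following wrapper script is an added example, not code from the FlowDroid project: it picks the OS-specific classpath delimiter, checks that the jars and configuration files are present before starting the JVM, and optionally appends the performance-oriented options listed above. The script name `run-flowdroid.sh`, the file name `SourcesAndSinks.txt` and the expectation that the configuration files sit in the current directory are assumptions.

```sh
#!/bin/sh
# Added example (not FlowDroid project code). Jar names, main class and the fast
# option set are from this page; SourcesAndSinks.txt as file name is an assumption.
JARS="soot-trunk.jar soot-infoflow.jar soot-infoflow-android.jar slf4j-api-1.7.5.jar slf4j-simple-1.7.5.jar axml-2.0.jar"
CONFIGS="SourcesAndSinks.txt EasyTaintWrapperSource.txt AndroidCallbacks.txt"
FAST_OPTS="--nostatic --aplength 1 --aliasflowins --nocallbacks --layoutmode none --noarraysize"

# Classpath delimiter for OS name $1 (default: uname -s): ';' under Windows
# shells such as Git Bash, MSYS or Cygwin, ':' everywhere else.
cp_separator() {
    case "${1:-$(uname -s)}" in
        MINGW*|MSYS*|CYGWIN*) printf ';' ;;
        *) printf ':' ;;
    esac
}

# Join the jar names with separator $1.
build_classpath() {
    joined=""
    for jar in $JARS; do
        joined="${joined:+$joined$1}$jar"
    done
    printf '%s' "$joined"
}

# Print each required jar or config file that is absent from directory $1.
missing_files() {
    for f in $JARS $CONFIGS; do
        [ -f "$1/$f" ] || printf '%s\n' "$f"
    done
}

# Extra options for profile $1: "fast" trades precision and soundness for speed.
profile_opts() {
    case "$1" in
        fast) printf '%s' "$FAST_OPTS" ;;
    esac
}

# Usage: ./run-flowdroid.sh <app.apk> <sdk/platforms> [fast]
if [ "$#" -ge 2 ]; then
    missing=$(missing_files .)
    [ -z "$missing" ] || { printf 'missing in current directory:\n%s\n' "$missing" >&2; exit 1; }
    # -cp is quoted because ';' would otherwise end the shell command;
    # the profile options are left unquoted so they split into arguments.
    exec java -Xmx4g -cp "$(build_classpath "$(cp_separator)")" \
        soot.jimple.infoflow.android.TestApps.Test "$1" "$2" $(profile_opts "${3:-}")
fi
```

Adjust `soot-trunk.jar` in `JARS` if you built Soot yourself, and raise `-Xmx4g` for large applications.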

Questions, Remarks, Bug Reports

If you have any technical questions on building FlowDroid or accessing the nightly builds, please contact Steven Arzt at Steven.Arzt@sit.fraunhofer.de. If you have found a bug, please submit it to the bug tracker here on GitHub.
