TODO LIST for Taint Analysis for Android Apps By Ana #1

Open
GoogleCodeExporter opened this issue May 18, 2015 · 2 comments

@GoogleCodeExporter

1. Configure analysis for Android. That is, restrict THIS of
non-private methods of app classes extending/implementing
Android library classes/interfaces, to {POLY,TAINTED}. In other
words, disallow SECRET THIS for those methods. We start with
classes/interfaces Activity, Service, LocationListener and
later add all Android library classes.

This is necessary because of the lack of "main". That is, the
Activity/Service object is created implicitly, not explicitly
and the OS issues callbacks to its methods. Thus, there is
an implicit "x = new XyzActivity()" which amounts to implicit
constraints x <: x |> THIS_m1 and x <: x |> THIS_m2. By setting
the above requirement on THIS_m1 and THIS_m2, we prevent having
one THIS Secret and another THIS Tainted, and thus guarantee that
the above implicit constraints always hold.


2. Bug in dereferencing a Secret Char array. Description below:

The other problem is a new bug I think. They have the following code:
   for(char c : imei.toCharArray()) // imei is a Source, it's Secret
      obfuscated += c + "_";
Here "obfuscated" must become Secret because imei.toCharArray() is Secret.
But for some reason it doesn't.

First I thought the problem was in the "for" construct, but then I tried
   char[] carr = imei.toCharArray();
   char c = carr[0];
   obfuscated = c + "_";
This doesn't work either.

I am almost 100% sure the problem is at "char c = carr[0]". I know that "carr"
is inferred as Secret, so it should be some problem with the [] field (maybe we
allow the [] field to be Tainted?).

Original issue reported on code.google.com by [email protected] on 1 Sep 2013 at 9:07
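
Added example, not part of the original issue and not the project's code: a toy qualifier inference over the three statements from item 2, showing how the qualifier chosen for the array's [] pseudo-field decides whether "obfuscated" becomes Secret. The ordering TAINTED <: POLY <: SECRET, the statement encoding, the function names and the use of "obfuscated" as a sink argument are assumptions made for illustration.

```python
# Toy inference for the array-read case in item 2 (illustration only).
TAINTED, POLY, SECRET = 0, 1, 2  # assumed ordering: TAINTED <: POLY <: SECRET


def adapt(receiver, field):
    """Viewpoint adaptation receiver |> field: POLY takes the receiver's qualifier."""
    return receiver if field == POLY else field


# Constructed encoding of the reported snippet as (kind, lhs, rhs) flows.
PROGRAM = [
    ("assign", "carr", "imei"),     # char[] carr = imei.toCharArray();
    ("aread", "c", "carr"),         # char c = carr[0];
    ("assign", "obfuscated", "c"),  # obfuscated = c + "_";
]


def infer(program, sources, elem_qualifier):
    """Least fixpoint: raise each lhs until every constraint rhs <: lhs holds."""
    q = {}
    for _, lhs, rhs in program:
        q.setdefault(lhs, TAINTED)
        q.setdefault(rhs, TAINTED)
    for s in sources:
        q[s] = SECRET
    changed = True
    while changed:
        changed = False
        for kind, lhs, rhs in program:
            # An array read contributes carr |> [] rather than carr itself.
            incoming = q[rhs] if kind == "assign" else adapt(q[rhs], elem_qualifier)
            if incoming > q[lhs]:
                q[lhs] = incoming
                changed = True
    return q


def leaks(q, sinks):
    """A sink argument must be TAINTED; anything above that is a reported flow."""
    return [v for v in sinks if q[v] > TAINTED]


if __name__ == "__main__":
    for name, elem in (("[] is POLY", POLY), ("[] is TAINTED", TAINTED)):
        q = infer(PROGRAM, {"imei"}, elem)
        print(name, "->", q, "leaks:", leaks(q, ["obfuscated"]))
```

With a Tainted [] field the element read discards the Secret qualifier of "carr", so the flow into "obfuscated" goes unreported, which matches the symptom described above.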

@GoogleCodeExporter
Author

[deleted comment]

@GoogleCodeExporter
Author

The 2nd problem was fixed in r7.

Original comment by [email protected] on 5 Sep 2013 at 12:47
