Checker PrivacyAndroid

belongs to group Advanced
Identify potentially dangerous information flows in Android applications

Frameworks supported by this checker

  • android up to API level 28

Warnings generated by this checker

  • MessageInjectionIntoFieldWarning: tainted data flows into a field annotated as @MessageTrusted [ CWE319 ]
  • MessageInjectionWarning: tainted data might flow into a message sent by the device [ CWE319 ]
  • URLInjectionIntoFieldWarning: tainted data flows into a field annotated as @UrlTrusted [ CWE74 ]
  • URLInjectionWarning: tainted data might flow into a URL creation [ CWE74 ]

Options accepted by this checker

  • dumpAnalysis: dump extensive (very large!) log information about the analysis
    Only useful for debugging the analyzer
  • dumpCompleteGraphs: dump the complete backward flow graph derived from a sink
    If set to true, it produces an archive with the complete backward flow graphs that are used for the extraction of source-sink subgraphs
  • dumpDotWithInvariants: dump the analysed code in dot format, with flow information
    This option dumps a dot file for each method or constructor that is reachable from the entry points of the analysis. At the beginning of each code, a flow invariant is reported
  • flow: where possible, reconstructs the instruction flows leading to injection issues
    If true, it reconstructs the flow and provides detailed information on the warning if successful.
  • flowComputingSpeed: efficiency of the flow reconstruction
    This specifies how much effort is spent on flow reconstruction, i.e. the maximum number of nodes of the graphs that are reconstructed. Relevant only if option flow is set to true. (AVERAGE by default)
    • FASTEST: reconstruct graphs up to a maximum of 500 nodes
    • FAST: reconstruct graphs up to a maximum of 1000 nodes
    • AVERAGE: reconstruct graphs up to a maximum of 2000 nodes
    • SLOW: reconstruct graphs up to a maximum of 4000 nodes
    • SLOWEST: reconstruct graphs with no limit other than the maximum integer value
  • fullJaif: dump a jaif file with the information flow information of the program, containing both the selected properties of interest and their complement
    The generated jaif file is a compact report of the program places that might contain a secret (tainted) value. Unlike the jaif option, this also generates explicit information for the places that contain a non-secret value and is hence a more verbose version of the same information
  • fullyQualifiedNames: use fully qualified class names in the jaif files
    The generated jaif file is a compact report of the program places that might contain a secret (tainted) value. This option forces the use of fully qualified class names in the jaif file, also when referring to classes in the same package that is being reported
  • jaif: dump a jaif file with the information flow information of the program
    A jaif file is a compact report of the program places that might contain a secret (tainted) value. It can be used for reference and documentation, but can also be imported in the source code of the program by using the annotation file utilities (see http://types.cs.washington.edu/annotation-file-utilities)
  • mergeCreations: merge the creation points for the same type inside the same class
    This enhances the efficiency of the creation points analysis performed as part of flow analysis but, in general, reduces the precision of the analyzer. However, it can be an important option to select for the analysis of very large applications and in library mode, in the rare cases when the creation points analysis takes too long to complete. This option is automatically selected for large programs
  • noOracle: do not use an oracle semantics for the fields
    This largely reduces the precision of the analysis, since Julia will no longer track the fields that are definitely initialized to a non-secret (non-tainted) value before being accessed. Mainly useful for profiling and statistics
  • noUnreachable: do not dump information on unreachable code
    By selecting this option, the jaif files become smaller
  • reportLocals: dump information on local variables
    By selecting this option, the jaif file contains information on local variables as well and consequently becomes larger
  • trustDatabase: consider data coming from a database query as trusted
    This option lets Julia consider data coming from database queries as untainted and hence trusted. This is false by default
  • trustDevice: consider data about the specific device as trusted
    This option lets Julia consider data about the specific device running the application as untainted and hence trusted. This is false by default
  • trustEnvironment: consider data coming from the running environment as trusted
    This option lets Julia consider data coming from files or properties as untainted and hence trusted. This is true by default
  • trustExternalStreams: consider data coming from external streams as trusted
    This option lets Julia consider data coming from external streams and sockets as untainted and hence trusted. This is true by default
  • trustUserInput: consider data from servlet requests and console as trusted
    This option lets Julia consider data coming from servlet requests and console input as untainted and hence trusted. This is false by default

Annotations understood by this checker

  • none


Description

The PrivacyAndroid checker is dedicated to the analysis of Android applications. Most of the work done by the checker relies on both the Injection checker and the Flow Analysis. In particular, PrivacyAndroid replicates both the behaviours and the capabilities of the Injection checker. The core difference is that it restricts the set of sources and sinks to the Android OS. It considers as sources the information coming from all the methods annotated as @UntrustedDevice (outside the Android context a method such as TelephonyManager.getDeviceId() has no meaning). The sinks are all the methods that let data leave the device (e.g. SmsManager.sendTextMessage(...), or the construction of a URL that is then opened).


Examples

Consider the following program:

import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.telephony.TelephonyManager;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;

public class MainActivity extends AppCompatActivity {
    private Button button;
    private EditText text;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // R.id.goToSecond and R.id.noteText are the layout ids assumed by this example
        button = (Button) this.findViewById(R.id.goToSecond);
        text = (EditText) this.findViewById(R.id.noteText);
        button.setOnClickListener( new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // user input from the EditText is written to app-private storage
                String writeText=text.getText().toString();
                memorizeText(writeText);
            }
        });
    }

    private void memorizeText(String writeText) {
        try {
            OutputStreamWriter outputStreamWriter = new OutputStreamWriter(this.openFileOutput("StoreMyNotes.txt", Context.MODE_PRIVATE));
            outputStreamWriter.write(writeText);
            outputStreamWriter.close();
        }
        catch (IOException e) {
            Log.d("Err",e.getMessage());
            onBugShake();
        }
    }

    // Error reporting: sends device data to a remote server.
    // getDeviceId() requires the READ_PHONE_STATE permission; on a real device the
    // network call would also have to run off the UI thread.
    private void onBugShake(){
        TelephonyManager tm =(TelephonyManager)getApplicationContext().getSystemService(Context.TELEPHONY_SERVICE);
        try {
            // the IMEI returned by getDeviceId() flows into the URL string
            URL myUrl = new URL("http://www.captureIssues.com/memorize?device="+ Build.DEVICE+"&id="+ tm.getDeviceId()+"&system="+Build.VERSION.SDK_INT);
            URLConnection uc=myUrl.openConnection();
            uc.connect();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

This checker issues the following warnings:

UrlInjectionAndroid.java:38: [PrivacyAndroid: URLInjectionWarning] possible URL-injection through the 0th actual parameter of init

Let us discuss the motivation of the warning. Sensitive information flows into the first parameter of the URL constructor, so the web server that receives the connection also receives sensitive data about the device: in this example, its IMEI. The source of the leak is the method TelephonyManager.getDeviceId(), annotated as @UntrustedDevice. The sink is on the same line: the constructor of the URL object (reported as init, the JVM name of a constructor) receives the string representation of the URL as its first (0th) parameter, and that parameter is annotated as @UrlTrusted. The warning is therefore the result of tainted data flowing into a parameter that must be trusted. The goal of the PrivacyAndroid checker is the same as that of the Injection checker: it applies the behaviours and capabilities of the Injection checker to the Android context. Indeed, PrivacyAndroid extends Injection but overrides some of its option defaults; in particular, data about the device is untrusted by default (trustDevice is false), which is what makes getDeviceId() a source here.
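The description above also names SmsManager.sendTextMessage(...) as a sink, the one behind MessageInjectionWarning. The following class is an added example (not code from the page or from Julia) that shows the same kind of leak through the SMS sink next to a hardened rewrite. The class name, the support number and the preference keys are assumptions made for the example; whether Build.* fields are tainted is not stated on this page, so the hardened method avoids them altogether.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.telephony.SmsManager;
import android.telephony.TelephonyManager;
import java.util.UUID;

/**
 * Added example: error reporting over SMS in a leaking and a hardened form.
 * Both methods need the SEND_SMS permission; the leaking one also needs
 * READ_PHONE_STATE for getDeviceId().
 */
public class CrashReporter {
    private static final String PREFS = "crash_reporter";          // assumed name
    private static final String KEY_INSTALL_ID = "install_id";      // assumed key
    private static final String SUPPORT_NUMBER = "+15555550100";    // hypothetical number

    private final Context context;

    public CrashReporter(Context context) {
        this.context = context.getApplicationContext();
    }

    /**
     * Leaking version: the IMEI returned by TelephonyManager.getDeviceId(),
     * an @UntrustedDevice source, is concatenated into the text handed to
     * SmsManager.sendTextMessage(), a sink through which data leaves the
     * device. This is the source-to-sink pattern listed for
     * MessageInjectionWarning, so the checker is expected to report it.
     */
    public void reportByDeviceId(String error) {
        TelephonyManager tm =
            (TelephonyManager) context.getSystemService(Context.TELEPHONY_SERVICE);
        String body = "error=" + error + "&id=" + tm.getDeviceId();   // tainted
        SmsManager.getDefault().sendTextMessage(SUPPORT_NUMBER, null, body, null, null);
    }

    /**
     * Hardened version: reports are correlated with an app-generated random
     * installation id instead of a hardware identifier. No @UntrustedDevice
     * source is reached on the path to the sink, so nothing tainted by the
     * device reaches the message.
     */
    public void reportByInstallId(String error) {
        String body = "error=" + error + "&install=" + installId();
        SmsManager.getDefault().sendTextMessage(SUPPORT_NUMBER, null, body, null, null);
    }

    /** Random id created on first use and kept in app-private preferences. */
    String installId() {
        SharedPreferences prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String id = prefs.getString(KEY_INSTALL_ID, null);
        if (id == null) {
            id = UUID.randomUUID().toString();
            prefs.edit().putString(KEY_INSTALL_ID, id).apply();
        }
        return id;
    }
}
```

Two caveats a practitioner should keep in mind. First, the hardened method is only clean with respect to device data: if the error string passed to it is itself derived from an untrusted source (user input, a database, an external stream, depending on the trust* options in force), the same sink will still be reported. Second, the rewrite should be re-checked with trustDevice left at its default of false, since setting that option to true would silence the first method without removing the leak.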