Input file
The test app and output of FlowDroid can be found in this repository
https://github.com/yuuuki-sato/reflection_static
Describe the flow that was not found by FlowDroid
The data flow originates from fetching the Android ID (Source) and is supposed to reach a sink inside the appendLog_static method.
While FlowDroid successfully tracks the taint propagation through instance method reflection (as demonstrated in the commented-out code), it fails to do so for static method reflection. When the source data is passed as an argument to the static method via m_static.invoke(null, androidId), the taint appears to drop entirely at this call.
String androidId = Utils.getAndroidId(this); // source
try {
    Class c = Class.forName("com.example.reflection_static.Utils");
    // Method m_instance = c.getDeclaredMethod("appendLog_instance", String.class);
    // Object o = c.newInstance();
    // m_instance.invoke(o, androidId); // sink via instance method
    Method m_static = c.getDeclaredMethod("appendLog_static", String.class);
    m_static.invoke(null, androidId); // sink via static method
} catch (Throwable ignored) {}
} // closes the enclosing method, whose opening is not shown in this excerpt
To reproduce
https://github.com/yuuuki-sato/reflection_static/blob/main/flowdroid_result/analyze.sh
Version information
2.15.1
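A runtime cross-check for the two reflective paths described in the report, added here as an example and not taken from the test app or from FlowDroid. The nested `Utils` class is a stand-in that reuses only the two method names from the report, and the marker string is a constructed substitute for the Android ID; it shows that the argument reaches the callee on both paths, so a report missing the static path is a false negative.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class ReflectionFlowCheck {
    // Stand-in for the app's Utils class (assumption); the list plays the role of the sink.
    public static class Utils {
        static final List<String> SINK_LOG = new ArrayList<>();
        public Utils() {}
        public void appendLog_instance(String s) { SINK_LOG.add("instance:" + s); }
        public static void appendLog_static(String s) { SINK_LOG.add("static:" + s); }
    }

    // Invoke a one-String-argument method reflectively, picking the receiver the way
    // the report's snippet does: null for a static method, a fresh object otherwise.
    static void callReflectively(Class<?> c, String name, String arg) throws Exception {
        Method m = c.getDeclaredMethod(name, String.class);
        Object receiver = Modifier.isStatic(m.getModifiers())
                ? null
                : c.getDeclaredConstructor().newInstance();
        m.invoke(receiver, arg);
    }

    public static void main(String[] args) throws Exception {
        String marker = "CONSTRUCTED-ANDROID-ID-0001"; // constructed stand-in for the source value
        Class<?> c = Class.forName(Utils.class.getName());

        callReflectively(c, "appendLog_instance", marker);
        callReflectively(c, "appendLog_static", marker);

        // Every recorded sink hit should carry the marker, once per path.
        for (String hit : Utils.SINK_LOG) {
            System.out.println((hit.endsWith(marker) ? "REACHED " : "MISSED ") + hit);
        }
        if (Utils.SINK_LOG.size() != 2) {
            throw new AssertionError("expected both reflective paths to reach the sink");
        }
    }
}
```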