FlowDroid Fails to Detect Taint Propagation to Network Sink for Contact and SMS Data tainted in a method

[marshalwahlexyz1]

Hi @t1mlange @StevenArzt ,

I am using flowdroid for dataflow analysis for some apk files, I am interested in points where contact, sms data are tainted in an app. I have manually confirmed that data was tainted in these methods and ends up in a network connection. I also confirmed dynamically using frida by hooking those methods and could see that data was been tainted.

However, using Android API's used to retrieve contact and sms in my Source and Sink. Flowdroid identifies these sources and sink but doesn't detect a leak.
Also, it only detects a leak for URi.parse for SMS when I use a customwrapper without a custom wrapper it doesnt detect any leak.

below is my source and sink file

<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String)> -> SOURCE
<android.provider.ContactsContract$CommonDataKinds$Phone: android.net.Uri CONTENT_URI> -> SOURCE
<android.database.Cursor: java.lang.String getString(int)> -> SOURCE
<android.database.Cursor: boolean moveToNext()> -> SOURCE
<android.database.Cursor: void close()> -> SOURCE
<android.net.Uri: android.net.Uri parse(java.lang.String)> -> SOURCE

<android.media.ExifInterface: java.lang.String getAttribute(java.lang.String)> -> SOURCE
<com.google.android.gms.common.util.Base64Utils: java.lang.String encode(byte[])> -> SOURCE

<com.lzy.okgo.OkGo: com.lzy.okgo.request.PostRequest post(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest upJson(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest execute()> -> SINK
<okhttp3.OkHttpClient: okhttp3.Call newCall(okhttp3.Request)> -> SINK

<java.net.URLConnection: void connect()> -> SINK
<java.net.URLConnection: java.io.OutputStream getOutputStream()> -> SINK
<java.net.URL: java.io.InputStream openStream()> -> SINK
<java.net.URL: java.lang.Object getContent()> -> SINK
<java.net.URL: java.lang.Object getContent(java.lang.Class[])> -> SINK
<java.net.URL: void set(java.lang.String,java.lang.String,int,java.lang.String,java.lang.String)> -> SINK
<java.net.URL: void set(java.lang.String,java.lang.String,int,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)> -> SINK

<com.lzy.okgo.OkGo: com.lzy.okgo.request.PostRequest post(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest upJson(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest execute()> -> SINK
<okhttp3.OkHttpClient: okhttp3.Call newCall(okhttp3.Request)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest upJson(org.json.JSONObject)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest upString(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest upBytes(byte[])> -> SINK
<com.lzy.okgo.OkGo: com.lzy.okgo.request.GetRequest get(java.lang.String)> -> SINK
<com.lzy.okgo.request.GetRequest: com.lzy.okgo.request.GetRequest execute()> -> SINK
<com.lzy.okgo.request.PutRequest: com.lzy.okgo.request.PutRequest upJson(org.json.JSONObject)> -> SINK
<com.lzy.okgo.request.PutRequest: com.lzy.okgo.request.PutRequest upString(java.lang.String)> -> SINK
<com.lzy.okgo.request.PutRequest: com.lzy.okgo.request.PutRequest upBytes(byte[])> -> SINK
<com.lzy.okgo.request.TraceRequest: com.lzy.okgo.request.TraceRequest upJson(org.json.JSONObject)> -> SINK
<com.lzy.okgo.request.TraceRequest: com.lzy.okgo.request.TraceRequest upString(java.lang.String)> -> SINK
<com.lzy.okgo.request.TraceRequest: com.lzy.okgo.request.TraceRequest upBytes(byte[])> -> SINK

CUSTOM WRAPPER

<com.google.android.gms.common.util.Base64Utils: java.lang.String encode(byte[])> -> SOURCE
<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String)> -> SOURCE
<android.database.Cursor: java.lang.String getString(int)> -> SOURCE
<android.net.Uri: android.net.Uri parse(java.lang.String)> -> SOURCE
<android.media.ExifInterface: java.lang.String getAttribute(java.lang.String)> -> SOURCE

<android.database.Cursor: boolean moveToNext()> -> PROPAGATION
<com.glx.fenmiframe.getDuanXin.DuanXinUtils: void setData(java.util.List<com.glx.fenmiframe.getDuanXin.DuanXinUtils$SmslogBean>)> -> PROPAGATION
<com.glx.fenmiframe.get_photo.PhotoManager: void setData(java.util.List<java.lang.String>)> -> PROPAGATION
<java.util.List: boolean add(java.lang.Object)> -> PROPAGATION

<com.lzy.okgo.OkGo: com.lzy.okgo.request.PostRequest post(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest upJson(java.lang.String)> -> SINK
<com.lzy.okgo.request.PostRequest: com.lzy.okgo.request.PostRequest execute()> -> SINK
<okhttp3.OkHttpClient: okhttp3.Call newCall(okhttp3.Request)> -> SINK
<android.database.Cursor: void close()> -> SINK.

command and options used

java -Xmx16384m -jar "C:\Users\walea\Desktop\FlowDroid-develop\soot-infoflow-cmd\target\soot-infoflow-cmd-jar-with-dependencies.jar" -a "C:\Apktool\apk_files\easycash.apk" -p "C:\Users\walea\AppData\Local\Android\Sdk\platforms" -s "C:\Users\walea\Desktop\FlowDroid-develop\soot-infoflow-android\ss.txt" -t "C:\Users\walea\Desktop\FlowDroid-develop\soot-infoflow\cw.txt" -tw EASY -o easycash.xml -pr fast -ls -process-multiple-dex

Why is Flowdroid not able to detect leak when there is obviously a taint that ends up in a network connection?