Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IC3 gives me the Manifets file information only #21

Open
HammadMahmoud opened this issue Jul 11, 2016 · 11 comments
Open

IC3 gives me the Manifets file information only #21

HammadMahmoud opened this issue Jul 11, 2016 · 11 comments

Comments

@HammadMahmoud
Copy link

Hello,

I have downloaded IC3 source code and build it successfully, I was able to retarget some apps using Date project and use them as inputs to IC3 project. IC3 only gives me information from the Manifest file such as components and Intent Filters, same information stored in the database. Tables such as Intents or ExitPoints are totally empty.

I tried IC3 on different apps: small apps that I created, apps from Google Play store, apps provided by IC3 group at http://siis.cse.psu.edu/slides/android-sec-tutorial-apk.tar.gz, in all cases I got the information stored in the Manifest file only.

For example, this is the result of analyzing FriendTracker app:

_Manifest_
Manifest file for org.siislab.tutorial.friendtracker version 1
Activities:
org.siislab.tutorial.friendtracker.FriendTrackerControl
Intent filter:
Actions: [android.intent.action.MAIN]
Categories: [android.intent.category.LAUNCHER]

Activity Aliases:
Services:
org.siislab.tutorial.friendtracker.FriendTracker
Receivers:
org.siislab.tutorial.friendtracker.BootReceiver
Intent filter:
Actions: [android.intent.action.BOOT_COMPLETED]
Providers:
org.siislab.tutorial.friendtracker.FriendProvider
authority: friends
write permission: org.siislab.tutorial.permission.WRITE_FRIENDS

_Result_
[main] INFO edu.psu.cse.siis.ic3.ResultProcessor - org.siislab.tutorial.friendtracker 29 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 36 654 7 361 8 22 0 0 509 92 2014

Another output for running IC3 on a simple app (3 activities, one reachable Intent from MainActivity that starts SecondActivity, and one dynamically registered broadcast receiver):

****(Manifest)****
Manifest file for com.example.testic3 version 1
Activities:
com.example.testic3.MainActivity
Intent filter:
Actions: [android.intent.action.MAIN]
Categories: [android.intent.category.LAUNCHER]
com.example.testic3.SecondActivity
com.example.testic3.ThirdActivity
Intent filter:
Actions: [com.example.testic3.myaction]

Activity Aliases:
Services:
Receivers:
Providers:

_Result_

Also I followed the example given in https://github.com/siis/ic3/issues/17 by @docteau where every thing went smooth except the output didn't show the expected results, neither on the screen nor on the database.

Any help is highly appreciated.

Regards,
Mahmoud
@docteau
Copy link
Member

docteau commented Jul 13, 2016

Hi,

Can you post exactly the commands you used? Also can you attach the output you are seeing?

Damien

@HammadMahmoud
Copy link
Author

Thanks for the reply, Damien,

Here is the folder structure on my MacBook laptop

~/Tools/IC3
├── dare_output
│   ├── friendTracker
│   │   ├── optimized
│   │   ├── optimized-decompiled
│   │   ├── retargeted
│   │   └── stats.csv
├── ic3-0.2.0
│   ├── android.jar
│   ├── ic3-0.2.0-full.jar
│   ├── db
│   │   ├── cc.properties
└── ic3_toy_apps
├── FriendTracker.apk

Here is the command that I used:
~/Tools/IC3$ java -jar ic3-0.2.0-full.jar -input ../dare_output/friendTracker/ -apkormanifest ../ic3_toy_apps/FriendTracker.apk -cp ./android.jar -db ./db/cc.properties

The output in the terminal
Warning: java.lang.invoke.LambdaMetafactory is a phantom class!
Warning: java.lang.ref.Finalizer is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendTracker is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendTrackerControl is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendProvider is a phantom class!
Warning: org.siislab.tutorial.friendtracker.BootReceiver is a phantom class!
[main] INFO soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Generated main method:
public static void dummyMainMethod()
{
int $i0;

    $i0 = 0;

 label1:
    if $i0 == 8 goto label1;

    return;
}

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
Callback analysis done.
Warning: LinearLayout is a phantom class!
Warning: org.siislab.tutorial.friendtracker.LinearLayout is a phantom class!
Warning: android.view.LinearLayout is a phantom class!
Warning: TextView is a phantom class!
Warning: org.siislab.tutorial.friendtracker.TextView is a phantom class!
Warning: android.view.TextView is a phantom class!
Warning: Button is a phantom class!
Warning: org.siislab.tutorial.friendtracker.Button is a phantom class!
Warning: android.view.Button is a phantom class!
Found 1 layout controls in file res/layout/main.xml
[main] INFO edu.psu.cse.siis.ic3.SetupApplication - Entry point calculation done.
Warning: org.siislab.tutorial.friendtracker.FriendTracker is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendTrackerControl is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendProvider is a phantom class!
Warning: org.siislab.tutorial.friendtracker.BootReceiver is a phantom class!
[main] INFO soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Generated main method:
public static void dummyMainMethod()
{
int $i0;

    $i0 = 0;

 label1:
    if $i0 == 8 goto label1;

    return;
}

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
[main] INFO edu.psu.cse.siis.coal.PropagationSceneTransformer - Solving propagation problem (iteration 0)
[main] INFO edu.psu.cse.siis.coal.PropagationSceneTransformer - Reached a fixed point
Unknown entry point type: org.siislab.tutorial.friendtracker.FriendTracker
Unknown entry point type: org.siislab.tutorial.friendtracker.FriendTrackerControl
Unknown entry point type: org.siislab.tutorial.friendtracker.FriendProvider
Unknown entry point type: org.siislab.tutorial.friendtracker.BootReceiver
Transforming android.content.Intent...
Transforming android.content.IntentFilter...
Transforming android.os.Bundle...
Transforming android.content.ComponentName...
Transforming android.app.Activity...
Transforming dummyMainClass...
Transforming org.siislab.tutorial.friendtracker.FriendTracker...
Transforming org.siislab.tutorial.friendtracker.FriendTrackerControl...
Transforming org.siislab.tutorial.friendtracker.FriendProvider...
Transforming org.siislab.tutorial.friendtracker.BootReceiver...

_Manifest_
Manifest file for org.siislab.tutorial.friendtracker version 1
Activities:
org.siislab.tutorial.friendtracker.FriendTrackerControl
Intent filter:
Actions: [android.intent.action.MAIN]
Categories: [android.intent.category.LAUNCHER]

Activity Aliases:
Services:
org.siislab.tutorial.friendtracker.FriendTracker
Receivers:
org.siislab.tutorial.friendtracker.BootReceiver
Intent filter:
Actions: [android.intent.action.BOOT_COMPLETED]
Providers:
org.siislab.tutorial.friendtracker.FriendProvider
authority: friends
write permission: org.siislab.tutorial.permission.WRITE_FRIENDS

_Result_
[main] INFO edu.psu.cse.siis.ic3.ResultProcessor - org.siislab.tutorial.friendtracker 29 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 30 709 6 402 10 21 0 0 486 89 2058

The Database

mysql> select * from cc.applications;
+----+------------------------------------+---------+
| id | app | version |
+----+------------------------------------+---------+
| 5 | org.siislab.tutorial.friendtracker | 1 |
+----+------------------------------------+---------+

mysql> select * from cc.classes where app_id=5;
//app_id=5 because I have other apps in the database from previous executions
+-----+--------+---------------------------------------------------------+
| id | app_id | class |
+-----+--------+---------------------------------------------------------+
| 187 | 5 | org.siislab.tutorial.friendtracker.FriendTrackerControl |
| 188 | 5 | org.siislab.tutorial.friendtracker.FriendTracker |
| 189 | 5 | org.siislab.tutorial.friendtracker.BootReceiver |
| 190 | 5 | org.siislab.tutorial.friendtracker.FriendProvider |
+-----+--------+---------------------------------------------------------+
4 rows in set (0.00 sec)

mysql> select * from cc.components where class_id>187;
+-----+----------+------+----------+------------+---------+
| id | class_id | kind | exported | permission | missing |
+-----+----------+------+----------+------------+---------+
| 188 | 188 | s | 0 | 53 | NULL |
| 189 | 189 | r | 1 | NULL | NULL |
| 190 | 190 | p | 0 | NULL | NULL |
+-----+----------+------+----------+------------+---------+
3 rows in set (0.00 sec)

mysql> select * from cc.intents;
Empty set (0.00 sec)

mysql> select * from cc.ExitPoints;
Empty set (0.00 sec)

Please let me know if you need any further information to find the problem.

Thanks,
Mahmoud

@docteau
Copy link
Member

docteau commented Jul 14, 2016

Try -input ../dare_output/friendTracker/retargeted

Damien

@HammadMahmoud
Copy link
Author

HammadMahmoud commented Jul 14, 2016
edited
Loading

Its exactly the same output. Also executing IC3 from its source code gives the same output. Any suggestions, please?

Thanks,
Mahmoud

@docteau
Copy link
Member

docteau commented Jul 18, 2016

Try -input ../dare_output/friendTracker/retargeted/FriendTracker

The "phantom class" message means that some class is missing from the Soot analysis. It is not always an issue, but in your case you have important classes missing (for example: Warning: org.siislab.tutorial.friendtracker.FriendTracker is a phantom class!). So you have to ensure that you are actually pointing IC3 to exactly the right directory. More specifically, if you have class org.siislab.tutorial.friendtracker.FriendTracker, you have to make sure that you point IC3 to the directory that contains the org subdirectory.

Damien

@HammadMahmoud
Copy link
Author

Hooray, it worked!!!!

Here is the output for others to compare:

_Manifest_
Manifest file for org.siislab.tutorial.friendtracker version 1
Activities:
org.siislab.tutorial.friendtracker.FriendTrackerControl
Intent filter:
Actions: [android.intent.action.MAIN]
Categories: [android.intent.category.LAUNCHER]

Activity Aliases:
Services:
org.siislab.tutorial.friendtracker.FriendTracker
Receivers:
org.siislab.tutorial.friendtracker.BootReceiver
Intent filter:
Actions: [android.intent.action.BOOT_COMPLETED]
Providers:
org.siislab.tutorial.friendtracker.FriendProvider
authority: friends
write permission: org.siislab.tutorial.permission.WRITE_FRIENDS

_Result_
org.siislab.tutorial.friendtracker.FriendFinder/void run() : virtualinvoke r15.<android.content.ContentResolver: int update(android.net.Uri,android.content.ContentValues,java.lang.String,java.lang.String[])>(r16, r1, r2, r3)
Components: [org.siislab.tutorial.friendtracker.FriendTracker]
0 : Value: 1 path values
uri=content://friends/location,

org.siislab.tutorial.friendtracker.FriendProvider/android.net.Uri insert(android.net.Uri,android.content.ContentValues) : virtualinvoke r18.<android.content.ContentResolver: void notifyChange(android.net.Uri,android.database.ContentObserver)>(r4, null)
Components: [org.siislab.tutorial.friendtracker.FriendProvider]
0 : Value: 1 path values
appendedPaths=[-1], uri=content://friends/location,

org.siislab.tutorial.friendtracker.FriendProvider/int delete(android.net.Uri,java.lang.String,java.lang.String[]) : virtualinvoke r12.<android.content.ContentResolver: void notifyChange(android.net.Uri,android.database.ContentObserver)>(r1, null)
Components: [org.siislab.tutorial.friendtracker.FriendProvider]
0 : null

org.siislab.tutorial.friendtracker.FriendProvider/int update(android.net.Uri,android.content.ContentValues,java.lang.String,java.lang.String[]) : virtualinvoke r13.<android.content.ContentResolver: void notifyChange(android.net.Uri,android.database.ContentObserver)>(r1, null)
Components: [org.siislab.tutorial.friendtracker.FriendProvider]
0 : null

org.siislab.tutorial.friendtracker.FriendTracker/void actionStartTracking(android.content.Context) : virtualinvoke r0.<android.content.Context: android.content.ComponentName startService(android.content.Intent)>(r1)
Components: [org.siislab.tutorial.friendtracker.FriendTrackerControl]
0 : Value: 1 path values
action=org.siislab.tutorial.action.START_TRACKING, clazz=org/siislab/tutorial/friendtracker/FriendTracker, package=org.siislab.tutorial.friendtracker,

org.siislab.tutorial.friendtracker.FriendTracker/void actionStopTracking(android.content.Context) : virtualinvoke r0.<android.content.Context: android.content.ComponentName startService(android.content.Intent)>(r1)
Components: [org.siislab.tutorial.friendtracker.FriendTrackerControl]
0 : Value: 1 path values
action=org.siislab.tutorial.action.STOP_TRACKING, clazz=org/siislab/tutorial/friendtracker/FriendTracker, package=org.siislab.tutorial.friendtracker,

org.siislab.tutorial.friendtracker.FriendTracker/void checkFriends(android.location.Location) : r2 = virtualinvoke r5.<android.content.ContentResolver: android.database.Cursor query(android.net.Uri,java.lang.String[],java.lang.String,java.lang.String[],java.lang.String)>(r6, null, "active=1", null, null)
Components: [org.siislab.tutorial.friendtracker.FriendTracker]
0 : Value: 1 path values
uri=content://friends/location,

org.siislab.tutorial.friendtracker.FriendTracker/void checkFriends(android.location.Location) : virtualinvoke r0.<org.siislab.tutorial.friendtracker.FriendTracker: void sendBroadcast(android.content.Intent,java.lang.String)>(r4, "org.siislab.tutorial.permission.FRIEND_NEAR")
Components: [org.siislab.tutorial.friendtracker.FriendTracker]
0 : Value: 1 path values
action=org.siislab.tutorial.action.FRIEND_NEAR, extras=[nick, contacts_id, _id],

1 : [org.siislab.tutorial.permission.FRIEND_NEAR]

org.siislab.tutorial.friendtracker.FriendTracker/void deactivateProvider() : virtualinvoke r3.<android.content.ContentResolver: int update(android.net.Uri,android.content.ContentValues,java.lang.String,java.lang.String[])>(r4, r1, null, null)
Components: [org.siislab.tutorial.friendtracker.FriendTracker]
0 : Value: 1 path values
uri=content://friends/location,

org.siislab.tutorial.friendtracker.FriendTrackerControl/void onCreate(android.os.Bundle) : virtualinvoke r0.<org.siislab.tutorial.friendtracker.FriendTrackerControl: boolean bindService(android.content.Intent,android.content.ServiceConnection,int)>(r13, r15, b0)
Components: [org.siislab.tutorial.friendtracker.FriendTrackerControl]
0 : Value: 1 path values
clazz=org/siislab/tutorial/friendtracker/FriendTracker, package=org.siislab.tutorial.friendtracker,

[main] INFO edu.psu.cse.siis.ic3.ResultProcessor - org.siislab.tutorial.friendtracker 29 116 71328 4 0 0 3 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 2 0 8 8 32 1232 21 353 9 239 0 5 463 121 2799

Thanks,
Mahmoud

@gxyzwangyi
Copy link

I use this command,but I also only get the Manifets file information only.
java -jar ic3-0.2.0-full.jar -apkormanifest 209.apk -input 209/retargeted/209/ -cp android.jar -protobuf 209

@HammadMahmoud
Copy link
Author

In lieu of usign a relative path (209/retargeted/209/), try to use full path

@gxyzwangyi
Copy link

I try to use this command,it same as ever.
java -jar ic3-0.2.0-full.jar -apkormanifest ~/Downloads/ic3-0.2.0/209.apk -input ~/Downloads/ic3-0.2.0/209/retargeted/209/com -cp android.jar -protobuf ~/Downloads/ic3-0.2.0/209

@gxyzwangyi
Copy link

gxyzwangyi commented Aug 14, 2016
edited
Loading

hello,are there any other means to help solving problems?

@docteau
Copy link
Member

docteau commented Aug 29, 2016

Please post the output you are seeing. This is likely due to pointing IC3 to an incorrect directory (or it could potentially be that there are no values for IC3 to find).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@docteau @gxyzwangyi @HammadMahmoud