Merge pull request #708 from MarcMil/extensibility

Add support for JS interfaces and WebViewClient

Author: StevenArzt

soot-infoflow-android/AndroidCallbacks.txt

@@ -349,6 +349,7 @@ android.webkit.WebMessagePort$WebMessageCallback
 android.webkit.WebView$FindListener
 android.webkit.WebView$PictureListener
 android.webkit.WebView$VisualStateCallback
+android.webkit.WebViewClient
 android.widget.AbsListView$MultiChoiceModeListener
 android.widget.AbsListView$OnScrollListener
 android.widget.AbsListView$RecyclerListener
@@ -401,4 +402,4 @@ javax.security.auth.callback.PasswordCallback
 javax.sql.ConnectionEventListener
 javax.sql.RowSetListener
 javax.sql.StatementEventListener
-javax.xml.transform.ErrorListener
+javax.xml.transform.ErrorListener

soot-infoflow-android/src/soot/jimple/infoflow/android/SetupApplication.java

@@ -122,6 +122,7 @@ public class SetupApplication implements ITaintWrapperDataFlowAnalysis {
 	protected InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
 
 	protected Set<SootClass> entrypoints = null;
+	protected MultiMap<SootMethod, Stmt> javascriptInterfaceStmts = new HashMultiMap<>();
 	protected Set<String> callbackClasses = null;
 	protected AndroidEntryPointCreator entryPointCreator = null;
 	protected IccInstrumenter iccInstrumenter = null;
@@ -776,6 +777,9 @@ private void calculateCallbackMethods(LayoutFileParser lfp, SootClass component)
 				if (entrypoints.addAll(jimpleClass.getDynamicManifestComponents()))
 					hasChanged = true;
 
+				if (javascriptInterfaceStmts.putAll(jimpleClass.getJavaScriptInterfaces()))
+					hasChanged = true;
+
 				// Collect the XML-based callback methods
 				if (collectXmlBasedCallbackMethods(lfp, jimpleClass))
 					hasChanged = true;
@@ -1634,6 +1638,7 @@ protected void processEntryPoint(ISourceSinkDefinitionProvider sourcesAndSinks,
 		// We don't need the computed callbacks anymore
 		this.callbackMethods.clear();
 		this.fragmentClasses.clear();
+		this.javascriptInterfaceStmts.clear();
 
 		// Notify our result handlers
 		for (ResultsAvailableHandler handler : resultsAvailableHandlers)
@@ -1787,6 +1792,7 @@ private AndroidEntryPointCreator createEntryPointCreator(SootClass component) {
 		entryPointCreator.setCallbackFunctions(callbackMethodSigs);
 		entryPointCreator.setFragments(fragmentClasses);
 		entryPointCreator.setComponents(components);
+		entryPointCreator.setJavaScriptInterfaces(javascriptInterfaceStmts);
 		return entryPointCreator;
 	}
 

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/AbstractCallbackAnalyzer.java

@@ -199,6 +199,8 @@ else if (arrayLocals.contains(lop))
 
 			});
 
+	private MultiMap<SootMethod, Stmt> javaScriptInterfaces = new HashMultiMap<SootMethod, Stmt>();
+
 	public AbstractCallbackAnalyzer(InfoflowAndroidConfiguration config, Set<SootClass> entryPointClasses)
 			throws IOException {
 		this(config, entryPointClasses, "AndroidCallbacks.txt");
@@ -432,6 +434,28 @@ protected void analyzeMethodForDynamicBroadcastReceiver(SootMethod method) {
 		}
 	}
 
+	protected void analyzeMethodForJavascriptInterfaces(SootMethod method) {
+		// Do not analyze system classes
+		if (SystemClassHandler.v().isClassInSystemPackage(method.getDeclaringClass().getName()))
+			return;
+		if (!method.isConcrete() || !method.hasActiveBody())
+			return;
+
+		final FastHierarchy fastHierarchy = Scene.v().getFastHierarchy();
+		final RefType webViewType = RefType.v("android.webkit.WebView");
+		for (Unit u : method.getActiveBody().getUnits()) {
+			Stmt stmt = (Stmt) u;
+			if (stmt.containsInvokeExpr()) {
+				final InvokeExpr iexpr = stmt.getInvokeExpr();
+				final SootMethodRef methodRef = iexpr.getMethodRef();
+				if (methodRef.getName().equals("addJavascriptInterface") && iexpr.getArgCount() == 2
+						&& fastHierarchy.canStoreType(methodRef.getDeclaringClass().getType(), webViewType)) {
+					this.javaScriptInterfaces.put(method, stmt);
+				}
+			}
+		}
+	}
+
 	/**
 	 * Checks whether the given method dynamically registers a new service
 	 * connection
@@ -1046,4 +1070,12 @@ public void setValueProvider(IValueProvider valueProvider) {
 		this.valueProvider = valueProvider;
 	}
 
+	/**
+	 * Returns a set of all statements which add a javascript interface
+	 * @return the statement list
+	 */
+	public MultiMap<SootMethod, Stmt> getJavaScriptInterfaces() {
+		return javaScriptInterfaces;
+	}
+
 }

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/DefaultCallbackAnalyzer.java

@@ -209,6 +209,7 @@ private void analyzeReachableMethods(SootClass lifecycleElement, List<MethodOrMe
 				analyzeMethodForServiceConnection(method);
 				analyzeMethodForFragmentTransaction(lifecycleElement, method);
 				analyzeMethodForViewPagers(lifecycleElement, method);
+				analyzeMethodForJavascriptInterfaces(method);
 			}
 		}
 	}

soot-infoflow-android/src/soot/jimple/infoflow/android/entryPointCreators/AndroidEntryPointCreator.java

@@ -10,6 +10,7 @@
  ******************************************************************************/
 package soot.jimple.infoflow.android.entryPointCreators;
 
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -30,8 +31,13 @@
 import soot.SootClass;
 import soot.SootField;
 import soot.SootMethod;
+import soot.Type;
 import soot.Unit;
+import soot.UnitPatchingChain;
+import soot.Value;
+import soot.jimple.AssignStmt;
 import soot.jimple.IfStmt;
+import soot.jimple.InvokeStmt;
 import soot.jimple.Jimple;
 import soot.jimple.NopStmt;
 import soot.jimple.NullConstant;
@@ -50,6 +56,8 @@
 import soot.jimple.infoflow.cfg.LibraryClassPatcher;
 import soot.jimple.infoflow.data.SootMethodAndClass;
 import soot.jimple.infoflow.entryPointCreators.IEntryPointCreator;
+import soot.jimple.infoflow.entryPointCreators.SimulatedCodeElementTag;
+import soot.jimple.infoflow.typing.TypeUtils;
 import soot.jimple.infoflow.util.SootMethodRepresentationParser;
 import soot.jimple.infoflow.util.SystemClassHandler;
 import soot.jimple.toolkits.scalar.NopEliminator;
@@ -92,6 +100,8 @@ public class AndroidEntryPointCreator extends AbstractAndroidEntryPointCreator i
 
 	private Collection<SootClass> components;
 
+	private MultiMap<SootMethod, Stmt> javascriptInterfaceStmts;
+
 	/**
 	 * Creates a new instance of the {@link AndroidEntryPointCreator} class and
 	 * registers a list of classes to be automatically scanned for Android lifecycle
@@ -305,6 +315,7 @@ protected SootMethod createDummyMainInternal() {
 			addApplicationCallbackMethods();
 			createIfStmt(beforeAppCallbacks);
 		}
+		createJavascriptCallbacks();
 
 		createIfStmt(outerStartStmt);
 
@@ -326,6 +337,51 @@ protected SootMethod createDummyMainInternal() {
 		return mainMethod;
 	}
 
+	private void createJavascriptCallbacks() {
+		Jimple j = Jimple.v();
+		for (SootMethod m : javascriptInterfaceStmts.keySet()) {
+			Set<Stmt> statements = javascriptInterfaceStmts.get(m);
+			for (Stmt s : statements) {
+				UnitPatchingChain units = m.retrieveActiveBody().getUnits();
+				SootField f = null;
+				Value arg = s.getInvokeExpr().getArg(0);
+				DummyMainFieldElementTag dm = (DummyMainFieldElementTag) s.getTag(DummyMainFieldElementTag.TAG_NAME);
+				if (dm != null) {
+					f = mainMethod.getDeclaringClass().getFieldByNameUnsafe(dm.getFieldName());
+				}
+				if (f == null) {
+					//create field
+					f = createField(arg.getType(), "jsInterface");
+					AssignStmt assign = j.newAssignStmt(j.newStaticFieldRef(f.makeRef()), arg);
+					assign.addTag(SimulatedCodeElementTag.TAG);
+					s.addTag(new DummyMainFieldElementTag(f.getName()));
+					units.insertAfter(assign, s);
+				}
+
+				Local l = j.newLocal(f.getName(), f.getType());
+				body.getLocals().add(l);
+				Stmt assignF = j.newAssignStmt(l, j.newStaticFieldRef(f.makeRef()));
+				body.getUnits().add(assignF);
+				SootClass cbtype = ((RefType) f.getType()).getSootClass();
+
+				for (SootClass c : TypeUtils.getAllDerivedClasses(cbtype)) {
+					for (SootMethod cbm : c.getMethods()) {
+						if (AndroidEntryPointUtils.isCallableFromJS(cbm)) {
+							List<Value> args = new ArrayList<>();
+							for (Type t : cbm.getParameterTypes())
+								args.add(getSimpleDefaultValue(t));
+							InvokeStmt st = j.newInvokeStmt(j.newVirtualInvokeExpr(l, cbm.makeRef(), args));
+							body.getUnits().add(st);
+						}
+					}
+
+				}
+				createIfStmt(assignF);
+
+			}
+		}
+	}
+
 	/**
 	 * Checks whether a lifecycle call should be added to the given SootClass,
 	 * designed to be overridden by different implementations
@@ -392,20 +448,24 @@ private void initializeApplicationClass() {
 				baseName = baseName.substring(baseName.lastIndexOf(".") + 1);
 
 			// Generate a fresh field name
-			SootClass dummyMainClass = mainMethod.getDeclaringClass();
-			int idx = 0;
-			String fieldName = baseName;
-			while (dummyMainClass.declaresFieldByName(fieldName)) {
-				fieldName = baseName + "_" + idx;
-				idx++;
-			}
-			SootField fld = Scene.v().makeSootField(fieldName, RefType.v(callbackClass),
-					Modifier.PRIVATE | Modifier.STATIC);
-			mainMethod.getDeclaringClass().addField(fld);
+			SootField fld = createField(RefType.v(callbackClass), baseName);
 			callbackClassToField.put(callbackClass, fld);
 		}
 	}
 
+	protected SootField createField(Type type, String baseName) {
+		SootClass dummyMainClass = mainMethod.getDeclaringClass();
+		int idx = 0;
+		String fieldName = baseName;
+		while (dummyMainClass.declaresFieldByName(fieldName)) {
+			fieldName = baseName + "_" + idx;
+			idx++;
+		}
+		SootField fld = Scene.v().makeSootField(fieldName, type, Modifier.PRIVATE | Modifier.STATIC);
+		mainMethod.getDeclaringClass().addField(fld);
+		return fld;
+	}
+
 	/**
 	 * Removes if statements that jump to the fall-through successor
 	 * 
@@ -602,4 +662,8 @@ public void removeGeneratedMethods(boolean removeClass) {
 		}
 	}
 
+	public void setJavaScriptInterfaces(MultiMap<SootMethod, Stmt> javascriptInterfaceStmts) {
+		this.javascriptInterfaceStmts = javascriptInterfaceStmts;
+	}
+
 }

soot-infoflow-android/src/soot/jimple/infoflow/android/entryPointCreators/AndroidEntryPointUtils.java

@@ -17,6 +17,9 @@
 import soot.SootClass;
 import soot.SootMethod;
 import soot.jimple.infoflow.util.SystemClassHandler;
+import soot.tagkit.AnnotationTag;
+import soot.tagkit.Tag;
+import soot.tagkit.VisibilityAnnotationTag;
 
 /**
  * Class containing common utility methods for dealing with Android entry points
@@ -52,6 +55,8 @@ public enum ComponentType {
 		GCMListenerService, HostApduService, ServiceConnection, Plain
 	}
 
+	private static final String JS_INTERFACE = "Landroid/webkit/JavascriptInterface;";
+
 	/**
 	 * Creates a new instance of the {@link AndroidEntryPointUtils} class. Soot must
 	 * already be running when this constructor is invoked.
@@ -280,4 +285,24 @@ private static Collection<? extends MethodOrMethodContext> getLifecycleMethods(S
 		return lifecycleMethods;
 	}
 
+	/**
+	 * Checks whether a method is potentially callable from JavaScript
+	 * @param m the method
+	 * @return true if the method is pot. callable from JS
+	 */
+	public static boolean isCallableFromJS(SootMethod m) {
+		if (!m.isPublic() || m.isStatic() || m.isAbstract())
+			return false;
+
+		for (Tag tag : m.getTags()) {
+			if (tag instanceof VisibilityAnnotationTag) {
+				VisibilityAnnotationTag vatag = (VisibilityAnnotationTag) tag;
+				for (AnnotationTag t : vatag.getAnnotations()) {
+					if (t.getType().equals(JS_INTERFACE))
+						return true;
+				}
+			}
+		}
+		return false;
+	}
 }

soot-infoflow-android/src/soot/jimple/infoflow/android/entryPointCreators/DummyMainFieldElementTag.java

@@ -0,0 +1,41 @@
+package soot.jimple.infoflow.android.entryPointCreators;
+
+import soot.tagkit.AttributeValueException;
+import soot.tagkit.Tag;
+
+/**
+ * Tag to denote that a certain method or class was created by an entry point
+ * creator and should not be considered real app code
+ * 
+ * @author Steven Arzt
+ *
+ */
+public class DummyMainFieldElementTag implements Tag {
+
+	public static final String TAG_NAME = "DummyMainFieldElementTag";
+	public static DummyMainFieldElementTag TAG = new DummyMainFieldElementTag();
+	private String fieldName;
+
+	private DummyMainFieldElementTag() {
+		//
+	}
+
+	public DummyMainFieldElementTag(String name) {
+		this.fieldName = name;
+	}
+
+	public String getFieldName() {
+		return fieldName;
+	}
+
+	@Override
+	public String getName() {
+		return TAG_NAME;
+	}
+
+	@Override
+	public byte[] getValue() throws AttributeValueException {
+		return null;
+	}
+
+}