Sunday, February 26, 2012

Re: [android-developers] Why explicit need for Permissions to be specified in Manifest File

That's not entirely true.

The team who did this paper did a fairly simple static analysis for
determining permissions use, and they didn't really comment on how
much reflection they handled. But in general I don't think it's an
inherent shortcoming of static analysis to determine reflective calls.
(Especially since most of the time people who are using reflection
hardcode their strings; they don't do things like let the user input
some class name, then look it up, which makes the analysis fairly
standard.)

The SCanDroid [1] work does some string analysis to find things like
ranges of inputs for intents, etc.

Kris

[1] SCanDroid: Automated security certification of Android applications

On Thu, Feb 23, 2012 at 9:52 AM, Mark Murphy <mmurphy@commonsware.com> wrote:
> Static analysis like this usually fails for things like reflection.
> IOW, it will fail the same places that, say, ProGuard will fail.
>
> On Thu, Feb 23, 2012 at 9:17 AM, Yaron Reinharts
> <yaron.reinharts@gmail.com> wrote:
>> Hi,
>>
>> Regarding "Can it made redundant..through automatic application
>> introspection.."
>>
>> It can be done, check out http://android-permissions.org/
>> "A static analysis tool and permission map for identifying permission use in
>> Android applications"
>>
>> By the way, by saying that it can be done I'm not suggesting that this tool
>> will do the work :)
>>
>> /Yaron
>>
>>
>> --
>> Yaron Reinharts
>> Smart Drive Applications
>> http://www.poncho.co.il/gateaway.php
>> https://market.android.com/details?id=com.poncho.gsm.gate.activities
>>
>> On 02/23/2012 03:23 PM, Mark Murphy wrote:
>>>
>>> On Thu, Feb 23, 2012 at 6:57 AM, Raja Nagendra Kumar
>>> <nagendra.raja@tejasoft.com>  wrote:
>>>>
>>>> Can Android Run time introspect at run time or during compile time and
>>>> prepare such info based on the API used by the application...
>>>
>>> No.
>>>
>>>> Can it made redundant..through automatic application introspection..
>>>
>>> No.
>>>
>>>> Basically looking for why android is designed for explicit permissions
>>>> declaration.. when it can be automatically discovered at compiler time
>>>> or at run time..
>>>
>>> While the need for permissions could be determined at runtime, if you
>>> would prompt the user for the permission then, you wind up with a
>>> Vista-style "The CPU would like to execute an instruction: allow?
>>> deny?" UX, which is not pleasant.
>>>
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "Android Developers" group.
>> To post to this group, send email to android-developers@googlegroups.com
>> To unsubscribe from this group, send email to
>> android-developers+unsubscribe@googlegroups.com
>> For more options, visit this group at
>> http://groups.google.com/group/android-developers?hl=en
>
>
>
> --
> Mark Murphy (a Commons Guy)
> http://commonsware.com | http://github.com/commonsguy
> http://commonsware.com/blog | http://twitter.com/commonsguy
>
> Android Training...At Your Office: http://commonsware.com/training
>


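Added example, not part of the original thread and not code from the paper or from SCanDroid: a minimal constant-propagation pass showing why reflection with hardcoded strings still resolves to a permission, while a class name taken from outside input has to be reported as unresolved. The tuple-based instruction format, the register names, and the two-entry permission map are assumptions constructed for this illustration.

```python
# Constructed excerpt of an API-to-permission map (assumption, not the published map).
PERMISSION_MAP = {
    "android.telephony.SmsManager.sendTextMessage": "android.permission.SEND_SMS",
    "android.telephony.TelephonyManager.getDeviceId": "android.permission.READ_PHONE_STATE",
}

def analyze(instructions):
    """Constant-propagate over one straight-line method body (hypothetical toy IR).

    Returns (permissions, unresolved): the permissions reached, and the indices
    of reflective invocations whose target could not be determined statically.
    """
    env = {}  # register -> ("str" | "class" | "method", value), or None if unknown
    permissions, unresolved = set(), []
    for index, ins in enumerate(instructions):
        op = ins[0]
        if op == "const":                       # ("const", dst, "literal")
            env[ins[1]] = ("str", ins[2])
        elif op == "move":                      # ("move", dst, src)
            env[ins[1]] = env.get(ins[2])
        elif op == "input":                     # ("input", dst): value from outside
            env[ins[1]] = None
        elif op == "invoke":                    # ("invoke", target, [args], dst)
            _, target, args, dst = ins
            vals = [env.get(a) for a in args]
            result = None
            if target == "java.lang.Class.forName":
                if vals[0] and vals[0][0] == "str":
                    result = ("class", vals[0][1])
            elif target == "java.lang.Class.getMethod":
                cls, name = vals
                if cls and cls[0] == "class" and name and name[0] == "str":
                    result = ("method", cls[1] + "." + name[1])
            elif target == "java.lang.reflect.Method.invoke":
                if vals[0] and vals[0][0] == "method":
                    target = vals[0][1]         # reflective call resolved to a real API
                else:
                    unresolved.append(index)    # must be reported, not silently dropped
            if target in PERMISSION_MAP:
                permissions.add(PERMISSION_MAP[target])
            if dst:
                env[dst] = result
    return permissions, unresolved

# Constructed sample method bodies: same reflective tail, different class-name source.
TAIL = [("invoke", "java.lang.Class.forName", ["v0"], "v1"),
        ("const", "v2", "sendTextMessage"),
        ("invoke", "java.lang.Class.getMethod", ["v1", "v2"], "v3"),
        ("invoke", "java.lang.reflect.Method.invoke", ["v3"], None)]
HARDCODED = [("const", "v0", "android.telephony.SmsManager")] + TAIL
USER_SUPPLIED = [("input", "v0")] + TAIL
```

A real analysis also has to handle branches, loops, and strings built by concatenation, which is where the string analysis mentioned above comes in.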