Exploitability Rules
For Android, some source-to-sink flows are only considered valid if the root callable of the flow is also reachable from outside the app. That access is controlled by the exported setting of the component in the manifest file. Exploitability rules let us additionally constrain a source-to-sink rule on a call-chain flow from the root callable of the source-to-sink flow up to a call-chain effect source, which is identified using the Android manifest. For example:
import android.app.Activity;
import android.os.Bundle;

class ExportedActivity extends Activity {
  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    // Root callable of the source-to-sink flow below. Whether the issue is
    // reported depends on whether ExportedActivity is exported in the manifest.
    Util.exploitabilityRootCallable(this);
  }
}

class Util {
  static void exploitabilityRootCallable(Activity activity) {
    // getSource() stands for a source of kind ActivityUserInput and
    // toSink() for a sink of kind LaunchingComponent; both are illustrative.
    toSink(activity.getSource());
  }
}
Suppose we want to report an issue only if the Android manifest sets exported: true for ExportedActivity. The exploitability rule can be specified as follows:
{
"name": "Source to sink flow is reachable from an exported class",
"code": 1,
"description": "Values from source may eventually flow into sink",
"sources": [
"ActivityUserInput"
],
"effect_sources": [
"Exported"
],
"sinks": [
"LaunchingComponent"
]
}
Here, the source-to-sink flow is found in exploitabilityRootCallable(), but the issue is reported only if ExportedActivity has exported: true in the Android manifest. The resulting call chain looks like this:
ExportedActivity::onCreate(): with effect_source: Exported
  |
exploitabilityRootCallable(): with inferred effect_sink:
  |   SourceAsTransform[ActivityUserInput]@LaunchingComponent
  +-----------------+-----------------+
  |                                   |
getSource(): with                  toSink(): with
source kind: ActivityUserInput     sink kind: LaunchingComponent
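The Exported effect source hinges on what the manifest actually says about a component, and that is less obvious than a single attribute: before API 31 an intent-filter made a component exported by default, content providers were exported by default before API 17, and from API 31 the build requires an explicit value. The following added example (not Mariana Trench's own manifest parsing; the helper names and the sample manifest are constructed for illustration) shows how to decide, for each component in a manifest, whether it would qualify as exported under those rules:

```python
# Added example: decide which manifest components count as "exported".
# Not Mariana Trench's own manifest parser; helper names and the sample
# manifest below are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest covering the cases that matter: an explicit
# exported="true", an explicit exported="false", a legacy component whose
# <intent-filter> implies exported on targetSdk < 31, and a component with
# neither attribute nor filter.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:targetSdkVersion="30" />
  <application>
    <activity android:name=".ExportedActivity" android:exported="true" />
    <activity android:name=".InternalActivity" android:exported="false" />
    <activity android:name=".ImplicitActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
      </intent-filter>
    </activity>
    <service android:name=".PrivateService" />
  </application>
</manifest>
"""


def _attr(elem, name):
    # Attributes in the android namespace are stored as "{ns}name".
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _qualify(package, name):
    # ".Foo" is shorthand for "<package>.Foo".
    return package + name if name.startswith(".") else name


def is_exported(component, target_sdk):
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # No explicit attribute: providers were exported by default before
    # API 17; other components were exported by default when they carried
    # an <intent-filter> and the app targets API < 31. From API 31 the
    # build rejects a missing attribute, so treat it as not exported.
    if component.tag == "provider":
        return target_sdk < 17
    has_filter = component.find("intent-filter") is not None
    return has_filter and target_sdk < 31


def exported_components(manifest_xml):
    """Map fully qualified component name -> whether it is exported."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    target_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and _attr(uses_sdk, "targetSdkVersion"):
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion"))
    result = {}
    app = root.find("application")
    if app is None:
        return result
    for comp in app:
        if comp.tag in COMPONENT_TAGS:
            name = _qualify(package, _attr(comp, "name") or "")
            result[name] = is_exported(comp, target_sdk)
    return result


if __name__ == "__main__":
    for name, exported in exported_components(SAMPLE_MANIFEST).items():
        print("%-40s exported=%s" % (name, exported))
```

Run as a script it lists each component with its effective exported state; ImplicitActivity comes out exported even though the attribute is absent, which is exactly the case a rule keyed only on the literal exported: true attribute would miss.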