Hi,

i have followed instructions from http://siis.cse.psu.edu/ic3/source.html in order to build IC3, but I got a following exception while building:
[INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 16.739s [INFO] Finished at: Mon Jun 15 16:39:45 CEST 2015 [INFO] Final Memory: 6M/240M [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal on project ic3: Could not resolve dependencies for project edu.psu.cse.siis:ic3:jar:0.1.1-SNAPSHOT: Could not find artifact edu.psu.cse.siis:coal:jar:0.1.7-SNAPSHOT in soot-repo (https://raw.github.com/siis/soot/mvn-repo/) -> [Help 1]

Can you help me with this?

Thank you in advance,
Vitalii

Hi Damien,

i have developed a simple app, which reads IMEI in one activity, then passes it to another activity and then sends it via SMS.

But it seems that IC3 can not identify startActivity of the first component.
Can you take a look on it?
An Apk can be found here: https://drive.google.com/file/d/0BxV2Pl6rGO7uaGs1RDBBLUZNNUU/view?usp=sharing

Thank you in advance.

Best Regards,
Vitalii

I use ic3-0.2.0-bin and dare to analyze some Android apk, and obtain a great deal of information about inter-component communication in exporting file "(specified path -out)/(packagename)_.txt".

When I get a new folder "sootOutput" in ./ when I run the ic3 cmd as follow:

java -jar ../ic3-0.2.0/ic3-0.2.0-full.jar -apkormanifest ./1.apk -input ./out/retargeted/1 -cp ../ic3-0.2.0/android.jar -out ./out2 -protobuf ./out2

The "sootOutput" always be empty iin my test, so I can't makesure the use of this folder. Do it will have some output files in certain special cases?

Thanks.

Dear developers:

I am trying to run IC3 from Eclipse, but the source code could not find
import edu.psu.cse.siis.ic3.Ic3Data;
import edu.psu.cse.siis.ic3.Ic3Data.Application.Builder;
import edu.psu.cse.siis.ic3.Ic3Data.Application.Component;
import edu.psu.cse.siis.ic3.Ic3Data.Application.Component.ComponentKind;
import edu.psu.cse.siis.ic3.Ic3Data.Application.Component.IntentFilter;
import edu.psu.cse.siis.ic3.Ic3Data.Attribute;
import edu.psu.cse.siis.ic3.Ic3Data.AttributeKind;

I wonder how can i fix it.
Thank you very much!

I ran IC3 on a simple app using following command:
java -jar ic3-0.2.0-full.jar -computecomponents -input /home/ubuntu/data/apks/dare_kara888/retargeted/kara888/ -apkormanifest /home/ubuntu/data/apks/kara888.apk -cp android.jar -db db/cc.properties.template

The result is fine but in some cases, the exit components (where ICC calls are being made) are wrong. For example:

com.jeyteam.karafarin.MainActivity$2$1$2/void onClick(android.content.DialogInterface,int) : virtualinvoke r12.<com.jeyteam.karafarin.MainActivity: void startActivity(android.content.Intent)>(r2) Components: [com.jeyteam.karafarin.tests.MBTIResultActivity, com.jeyteam.karafarin.tests.EQIActivity, com.jeyteam.karafarin.reminder.ReminderService, com.jeyteam.karafarin.CanvasBusinessActivity, com.jeyteam.karafarin.StarterActivity, com.jeyteam.karafarin.utils.ReceiveSms, com.jeyteam.karafarin.HistoryActivity, com.jeyteam.karafarin.tests.EQIResultActivity, com.jeyteam.karafarin.MainActivity, com.jeyteam.karafarin.BuyActivity, com.jeyteam.karafarin.tests.MBTIActivity] 0 : Value: 1 path values action=android.intent.action.VIEW, dataType=application/vnd.android.package-archive, flags=[268435456], uri=file://(.*),

Or this case:

com.jeyteam.karafarin.StarterActivity/void r() : virtualinvoke r0.<com.jeyteam.karafarin.StarterActivity: void startActivity(android.content.Intent)>(r4) Components: [com.jeyteam.karafarin.tests.MBTIResultActivity, com.jeyteam.karafarin.tests.EQIActivity, com.jeyteam.karafarin.reminder.ReminderService, com.jeyteam.karafarin.CanvasBusinessActivity, com.jeyteam.karafarin.StarterActivity, com.jeyteam.karafarin.utils.ReceiveSms, com.jeyteam.karafarin.HistoryActivity, com.jeyteam.karafarin.tests.EQIResultActivity, com.jeyteam.karafarin.MainActivity, com.jeyteam.karafarin.BuyActivity, com.jeyteam.karafarin.tests.MBTIActivity] 0 : Value: 1 path values clazz=com/jeyteam/karafarin/MainActivity, package=com.jeyteam.karafarin,

In former case, Components should only contain com.jeyteam.karafarin.MainActivity and it should contain only com.jeyteam.karafarin.StarterActivity in latter case but there many other components. Am i wrong?

Any app I analyze with ic3, I get always this error. Why?

_Manifest_
Exception in thread "main" java.lang.NullPointerException
at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:278)
at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:65)
at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:70)
at edu.psu.cse.siis.ic3.Main.main(Main.java:14)

I try to compile IC3 with newest version of Soot and FlowDroid. But lots of files are missing, such as the icc.cmodel. In you release file ic3-full.jar these files exits but I can't find these files in github.

Hello, I am running ic3 with the following error.Could you please tell me how to solve it？

java -jar ic3-0.2.0-full.jar -input ../ydjt/retargeted/ydjtdx -apkormanifest ../ydjtdx.apk -cp android.jar -protobuf ../ydjt

Part of the output：

 label1579:
    if $i0 == 1955 goto label1576;

 label1580:
    virtualinvoke $r2422.<com.orient.orframework.android.BaseFragmentActivity: void onPause()>();

    if $i0 == 1956 goto label1575;

    if $i0 == 1957 goto label1581;

    if $i0 == 1958 goto label1575;

 label1581:
    if $i0 == 1960 goto label1592;

    $r2426 = new com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity;

    specialinvoke $r2426.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity: void <init>()>();

    if $i0 == 1961 goto label1592;

    $r2427 = new android.os.Bundle;

    specialinvoke $r2427.<android.os.Bundle: void <init>()>();

    virtualinvoke $r2426.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity: void onCreate(android.os.Bundle)>($r2427);

    $r2427 = null;

 label1582:
    virtualinvoke $r2426.<com.orient.orframework.android.BaseActivity: void onResume()>();

    if $i0 == 1962 goto label1590;

 label1583:
    $r2428 = new com.orient.mobileuniversity.scientific.breakpoint.DownloadInfo;

    specialinvoke $r2428.<com.orient.mobileuniversity.scientific.breakpoint.DownloadInfo: void <init>(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long,long)>("", "", "", "", 0L, 0L);

    $r2429 = new com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity$1;

    specialinvoke $r2429.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity$1: void <init>(com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity,com.orient.mobileuniversity.scientific.breakpoint.DownloadInfo)>($r2426, $r2428);

    if $i0 == 1963 goto label1584;

    $r2430 = new android.view.View;

    specialinvoke $r2430.<android.view.View: void <init>(android.content.Context)>($r2426);

    virtualinvoke $r2429.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity$1: void onClick(android.view.View)>($r2430);

    $r2430 = null;

 label1584:
    if $i0 == 1964 goto label1585;

    $r2431 = new android.view.KeyEvent;

    specialinvoke $r2431.<android.view.KeyEvent: void <init>(int,int)>(0, 0);

    $z118 = virtualinvoke $r2426.<android.app.Activity: boolean onKeyUp(int,android.view.KeyEvent)>(0, $r2431);

    $r2431 = null;

 label1585:
    if $i0 == 1965 goto label1586;

    virtualinvoke $r2426.<android.app.Activity: void setContentView(int)>(0);

 label1586:
    if $i0 == 1966 goto label1587;

    $r2432 = new android.view.View;

    specialinvoke $r2432.<android.view.View: void <init>(android.content.Context)>($r2426);

    virtualinvoke $r2426.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity: void onClick(android.view.View)>($r2432);

    $r2432 = null;

 label1587:
    $r2433 = new com.orient.mobileuniversity.scientific.breakpoint.DownloadInfo;

    specialinvoke $r2433.<com.orient.mobileuniversity.scientific.breakpoint.DownloadInfo: void <init>(java.lang.String,java.lang.String,java.lang.String,java.lang.String,long,long)>("", "", "", "", 0L, 0L);

    $r2434 = new com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity$3;

    specialinvoke $r2434.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity$3: void <init>(com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity,com.orient.mobileuniversity.scientific.breakpoint.DownloadInfo)>($r2426, $r2433);

    if $i0 == 1967 goto label1588;

    $r2435 = new android.view.View;

    specialinvoke $r2435.<android.view.View: void <init>(android.content.Context)>($r2426);

    virtualinvoke $r2434.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity$3: void onClick(android.view.View)>($r2435);

    $r2435 = null;

 label1588:
    $r2436 = new com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity$2;

    specialinvoke $r2436.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity$2: void <init>(com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity)>($r2426);

    if $i0 == 1968 goto label1589;

    virtualinvoke $r2436.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity$2: void onCheckedChanged(android.widget.CompoundButton,boolean)>(null, false);

 label1589:
    if $i0 == 1969 goto label1583;

 label1590:
    virtualinvoke $r2426.<com.orient.orframework.android.BaseActivity: void onPause()>();

    if $i0 == 1970 goto label1582;

    if $i0 == 1971 goto label1591;

    if $i0 == 1972 goto label1582;

 label1591:
    virtualinvoke $r2426.<com.orient.mobileuniversity.scientific.AnnouncementDownloadActivity: void onDestroy()>();

 label1592:
    if $i0 == 1974 goto label1606;

    $r2437 = new com.orient.mobileuniversity.scientific.FundListActivity;

    specialinvoke $r2437.<com.orient.mobileuniversity.scientific.FundListActivity: void <init>()>();

    if $i0 == 1975 goto label1606;

    $r2438 = new android.os.Bundle;

    specialinvoke $r2438.<android.os.Bundle: void <init>()>();

    virtualinvoke $r2437.<com.orient.mobileuniversity.scientific.FundListActivity: void onCreate(android.os.Bundle)>($r2438);

    $r2438 = null;

 label1593:
    $r2439 = new android.os.Bundle;

    specialinvoke $r2439.<android.os.Bundle: void <init>()>();

    virtualinvoke $r2437.<com.orient.orframework.widget.SlidingMenu.app.SlidingActivity: void onPostCreate(android.os.Bundle)>($r2439);

    $r2439 = null;

 label1594:
    virtualinvoke $r2437.<com.orient.mobileuniversity.scientific.FundListActivity: void onResume()>();

    if $i0 == 1976 goto label1605;

 label1595:
    if $i0 == 1977 goto label1596;

    virtualinvoke $r2437.<com.orient.orframework.widget.SlidingMenu.app.SlidingActivity: void setContentView(int)>(0);

 label1596:
    if $i0 == 1978 goto label1597;

    $r2440 = new android.view.View;

    specialinvoke $r2440.<android.view.View: void <init>(android.content.Context)>($r2437);

    virtualinvoke $r2437.<com.orient.mobileuniversity.scientific.FundListActivity: void onItemClick(android.widget.AdapterView,android.view.View,int,long)>(null, $r2440, 0, 0L);

    $r2440 = null;

 label1597:
    if $i0 == 1979 goto label1598;

    $r2441 = new android.view.View;

    specialinvoke $r2441.<android.view.View: void <init>(android.content.Context)>($r2437);

    virtualinvoke $r2437.<com.orient.mobileuniversity.scientific.FundListActivity: void onClick(android.view.View)>($r2441);

    $r2441 = null;

 label1598:
    $r2442 = new com.orient.mobileuniversity.scientific.FundListActivity$2;

    specialinvoke $r2442.<com.orient.mobileuniversity.scientific.FundListActivity$2: void <init>(com.orient.mobileuniversity.scientific.FundListActivity,java.util.ArrayList)>($r2437, null);

    if $i0 == 1980 goto label1599;

    $r2443 = new android.view.View;

    specialinvoke $r2443.<android.view.View: void <init>(android.content.Context)>($r2437);

    virtualinvoke $r2442.<com.orient.mobileuniversity.scientific.FundListActivity$2: void onItemClick(android.widget.AdapterView,android.view.View,int,long)>(null, $r2443, 0, 0L);

    $r2443 = null;

 label1599:
    $r2444 = new com.orient.mobileuniversity.common.widget.SearchOptionDialog;

    specialinvoke $r2444.<com.orient.mobileuniversity.common.widget.SearchOptionDialog: void <init>(android.content.Context)>($r2437);

    if $i0 == 1981 goto label1600;

    $r2445 = new android.view.View;

    specialinvoke $r2445.<android.view.View: void <init>(android.content.Context)>($r2437);

    virtualinvoke $r2444.<com.orient.mobileuniversity.common.widget.SearchOptionDialog: void onClick(android.view.View)>($r2445);

    $r2445 = null;

 label1600:
    $r2446 = new com.umeng.analytics.pro.ap;

    specialinvoke $r2446.<com.umeng.analytics.pro.ap: void <init>(android.app.Activity)>($r2437);

    $r2447 = new com.umeng.analytics.pro.ap$1;

    specialinvoke $r2447.<com.umeng.analytics.pro.ap$1: void <init>(com.umeng.analytics.pro.ap)>($r2446);

    if $i0 == 1982 goto label1601;

    virtualinvoke $r2447.<com.umeng.analytics.pro.ap$1: void onActivityPaused(android.app.Activity)>($r2437);

    $r2437 = null;

 label1601:
    if $i0 == 1983 goto label1602;

    virtualinvoke $r2447.<com.umeng.analytics.pro.ap$1: void onActivityResumed(android.app.Activity)>($r2437);

    $r2437 = null;

 label1602:
    if $i0 == 1984 goto label1603;

    $r2448 = new android.view.KeyEvent;

    specialinvoke $r2448.<android.view.KeyEvent: void <init>(int,int)>(0, 0);

    $z119 = virtualinvoke $r2437.<com.orient.orframework.widget.SlidingMenu.app.SlidingActivity: boolean onKeyUp(int,android.view.KeyEvent)>(0, $r2448);

    $r2448 = null;

 label1603:
    if $i0 == 1985 goto label1604;

    $r2449 = new android.content.res.Configuration;

    specialinvoke $r2449.<android.content.res.Configuration: void <init>()>();

    virtualinvoke $r2437.<android.app.Activity: void onConfigurationChanged(android.content.res.Configuration)>($r2449);

    $r2449 = null;

 label1604:
    if $i0 == 1986 goto label1595;

 label1605:
    virtualinvoke $r2437.<com.orient.mobileuniversity.scientific.FundListActivity: void onPause()>();

    $r2450 = new android.os.Bundle;

    specialinvoke $r2450.<android.os.Bundle: void <init>()>();

    virtualinvoke $r2437.<com.orient.orframework.widget.SlidingMenu.app.SlidingActivity: void onSaveInstanceState(android.os.Bundle)>($r2450);

    $r2450 = null;

    if $i0 == 1987 goto label1594;

    if $i0 == 1988 goto label1606;

    if $i0 == 1989 goto label1593;

 label1606:
    if $i0 == 1991 goto label1613;

    $r2451 = new com.orient.mobileuniversity.finance.FinanceDetailActivity;

    specialinvoke $r2451.<com.orient.mobileuniversity.finance.FinanceDetailActivity: void <init>()>();

    if $i0 == 1992 goto label1613;

    $r2452 = new android.os.Bundle;

    specialinvoke $r2452.<android.os.Bundle: void <init>()>();

    virtualinvoke $r2451.<com.orient.mobileuniversity.finance.FinanceDetailActivity: void onCreate(android.os.Bundle)>($r2452);

    $r2452 = null;

 label1607:
    virtualinvoke $r2451.<com.orient.orframework.android.BaseActivity: void onResume()>();

    if $i0 == 1993 goto label1612;

 label1608:
    if $i0 == 1994 goto label1609;

    $r2453 = new android.view.KeyEvent;

    specialinvoke $r2453.<android.view.KeyEvent: void <init>(int,int)>(0, 0);

    $z120 = virtualinvoke $r2451.<android.app.Activity: boolean onKeyUp(int,android.view.KeyEvent)>(0, $r2453);

    $r2453 = null;

 label1609:
    if $i0 == 1995 goto label1610;

    virtualinvoke $r2451.<android.app.Activity: void setContentView(int)>(0);

 label1610:
    if $i0 == 1996 goto label1611;

    $r2454 = new android.view.View;

    specialinvoke $r2454.<android.view.View: void <init>(android.content.Context)>($r2451);

    virtualinvoke $r2451.<com.orient.mobileuniversity.finance.FinanceDetailActivity: void onClick(android.view.View)>($r2454);

    $r2454 = null;

 label1611:
    if $i0 == 1997 goto label1608;

 label1612:
    virtualinvoke $r2451.<com.orient.orframework.android.BaseActivity: void onPause()>();

    if $i0 == 1998 goto label1607;

    if $i0 == 1999 goto label1613;

    if $i0 == 2000 goto label1607;

 label1613:
    if $i0 == 2002 goto label1620;

    $r2455 = new com.orient.mobileuniversity.setting.RSSSubActivity;

    specialinvoke $r2455.<com.orient.mobileuniversity.setting.RSSSubActivity: void <init>()>();

    if $i0 == 2003 goto label1620;

    $r2456 = new android.os.Bundle;

    specialinvoke $r2456.<android.os.Bundle: void <init>()>();

    virtualinvoke $r2455.<com.orient.mobileuniversity.setting.RSSSubActivity: void onCreate(android.os.Bundle)>($r2456);

    $r2456 = null;

 label1614:
    virtualinvoke $r2455.<com.orient.orframework.android.BaseActivity: void onResume()>();

    if $i0 == 2004 goto label1619;

 label1615:
    if $i0 == 2005 goto label1616;

    virtualinvoke $r2455.<android.app.Activity: void setContentView(int)>(0);

 label1616:
    if $i0 == 2006 goto label1617;

    $r2457 = new android.view.View;

    specialinvoke $r2457.<android.view.View: void <init>(android.content.Context)>($r2455);

    virtualinvoke $r2455.<com.orient.mobileuniversity.setting.RSSSubActivity: void onClick(android.view.View)>($r2457);

    $r2457 = null;

 label1617:
    if $i0 == 2007 goto label1618;

    $r2458 = new android.view.KeyEvent;

    specialinvoke $r2458.<android.view.KeyEvent: void <init>(int,int)>(0, 0);

    $z121 = virtualinvoke $r2455.<android.app.Activity: boolean onKeyUp(int,android.view.KeyEvent)>(0, $r2458);

    $r2458 = null;

 label1618:
    if $i0 == 2008 goto label1615;

 label1619:
    virtualinvoke $r2455.<com.orient.orframework.android.BaseActivity: void onPause()>();

    if $i0 == 2009 goto label1614;

    if $i0 == 2010 goto label1620;

    if $i0 == 2011 goto label1614;

 label1620:
    if $i0 == 2013 goto label0001;

    return;
}

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 7.7 seconds.
[Spark] Solution found in 7.7 seconds.
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
at soot.jimple.internal.AbstractInvokeExpr.getArg(AbstractInvokeExpr.java:74)
at edu.psu.cse.siis.coal.arguments.AliasAdjuster.match_virtualinvoke_StringBuilder_XXX(AliasAdjuster.java:146)
at edu.psu.cse.siis.coal.arguments.AliasAdjuster.changeBody(AliasAdjuster.java:183)
at edu.psu.cse.siis.coal.arguments.ConstraintCollector.handleMethod(ConstraintCollector.java:127)
at edu.psu.cse.siis.coal.arguments.ConstraintCollector.globalCollection(ConstraintCollector.java:172)
at edu.psu.cse.siis.coal.arguments.StringValueAnalysis.initialize(StringValueAnalysis.java:50)
at edu.psu.cse.siis.coal.PropagationSceneTransformer.internalTransform(PropagationSceneTransformer.java:63)
at soot.SceneTransformer.transform(SceneTransformer.java:39)
at soot.Transform.apply(Transform.java:90)
at soot.ScenePack.internalApply(ScenePack.java:40)
at soot.Pack.apply(Pack.java:116)
at soot.PackManager.runWholeProgramPacks(PackManager.java:565)
at soot.PackManager.runPacksNormally(PackManager.java:457)
at soot.PackManager.runPacks(PackManager.java:392)
at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:68)
at edu.psu.cse.siis.ic3.Main.main(Main.java:14)

It's a coal specific question (not issue) however tightly relevant to android icc APIs.

As to Intent.model of 20e3164 , some query declarations are Activity specific, but it is modeled as a more general parent class Context, so is it deliberately designed so?

Another question is that some "exit" methods of Activity is ignored, e.g., startIntentSenderFromChild. From android document this api is added from Level 16. In my viewpoint, it should also be intent relevant since it passes an intent and may start another activity similarly.

Hello,

I have downloaded IC3 source code and build it successfully, I was able to retarget some apps using Date project and use them as inputs to IC3 project. IC3 only gives me information from the Manifest file such as components and Intent Filters, same information stored in the database. Tables such as Intents or ExitPoints are totally empty.

I tried IC3 on different apps: small apps that I created, apps from Google Play store, apps provided by IC3 group at http://siis.cse.psu.edu/slides/android-sec-tutorial-apk.tar.gz, in all cases I got the information stored in the Manifest file only.

For example, this is the result of analyzing FriendTracker app:

_Manifest_
Manifest file for org.siislab.tutorial.friendtracker version 1
Activities:
org.siislab.tutorial.friendtracker.FriendTrackerControl
Intent filter:
Actions: [android.intent.action.MAIN]
Categories: [android.intent.category.LAUNCHER]

Activity Aliases:
Services:
org.siislab.tutorial.friendtracker.FriendTracker
Receivers:
org.siislab.tutorial.friendtracker.BootReceiver
Intent filter:
Actions: [android.intent.action.BOOT_COMPLETED]
Providers:
org.siislab.tutorial.friendtracker.FriendProvider
authority: friends
write permission: org.siislab.tutorial.permission.WRITE_FRIENDS

_Result_
[main] INFO edu.psu.cse.siis.ic3.ResultProcessor - org.siislab.tutorial.friendtracker 29 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 36 654 7 361 8 22 0 0 509 92 2014

Another output for running IC3 on a simple app (3 activities, one reachable Intent from MainActivity that starts SecondActivity, and one dynamically registered broadcast receiver):

****(Manifest)****
Manifest file for com.example.testic3 version 1
Activities:
com.example.testic3.MainActivity
Intent filter:
Actions: [android.intent.action.MAIN]
Categories: [android.intent.category.LAUNCHER]
com.example.testic3.SecondActivity
com.example.testic3.ThirdActivity
Intent filter:
Actions: [com.example.testic3.myaction]

Activity Aliases:
Services:
Receivers:
Providers:

_Result_

Also I followed the example given in https://github.com/siis/ic3/issues/17 by @docteau where every thing went smooth except the output didn't show the expected results, neither on the screen nor on the database.

Any help is highly appreciated.

Regards,
Mahmoud

Hello,

I am trying to use IC3 on a simple app. Here is the command that I am using to run IC3 analysis:
java -jar ./ic3-0.2.0-full.jar -apkormanifest ./testic3.apk -input ../dare_output/testIC3/retargeted/ -cp ./android.jar
Rather than getting the expected output, I am getting a NullPointerException:

Exception in thread "main" java.lang.NullPointerException
at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:278)
at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:65)
at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:70)
at edu.psu.cse.siis.ic3.Main.main(Main.java:14)**

********* More Information ********

• testIC3 is a simple app with only two activities, MainActivity sends an Intent to SecondActivity.
• Dare was able to generate the .class files using this command (dare -d ../dare_output/testIC3 ../ic3-0.2.0/testic3.apk)
• Attached is the full stack trace

runIC3.txt

Any help on how to solve this problem is appreciated.

Thanks,
Mahmoud

NullPointerException occurs when I use commond below.
java -jar ic3.jar -apkormanifest -input -db

details:
Exception in thread "main" java.lang.NullPointerException
at java.io.ObjectInputStream$PeekInputStream.read(ObjectInputStream.java:2741)
at java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2757)
at java.io.ObjectInputStream$BlockDataInputStream.readShort(ObjectInputStream.java:3234)
at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:913)
at java.io.ObjectInputStream.(ObjectInputStream.java:375)
at edu.psu.cse.siis.coal.Model.loadModelFromCompiledFile(Model.java:172)
at edu.psu.cse.siis.coal.Analysis.loadModel(Analysis.java:90)
at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:58)
at edu.psu.cse.siis.ic3.Main.main(Main.java:14)

The website cannot be accessed.
http://siis.cse.psu.edu/ic3/

Hello, I recently successfully ran the IC3 tool by running commands on Ubuntu, and got the test results, but the results I am a bit confused, can you tell me what they all mean。For example extras,statement,exit_points,etc.How should I understand What about this result?THANK YOU!!
components { name: "com.anzhi.ad.coverscreen.SA" kind: ACTIVITY exported: false extras { extra: "ads" instruction { statement: "r33 = virtualinvoke $r4.<android.content.Intent: java.lang.String getStringExtra(java.lang.String)>(\"ads\")" class_name: "com.anzhi.ad.coverscreen.SA" method: "<com.anzhi.ad.coverscreen.SA: java.util.Vector b()>" id: 2 } } extras { extra: "currentIndex" instruction { statement: "$i0 = virtualinvoke r1.<android.os.Bundle: int getInt(java.lang.String,int)>(\"currentIndex\", 0)" class_name: "com.anzhi.ad.coverscreen.SA" method: "<com.anzhi.ad.coverscreen.SA: void onCreate(android.os.Bundle)>" id: 16 } } exit_points { instruction { statement: "virtualinvoke r0.<com.anzhi.ad.coverscreen.SA: void startActivity(android.content.Intent)>(r78)" class_name: "com.anzhi.ad.coverscreen.SA" method: "<com.anzhi.ad.coverscreen.SA: void a(com.anzhi.ad.coverscreen.b.a)>" id: 129 } kind: ACTIVITY intents { attributes { kind: ACTION value: "android.intent.action.VIEW" } attributes { kind: FLAG int_value: 335544320 } attributes { kind: CLASS value: "com.tencent.mm.ui.qrcode.GetQRCodeInfoUI" } attributes { kind: PACKAGE value: "com.tencent.mm" } attributes { kind: URI value: "(.*)" } } intents { attributes { kind: ACTION value: "android.intent.action.VIEW" } attributes { kind: FLAG int_value: 335544320 } attributes { kind: URI value: "(.*)" } } } exit_points { instruction { statement: "virtualinvoke r0.<com.anzhi.ad.coverscreen.SA: void startActivity(android.content.Intent)>(r78)" class_name: "com.anzhi.ad.coverscreen.SA" method: "<com.anzhi.ad.coverscreen.SA: void a(com.anzhi.ad.coverscreen.b.a)>" id: 112 } kind: ACTIVITY intents { attributes { kind: FLAG int_value: 335544320 } attributes { kind: CLASS value: "com.tencent.mm.ui.qrcode.GetQRCodeInfoUI" } attributes { kind: PACKAGE value: "com.tencent.mm" } attributes { kind: URI value: "(.*)" } } } exit_points { instruction { statement: "virtualinvoke r0.<com.anzhi.ad.coverscreen.SA: void startActivity(android.content.Intent)>(r80)" class_name: "com.anzhi.ad.coverscreen.SA" method: "<com.anzhi.ad.coverscreen.SA: void a(com.anzhi.ad.coverscreen.b.a)>" id: 141 } kind: ACTIVITY intents { attributes { kind: EXTRA value: "url" } attributes { kind: CLASS value: "com/anzhi/ad/coverscreen/WA" } attributes { kind: PACKAGE value: "com.andan.dievksuqch" } } } exit_points { instruction { statement: "virtualinvoke r0.<android.content.Context: void sendBroadcast(android.content.Intent)>($r1)" class_name: "com.anzhi.ad.coverscreen.CoverAdComponent" method: "<com.anzhi.ad.coverscreen.CoverAdComponent: void close(android.content.Context)>" id: 3 } kind: RECEIVER intents { attributes { kind: ACTION value: "com.screen.main.coverscreen.close" } } } exit_points { instruction { statement: "virtualinvoke r0.<com.anzhi.ad.coverscreen.SA: void sendBroadcast(android.content.Intent)>(r73)" class_name: "com.anzhi.ad.coverscreen.SA" method: "<com.anzhi.ad.coverscreen.SA: void a(com.anzhi.ad.coverscreen.b.a)>" id: 23 } kind: RECEIVER intents { attributes { kind: ACTION value: "broadcast.route.control" } attributes { kind: EXTRA value: "packageName" value: "type" } } } }

Hi, I have runned ic3 with an app of DroidBanch, it's called "ImplicitFlow2".
I get these information:

Warning: java.lang.invoke.LambdaMetafactory is a phantom class!
Warning: java.lang.ref.Finalizer is a phantom class!
Warning: de.ecspride.ImplicitFlow2 is a phantom class!
[main] INFO soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Generated main method:
public static void dummyMainMethod()
{
int $i0;

    $i0 = 0;

 label1:
    if $i0 == 2 goto label1;

    return;
}

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
Callback analysis done.
Warning: RelativeLayout is a phantom class!
Warning: de.ecspride.RelativeLayout is a phantom class!
Warning: android.view.RelativeLayout is a phantom class!
Warning: EditText is a phantom class!
Warning: de.ecspride.EditText is a phantom class!
Warning: android.view.EditText is a phantom class!
Warning: requestFocus is a phantom class!
Warning: de.ecspride.requestFocus is a phantom class!
Warning: android.view.requestFocus is a phantom class!
Warning: android.widget.requestFocus is a phantom class!
Warning: android.webkit.requestFocus is a phantom class!
Could not find layout class requestFocus
Warning: Button is a phantom class!
Warning: de.ecspride.Button is a phantom class!
Warning: android.view.Button is a phantom class!
Found 1 layout controls in file res/layout/activity_implicit_flow2.xml
[main] INFO edu.psu.cse.siis.ic3.SetupApplication - Entry point calculation done.
Warning: de.ecspride.ImplicitFlow2 is a phantom class!
[main] INFO soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Generated main method:
public static void dummyMainMethod()
{
int $i0;

    $i0 = 0;

 label1:
    if $i0 == 2 goto label1;

    return;
}

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
[main] INFO edu.psu.cse.siis.coal.PropagationSceneTransformer - Solving propagation problem (iteration 0)
[main] INFO edu.psu.cse.siis.coal.PropagationSceneTransformer - Reached a fixed point
Transforming android.content.Intent...
Transforming android.content.IntentFilter...
Transforming android.os.Bundle...
Transforming android.content.ComponentName...
Transforming android.app.Activity...
Transforming dummyMainClass...
Transforming de.ecspride.ImplicitFlow2...

_Manifest_
Exception in thread "main" java.lang.NullPointerException
at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:278)
at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:65)
at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:70)
at edu.psu.cse.siis.ic3.Main.main(Main.java:14)

how to understand if there are any leaks?
There are errors in the execution of ic3?

Hi Damien,

i am trying to run IC3 on real-world apps from Google Play Store, but unfortunately the analysis for most of them never finishes. I have 2 days per app as a timeout but no success at all.

Do you have any idea how to improve the runtime of IC3? Maybe I can use some parameters?

Thanks in advance.

Best Regards,
Vitalii

Hi,

I'm using IC3 to perform an inter-component analysis on some real-world Android apps. However, it seems that IC3 is not able to find a subset of IPC communications between components. For example, one of my apps has a service that registers a broadcast receiver to monitor changes in the state of device's battery. Upon a change in the state of battery/charging, the app sends an intent in order to start a new activity.

public class BatteryService extends Service{

	public final static String EXTRA_MESSAGE = "edu.uci.seal.testapp.MESSAGE";
	
	private final BroadcastReceiver batteryStatus = new BroadcastReceiver() {

		@SuppressLint("InlinedApi")
		@Override
		public void onReceive(Context context, Intent intent) {
			Intent intent1 = new Intent(getApplicationContext(), DisplayMessageActivity.class); 
			int status = intent.getIntExtra(BatteryManager.EXTRA_STATUS, -1);
			int chargePlug = intent.getIntExtra(BatteryManager.EXTRA_PLUGGED, -1);
			if(status == BatteryManager.BATTERY_STATUS_CHARGING){
				if(chargePlug == BatteryManager.BATTERY_PLUGGED_USB)
					intent1.putExtra(EXTRA_MESSAGE, "Battery is charging thorugh usb");
				if(chargePlug == BatteryManager.BATTERY_PLUGGED_AC)
					intent1.putExtra(EXTRA_MESSAGE, "Battery is charging thorugh AC");
				if(chargePlug == BatteryManager.BATTERY_PLUGGED_WIRELESS)
					intent1.putExtra(EXTRA_MESSAGE, "Battery is charging wireless");
			}
			if(status == BatteryManager.BATTERY_STATUS_DISCHARGING || status == BatteryManager.BATTERY_STATUS_NOT_CHARGING)
				intent1.putExtra(EXTRA_MESSAGE, "Battery is discharging");
			
			intent1.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
			startActivity(intent1);
		}
	};
}

I generated IC3 analysis result using instructions in the website. Then I used the following code in order to get the components:

        File ipcResults = new File(mApp.getIpcProtoBuf());
        if (ipcResults.exists()) {
            InputStream stream = null;
            try {
                stream = new FileInputStream(mApp.getIpcProtoBuf());
                final Ic3Data.Application application = Ic3Data.Application.parseFrom(stream);
                mIpcComponents.addAll(application.getComponentsList());
            } catch (IOException e) {
                e.printStackTrace();
            }

        }

Then for each component, I iterate over the components to get the exit-points of each, in order to perform an inter-component analysis. For this example, the exit-point list is empty.

I appreciate your help on fixing this issue.

Hi, is Dare still available somewhere? this link is broken http://siis.cse.psu.edu/dare

Hi Damien,

i see from your code that there is a way to configure DB access through *.properties file.

What is the reason to use a hardcoded and predefined name for the database ("cc" in your case)? Can you extract it to *.properties file also?

I am asking because I want to run different instances of IC3 at the same time in a full isolation and, thus, want to use different databases for each instance.

Thanks in advance.

Best Regards,
Vitalii

I'm trying to generate ICC model to use in FlowDroid using IC3. When analyzing apps(including shadowsocks and telegram), it continues outputing things like [main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Ran into a constructor generation loop for class android.util.SparseArray, substituting with null... and can not stop(at least within 10 minutes).

There was really a lot of output. A part of it:

[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Constructor cannot be generated for callback class org.telegram.ui.Co
mponents.ThemeEditorView$1$$Lambda$0
[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Cannot create valid constructor for android.view.WindowManager, becau
se it is an interface and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Cannot create valid constructor for org.telegram.tgnet.TLRPC$Message, because it is abstract and cannot substitute with subclass
[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Ran into a constructor generation loop for class android.util.SparseArray, substituting with null...
[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Ran into a constructor generation loop for class org.telegram.ui.CallLogActivity, substituting with null...
[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Ran into a constructor generation loop for class org.telegram.ui.CallLogActivity, substituting with null...
[main] WARN soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator - Cannot create valid constructor for org.telegram.tgnet.TLRPC$ChatFull, because it is abstract and cannot substitute with subclass

How should I fix it?

Hi,

I am curious what does the "Components" (e.g. Components: [class1, class2, ...]) represent?
Thanks.

Hello,
I have built the source of IC3, then I test some applications and put the results to DB. But some tables in db are empty, such as Intents, Uris, UriData etc. And I'm interesting about the content of those tables.
Another question: can the IC3 detect the communication between applications? or get the values of intent?

Thank you very much！^_^

Hi,
I want to use IC3 for ICC in Android. I have gone through the Epicc research paper and successfully setup IC3 on my machine. After running IC3 on an app I looked at the results and data stored in the database but I was not able to figure out that how to interpret these results. Can you please tell me if there is available any tutorial or guide on how to use IC3 and interpret its result? It would be very helpful for me to understand IC3 more efficiently

Regards,
Fahad Ibrar

My apk are as follows：
1.MainActivity:
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);

    btn = (Button)findViewById(R.id.btn);
    btn.setOnClickListener(new View.OnClickListener() {

        @Override
        public void onClick(View arg0) {
            // TODO Auto-generated method stub
            Intent intent = new Intent();
            intent.setClass(MainActivity.this, second.class);
            startActivity(intent);
            MainActivity.this.finish();
        }
    });
}

2.second:
btn = (Button)findViewById(R.id.btn);
btn.setOnClickListener(new Button.OnClickListener(){

        @Override
        public void onClick(View arg0) {
            // TODO Auto-generated method stub
            Intent intent = new Intent();
            intent.setClass(second.this,third.class);
            startActivity(intent);
            second.this.finish();
        }});
}

3.third:
public class third extends Activity {

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.third);
}

@Override
public boolean onCreateOptionsMenu(Menu menu) {
    // Inflate the menu; this adds items to the action bar if it is present.
    getMenuInflater().inflate(R.menu.main, menu);
    return true;
}

}

Then,I use Dare and Epicc.The results are as follows:

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
Solving ICC problem
Composing values

Manifest file for com.example.hello version 1
Activities:
com.example.hello.MainActivity
Intent filter:
Actions: [android.intent.action.MAIN]
Categories: [android.intent.category.LAUNCHER]
com.example.hello.second
com.example.hello.third

Activity Aliases:
Services:
Receivers:
Providers:

The following ICC values were found:
febbie@febbie-OptiPlex-960:~/Documents/小论文相关工具/epicc-0.1$

I want to know where are Intent values of codes?
please!
thank you!

The website provided in the Readme file: http://siis.cse.psu.edu/ic3/, has become inaccessible. I was unable to get more information about this tool.

Manifest
Exception in thread "main" java.lang.NullPointerException
at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:278)
at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:65)
at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:70)
at edu.psu.cse.siis.ic3.Main.main(Main.java:14)

Hi,
It came out the information when i run IC3
"KNOWN-BUG:While recursing, parameters in this context look the same as the parameters in the callee context.That is a LanguageConstraints.Parameter passed via lc.arguments is really a parameter of this(caller) function,but it will be mistakenly interpreted as a parameter of the callee"
Does it mean IC3 failed to analysis this apk?
Thanks!

Hello,

I downloaded ic3-0.2.0.jar from the release here, then I run the file in its directory using:
java -jar ic3-0.2.0.jar -h

but it didn't work, showing the message 'no main manifest attribute, in ic3-0.2.0.jar'.

Can‘t the ic3-0.2.0.jar be used directly as above or is there a problem with ic3-0.2.0.jar?

Consider a simple application with only one Activity (named MainActivity) declared in its AndroidManifest file. The code of the Activity is shown below:

public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        BroadcastReceiver receiver = new BroadcastReceiver() {
           @Override
            public void onReceive(Context context, Intent intent) {
                Intent i = new Intent();
                context.startActivity(i);
            }
        };
    }
}

The intent that is being sent above is shown in Epicc's output, but not in IC3's output.
The destination of this intent is irrelevant - regardless of its destination,
Epicc shows in its output that an intent is sent in MainActivity$1.onReceive,
but there is no related entry in IC3's output (even if the destination is statically resolvable).

The bug occurs when:

1. The receiver of a method that sends an intent is a method parameter.
   AND
2. The intent is sent within an anonymous class.
   (only one of them was not enough to reproduce the bug).

Dear developers:
I download source code of ic3-0.2.0 and build it ,I found that ic3-0.2.0 can not parse intent in the callback method in the layout XML files.

MainActivity.java

public class MainActivity extends Activity {

	@Override
	protected void onCreate(Bundle savedInstanceState) {
		super.onCreate(savedInstanceState);
		setContentView(R.layout.activity_main);
	}
	
	
	public void startFoo(View view) {
		TelephonyManager tel = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
		String deviceID = tel.getDeviceId();
		Intent intent = new Intent(MainActivity.this,FooActivity.class);
		intent.putExtra("deviceID", deviceID);
		startActivity(intent);
	}


}

activity_main.xml

<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    android:paddingBottom="@dimen/activity_vertical_margin"
    android:paddingLeft="@dimen/activity_horizontal_margin"
    android:paddingRight="@dimen/activity_horizontal_margin"
    android:paddingTop="@dimen/activity_vertical_margin"
    tools:context=".MainActivity" >
    
    <Button
        android:text="显示启动FooActivity"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:onClick="startFoo"
        />

</RelativeLayout>

The result:the Intents table is null,but I used ic3-0.1.0-full.jar ,it does work,the Intents table is not null, can you give me some answers.

Best wishes.

hi,
I launched IC3 using：
D:\test>java -Xmx4g -jar ic3.jar -apkormanifest test.apk -input class -cp android.jar
here's the content under the D:\test

there is some .class files in test/class/

but I failed to launch it with soot.CompilationDeathException:Couldn't resolve classpath entry android.jar:class:
In addition,I run soot for retargeting and get some .class files from a apk like above in test/class/.
"-src-prec","apk",
"-android-jars","D:\work\adt\adt\sdk\platforms",
"-f","c",
"-cp",classpath,
"-process-dir",sootInput_android,
"-d",sootOutput};
Is there some difference from Dare and lead to that Exception?

Hi
please let you tell me what I need to do to launch IC3?

IC3 can be launched using:
% java [JVM options] -jar -apkormanifest <path to .apk>
-input -cp [IC3 options]

you can explain to me the paths of which files I have to add? Thank's

@docteau @aegiryy @hvijay I was trying to analyze sample apk files you guys provided here 'http://siis.cse.psu.edu/android_sec_tutorial.html' , and got the following log:

Do you mind if help explain why I encountered an exception please?

*****Manifest*****
Exception in thread "main" java.lang.NullPointerException
    at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:278)
    at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:65)
    at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:70)
    at edu.psu.cse.siis.ic3.Main.main(Main.java:14)

The full log is as below:

wenhui@wenhui:~/Downloads/ic3/target$ java -Xmx4g -jar ./ic3-0.2.0-full.jar  -apkormanifest ../../android-sec-tutorial-apk/FriendTracker.apk -input ../../ -cp /home/wenhui/Downloads/ic3-0.2.0/android.jar 
Warning: java.lang.invoke.LambdaMetafactory is a phantom class!
Warning: java.lang.ref.Finalizer is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendTracker is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendTrackerControl is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendProvider is a phantom class!
Warning: org.siislab.tutorial.friendtracker.BootReceiver is a phantom class!
[main] INFO  soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator  - Generated main method:
    public static void dummyMainMethod()
    {
        int $i0;

        $i0 = 0;

     label1:
        if $i0 == 8 goto label1;

        return;
    }

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
Callback analysis done.
Warning: LinearLayout is a phantom class!
Warning: org.siislab.tutorial.friendtracker.LinearLayout is a phantom class!
Warning: android.view.LinearLayout is a phantom class!
Warning: TextView is a phantom class!
Warning: org.siislab.tutorial.friendtracker.TextView is a phantom class!
Warning: android.view.TextView is a phantom class!
Warning: Button is a phantom class!
Warning: org.siislab.tutorial.friendtracker.Button is a phantom class!
Warning: android.view.Button is a phantom class!
Found 1 layout controls in file res/layout/main.xml
[main] INFO  edu.psu.cse.siis.ic3.SetupApplication  - Entry point calculation done.
Warning: org.siislab.tutorial.friendtracker.FriendTracker is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendTrackerControl is a phantom class!
Warning: org.siislab.tutorial.friendtracker.FriendProvider is a phantom class!
Warning: org.siislab.tutorial.friendtracker.BootReceiver is a phantom class!
[main] INFO  soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator  - Generated main method:
    public static void dummyMainMethod()
    {
        int $i0;

        $i0 = 0;

     label1:
        if $i0 == 8 goto label1;

        return;
    }

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
[main] INFO  edu.psu.cse.siis.coal.PropagationSceneTransformer  - Solving propagation problem (iteration 0)
[main] INFO  edu.psu.cse.siis.coal.PropagationSceneTransformer  - Reached a fixed point
Transforming android.content.Intent... 
Transforming android.content.IntentFilter... 
Transforming android.os.Bundle... 
Transforming android.content.ComponentName... 
Transforming android.app.Activity... 
Transforming dummyMainClass... 
Transforming org.siislab.tutorial.friendtracker.FriendTracker... 
Transforming org.siislab.tutorial.friendtracker.FriendTrackerControl... 
Transforming org.siislab.tutorial.friendtracker.FriendProvider... 
Transforming org.siislab.tutorial.friendtracker.BootReceiver... 

*****Manifest*****
Exception in thread "main" java.lang.NullPointerException
    at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:278)
    at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:65)
    at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:70)
    at edu.psu.cse.siis.ic3.Main.main(Main.java:14)
wenhui@wenhui:~/Downloads/ic3/target$ java -Xmx4g -jar ./ic3-0.2.0-full.jar  -apkormanifest ../../android-sec-tutorial-apk/  -input ../../ -cp /home/wenhui/Downloads/ic3-0.2.0/android.jar 
[main] ERROR edu.psu.cse.siis.ic3.Ic3Analysis  - Could not process application null
edu.psu.cse.siis.coal.FatalAnalysisException: Could not process manifest file ../../android-sec-tutorial-apk/: java.io.FileNotFoundException: ../../android-sec-tutorial-apk (Is a directory)
    at edu.psu.cse.siis.ic3.Ic3Analysis.initializeAnalysis(Ic3Analysis.java:149)
    at edu.psu.cse.siis.ic3.Ic3Analysis.initializeAnalysis(Ic3Analysis.java:65)
    at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:66)
    at edu.psu.cse.siis.ic3.Main.main(Main.java:14)
wenhui@wenhui:~/Downloads/ic3/target$ java -Xmx4g -jar ./ic3-0.2.0-full.jar  -apkormanifest ../../android-sec-tutorial-apk/*.apk -input ../../ -cp /home/wenhui/Downloads/ic3-0.2.0/android.jar 
Warning: java.lang.invoke.LambdaMetafactory is a phantom class!
Warning: java.lang.ref.Finalizer is a phantom class!
Warning: org.siislab.tutorial.friendseed.FriendSeed is a phantom class!
[main] INFO  soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator  - Generated main method:
    public static void dummyMainMethod()
    {
        int $i0;

        $i0 = 0;

     label1:
        if $i0 == 2 goto label1;

        return;
    }

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
Callback analysis done.
Warning: LinearLayout is a phantom class!
Warning: org.siislab.tutorial.friendseed.LinearLayout is a phantom class!
Warning: android.view.LinearLayout is a phantom class!
Warning: TextView is a phantom class!
Warning: org.siislab.tutorial.friendseed.TextView is a phantom class!
Warning: android.view.TextView is a phantom class!
Found 1 layout controls in file res/layout/main.xml
[main] INFO  edu.psu.cse.siis.ic3.SetupApplication  - Entry point calculation done.
Warning: org.siislab.tutorial.friendseed.FriendSeed is a phantom class!
[main] INFO  soot.jimple.infoflow.entryPointCreators.AndroidEntryPointCreator  - Generated main method:
    public static void dummyMainMethod()
    {
        int $i0;

        $i0 = 0;

     label1:
        if $i0 == 2 goto label1;

        return;
    }

[Call Graph] For information on where the call graph may be incomplete, use the verbose option to the cg phase.
[Spark] Pointer Assignment Graph in 0.0 seconds.
[Spark] Type masks in 0.0 seconds.
[Spark] Pointer Graph simplified in 0.0 seconds.
[Spark] Propagation in 0.0 seconds.
[Spark] Solution found in 0.0 seconds.
[main] INFO  edu.psu.cse.siis.coal.PropagationSceneTransformer  - Solving propagation problem (iteration 0)
[main] INFO  edu.psu.cse.siis.coal.PropagationSceneTransformer  - Reached a fixed point
Transforming android.content.Intent... 
Transforming android.content.IntentFilter... 
Transforming android.os.Bundle... 
Transforming android.content.ComponentName... 
Transforming android.app.Activity... 
Transforming dummyMainClass... 
Transforming org.siislab.tutorial.friendseed.FriendSeed... 

*****Manifest*****
Exception in thread "main" java.lang.NullPointerException
    at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:278)
    at edu.psu.cse.siis.ic3.Ic3Analysis.processResults(Ic3Analysis.java:65)
    at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:70)
    at edu.psu.cse.siis.ic3.Main.main(Main.java:14)

I want to run IC3 in windows,so I wrote a run.bat like this

run.bat
@echo off
set appPath=%1

set forceAndroidJar=H:\ic3\android.jar

rm -rf testspace
mkdir testspace

set appName=%appPath:~0,-4%

set retargetedPath=testspace%appName%.apk\retargeted\retargeted%appName%

rm -rf output/ic3/$appName.txt

java -Xmx8192m -jar RetargetedApp.jar %forceAndroidJar% %appPath% %retargetedPath%
java -Xmx8192m -jar ic3-0.1.0-full.jar -apkormanifest %appPath% -input %retargetedPath% -classpath %forceAndroidJar% -db cc.properties

rm -rf sootOutput

until the first java statement
java -Xmx8192m -jar RetargetedApp.jar %forceAndroidJar% %appPath% %retargetedPath%
finished,everything is OK
but when the second
java -Xmx8192m -jar ic3-0.1.0-full.jar -apkormanifest %appPath% -input %retargetedPath% -classpath %forceAndroidJar% -db cc.properties
is executed,ERROR occured

H:\ic3>java -Xmx8192m -jar ic3-0.1.0-full.jar -apkormanifest ActivityLifecycle2.
apk -classpath "H:\ic3\android.jar" -input "testspace\ActivityLifecycle2.apk\re
targeted\retargeted\ActivityLifecycle2" -db cc.properties
Exception in thread "main" soot.CompilationDeathException: Couldn't resolve clas
spath entry H:\ic3\android.jar:testspace\ActivityLifecycle2.apk\retargeted\retar
geted\ActivityLifecycle2:: java.io.IOException: 文件名、目录名或卷标语法不正确。

    at soot.SourceLocator.explodeClassPath(SourceLocator.java:426)
    at soot.SourceLocator.getClassSource(SourceLocator.java:64)
    at soot.SootResolver.bringToHierarchy(SootResolver.java:200)
    at soot.SootResolver.bringToSignatures(SootResolver.java:252)
    at soot.SootResolver.bringToBodies(SootResolver.java:288)
    at soot.SootResolver.processResolveWorklist(SootResolver.java:164)
    at soot.SootResolver.resolveClass(SootResolver.java:129)
    at soot.Scene.tryLoadClass(Scene.java:629)
    at soot.Scene.loadBasicClasses(Scene.java:1200)
    at soot.Scene.loadNecessaryClasses(Scene.java:1279)
    at edu.psu.cse.siis.ic3.SetupApplication.initializeSoot(SetupApplication

.java:252)
at edu.psu.cse.siis.ic3.SetupApplication.calculateSourcesSinksEntrypoint
s(SetupApplication.java:125)
at edu.psu.cse.siis.ic3.Ic3Analysis.initializeAnalysis(Ic3Analysis.java:
125)
at edu.psu.cse.siis.ic3.Ic3Analysis.initializeAnalysis(Ic3Analysis.java:
64)
at edu.psu.cse.siis.coal.Analysis.performAnalysis(Analysis.java:66)
at edu.psu.cse.siis.ic3.Main.main(Main.java:14)

I think,maybe the reason is format of Windows filepath differences from Linux
Can somebody helps me?
THX!

Hello,

since gradle 3.0.0 aapt2 is used during compilation (https://developer.android.com/studio/build/gradle-plugin-3-0-0.html). The analyses of apps that are compiled without falling back to aapt (android.enableAapt2=false) seem to fail. Important parts such as action strings seem to be unresolved then.
The attached issue.zip contains two .apk files that clarify the issue. Both files represent the same app. The fallback was active/inactive while compiling Test.apk/Test2.apk respectively. For the latter one the action and category of all intent filters cannot be determined.
Any updates planed to fix this issue?

I hotfixed the issue by using the ApkParser to extract the manifest information: https://github.com/FoelliX/ic3
Please let me know if you want to pull the changes. Then i will come up with a pull request.

Regards,
FoelliX