On Monday, April 23, 2012 11:22:51 AM UTC-4, atta wrote:
>
> I understand your point about JNI and reflection. I don't have a solution for JNI, but for reflection, I think we can use a static analyzer to see if it's been used to load certain classes or make calls to certain methods.
>
You might be able to find out if reflection is used at all, but you won't be able to tell what code is being reflected without executing/simulating the code to find the argument to the reflection.

> What I don't know about is "constructed intent". Could you please elaborate?
>

Similarly, code can construct an Intent with parameters that can't be known without executing/simulating the code.

Consider the extreme case: the android-app equivalent to a command line shell, which gives the user text fields into which they can enter parameters to the reflection or Intent - obviously, there is no way to know what they enter. Then consider the less extreme case, in which those parameters are produced internally in a highly obfuscated way. Or the variant case where they seem to come from a straightforward source, but actually come from someplace else (like a network socket) due to the code having an intentional "bug" in it...
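
The distinction drawn in this reply, as an added example that is not part of the original thread: a line-based triage over constructed Java source that reports reflection and Intent call sites and marks those whose target is not a string literal as unresolvable without execution. It is a simplification (real analyzers work on bytecode with constant propagation); the sink list, function names and sample are assumptions made for illustration.

```python
import re

# Call sites whose first argument names the class, method or Intent action.
# This sink list is an illustrative assumption, not an exhaustive one.
SINKS = ("Class.forName", "getMethod", "getDeclaredMethod",
         "new Intent", "setAction", "setClassName")
CALL = re.compile(r"(%s)\s*\(\s*([^,)]*)" % "|".join(re.escape(s) for s in SINKS))
LITERAL = re.compile(r'^"([^"\\]*)"$')


def triage(java_source):
    """Return (line_no, sink, target) tuples. target is the literal string,
    or None when the argument is computed at run time and therefore cannot
    be resolved by looking at the code alone."""
    findings = []
    for no, line in enumerate(java_source.splitlines(), 1):
        for m in CALL.finditer(line):
            arg = m.group(2).strip()
            if not arg:            # e.g. "new Intent()" names no target here
                continue
            lit = LITERAL.match(arg)
            findings.append((no, m.group(1), lit.group(1) if lit else None))
    return findings


def unresolved(java_source):
    """Call sites that need execution or simulation (or manual review)."""
    return [(no, sink) for no, sink, target in triage(java_source)
            if target is None]


# Constructed sample: literal targets, a user text field, an obfuscated
# decoder, and a value read from a socket, as in the cases described above.
SAMPLE = '''\
Class<?> a = Class.forName("android.telephony.SmsManager");
Class<?> b = Class.forName(editText.getText().toString());
Method m = b.getMethod(decode(blob), String.class);
Intent i = new Intent("android.intent.action.VIEW");
Intent j = new Intent(); j.setAction(readLine(socket));
'''

if __name__ == "__main__":
    for no, sink, target in triage(SAMPLE):
        print(no, sink, target if target is not None else "<unresolved>")
```
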
