Is there any CLI option to exclude packages from analysis?

[r1pu5u]

Hi FlowDroid team,

I’m currently analyzing a large Android application (Kotlin + Jetpack Compose) and I’m running into severe performance and memory issues. The analysis appears to fully process framework and third-party libraries such as androidx, kotlin, com.google, and other large SDKs.

I’m wondering whether there is any way to exclude packages via the CLI when using soot-infoflow-cmd.

This is the command I’m currently using:

java -Xmx13g -jar soot-infoflow-cmd/target/soot-infoflow-cmd-jar-with-dependencies.jar \
  -a app.apk \
  -p ~/Android/Sdk/platforms \
  -s DeeplinkWebview.txt \
  -cg CHA \
  -tw NONE \
  -aa NONE \
  -ds FLOWINSENSITIVE \
  -nc \
  -ns \
  -l NONE

Despite disabling callbacks, static tracking, and using a flow-insensitive solver, memory usage still grows very large. Below is a shortened excerpt of the output:

[Low memory monitor] INFO soot.jimple.infoflow.memory.MemoryWarningSystem -
Triggering memory warning at 12621 MB (13958 MB max, 12566 in watched memory pool)...
...
[Low memory monitor] WARN soot.jimple.infoflow.memory.FlowDroidMemoryWatcher -
Running out of memory, solvers terminated
...
[main] INFO soot.jimple.infoflow.android.SetupApplication -
Data flow solver took 1158 seconds. Maximum memory consumption: 12674 MB
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 2 leaks from 2 sources

[StevenArzt]

Your configuration seems suboptimal. Using CHA as a callgraph algorithm will save some time during callgraph construction, but will lead to a much larger CG that the taint analysis then needs to explore. You will usually spend a lot more time (and memory) on these false paths than whatever you gained during CG construction.

Having no taint wrapper (-tw NONE) disables the library summaries, forcing FlowDroid to descend into each library. This will take a lot of extra effort for no apparent reason.

Disabling the alias analysis (-aa NONE) will save time and memory, but you will only get a subset of results. Which results are missing depends on how the compiler that created the DEX files chose to represent some Kotlin code. I don't see how you could interpret the outcome aside from "I got a random subset of flows".

The context-insensitive solver (-ds FLOWINSENSITIVE) will also lead to spurious flows and might hurt more than it helps.

Excluding static flows (-ns) might actually help, so I'd keep that if you're struggling with memory consumption.

In general, FlowDroid may need a lot of memory when analyzing large apps. The problem is not your average app, but the occasional outlier. It's challenging to tell in advance how much memory will be required for analyzing a given app because there is no simple correlation between, e.g., app size and time/memory consumption.

Since I don't have your app, it's difficult to tell whether 13 GB should suffice or not. FlowDroid is built to deal with OOMs gracefully. You will get the leaks that were found before the OOM occurred. Depending on your use case, that might already be something to work with.

If you can assign more memory, that's always worth trying. We run our large-scale paper studies on massive compute servers (I just saw -Xmx750g in a script for the most recent paper) and FlowDroid scales to that. We don't have a single OOM in that dataset.

If you want to exclude libraries, the best option is to provide a library model such that FlowDroid still knows the taint semantics of that library. You can have a look at the summariesManual folder for examples.

If you're desperate, you can also patch SummaryMetaData.xml in the same folder to exclude a class by marking it as exclusive. This will tell the taint wrapper to assume that it has a full model of the respective class even if there is no model. It will then just skip these classes.