Context

In Android, an Activity (and, up to API level 28, a Fragment too) can start another Activity expecting to receive an Intent in response using the method startActivityForResult.

If the target Activity is started with an implicit Intent, which means that any application could intercept it and return a response, the Intent that the original Activity receives back becomes potentially tainted since it comes from an untrusted source.

This PR introduces a new RemoteFlowSource that attempts to model this behavior, considering the Intent parameter of onActivityResult a source, only when the Activity or Fragment that implements it also calls startActivityForResult with an implicit Intent.

Caveats

• To properly model the source, data flow analysis is needed. This means that a DataFlow5::Configuration instance is brought into the global scope, which is not ideal. I'm open to suggestions about how to improve this. I guess we could create another copy of the DataFlow library as we did with DataFlowForSerializability, but that doesn't sound like a desirable solution in the long run.

• In the current implementation, the source is only correctly identified if both the callable in which the call to startActivityForResult occurs and the implementation of onActivityResult are declared in the same type (Activity or Fragment). Check the TestMissing.java test case to see an example of a source that isn't supported by this PR.