Recently, I used FlowDroid to conduct a taint analysis on the Exceptions1.apk file under the directory of GeneralJava and found that FlowDroid detected a leak successfully. The leak oracle written in the comments of the source code is as follows:
```java
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.telephony.SmsManager;
import android.telephony.TelephonyManager;

/**
 * @testcase_name Exceptions1
 * @version 0.1
 * @author Secure Software Engineering Group (SSE), European Center for Security and Privacy by Design (EC SPRIDE)
 * @author_mail steven.arzt@cased.de
 *
 * @description tainted data is created and sent out in an exception handler
 * @dataflow source -> imei -> exception handler -> sink
 * @number_of_leaks 1
 * @challenges the analysis must handle exceptions
 */
public class Exceptions1 extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        String imei = "";
        try {
            TelephonyManager telephonyManager = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
            imei = telephonyManager.getDeviceId(); //source
            throw new RuntimeException();
        }
        catch (RuntimeException ex) {
            SmsManager sm = SmsManager.getDefault();
            sm.sendTextMessage("+49 1234", null, imei, null, null); //sink, leak
        }
    }
}
```
I can figure out that the source API is located in the unit telephonyManager.getDeviceId() and the sink API is located in the unit sm.sendTextMessage("+49 1234", null, imei, null, null). However, according to the default SourcesAndSinks.txt file provided by FlowDroid, the source and sink APIs mentioned above are accompanied by corresponding permissions of the Android app. After checking the source code of Exceptions1.apk, I found that no permission is listed in the manifest.xml file.
So I am wondering whether the leak behavior actually takes place in the APK without the permissions required by the source and sink APIs, and whether the leak oracle listed in the source code of Exceptions1.apk is correct.
Maybe I have completely overlooked some configuration settings in FlowDroid that can be used to figure out the permission problems. If so, I would be very grateful if you could spare the time to help me out. Thank you so much!
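One way to run the cross-check the issue describes outside FlowDroid, as an added example that is not part of the original issue or of FlowDroid's code: it parses entries in the SourcesAndSinks.txt format and reports which permissions listed for a flow's source and sink are absent from a decoded manifest. The sample list, the sample manifest, the function names and the handling of `%` lines as comments are assumptions made for this sketch.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Entry shape: <class: return name(args)> [permission ...] -> _SOURCE_ | _SINK_ | _BOTH_
ENTRY = re.compile(r"^(<.+\)>)\s*(.*?)\s*->\s*_(SOURCE|SINK|BOTH)_\s*$")
SOURCE_SIG = "<android.telephony.TelephonyManager: java.lang.String getDeviceId()>"
SINK_SIG = "<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String,java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>"

# Constructed sample in the SourcesAndSinks.txt format (not copied from the shipped file).
SAMPLE_LIST = f"""\
% constructed sample; lines starting with % are skipped as comments
{SOURCE_SIG} android.permission.READ_PHONE_STATE -> _SOURCE_
{SINK_SIG} android.permission.SEND_SMS -> _SINK_
"""
# Constructed decoded manifest without any <uses-permission>, as the issue reports.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application><activity android:name=".Exceptions1"/></application>
</manifest>
"""

def parse_sources_and_sinks(text):
    """Map each method signature to (kind, permissions listed on its line)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue
        m = ENTRY.match(line)
        if m:
            sig, perms, kind = m.groups()
            entries[sig] = (kind, set(perms.split()))
    return entries

def declared_permissions(manifest_xml):
    """Collect android:name of every <uses-permission> in a decoded (text) manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def undeclared_permissions(flow, entries, declared):
    """For the signatures in a reported flow, return listed permissions the manifest lacks."""
    gaps = {sig: sorted(entries[sig][1] - declared) for sig in flow if sig in entries}
    return {sig: perms for sig, perms in gaps.items() if perms}

if __name__ == "__main__":
    entries = parse_sources_and_sinks(SAMPLE_LIST)
    declared = declared_permissions(SAMPLE_MANIFEST)
    for sig, perms in undeclared_permissions((SOURCE_SIG, SINK_SIG), entries, declared).items():
        print(f"{entries[sig][0]:6} {sig}\n       not declared: {', '.join(perms)}")
```

The manifest inside an APK is binary XML, so it has to be decoded to text (or taken from the app's source tree) before `declared_permissions` can read it.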