Android Internals
Duration: 5 days

Back to course list Home
Synopsis This course, modeled after Jonathan's Levin's seminal works of the same name, discusses the architecture of Android - covering both its design and its implementation. We examine the features of the Android Operating System, and highlight exactly what it inherits from its Linux core, as well as how it diverges with its idiosyncrasies and "Android-isms". Every nook and cranny of the architecture is explored, with modules discussing specific subsystems, such as the Dalvik Virtual Machine, Android RunTime (ART), the Binder IPC mechanism, Hardware Abstraction Layer (HAL), the Media Framework and Android Power Management.
Target Audience Experienced Android Developers or Implementors; Security Researchers with a deep desire to understand the internals of the world's most popular mobile operating system.
This course is NOT intended for user mode developers who wish to develop GUI applications or use the Android Java SDKs - but can be a great recommended followup for those who already do
  • Describe the architecture of the Android operating system
  • Describe the similarities between Linux and Android
  • Describe the differences between Linux and Android
  • Understand core architectural differences from Froyo (2.2) to Android 11.0 and 13.0!
  • Describe the functions and architecture of the Android Kernel
  • Reverse Engineer Android Apps
  • Understand Android Security, its evolution over history, and its weaknesses
  • Monitor, trace and intercept inter process communication on Android
  • Understand the frameworks of Android, and interception points
  • Understand both the framework layers and the native layer of Android
  • Gain deep knowledge of the DEX, ART and OAT formats
  • Learn to use innovative free tools, such as Dextra, bindump, and jtrace
Exercises This course allocates time for hands-on practice, and plenty of instructor led demos.
The hands-on exercises include:
  • Reverse Engineering an Android App
  • Native level debugging of Activities
  • System call and kernel level tracing
Day 1
1. Introduction - The Android Architecture
5-6 hours
Introduction to the Android architecture. We discuss the design and implementation of the various subsystems, at a modular "black box" level, without going into the source code level (yet).
  • Android features
    • Android vs. Linux vs. Embedded Linux
      • Filesystem layout and directories
        • The Runtime Environment
          • The Frameworks
            • Dalvik (Java)
              • Version differences - 1.5 through L (5.0) to Android T (13.0)
                • User-Mode and Kernel-Mode Architecture
                  • Android Kernel modifications
                    • Recompiling the Kernel
                      2. Android's Hardware Abstraction Layer
                      1 hours
                      The Android Hardware Abstraction Layer is a key component in Android. It enables the operating system to be adapted to different devices. The basic devices of a phone or tablet - the leds, power, vibrator and others - are abstracted by libhardware into virtual hardware devices, and we discuss them here.
                      • The need for a hardware abstraction layer
                        • The basic devices
                          • Camera
                            • Flashlight
                              • GPS
                                • Leds
                                  • Sensors
                                    • Vibrator
                                    • The User Event Daemon
                                      • HAL stubs
                                        • The last stretch - from HAL to the driver
                                          • Android O HAL modifications ("Project Treble")
                                            Day 2
                                            3. Partitions & Filesystems
                                            2 hours
                                            Unlike in a PC or Mac, Android devices have upwards of 20 partitions, and sometimes even double that - with some dozen partitions for Android common across all devices, and the rest vendor dependent. We explore both types, focusing on maintaining the partitions, the files in them, and more.
                                            • UFS vs. eMMC devices
                                              • Device Partition Layout and the GPT
                                                • Android standard partitions
                                                  • Vendor Specific Partitions (QCom, Samsung, MTK)
                                                    • A tour of the Android filesystems (/system, /vendor, /data)
                                                      4-5. Booting
                                                      6 hours
                                                      System startup and initialization - Walk through the various stages, from boot loader through kernel startup to basic setup of user mode processes. We also describe the modification of the boot loaders.
                                                      • The Boot loader, and FastBoot
                                                        • Samsung Odin
                                                          • ARM TrustZone (32-bit) and ELx (64-bit)
                                                            • Kernel Startup
                                                              • User mode init - /init and /init.rc
                                                                • Boot-to-root: Rooting techniques by unlocking the bootloader
                                                                  Day 3
                                                                  6. Native Services
                                                                  2 hours
                                                                  Describing the native services started by init - we walk through each and every one of the AOSP services, as well as some common vendor ones. The list includes:
                                                                  • adbd
                                                                    • servicemanager
                                                                      • healthd (K +)
                                                                        • logd (L +)
                                                                          • lmkd (L +)
                                                                            • keystore
                                                                              • keymaster (M +)
                                                                                • zygote/app_process
                                                                                  • debuggerd
                                                                                    7. Android IPC
                                                                                    2 hours
                                                                                    Android's IPC mechanism is based on Binder, with some UNIX domain sockets on the side. We detail the inner workings of Binder, including:
                                                                                    • IPC and RPC basics
                                                                                      • The servicemanager
                                                                                        • Binder by layers:
                                                                                          • Java: AIDL
                                                                                            • Frameworks: android.os.Binder
                                                                                              • Native level: libBinder, BBinder, BpBinder
                                                                                                • Kernel interface: ProcessState and IPCThreadState
                                                                                                  • Kernel implementation: ioctl(2) codes and protocol
                                                                                                    • hwbinder, vnbinder and other O improvements
                                                                                                    • Other communication mechanisms: Sockets and socketpairs

                                                                                                      Exercises include:
                                                                                                      • Debugging and Tracing Binder IPC
                                                                                                      8. The Input Architecture
                                                                                                      2 hours
                                                                                                      Android has a complex stack to manage various input sources, such as the touch screen, sensors, and external devices. This module traverses that stack, covering each layer in turn:
                                                                                                      • The Linux Kernel Input Model
                                                                                                        • The EventHub
                                                                                                          • The InputReader
                                                                                                            • The InputDispatcher
                                                                                                              • The Activity Views

                                                                                                                Exercises include:
                                                                                                                • Injecting Events
                                                                                                                • Monitoring and Capturing Input Events
                                                                                                                Day 4
                                                                                                                9. Dalvik
                                                                                                                2 hours
                                                                                                                Google would have you believe that Dalvik, the virtual machine architecture, is no longer relevant now that L and later versions use the Android RunTime (ART) by default. This couldn't be further from the truth. In this module, we discuss:
                                                                                                                • The Dalvik VM architecture
                                                                                                                  • The DEX file format
                                                                                                                    • The DEX OpCode and instruction format
                                                                                                                      • Optimizing DEX
                                                                                                                        • Reversing DEX
                                                                                                                          • Obfuscating DEX
                                                                                                                            • The JNI model

                                                                                                                              Exercises include:
                                                                                                                              • Using dexdump and dextra to reverse a Dalvik APK's classes.dex all the way to Java source
                                                                                                                              10. ART
                                                                                                                              1 hours
                                                                                                                              Since its inception as a "preview" in KitKat (4.4), ART has become the de facto standard for Android's application runtime. It has, however, changed with every version, up to and including the N Preview:
                                                                                                                              • The concepts behind ART
                                                                                                                                • Advantages over Dalvik
                                                                                                                                  • The evolution - from 5.0 to the present day
                                                                                                                                    • Reversing ART
                                                                                                                                      • ART Memory Management
                                                                                                                                        • Return of the (profiled) JIT
                                                                                                                                          • The JNI implementation
                                                                                                                                            Day 5
                                                                                                                                            11. Android Kernel tweaks
                                                                                                                                            1 hours
                                                                                                                                            Android is, at the kernel level, almost identical to the common Linux kernel. There are, however, idiosyncrasies and modifications, which optimize the kernel to the mobile environments - low memory conditions, power management considerations, and more. In this chapter, we dig deep into these modifications, by examining each in detail, at the source code level. Specifically, we discuss:
                                                                                                                                            • ASHmem - Android's Anonymous Shared Memory mechanism
                                                                                                                                              • PMem - Physical contiguous memory for non scatter/gather capable hardware
                                                                                                                                                • Low memory killer - Allowing customized Linux OOM behavior from user space
                                                                                                                                                  • Wakelocks - and the enhancements to Power Management
                                                                                                                                                    • The RAM Console and pstore - Used in Android to save Panic data across reboot
                                                                                                                                                      • Timed GPIO/Output
                                                                                                                                                        • Recompiling the kernel
                                                                                                                                                          • Kernel level debugging and tracing
                                                                                                                                                            12. Security
                                                                                                                                                            4 hours

                                                                                                                                                            • Java level modifiers: Private and Public
                                                                                                                                                              • Java level Permissions
                                                                                                                                                                • UNIX/native level Permissions
                                                                                                                                                                  • Digital Signatures (code signing, etc)
                                                                                                                                                                    • Key storage and encryption
                                                                                                                                                                      • Service Hooks
                                                                                                                                                                        • Protected APIs
                                                                                                                                                                          • Kernel mode security
                                                                                                                                                                            • The Linux Capabilities model
                                                                                                                                                                              • Linux Security Modules (LSM) and SELinux ("SEAndroid")
                                                                                                                                                                                • Android Verified Boot (AVB) v1 and v2
                                                                                                                                                                                  • Kernel buffer overflow protection - ExecShield and randomization
                                                                                                                                                                                  • Extensions and improvements in Oreo, Pie and 10 (e.g. seccomp-bpf, Webview-Zygote)
                                                                                                                                                                                    • Why it all fails - Android Exploitation
                                                                                                                                                                                      13. Connectivity (Optional)
                                                                                                                                                                                      2 hours
                                                                                                                                                                                      An examination of Android's connectivity mechanisms:
                                                                                                                                                                                      • The Network Stack (+ netd and ConnectivityManager)
                                                                                                                                                                                        • BlueTooth
                                                                                                                                                                                          • RILd
                                                                                                                                                                                            • VPNs
                                                                                                                                                                                              • The USB Stack

                                                                                                                                                                                                Frequently Asked Questions