Android Internals -- Duration: 5 days
----------------------------------------------
Synopsis
This course, modeled after Jonathan's Levin's seminal works of the same name, discusses the architecture of Android - covering both its design and its implementation. We examine the features of the Android Operating System, and highlight exactly what it inherits from its Linux core, as well as how it diverges with its idiosyncrasies and "Android-isms". Every nook and cranny of the architecture is explored, with modules discussing specific subsystems, such as the Dalvik Virtual Machine, Android RunTime (ART), the Binder IPC mechanism, Hardware Abstraction Layer (HAL), the Media Framework and Android Power Management.
Target Audience
Experienced Android Developers or Implementors; Security Researchers with a deep desire to understand the internals of the world's most popular mobile operating system.
This course is NOT intended for user mode developers who wish to develop GUI applications or use the Android Java SDKs - but can be a great recommended followup for those who already do.
Prerequisites
None.
Objectives
- Describe the architecture of the Android operating system
- Describe the similarities between Linux and Android
- Describe the differences between Linux and Android
- Understand core architectural differences from Froyo (2.2) to Android 11.0 and 13.0!
- Describe the functions and architecture of the Android Kernel
- Reverse Engineer Android Apps
- Understand Android Security, its evolution over history, and its weaknesses
- Monitor, trace and intercept inter process communication on Android
- Understand the frameworks of Android, and interception points
- Understand both the framework layers and the native layer of Android
- Gain deep knowledge of the DEX, ART and OAT formats
- Learn to use innovative free tools, such as Dextra, bindump, and jtrace
Exercises
This course allocates time for hands-on practice, and plenty of instructor led demos. The hands-on exercises include:
- Reverse Engineering an Android App
- Native level debugging of Activities
- System call and kernel level tracing
MODULES
Day 1
1. Introduction - The Android Architecture - 5-6 hours
Introduction to the Android architecture. We discuss the design and implementation of the various subsystems, at a modular "black box" level, without going into the source code level (yet).
- Android features
- Android vs. Linux vs. Embedded Linux
- Filesystem layout and directories
- The Runtime Environment
- The Frameworks
- Dalvik (Java)
- Version differences - 1.5 through L (5.0) to Android T (13.0)
- User-Mode and Kernel-Mode Architecture
- Android Kernel modifications
- Recompiling the Kernel
2. Android's Hardware Abstraction Layer - 1 hour
The Android Hardware Abstraction Layer is a key component in Android. It enables the operating system to be adapted to different devices. The basic devices of a phone or tablet - the leds, power, vibrator and others - are abstracted by libhardware into virtual hardware devices, and we discuss them here.
- The need for a hardware abstraction layer
- The basic devices
- Camera
- Flashlight
- GPS
- Leds
- Sensors
- Vibrator
- The User Event Daemon
- HAL stubs
- The last stretch - from HAL to the driver
- Android O HAL modifications ("Project Treble")
Day 2
3. Partitions & Filesystems - 2 hours
Unlike in a PC or Mac, Android devices have upwards of 20 partitions, and sometimes even double that - with some dozen partitions for Android common across all devices, and the rest vendor dependent. We explore both types, focusing on maintaining the partitions, the files in them, and more.
- UFS vs. eMMC devices
- Device Partition Layout and the GPT
- Android standard partitions
- Vendor Specific Partitions (QCom, Samsung, MTK)
- A tour of the Android filesystems (/system, /vendor, /data)
4-5. Booting - 6 hours
System startup and initialization - Walk through the various stages, from boot loader through kernel startup to basic setup of user mode processes. We also describe the modification of the boot loaders.
- The Boot loader, and FastBoot
- Samsung Odin
- ARM TrustZone (32-bit) and ELx (64-bit)
- Kernel Startup
- User mode init - /init and /init.rc
- Boot-to-root: Rooting techniques by unlocking the bootloader
Day 3
6. Native Services - 2 hours
Describing the native services started by init - we walk through each and every one of the AOSP services, as well as some common vendor ones. The list includes:
- adbd
- servicemanager
- healthd (K +)
- logd (L +)
- lmkd (L +)
- keystore
- keymaster (M +)
- zygote/app_process
- debuggerd
7. Android IPC - 2 hours
Android's IPC mechanism is based on Binder, with some UNIX domain sockets on the side. We detail the inner workings of Binder, including:
- Java: AIDL
- Frameworks: android.os.Binder
- Native level: libBinder, BBinder, BpBinder
- Kernel interface: ProcessState and IPCThreadState
- Kernel implementation: ioctl(2) codes and protocol
- hwbinder, vnbinder and other O improvements
Exercises include: Debugging and Tracing Binder IPC
8. The Input Architecture - 2 hours
Android has a complex stack to manage various input sources, such as the touch screen, sensors, and external devices. This module traverses that stack, covering each layer in turn:
- The Linux Kernel Input Model
- The EventHub
- The InputReader
- The InputDispatcher
- The Activity Views
Exercises include: Injecting Events Monitoring and Capturing Input Events
Day 4
9. Dalvik 2 hours
Google would have you believe that Dalvik, the virtual machine architecture, is no longer relevant now that L and later versions use the Android RunTime (ART) by default. This couldn't be further from the truth. In this module, we discuss:
- The Dalvik VM architecture
- The DEX file format
- The DEX OpCode and instruction format
- Optimizing DEX
- Reversing DEX
- Obfuscating DEX
- The JNI model
Exercises include: Using dexdump and dextra to reverse a Dalvik APK's classes.dex all the way to Java source
10. ART - 1 hour
Since its inception as a "preview" in KitKat (4.4), ART has become the de facto standard for Android's application runtime. It has, however, changed with every version, up to and including the N Preview:
- The concepts behind ART
- Advantages over Dalvik
- The evolution - from 5.0 to the present day
- Reversing ART
- ART Memory Management
- Return of the (profiled) JIT
- The JNI implementation
Day 5
11. Android Kernel tweaks - 1 hour
Android is, at the kernel level, almost identical to the common Linux kernel. There are, however, idiosyncrasies and modifications, which optimize the kernel to the mobile environments - low memory conditions, power management considerations, and more. In this chapter, we dig deep into these modifications, by examining each in detail, at the source code level. Specifically, we discuss:
- ASHmem - Android's Anonymous Shared Memory mechanism
- PMem - Physical contiguous memory for non scatter/gather capable hardware
- Low memory killer - Allowing customized Linux OOM behavior from user space
- Wakelocks - and the enhancements to Power Management
- The RAM Console and pstore - Used in Android to save Panic data across reboot
- Timed GPIO/Output
- Recompiling the kernel
- Kernel level debugging and tracing
12. Security - 4 hours
- Java level modifiers: Private and Public
- Java level Permissions
- UNIX/native level Permissions
- Digital Signatures (code signing, etc)
- Key storage and encryption
- Service Hooks
- Protected APIs
- Kernel mode security
- The Linux Capabilities model
- Linux Security Modules (LSM) and SELinux ("SEAndroid")
- Android Verified Boot (AVB) v1 and v2
- Kernel buffer overflow protection - ExecShield and randomization
- Extensions and improvements in Oreo, Pie and 10 (e.g. seccomp-bpf, Webview-Zygote)
- Why it all fails - Android Exploitation
13. Connectivity (Optional) 2 hours
An examination of Android's connectivity mechanisms:
- The Network Stack (+ netd and ConnectivityManager)
- BlueTooth
- RILd
- VPNs
- The USB Stack
Frequently Asked Questions
-
When is this happening????
Either at your convenience, if you have a large enough group, or in our next public offering - Nov 21st (VA/MD)! Final location will be announced as soon as registration closes, so you will have ample time to prepare. Registrants will be able to vote on which location is preferable to them.
-
Who is your instructor for this course?
None other than our CTO, Jonathan Levin, himself - author of Android Internals - Volume I and Volume II - with material from Vols III and IV, slated for release (finally) later in this year.
-
What are the course materials??
Participants will receive a PDF version of the slide deck used, and all the tools.
-
What Android device(s) do I need?
Though you can get by with an emulator, we strongly recommend bringing a rooted device, of at least Android 10.0 or higher (12 recommended). You will also need a Linux host - though we will gladly supply a VM
-
What software do I need on my host?
The Android SDK, NDK, and full sources of Android - all of which freely obtainable, from developer.android.com and android.googlesource.com, respectively
-
What about COVID-19?
We encourage the general public (and especially our participants) to get the vaccine. Our instructor of choice has been thrice vaccinated, but the training will nonetheless observe masks and social distancing. Stay healthy, everyone!
-
How do I register??????
Shoot an email to i/n/f/o@technologeeks.com (without the slashes) for registration or more detail
------------------------------------------------
Completed in 0.01s