Java User Group Radu Marin Introduction Implementation Learn by doing Improvements Conclusions Binding Android piece by piece Radu Marin Softvision November 19, 2015

Binding android piece by piece


Java UserGroup

Radu Marin

Introduction

Implementation

Learn by doing

Improvements

Conclusions

Binding Android piece by piece

Radu Marin

Softvision

November 19, 2015

1 Introduction

2 Implementation

3 Learn by doing

4 Improvements

5 Conclusions

Java = Love

Linux + Java = Open Love

Linux + C/C++ + JNI + Java = Marriage (AOSP)

Android Software Stack

Hiccup #1

Linux: process-unit component model

Security: each process is sandboxed and run under a distinct system identity

Stability: if a process misbehaves (i.e. crashes), it does not affect other processes

Memory management: unneeded processes are removed to free resources (mainly memory)

Inter-process communication = sharing data across multiple and commonly specialized processes using communication protocols

Android IPC

Android does not support System V IPCs (Posix):

1 SysV semaphores
2 SysV shared memory segments
3 SysV message queues

Why not?

1 they lead to global kernel resource leakage, i.e. there is no way to automatically release a SysV semaphore allocated in the kernel when:
- a buggy or malicious process exits
- a non-buggy and non-malicious process crashes or is explicitly killed.

2 Killing processes automatically to make room for new ones is an important part of Android’s application lifecycle implementation

We can’t ignore potential malicious applications.

So what’s left?

UNIX domain sockets
- has support directly in the init process
- used for low level services (e.g. ril)
- file based, need a shared folder
- no support in Java

TCP/IP sockets
- not really useful for IPC
- cannot use it internally in the software stack (does not pass CTS)

pipes
- does not support RPC calls

Files (including memory mapped files)
- but what about small data?
- relatively small support in Java

OpenBinder

Started at Be, Inc as a part of the Next generation BeOS (2001)

Acquired by Palm

First real implementation in Palm Cobalt OS (micro-kernel)

Palm switches to Linux, so does OpenBinder (2005)

Key lead engineer, Dianne Hackborn, hired by Google (along with most other engineers)

Re-written from scratch for Android, as Binder (2008)

OpenBinder dies, Binder lives!

What is Binder anyway?

IPC mechanism/system used for developing object oriented system services over traditional kernels

built-in reference counting of object references (across processes)

death-notification mechanism

built-in support for marshalling many common data types

ability to send file descriptors across processes

methods on remote objects can be invoked as if they were local

local execution mode if client and service are in the same process (no overhead whatsoever)

simplified APIs (especially for Java)

focused on scalability, stability, flexibility, low-latency, easy to use

What is Binder used for?

Dianne Hackborn: package manager, telephony manager, app widgets, audio services, search manager, location manager, notification manager, accessibility manager, connectivity manager, wifi manager, input method manager, clipboard, status bar, window manager, sensor service, alarm manager, content service, activity manager, power manager, surface compositor

Binder controversy

That must have hurt

Most of these questions related to the fact that I don’t think an interface like this just slips into the kernel as a driver. Since it’s IPC, it’s totally generic, and it’s not part of a standard (i.e. POSIX), we need to have some better and more specific information about it (or at least I do)

Didn’t see that one coming

If for instance the main reason for Google using this interface is cause a large number of android people once worked at Palm or BeOS, that’s not reason enough for it to go into the kernel. Or if this binder interface really fits well with Java or C++ people and they just love it, that’s not really acceptable either..

Down in the Linux kernel

driver to facilitate IPC:

    $ adb shell
    shell@android:/ $ ls -l /dev/ | grep binder
    crw-rw-rw- root     root      10,  49 2015-09-07 20:23 binder
    shell@android:/ $ cat /sys/devices/virtual/misc/binder/uevent
    MAJOR=10
    MINOR=49
    DEVNAME=binder

supports: open, mmap, release, poll, and ioctl

key command - ioctl (sending commands and data):
- BINDER_WRITE_READ
- BINDER_SET_MAX_THREADS
- BINDER_SET_CONTEXT_MGR
- BINDER_THREAD_EXIT
- BINDER_VERSION

multi-thread aware (status per thread)

Hiccup #2

Moving up to the Linux userspace

token address 0 (well-known address)

must be started before anything else

other processes use it to find services → Mediator pattern

    $ adb shell
    shell@android:/ $ service list
    Found 75 services:
    0 sip: [android.net.sip.ISipService]
    1 phone: [com.android.internal.telephony.ITelephony]
    2 iphonesubinfo: [com.android.internal.telephony.IPhoneSubInfo]
    3 simphonebook: [com.android.internal.telephony.IIccPhoneBook]
    4 isms: [com.android.internal.telephony.ISms]
    5 pieservice: [android.service.pie.IPieService]
    [...]

    shell@android:/ $ dumpsys media.camera
    Camera module HAL API version: 0x100
    Camera module API version: 0x100
    Camera module name: Exynos Camera
    Camera module author: Paul Kocialkowski
    Number of camera devices: 2

    Camera 0 static information:
    Facing: BACK
    Orientation: 90
    Device version: 0x100
    Device is closed, no client instance

    Camera 1 static information:
    Facing: FRONT
    Orientation: 270
    Device version: 0x100
    Device is closed, no client instance

    No active camera clients yet.

Simple inter process messaging system

In an object oriented view, the transaction data is called a parcel.

The procedure of building a parcel is called marshalling an object.

The procedure of rebuilding an object from a parcel is called unmarshalling an object.

    class IServiceManager : public IInterface
    {
    public:
        DECLARE_META_INTERFACE(ServiceManager);
        virtual sp<IBinder> getService(const String16& name) const = 0;
        virtual sp<IBinder> checkService(const String16& name) const = 0;
        virtual Vector<String16> listServices() = 0;
    };

    class BnServiceManager : public BnInterface<IServiceManager>
    {
    public:
        virtual status_t onTransact(uint32_t code,
                                    const Parcel& data,
                                    Parcel* reply,
                                    uint32_t flags = 0);
    };

methods are purely virtual → Proxy pattern

    enum {
        GET_SERVICE_TRANSACTION = IBinder::FIRST_CALL_TRANSACTION,
        CHECK_SERVICE_TRANSACTION,
        ADD_SERVICE_TRANSACTION,
        LIST_SERVICES_TRANSACTION,
    };

    class BpServiceManager : public BpInterface<IServiceManager> {
    public:
        // Client-side proxy: marshal the request into a parcel, send it to
        // the remote object and unmarshal the binder from the reply.
        virtual sp<IBinder> checkService(const String16& name) const
        {
            Parcel data, reply;
            data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
            data.writeString16(name);
            remote()->transact(CHECK_SERVICE_TRANSACTION, data, &reply);
            return reply.readStrongBinder();
        }
        [...]

    status_t BnServiceManager::onTransact(
        uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
    {
        switch (code) {
            case GET_SERVICE_TRANSACTION: {
                CHECK_INTERFACE(IServiceManager, data, reply);
                String16 which = data.readString16();
                sp<IBinder> b = const_cast<BnServiceManager*>(this)->getService(which);
                reply->writeStrongBinder(b);
                return NO_ERROR;
            } break;
            [...]
        }
    }

    virtual sp<IBinder> getService(const String16& name) const
    {
        unsigned n;
        for (n = 0; n < 5; n++) {
            sp<IBinder> svc = checkService(name);
            if (svc != NULL) return svc;
            ALOGI("Waiting for service %s...\n", String8(name).string());
            sleep(1);
        }
        return NULL;
    }

    IMPLEMENT_META_INTERFACE(ServiceManager, "android.os.IServiceManager");
    }

    $ adb shell
    shell@android:/ $ service call -h
    service: No service specified for call
    Usage: service [-h|-?]
           service list
           service check SERVICE
           service call SERVICE CODE [i32 INT | s16 STR] ...
    Options:
       i32: Write the integer INT into the send parcel.
       s16: Write the UTF-16 string STR into the send parcel.

    10|shell@android:/ $ service call phone 2 s16 "123456"
    Result: Parcel(00000000    '....')

    130|shell@android:/ $ pm list packages | head
    package:android
    package:at.spardat.bcrmobile
    package:com.adobe.reader
    package:com.andrew.apollo
    package:com.android.backupconfirm
    package:com.android.bluetooth
    package:com.android.browser
    package:com.android.calculator2
    package:com.android.calendar
    package:com.android.cellbroadcastreceiver

Reaching the Android framework

JNI wrappers over C++ APIs → Bridge pattern

wraps the entire middleware

exposed mainly through AIDL, but low-level APIs can be called

all service references obtained through the APIs are implemented through AIDL / Binder

all interactions with the Android framework are mediated through Binder (e.g. activity callbacks: onCreate, onResume etc)

Hiccup #3

Android application building blocks:

Activity

Service

Content Provider

Broadcast Receiver

Intent

Manifest file

Reaching the Android framework - AIDL

eases the implementation of Android remote services

defines a Java-like interface for such remote services

fully automated: parser generates Java classes:
- Proxy class for client
- Stub class exposed by a Service through onBind

allows sending: primitive data types, basic containers, compound data types (i.e. Parcelable), Binder objects etc.

parameter direction: in, out, inout

allows oneway (asynchronous calls)

Why use it?

a more object-oriented approach for application architectures

complicated business logic → message passing is insufficient

strong coupling between Service and Activity

decoupling control logic from UI → allow customers to create own UI by exposing an AIDL interface

better suited for engines, middlewares, frameworks etc.

A simple example

Step 1: define an AIDL interface

    interface ISecondary {
        /**
         * Request the PID of this service, to do evil things with it.
         */
        int getPid();

        /**
         * This demonstrates the basic types that you can use as parameters
         * and return values in AIDL.
         */
        void basicTypes(int anInt, long aLong, boolean aBoolean, float aFloat,
                double aDouble, String aString);
    }

Step 2: provide Stub implementation

    private final ISecondary.Stub mSecondaryBinder = new ISecondary.Stub() {
        public int getPid() {
            return Process.myPid();
        }
        public void basicTypes(int anInt, long aLong, boolean aBoolean,
                float aFloat, double aDouble, String aString) {
            // do something with the data here
        }
    };

Step 3: export it through a Service

    @Override
    public IBinder onBind(Intent intent) {
        // Select the interface to return. If your service only implements
        // a single interface, you can just return it here without checking
        // the Intent.
        if (IRemoteService.class.getName().equals(intent.getAction())) {
            return mBinder;
        }
        if (ISecondary.class.getName().equals(intent.getAction())) {
            return mSecondaryBinder;
        }
        return null;
    }

    <service android:name=".app.RemoteService" android:process=":remote">
        <intent-filter>
            <!-- These are the interfaces supported by the service, which
                 you can bind to. -->
            <action android:name="com.example.android.apis.app.IRemoteService" />
            <action android:name="com.example.android.apis.app.ISecondary" />
            <action android:name="com.example.android.apis.app.REMOTE_SERVICE" />
        </intent-filter>
    </service>

Step 4: Create a ServiceConnection

    ISecondary mSecondaryService = null;
    ServiceConnection mSecondaryConnection = new ServiceConnection() {
        public void onServiceConnected(ComponentName className,
                IBinder service) {
            mSecondaryService = ISecondary.Stub.asInterface(service);
            // start using mSecondaryService
        }

        public void onServiceDisconnected(ComponentName className) {
            mSecondaryService = null;
        }
    };

Step 5: Bind/Unbind the Service

    boolean mIsBound = false;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        [...]
        bindService(new Intent(ISecondary.class.getName()),
                mSecondaryConnection, Context.BIND_AUTO_CREATE);
        mIsBound = true;
    }

    @Override
    public void onDestroy() {
        [...]
        if (mIsBound) {
            unbindService(mSecondaryConnection);
        }
    }
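A hardened variant of the Stub and Service from steps 2 and 3, as an added example that is not part of the original slides: every call checks the caller's identity at the Binder boundary before doing any work. ISecondary is the interface generated from the AIDL file in step 1; the class name HardenedRemoteService, the permission name com.example.permission.BIND_SECONDARY and the string length limit are hypothetical.

```java
// Added example (not from the slides): caller checks at the Binder boundary.
// Assumptions: ISecondary is generated from the AIDL file in step 1;
// HardenedRemoteService and BIND_PERMISSION are hypothetical names.
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Process;
import android.util.Log;

public class HardenedRemoteService extends Service {
    private static final String TAG = "HardenedRemoteService";

    // Hypothetical permission; declare it in the manifest with
    // android:protectionLevel="signature" so that only apps signed with
    // the same key can be granted it.
    private static final String BIND_PERMISSION =
            "com.example.permission.BIND_SECONDARY";

    // Arbitrary limit chosen for this example.
    private static final int MAX_STRING_LENGTH = 256;

    private final ISecondary.Stub mSecondaryBinder = new ISecondary.Stub() {
        @Override
        public int getPid() {
            enforceCaller("getPid");
            return Process.myPid();
        }

        @Override
        public void basicTypes(int anInt, long aLong, boolean aBoolean,
                float aFloat, double aDouble, String aString) {
            enforceCaller("basicTypes");
            // Everything unmarshalled from the parcel is caller-controlled:
            // validate it before use.
            if (aString == null || aString.length() > MAX_STRING_LENGTH) {
                throw new IllegalArgumentException("aString missing or too long");
            }
            // do something with the data here
        }
    };

    /**
     * Rejects the current transaction unless it comes from this app's own
     * UID or from a caller that was granted BIND_PERMISSION.
     */
    private void enforceCaller(String method) {
        // Inside a Binder transaction these return the identity of the
        // sending process, not values supplied in the parcel.
        int uid = Binder.getCallingUid();
        int pid = Binder.getCallingPid();

        if (uid == Process.myUid()) {
            return; // local call or another component of the same app
        }
        if (checkCallingPermission(BIND_PERMISSION)
                != PackageManager.PERMISSION_GRANTED) {
            Log.w(TAG, "Rejected " + method + " from uid=" + uid + " pid=" + pid);
            // For non-oneway calls the SecurityException is marshalled
            // back and rethrown in the caller's process.
            throw new SecurityException("uid " + uid + " lacks " + BIND_PERMISSION);
        }
    }

    @Override
    public IBinder onBind(Intent intent) {
        // Only hand out the binder for the action this service serves.
        if (ISecondary.class.getName().equals(intent.getAction())) {
            return mSecondaryBinder;
        }
        return null;
    }
}
```

Setting the same permission in android:permission on the <service> element makes the system refuse the bind itself, before any transaction reaches the Stub.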

Using a Local Binder:

    public class MyLocalService extends Service {
        IBinder mBinder = new LocalBinder();

        @Override
        public IBinder onBind(Intent intent) {
            return mBinder;
        }

        // Returned only to clients in the same process, so the client can
        // cast the IBinder and call the service instance directly.
        public class LocalBinder extends Binder {
            public MyLocalService getInstance() {
                return MyLocalService.this;
            }
        }

        public void myPublicMethod() {
            // do something
        }
    }
    [...]
    public void onServiceConnected(ComponentName name, IBinder service) {
        mIsBound = true;
        LocalBinder mLocalBinder = (LocalBinder) service;
        mLocalService = mLocalBinder.getInstance();
    }

Sending complex data types (1):

    public class MyData implements Parcelable {
        private String myString;
        private int myInt;

        public MyData(String myString, int myInt) {
            this.myString = myString;
            this.myInt = myInt;
        }

        private MyData(Parcel in) {
            readFromParcel(in);
        }

        // Needed by the generated AIDL code for out / inout parameters.
        // Fields are read in the same order writeToParcel() wrote them.
        public void readFromParcel(Parcel in) {
            this.myString = in.readString();
            this.myInt = in.readInt();
        }

        @Override
        public int describeContents() {
            return 0;
        }

        @Override
        public void writeToParcel(Parcel dest, int flags) {
            dest.writeString(myString);
            dest.writeInt(myInt);
        }

        public static final Parcelable.Creator<MyData> CREATOR =
                new Parcelable.Creator<MyData>() {
            public MyData createFromParcel(Parcel in) {
                return new MyData(in);
            }

            public MyData[] newArray(int size) {
                return new MyData[size];
            }
        };
    }

Sending complex data types (2):

specify direction in AIDL:

    interface IMyData {
        void send(inout MyData myData);
    }

create parcelable AIDL file:

    package my.package;

    parcelable MyData;

Passing Binders through Binder:

    interface IRemoteService {
        /**
         * Often you want to allow a service to call back to its clients.
         * This shows how to do so, by registering a callback interface with
         * the service.
         */
        void registerCallback(IRemoteServiceCallback cb);

        /**
         * Remove a previously registered callback interface.
         */
        void unregisterCallback(IRemoteServiceCallback cb);
    }

    oneway interface IRemoteServiceCallback {
        /**
         * Called when the service has a new value for you.
         */
        void valueChanged(int value);
    }

API level ≥ 16 → can send Binders through Bundle (must manually take care of ownership)

A highly available middleware for context acquisition

Specs:

1 a middleware for sensing, acquiring and storing contextual data

2 what is context? anything measurable from the environment

3 must enforce transparency (MVC architecture)

4 must enforce a stable and extensible API

5 must restrict contextual collectors by permissions

6 must manage the lifetime of collectors

7 must export data to other Android applications

8 must recognize collectors from any allowed application on-the-fly

ICollector.aidl:

    package ro.pub.acs.hyccups.collector;

    import android.content.Intent;
    import ro.pub.acs.hyccups.collector.IconInfo;

    interface ICollector {
        String name();
        Intent view();
        IconInfo icon();
        void start();
        void stop();
    }

    package ro.pub.acs.hyccups.collector;

    parcelable IconInfo;

Exposing a collector:

    <provider
        android:name=".collectors.memory.Model"
        android:authorities="ro.pub.acs.hyccups.tracer.provider.memory"
        android:exported="true"
        android:writePermission="ro.pub.acs.hyccups.permission.WRITE_COLLECTOR_DATA" />

    <activity android:name=".collectors.memory.Viewer"
        android:icon="@drawable/memory">
        <meta-data
            android:name="authority"
            android:value="ro.pub.acs.hyccups.tracer.provider.memory" />
    </activity>

    <service
        android:name=".collectors.memory.Controller"
        android:exported="false"
        android:process=":tracer">
        <intent-filter>
            <action android:name="ro.pub.acs.hyccups.collector.ICollector" />
            <category android:name="android.intent.category.DEFAULT" />
        </intent-filter>
    </service>

Binding anything appropriate:

    final List list = new List();
    java.util.List<ResolveInfo> infos =
            context.getPackageManager().queryIntentServices(
                    new Intent(ICollector.class.getName()),
                    PackageManager.MATCH_DEFAULT_ONLY);
    final CountDownLatch barrier = new CountDownLatch(infos.size());

    for (ResolveInfo info : infos) {
        // Instantiate all collectors
        new Collector(context, info, new Requester() {
            @Override
            public void onFailed(ServiceInfo info) {
                list.failed(info);
                barrier.countDown();
            }

            @Override
            public void onDisconnected(Collector collector) {
                list.remove(collector);
            }

            @Override
            public void onConnected(Collector collector) {
                // If the collector successfully connects, it adds itself to the list
                list.add(collector);
                barrier.countDown();
            }
        });
    }
    barrier.await();

    return list;
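One way to vet discovered collectors before binding, as an added example that is not the middleware's own code: it keeps only services whose package was granted a permission and builds an explicit Intent for each. Treating WRITE_COLLECTOR_DATA (the provider write permission from the collector manifest) as the marker of an allowed collector is an assumption, and the class name CollectorDiscovery is hypothetical.

```java
// Added example (not the middleware's own code): vet the services that
// answer the ICollector action before binding to any of them.
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.content.pm.ServiceInfo;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

public final class CollectorDiscovery {
    private static final String TAG = "CollectorDiscovery";

    // Action string as it appears in the collector manifest on the slides.
    private static final String COLLECTOR_ACTION =
            "ro.pub.acs.hyccups.collector.ICollector";

    // Assumption: a package that holds this permission is an allowed collector.
    private static final String COLLECTOR_PERMISSION =
            "ro.pub.acs.hyccups.permission.WRITE_COLLECTOR_DATA";

    private CollectorDiscovery() {}

    /** Returns one explicit bind Intent per collector service that passes vetting. */
    public static List<Intent> trustedCollectorIntents(Context context) {
        PackageManager pm = context.getPackageManager();
        List<ResolveInfo> infos = pm.queryIntentServices(
                new Intent(COLLECTOR_ACTION), PackageManager.MATCH_DEFAULT_ONLY);

        List<Intent> trusted = new ArrayList<>();
        if (infos == null) {
            return trusted;
        }
        for (ResolveInfo info : infos) {
            ServiceInfo si = info.serviceInfo;
            if (si == null) {
                continue;
            }
            // Any installed app can declare an intent-filter for the action,
            // so resolving the action proves nothing about the package.
            boolean ownPackage = context.getPackageName().equals(si.packageName);
            boolean granted = pm.checkPermission(COLLECTOR_PERMISSION, si.packageName)
                    == PackageManager.PERMISSION_GRANTED;
            if (!ownPackage && !granted) {
                Log.w(TAG, "Skipping " + si.packageName + "/" + si.name
                        + ": package does not hold " + COLLECTOR_PERMISSION);
                continue;
            }
            // Name the component explicitly so the bind cannot be resolved
            // to a different package that registers the same action.
            Intent explicit = new Intent(COLLECTOR_ACTION);
            explicit.setComponent(new ComponentName(si.packageName, si.name));
            trusted.add(explicit);
        }
        return trusted;
    }
}
```

Apps targeting Android 5.0 (API 21) or later must pass an explicit Intent to bindService in any case; an implicit one is rejected with an IllegalArgumentException.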

Displaying all collectors:

Binding the data to views:

Exposing additional functionality (1):

    interface IEngine {
        void register(IChannel channel);
        void unregister(IChannel channel);
        void forward(IChannel channel, inout MessageWrapper message);
        void disseminate(IChannel channel, inout MessageWrapper message);
    }

    interface IChannel {
        String getName();
        oneway void onRegistered();
        oneway void onDisconnected(String error);
        oneway void onPeerConnected(inout Peer peer);
        oneway void onPeerDisconnected(inout Peer peer);
        oneway void onMessageReceived(inout MessageWrapper message);
        oneway void onDisseminationReceived(inout MessageWrapper message);
    }

Exposing additional functionality (2):

    <service
        android:name=".collectors.opportunistic.Controller"
        android:exported="false"
        android:process=":tracer">
        <intent-filter>
            <action android:name="ro.pub.acs.hyccups.collector.ICollector" />
            <category android:name="android.intent.category.DEFAULT" />
        </intent-filter>
        <intent-filter>
            <action android:name="ro.pub.acs.hyccups.opportunistic.IEngine" />
            <category android:name="android.intent.category.DEFAULT" />
        </intent-filter>
    </service>
    <service
        android:name=".collectors.opportunistic.Controller$TracingChannel"
        android:exported="false"
        android:process=":tracer">
        <intent-filter>
            <action android:name="ro.pub.acs.hyccups.opportunistic.IHost" />
            <category android:name="android.intent.category.DEFAULT" />
        </intent-filter>
    </service>

Exploit #1

Keylogger (Binder in the middle attack):

Binder service tokens were allocated incrementally

Attacker would identify the desired service token and kill its process (InputManagerService)

Before the service would have time to recover → register an infected version with the same token number

All input would then pass through the attacker’s code

Fixed by allocating token numbers randomly (still not impossible for hackers).

Exploit #2

Playing with in app data:
- hack the linker to bypass binder flow and read buffers (on rooted device)
- programmers send sensitive data through Binder (between Activities)
- hacker reads the sensitive data by parsing the command/reply buffer
- hacker decompiles application to see how data is used
- hacker uses non-privileged Binder call back into the application using the sensitive data

Fixes:
- nothing much that Android can do in this situation
- programmers should always obfuscate their code (make life harder for hackers)
- programmers should never send sensitive data in the clear over Binder (rather have overhead than security breach)

Improvements

Binder is not yet a stable API and keeps on evolving

Currently uses SELinux for securing Binder calls

Does not block all cores when carrying out Binder transaction (initial designs did...)

Rumours about switching to ADSP

Conclusions

Good:

unique IPC mechanism supporting object oriented system services over traditional kernels (i.e. Linux)

extends Linux with the ability to send file descriptors across processes

optimized for both local and remote execution; native binary marshalling

simplified, object-oriented APIs

focused on scalability, stability, flexibility, low-latency, easy to use

Bad:

ioctl() path is not optimal

Use it wisely and only when needed!

Never send sensitive data through Binder!

The end

Thank you !