Android Internals

• Strong knowledge of Android development or implementation.
• Experience in reverse engineering or security research.
• A rooted Android device (recommended Android 10 or higher) and a Linux host (VMs can be provided).
• Familiarity with Linux and Android systems.

Target Audience

• Experienced Android developers or implementers.
• Security researchers interested in the internals of the Android OS.

This course is not suitable for user-mode developers focused on Android GUI applications, but it serves as an excellent follow-up for those already familiar with the Android SDK.

• Describe the architecture of the Android operating system.
• Understand the similarities and differences between Linux and Android.
• Trace the core architectural changes from Android Froyo (2.2) to Android 13.0.
• Understand the functions and architecture of the Android kernel.
• Reverse engineer Android applications.
• Monitor, trace, and intercept inter-process communication (IPC) in Android.
• Gain a deep understanding of DEX, ART, and OAT formats.
• Learn to use free tools such as Dextra, bindump, and jtrace.
• Analyse Android security, its evolution, and weaknesses.

The course covers the following modules, with hands-on exercises and guided demos:

Introduction to Android Architecture (5-6 hours)

• Overview of Android features and comparison with Linux.
• Filesystem layout, runtime environment, and frameworks.
• Dalvik and ART architecture, from Android 1.5 through Android 13.0.
• User-mode and kernel-mode differences.
• Kernel modifications and recompilation.

Hardware Abstraction Layer (HAL) (1 hour)

• HAL overview and abstraction of basic devices (camera, sensors, GPS, etc.).
• Project Treble and HAL modifications.

Partitions & Filesystems (2 hours)

• Android partition layout, UFS vs. eMMC, vendor-specific partitions.
• Tour of standard Android filesystems (/system, /vendor, /data).

Booting (6 hours)

• System startup and initialisation, from bootloader to kernel and user-mode processes.
• Techniques for unlocking bootloaders and rooting devices.

Native Services (2 hours)

• Examination of Android services initiated by init (adbd, servicemanager, healthd, etc.).

Android IPC Mechanisms (2 hours)

• Detailed breakdown of Binder IPC and alternative communication mechanisms.
• Exercises: Debugging and tracing Binder IPC.

The Input Architecture (2 hours)

• Understanding Android’s input stack: Kernel input model, EventHub, InputReader, and InputDispatcher.
• Exercises: Monitoring and capturing input events.

Dalvik Virtual Machine (2 hours)

• Dalvik VM architecture, DEX file format, and reverse engineering techniques.
• Exercises: Reverse engineering Dalvik APK’s classes.dex to Java source.

Android Runtime (ART) (1 hour)

• ART evolution and its memory management, profiling, and JIT compilation.
• Exercises: Reversing ART.

Android Kernel Modifications (1 hour)

• Overview of Android-specific kernel tweaks: ASHmem, PMem, low memory killer, wakelocks, RAM console, etc.
• Exercises: Kernel-level debugging and tracing.

Android Security (4 hours)

• Analysis of Android’s security mechanisms, including SELinux, digital signatures, AVB, and buffer overflow protection.
• Android exploitation techniques and common security failures.

Connectivity (Optional) (2 hours)

• Overview of Android’s network stack, Bluetooth, RILd, and VPN mechanisms.