Extending Android's binder as a basis for application monitoring

Abstract

Android is an operating system for mobile devices, and comes with diagnostic and application debugging tools for performance. Android also makes use of a permission model in order to grant applications access to device services such as messaging and camera. We are currently missing an os-centric monitoring feature related to the services being accessed. Any work related to malware detection and permission monitoring will benefit from such an enhancement to Android. Despite of being Linux based, Android implements a customised binder framework, rather than utilizing the system V IPC, providing a remote procedure call mechanism which is abstracted to the developer through simple Java APIs. The first part of this work focuses on studying the Android Binder, the choke-point of all IPC that takes place in Android, to identify candidate patch points that may provide the required monitoring. An AIDL example (Android Interface Definition Language) is created and used as a running example to further understand the ow of IPC. The Binder framework is patched at the Java level, and the data is intercepted as soon as a transaction is made by client. A string representation of the data is printed using Logcat. The data is also sent to a tailored monitoring application using Intents. The second part of this project focuses on the creation of a prototype monitoring application which is capable of receiving the data sent by the Android binder framework. The data proceeds to be decomposed and parsed into primitive data types, in order for the monitoring application to display the information accordingly. This is achieved using an intermediate representation of the AIDL files related to the services being monitored. Applications accessing different services were used as case studies in order to demonstrate the effectiveness of the monitoring functionality achieved. These were showcased on an Android emulator running the modified Android image. .