6. Example IPC Message Flow

6.1. Testing Environment

We used two testing apps running on a virtual device. The first one was an modified example1, which was originally designed to demonstrate an in-app service communication. This is handled quite differently and copes with intercomponent communication, not interprocess communication. It is called SimpleMathService and offers methods for simple mathematical operations.

The second application was self-programmed and simply uses the remote service provided by the first app.

The applications of the testing environment are illustrated as an extended UML class diagram in Figure 6.1. The UML diagramm is extended with a view of the processes, which instantiated nested Java objects. Their classes and objects (shown in yellow) are compiled from the Android AIDL language. The service app has two components, an activity component called Main and a service component called SimpleMathService. The SimpleMathService class holds an extended anonymous inner class implementing the business logic of the service. The inner class is derived from ISimpleMathService.Stub which is generated by Android SDK from the ISimpleMathService.aidl definition file. This file contains the API definition of the service and must be published if other application developers wish to use this service. The stub class extends the Binder class as well as the proxy class. Accordingly, they are the endpoints of the Binder communication progress.

The application manifest declares the service as remote and therefore it is started in an own process by Android. The activity component will hold a proxy object which is a nested class of the interface ISimpleMathService. The activity runs in an own process, too.

The second application contains the Main activity as component only. This main object holds the UI with a button and a text output and a proxy object for the SimpleMathService, that is more related to IPC.

The applications were compiled with Android SDK for Eclipse and were executed in an Android emulator.

6.2. Message Flow and Call Stacks

Due to the limited size of this paper, only an excerpt can be presented. The binding of the service is presented abstractly, and the remote procedure call is presented in detail.

The user app is executed first. It asks the service manager for a Binder of the SimpleMathService. This Binder is implemented as an anonymous class from ISimpleMathService.Stub of the SimpleMathService application. In this example, the stub object implements the business logic of the service. The bindService() method of the Main class of the user app will create a proxy object for the requested service, which communicates with the stub object on the server side.

At this point we describe in detail what happens, when a remote procedure is called after the binding to the service has been established. The listing 6.1 shows a nested anonymous extended class, which is used as callback.

This ServiceConnection object was an argument of the earlier called bindService() method. The onServiceConnected callback method returns a proxy object, which delivers all method calls to the remote service. The user application can now handle the object as if it were a local object and marshal methods.

Listing 6.2 does a method call on the proxy object to add 40 and 2. In the background, following happens: The call is divided by the proxy object in 6.3 into basic data types, which can be written in a parcel. At first, the receiver is written to the parcel, that is a Binder. The arguments are written serialized in the data packet. A user defined int code is assigned to the transaction. This code relates to the intended method name, because the Binder framework at this point permits only to submit an integer value. To avoid misunderstandings, the remote service as the user application must use the same assignment of code and methods.

At this point, the interprocess communication is initiated with the transact method.

The parcel is sent to the JNI interface that sends it to the Binder C++ middleware that sends it to the Binder kernel driver. The Binder kernel driver will send the client process to sleep and map the parcel data and the code from client process to the server process. The parcel is send from Binder driver to C++ middleware and then to JNI and on Java API Wrapper Layer the method ontransact of the stub is called.

In Listing 6.4 the entry point for receiving a message is presented. The code is read first and due to knowledge of the method signature the accurate count of arguments are read from the parcel. Now the method corresponding to the code implementing the business logic is called with extracted arguments. The result is written to a reply parcel.

Again it is routed through the layers to the binder driver, that transfers the parcel and wakes up the sleeping client process and delivers the reply parcel to the proxy object. The relpy is unparceled and returned as the result of the proxy method. Thereafter the result is displayed at the activity window of the client app, refer Figure 6.3.

1. Discussion
   The Binder framework supports basic security features. It ensures that no other application can read or manipulate data by transmitting them over a private channel, namely the Binder kernel module. It acts as mediator and must be trusted by the communicating parties. For identification, the Binder framework provides the UID and PID of the calling Binder. With the UID, an application can check the package signature and identify the app. 7 This is important, because multiple services can be assigned with the same name. The operating system will decide, which service is called, depending on the set priority of the service. However, it is possible for a malicious service to overlap the good service and retrieve information, that is sent by the App believing it is communicating with a trusted service. The application must ensure in security critical situations, e.g. the login to a service, the identity of the service. This is possible and this work could not find a flaw in that system, since the UID and PID are derived from Linux methods, that can be regarded as secure and can not be manipulated by unintended calls or arguments.

The use of Binder as a security token should be audited, because the binder reference number is not chosen randomly. It is incremented from zero in the Binder driver. It could be possible to increase the possible numbers and guess with good probability the right Binder token. But this must be confirmed in a future work.

A. Bibliography

1. Openhandset Alliance. Android overview, 08 2011. URL http://www. openhandsetalliance.com/android_overview.html.

2. Bornstein. Dalvik vm internals, 2008 google i/o session, 01 2008. URL http://sites.google.com/site/io/dalvik-vm-internals.

3. Brady. Anatomy & physiology of an android, 2008 google i/o, 2008. URL http://sites.google.com/site/io/ anatomy–physiology-of-an-android.

4. Winandy Davi, Sadeghi. Privilege escalation attacks on android, 11 2010. URL http://www.ei.rub.de/media/trust/veroeffentlichungen/2010/ 11/13/DDSW2010_Privilege_Escalation_Attacks_on_Android.pdf.

5. David Ehringer. Dalvik virtual machine, 03 2011. URL http://davidehringer.com/software/android/The_Dalvik_Virtual_ Machine.pdf.

6. Enck. Understanding android security. IEEE S, JanuaryFebruary:50pp, 2009.

7. freyo. Android get signature by uid, 07 2010. URL http://www.xinotes. org/notes/note/1204/.

8. Gartner. Gartner says android to become no. 2 worldwide mobile operating system in 2010 and challenge symbian for no. 1 position by 2014, 10 2010. URL http://www.gartner.com/it/page.jsp?id=1434613.

9. Google. Android java sources, .

10. Google. Android kernel sources, .

11. Google. Android interface definition language (aidl), 08 2011. URL http://developer.android.com/guide/developing/tools/aidl.html.

12. Google. Android documentation - fundamentals, 08 2011. URL http:// developer.android.com/guide/topics/fundamentals.html.

13. Google. The android mainifest xml file, 08 2011. URL http://developer.
    android.com/guide/topics/manifest/manifest-intro.html.

14. Google. Binder java documentation, 08 2011. URL http://developer.
    android.com/reference/android/os/Binder.html.

15. Google. Android documentation - intent, 08 2011. URL http://developer.
    android.com/reference/android/content/Intent.html.

16. Google. Android security, 08 2011. URL http://developer.android.com/
    guide/topics/security/security.html.

17. Goolge. Android documentation - what is android, 08 2011. URL http:
    //developer.android.com/guide/basics/what-is-android.html.

18. Security Engineering Research Group. Android security, a survey. so far so good., 07 2010. URL http://imsciences.edu.pk/serg/2010/07/ android-security-a-survey-so-far-so-good/.

19. Hackborn. Re: [patch 1/6] staging: android: binder: Remove some funny && usage, 06 2009. URL https://lkml.org/lkml/2009/6/25/3.

20. Palmsource Inc. Open binder documentation, 12 2005. URL http://www. angryredplanet.com/~hackbod/openbinder/docs/html/index.html.

21. Intel. Intel 64 and IA-32 Architectures Software Developer’s Manual. Intel, 2011.

22. Oracle. Java native interface, 08 2011. URL http://download.oracle. com/javase/6/docs/technotes/guides/jni/index.html.

23. David A Rusling. The Linux Kernel. 1999.

24. Chin Felt Greenwood Wagner. Analyzing inter-application commu- nication in android, 06 2001. URL www.cs.berkeley.edu/~afelt/ intentsecurity-mobisys.pdf.

25. Wiki. Android memory usage, 08 2011. URL http://elinux.org/Android_ Memory_Usage.

更多相关文章

1. android：定制checkbox 图片
2. android图片缩放手势检测类--ScaleGestureDetector
3. android图片压缩方法
4. android ListView SimpleAdapter 带图片
5. Android之OnGestureListener实现图片的左右滑动
6. 图片压缩保存读取操作
7. Android 圆角图片，基于Glide4.9 的 BitmapTransformation，可任意设
8. 【原创】Android 4.4前后版本读取图库图片方式的变化
9. Android公共库——图片缓存 网络缓存 下拉及底部更多ListView 公

随机推荐

1. 赏析 WIMM 可佩戴式平台，很帅很强大
2. Android属性动画,看完这篇够用了吧
3. Android(安卓)桌面组件【app widget】 进
4. Android(安卓)多主题切换 (theme + style
5. Android传感器概述（二）
6. Android(安卓)-- Parcelable 序列化操作
7. Android(安卓)UI编程进阶——使用Surface
8. Android学习小Demo（5）结合Matrix跟Porperty
9. Android全屏截图的方法，返回Bitmap并且保
10. Data Binding Guide——google官方文档翻