Android Internals Training in Switzerland

This 5-day course, based on Jonathan Levin's Android Internals books, delves into the architecture and implementation of Android. Participants will explore Android’s features, its relationship to Linux, and how it diverges with its own unique 'Android-isms.' The course covers Android subsystems like the Dalvik Virtual Machine, Android Runtime (ART), Binder IPC, Hardware Abstraction Layer (HAL), and more. It combines theory with hands-on exercises to provide a deep understanding of Android’s architecture from both the user-mode and kernel-mode levels.

• Strong knowledge of Android development or implementation.
• Experience in reverse engineering or security research.
• A rooted Android device (recommended Android 10 or higher) and a Linux host (VMs can be provided).
• Familiarity with Linux and Android systems.

Target Audience

• Experienced Android developers or implementers.
• Security researchers interested in the internals of the Android OS.

This course is not suitable for user-mode developers focused on Android GUI applications, but it serves as an excellent follow-up for those already familiar with the Android SDK.

• Describe the architecture of the Android operating system.
• Understand the similarities and differences between Linux and Android.
• Trace the core architectural changes from Android Froyo (2.2) to Android 13.0.
• Understand the functions and architecture of the Android kernel.
• Reverse engineer Android applications.
• Monitor, trace, and intercept inter-process communication (IPC) in Android.
• Gain a deep understanding of DEX, ART, and OAT formats.
• Learn to use free tools such as Dextra, bindump, and jtrace.
• Analyse Android security, its evolution, and weaknesses.

The course covers the following modules, with hands-on exercises and guided demos:

Introduction to Android Architecture (5-6 hours)

• Overview of Android features and comparison with Linux.
• Filesystem layout, runtime environment, and frameworks.
• Dalvik and ART architecture, from Android 1.5 through Android 13.0.
• User-mode and kernel-mode differences.
• Kernel modifications and recompilation.

Hardware Abstraction Layer (HAL) (1 hour)

• HAL overview and abstraction of basic devices (camera, sensors, GPS, etc.).
• Project Treble and HAL modifications.

Partitions & Filesystems (2 hours)

• Android partition layout, UFS vs. eMMC, vendor-specific partitions.
• Tour of standard Android filesystems (/system, /vendor, /data).

Booting (6 hours)

• System startup and initialisation, from bootloader to kernel and user-mode processes.
• Techniques for unlocking bootloaders and rooting devices.

Native Services (2 hours)

• Examination of Android services initiated by init (adbd, servicemanager, healthd, etc.).

Android IPC Mechanisms (2 hours)

• Detailed breakdown of Binder IPC and alternative communication mechanisms.
• Exercises: Debugging and tracing Binder IPC.

The Input Architecture (2 hours)

• Understanding Android’s input stack: Kernel input model, EventHub, InputReader, and InputDispatcher.
• Exercises: Monitoring and capturing input events.

Dalvik Virtual Machine (2 hours)

• Dalvik VM architecture, DEX file format, and reverse engineering techniques.
• Exercises: Reverse engineering Dalvik APK’s classes.dex to Java source.

Android Runtime (ART) (1 hour)

• ART evolution and its memory management, profiling, and JIT compilation.
• Exercises: Reversing ART.

Android Kernel Modifications (1 hour)

• Overview of Android-specific kernel tweaks: ASHmem, PMem, low memory killer, wakelocks, RAM console, etc.
• Exercises: Kernel-level debugging and tracing.

Android Security (4 hours)

• Analysis of Android’s security mechanisms, including SELinux, digital signatures, AVB, and buffer overflow protection.
• Android exploitation techniques and common security failures.

Connectivity (Optional) (2 hours)

• Overview of Android’s network stack, Bluetooth, RILd, and VPN mechanisms.