1 of 21

Mobile Systems and Smartphone Security (MOBISEC 2020)

Prof: Yanick Fratantonio, EURECOM

More on Key Android Aspects

2 of 21

More info on important Android aspects

  • Activity, Service, Broadcast Receivers, Content Providers

  • Intents, Bundle

  • PackageManager

  • Native Code

3 of 21

More on Activity

  • To start an activity
    • startActivity(intent)
    • intent can be either explicit or implicit

  • New: activities can also get an "answer" / "result"

5 of 21

Get replies from activities

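    // A.X: the calling activity
    Intent i = new Intent(...);
    int requestCode = 400;
    startActivityForResult(i, requestCode);

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        // check requestCode and resultCode
        ...
    }

    // B.Y: the activity that sends the reply
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent resInt = new Intent();
        ...
        setResult(Activity.RESULT_OK, resInt);
        finish();
    }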

Caller can use requestCode to distinguish replies from different requests

6 of 21

More on Service

  • To start a service
    • Intent i = new Intent(...);
    • // intent MUST be an explicit intent (for security reasons)
    • startService(i)

  • How to get back a reply?
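    • No analogue of startActivityForResult
    • There are some ways, but the easiest is via broadcast intents

Why is an implicit intent not a problem for activities? Chooser dialog! When several activities match, the user picks one; a service starts without any UI, so nobody would get to choose.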

7 of 21

Services: The Full Story

  • Three types of services:
    • Background
    • Foreground
    • Bound

  • Full docs: link

8 of 21

Background Service

  • It performs an operation that isn't directly noticeable by the user

  • Start with startService()

  • startService() → S.onCreate() → S.onStartCommand()

9 of 21

Foreground Service

  • It performs an operation that is noticeable to the user

  • Start with startService() + startForeground() (from the service's onCreate)

  • startService() → S.onCreate() → S.onStartCommand()

10 of 21

Bound Services (doc)

  • A service is bound when an app binds to it by calling bindService()

  • You can have client/server IPC-based interaction

  • bindService() → S.onCreate() → S.onBind()

11 of 21

Three ways of implementing them

  • Local Service (intra-app)
    • Quite easy...

  • Using a Messenger
    • Quite complicated...

  • Using AIDL
    • Also complicated...

12 of 21

Inter-Process Services via Messengers

    public IBinder onBind(Intent intent) {
        mMessenger = new Messenger(new IncomingHandler(this));
        return mMessenger.getBinder();
    }

    static class IncomingHandler extends Handler {
        IncomingHandler(Context context) { ... }

        @Override
        public void handleMessage(Message msg) {
            switch (msg.what) {
                case MSG_SAY_HELLO:
                    ...
            }
        }
    }

The service returns a Handler (wrapped in a Messenger)

15 of 21

Inter-Process Services via Messengers

    private ServiceConnection mConnection = new ServiceConnection() {
        public void onServiceConnected(ComponentName className, IBinder service) {
            mService = new Messenger(service);
            mBound = true;
        }
        ...
    };

    bindService(new Intent(...), mConnection, Context.BIND_AUTO_CREATE);

    // Binding is asynchronous: send only after onServiceConnected() has set mService
    Message msg = Message.obtain(null, MessengerService.MSG_SAY_HELLO, 0, 0);
    mService.send(msg);

16 of 21

Bound Services

  • This example only allows client → service communications

  • If the service needs to send back a message, the client needs to create a Messenger in the client.

  • Have fun: link
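
The two-way case described above, as an added example that is not part of the original slides: the client puts its own Messenger in msg.replyTo and the service answers through it, echoing msg.sendingUid so the caller's identity is visible. TwoWayMessenger, MSG_REPLY, the constant values and the handler class names are hypothetical.

```java
import android.os.Handler;
import android.os.Looper;
import android.os.Message;
import android.os.Messenger;
import android.os.RemoteException;

// Added example; TwoWayMessenger, MSG_REPLY and the handler class names are hypothetical.
final class TwoWayMessenger {
    static final int MSG_SAY_HELLO = 1;
    static final int MSG_REPLY = 2;

    /** Service side: onBind() returns new Messenger(new ServiceHandler()).getBinder(). */
    static class ServiceHandler extends Handler {
        ServiceHandler() { super(Looper.getMainLooper()); }

        @Override
        public void handleMessage(Message msg) {
            if (msg.what != MSG_SAY_HELLO || msg.replyTo == null) {
                return; // unknown request, or the client gave no reply channel
            }
            try {
                // replyTo is the client's Messenger; sendingUid is the caller's uid.
                msg.replyTo.send(Message.obtain(null, MSG_REPLY, msg.sendingUid, 0));
            } catch (RemoteException e) {
                // The client process is gone; there is nobody left to answer.
            }
        }
    }

    /** Client side: receives what the service sends back. */
    static class ClientHandler extends Handler {
        volatile int uidSeenByService = -1;
        ClientHandler() { super(Looper.getMainLooper()); }

        @Override
        public void handleMessage(Message msg) {
            if (msg.what == MSG_REPLY) {
                uidSeenByService = msg.arg1; // value echoed by the service
            }
        }
    }

    /** Call once onServiceConnected() has stored the service's Messenger. */
    static void sayHello(Messenger service, ClientHandler handler) throws RemoteException {
        Message msg = Message.obtain(null, MSG_SAY_HELLO, 0, 0);
        msg.replyTo = new Messenger(handler); // where the service should answer
        service.send(msg);
    }
}
```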

17 of 21

Broadcast Intents and Receivers

  • To send an intent around the system aka "broadcast"
    • sendBroadcast(intent)

  • Relevant broadcast receivers will be woken up

18 of 21

Broadcast Receiver "registration"

  • Via manifest + intent filter
    • Note: apps targeting API level > 26 can no longer do this!

  • At run-time (only for broadcast receivers!)

    MyReceiver customRec = new MyReceiver();
    IntentFilter intFil = new IntentFilter("com.some.action");
    registerReceiver(customRec, intFil);
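
Putting the pieces together (a started service that replies through a broadcast caught by a run-time registered receiver), as an added example that is not from the original slides. WorkService, CallerActivity and the "result" extra are hypothetical, and the code assumes the androidx.core library is available for ContextCompat.

```java
import android.app.Activity;
import android.app.Service;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.IBinder;
import androidx.core.content.ContextCompat;

// Added example: WorkService, CallerActivity and the "result" extra are hypothetical.
class WorkService extends Service {
    static final String ACTION_DONE = "com.some.action"; // action string from the slide

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        Intent reply = new Intent(ACTION_DONE);
        reply.putExtra("result", 42);
        // Without setPackage() every app with a receiver for ACTION_DONE gets the extras.
        reply.setPackage(getPackageName());
        sendBroadcast(reply);
        stopSelf(startId);
        return START_NOT_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) { return null; } // started, not bound
}

class CallerActivity extends Activity {
    private final BroadcastReceiver replyReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            int result = intent.getIntExtra("result", -1); // -1 when the extra is absent
            setTitle("Service replied: " + result);
        }
    };

    @Override
    protected void onStart() {
        super.onStart();
        // Run-time registration; NOT_EXPORTED rejects broadcasts sent by other apps.
        ContextCompat.registerReceiver(this, replyReceiver,
                new IntentFilter(WorkService.ACTION_DONE), ContextCompat.RECEIVER_NOT_EXPORTED);
        startService(new Intent(this, WorkService.class)); // explicit intent
    }

    @Override
    protected void onStop() {
        unregisterReceiver(replyReceiver);
        super.onStop();
    }
}
```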

19 of 21

More info on Bundles

  • That's how actual data is passed around via Intents

  • A Bundle is a wrapper around a key/value store
    • The key's type is String
    • The value's type can be any class that can be serialized
    • bundle.putString("flag", "hereismyflag");
    • bundle.putInt("num", 42);

20 of 21

More info on Bundles

  • Intent objects have a number of wrappers around the Bundle they contain

  • intent.putExtra("flag", "flagvalue");
  • intent.putExtra("num", 42);

  • intent.getExtras() ~> Bundle object

21 of 21

Which app can do what?

  • Example: which app can reply to a given implicit intent?

  • The PackageManager has all the answers

    PackageManager pm = context.getPackageManager();
    List<ResolveInfo> list = pm.queryIntentServices(implicitIntent, 0);
    ResolveInfo serviceInfo = list.get(0); // if any (check list.isEmpty() first)
    ComponentName component = new ComponentName(
            serviceInfo.serviceInfo.packageName,
            serviceInfo.serviceInfo.name);
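
The lookup above, extended into an added example (not from the original slides): it turns an implicit service intent into an explicit one only when exactly one service matches and that service lives in the package the caller expects. ExplicitIntents, toExplicitServiceIntent and the expectedPackage parameter are hypothetical names.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.content.pm.ServiceInfo;

import java.util.List;

/** Added example; ExplicitIntents and toExplicitServiceIntent are hypothetical names. */
public final class ExplicitIntents {

    private ExplicitIntents() {}

    /**
     * Resolves an implicit service intent and returns an explicit copy,
     * or null when the match is missing, ambiguous, or in an unexpected package.
     */
    public static Intent toExplicitServiceIntent(Context context,
                                                 Intent implicitIntent,
                                                 String expectedPackage) {
        PackageManager pm = context.getPackageManager();
        List<ResolveInfo> matches = pm.queryIntentServices(implicitIntent, 0);

        // No handler, or several apps claim the same action: refuse to guess.
        if (matches == null || matches.size() != 1) {
            return null;
        }

        ServiceInfo info = matches.get(0).serviceInfo;

        // Any installed app can declare a matching intent filter, so check
        // that the service really belongs to the package we intend to talk to.
        if (!expectedPackage.equals(info.packageName)) {
            return null;
        }

        // Copy the action and extras, then pin the target component.
        Intent explicit = new Intent(implicitIntent);
        explicit.setComponent(new ComponentName(info.packageName, info.name));
        return explicit;
    }
}
```

On Android 11 (API 30) and later the query result is filtered by package visibility, so the caller's manifest needs a matching <queries> entry for the target service to show up.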
