1

I am planning to do an out-of-the-box analysis of Android apps. That is, I'll run the app in an Android QEMU emulator and do Virtual Machine Introspection (VMI) to monitor the behavior of the app. To this end, I have instrumented the QEMU emulator to monitor the Linux system calls and Binder IPC of the app.

However, I am not sure whether I'll be able to monitor the inter-process communication carried out using intents, as I am monitoring the low-level operations. Do intents talk to the binder driver, or do intents operate at the Java API level?

Onik
Maggie

2 Answers

2

Pretty much everything uses the binder driver. startActivity eventually leads us here:

```java
public ActivityResult execStartActivity(
    Context who, IBinder contextThread, IBinder token, Activity target,
    Intent intent, int requestCode) {
    IApplicationThread whoThread = (IApplicationThread) contextThread;
    if (mActivityMonitors != null) {
        synchronized (mSync) {
            final int N = mActivityMonitors.size();
            for (int i=0; i<N; i++) {
                final ActivityMonitor am = mActivityMonitors.get(i);
                if (am.match(who, null, intent)) {
                    am.mHits++;
                    if (am.isBlocking()) {
                        return requestCode >= 0 ? am.getResult() : null;
                    }
                    break;
                }
            }
        }
    }
    try {
        int result = ActivityManagerNative.getDefault()
            .startActivity(whoThread, intent,
                    intent.resolveTypeIfNeeded(who.getContentResolver()),
                    null, 0, token, target != null ? target.mEmbeddedID : null,
                    requestCode, false, false);
        checkStartActivityResult(result, intent);
    } catch (RemoteException e) {
    }
    return null;
}
```

As you can see, the Java layer passes two binder parameters to the native code that actually starts the activity. The native code will use these parameters to conduct IPC using the binder driver.

j__m
0

Yes, an Intent has to go through binder, for example in startActivity, startService and sendBroadcast.

For example, sendBroadcast in https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/ContextImpl.java calls broadcastIntent():

```java
@Override
public void sendBroadcast(Intent intent) {
    warnIfCallingFromSystemProcess();
    String resolvedType = intent.resolveTypeIfNeeded(getContentResolver());
    try {
        intent.prepareToLeaveProcess(this);
        ActivityManager.getService().broadcastIntent(
                mMainThread.getApplicationThread(), intent, resolvedType, null,
                Activity.RESULT_OK, null, null, null, AppOpsManager.OP_NONE, null, false, false,
                getUserId());
    } catch (RemoteException e) {
        throw e.rethrowFromSystemServer();
    }
}
```

In broadcastIntent() of ActivityManagerNative.java, it calls mRemote.transact() to bother the binder.

```java
public int broadcastIntent(IApplicationThread caller,
        Intent intent, String resolvedType, IIntentReceiver resultTo,
        int resultCode, String resultData, Bundle map,
        String requiredPermission, boolean serialized,
        boolean sticky, int userId) throws RemoteException
{
    Parcel data = Parcel.obtain();
    Parcel reply = Parcel.obtain();
    data.writeInterfaceToken(IActivityManager.descriptor);
    data.writeStrongBinder(caller != null ? caller.asBinder() : null);
    intent.writeToParcel(data, 0);
    data.writeString(resolvedType);
    data.writeStrongBinder(resultTo != null ? resultTo.asBinder() : null);
    data.writeInt(resultCode);
    data.writeString(resultData);
    data.writeBundle(map);
    data.writeString(requiredPermission);
    data.writeInt(serialized ? 1 : 0);
    data.writeInt(sticky ? 1 : 0);
    data.writeInt(userId);
    mRemote.transact(BROADCAST_INTENT_TRANSACTION, data, reply, 0);
    reply.readException();
    int res = reply.readInt();
    reply.recycle();
    data.recycle();
    return res;
}
```

Xiao-Feng Li