BinderFilter is a Linux kernel message firewall for Android. It is written as a kernel driver that implements reading, blocking, and modifying Android IPC messages. Our BinderFilter kernel driver hooks Android Binder's kernel driver in /drivers/staging/android/binder.c.
Android's Binder IPC system completely mediates all inter-application messages, including requests by applications for private user data. We give users control and visibility over all such IPC messages, including dynamic permission blocking, with our open source BinderFilter project. This includes userland filtering, blocking, and logging of any IPC message in Android. Userland policy can be informed by the system's context, i.e. environmental data such as GPS location and wifi network, which addresses the current lack of native Android support for context-based security policies.
BinderFilter parses kernel IPC messages, which are often unencrypted and assumed by applications to be secure - as demonstrated here. These messages include Intents sent to system services, and Intents to start new activities. An example IPC message from the GPS system service is shown below.
{(0)@(29)(0)android.content.IIntentSender(0)(0)(0)(1)(0)(255)(255)(255)(255)(0)(0)(255)(255)(255)(255)(0)(0)(255)(255)(255)(255)(255)(255)(255)(255)(0)(0)(0)(0)(0)(0)(0)(0)(254)(255)(255)(255)(224)(4)(0)BNDL(3)(0)8(0)com.google.android.location.internal.EXTRA_LOCATION_LIST(0)(0)(11)(0)(1)(0)(4)(0)(25)(0)android.location.Location(0)(7)(0)network(0)(192)(191)(187)(145)T(1)(0)@(165)R(132)\(0)(177)(237)(254)(194)(60)(218)(69)(64)(121)(189)(234)(183)(101)(18)(82)(192)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(1)(0)u(19)(...}
The GPS coordinates of interest are re-cast below.
*(double*)({177,237,254,194,60,218,69,64}) = 43.704979
*(double*)({121,189,234,183,101,18,82,192}) = -72.287458
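The re-cast above can be reproduced directly from the dump notation. This is an added example, not BinderFilter's own code: `parse_dump` and `le_double` are hypothetical helper names. It assumes that parenthesized numbers in the dump are decimal byte values, that all other characters are literal ASCII bytes, and that the doubles are stored little-endian.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "(N)" = one byte of decimal value N; other chars are literal. -1 on error. */
int parse_dump(const char *s, uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (*s && n < cap) {
        if (*s == '(' && isdigit((unsigned char)s[1])) {
            char *end;
            unsigned long v = strtoul(s + 1, &end, 10);
            if (*end != ')' || v > 255)
                return -1;
            out[n++] = (uint8_t)v;
            s = end + 1;
        } else {
            out[n++] = (uint8_t)*s++;
        }
    }
    return *s ? -1 : (int)n;   /* leftover input means out was too small */
}

/* Little-endian IEEE-754 read; memcpy sidesteps *(double *) aliasing. */
int le_double(const uint8_t *buf, size_t len, size_t off, double *val)
{
    uint64_t bits = 0;
    if (off > len || len - off < sizeof bits)
        return -1;
    for (int i = 7; i >= 0; i--)
        bits = (bits << 8) | buf[off + i];
    memcpy(val, &bits, sizeof *val);
    return 0;
}

int main(void)
{
    /* The 16 coordinate bytes as they appear in the message dump above. */
    const char *frag = "(177)(237)(254)(194)(60)(218)(69)(64)"
                       "(121)(189)(234)(183)(101)(18)(82)(192)";
    uint8_t buf[64];
    double lat, lon;
    int n = parse_dump(frag, buf, sizeof buf);
    if (n < 16 || le_double(buf, n, 0, &lat) || le_double(buf, n, 8, &lon))
        return 1;
    printf("lat=%f lon=%f\n", lat, lon);
    return 0;
}
```

The notation is ambiguous for a literal `(` followed by digits, so the parser is only suitable for fragments like this one, not for round-tripping arbitrary messages.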
See the wiki for documentation. For the writeup and slides, see http://binderfilter.org/.
See https://github.com/dxwu/BinderFilter/wiki/Usage
Because we hook an existing Linux driver, BinderFilter requires recompiling the Linux source tree and flashing the new kernel onto an Android phone. We have tested and verified this method on a Google Nexus 7 (2013 - flo). For development setup, see the related documentation. To install the pre-compiled kernel image:
- Root your Android phone
- Enable USB debugging
- Unlock bootloader
- Download fastboot and adb
- Connect your phone to the laptop with USB debugging enabled
adb reboot bootloader
fastboot flash boot ./resources/kernel-image.img
- Press start
- Phone will reboot, then install picky apk (adb install picky.apk) or the command line tools.
This is a complex process. Please see "Compile linux kernel for android" in ./documentation/cross-compiling/cross_compiling.txt and https://github.com/dxwu/BinderFilter/wiki/Setup
Picky is the Android application that allows users to set firewall policy. See github.com/dxwu/Picky.
This project has been presented at Summercon 2016 and Shmoocon 2017.
This project started as a Senior Honors Thesis at Dartmouth College. Sergey Bratus advised and designed the project, and David Wu is the main contributor. Ionic Security has provided funding for testing phones and tablets.