awesome-ocap

Android's Binder

Open dckc opened this issue 3 months ago • 2 comments

On Fri, Sep 26, 2025 at 11:57 AM Kenton Varda wrote:

... Android's Binder and Chrome's Mojo (foundational parts of these respective systems) are capability systems.

dckc, Oct 13 '25 22:10

at the platform level there is another important security model implemented on top of the binder infrastructure. This is the permission/uid-based system, where services can check the uid of incoming calls to verify them against their allowed permissions.

-- https://stackoverflow.com/a/10590957

dckc, Oct 14 '25 00:10

It seems that in cases such as Activities, Binder stuff is used to implement capability security.

But for app permissions, not so much. An LLM summarized it this way:


The Two-Step Security Model

The Android system treats the process of getting and using a service like a two-step authentication:

Step 1: Discovery (The Forgeable Part)

The client process asks the Service Manager for the Binder object.

  • Request: "Give me the Binder object for 'media.camera'."

  • Result: The Service Manager simply returns the object reference (the IBinder proxy) to any caller. This is intentional; it allows any app to try to use the service.

  • Forgeability Status: Forgeable. You can ask for any service name, and if it exists, you'll get the object. At this point, you have the capability reference, but no actual capability to invoke it.

Step 2: Enforcement (The Unforgeable Part)

The client now attempts to call a method on the Binder object (e.g., takePicture()). This is where the security check occurs.

  • Binder Driver Action: When the call hits the kernel, the Binder driver automatically attaches the caller's kernel-level, unforgeable PID/UID credentials to the transaction data.

  • Camera Service Action: The remote Camera Service (the server) receives the transaction, and before executing the method, it calls the enforcePermission() system API.

  • Security Check: The Camera Service asks the core Android security system: "Does the UID attached to this transaction have the android.permission.CAMERA permission?"

  • Unforgeability Status: Unforgeable. The UID is a kernel property of the calling process, assigned at app launch and cannot be manipulated by the unprivileged app.

In this model, the Binder object reference is not a security token; it's just a routing handle. The UID is the unforgeable security identity.

dckc, Oct 14 '25 01:10
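Added example, not part of the thread and not Android code: a small Python model of the lookup and enforcement steps described in the last comment, showing that both callers obtain the same handle and only the UID check separates them. The class and function names, the UIDs and the grant table are constructed for illustration.

```python
# Toy model of the lookup/enforcement split (constructed; not Android code).
from dataclasses import dataclass

CAMERA = "android.permission.CAMERA"

@dataclass(frozen=True)
class Process:
    name: str
    uid: int  # stands in for the kernel-assigned UID

class CameraService:
    """Server side: checks the UID attached to the call before acting."""
    def __init__(self, grants):
        self._grants = grants  # uid -> set of granted permission names

    def on_transact(self, calling_uid, method):
        if CAMERA not in self._grants.get(calling_uid, set()):
            raise PermissionError(f"uid {calling_uid} lacks {CAMERA}")
        return f"{method} ok"

class ServiceManager:
    """Step 1: returns the same handle to any caller that asks by name."""
    def __init__(self):
        self._services = {}

    def add_service(self, name, handle):
        self._services[name] = handle

    def get_service(self, name):
        return self._services[name]

def transact(caller, handle, method):
    """Stands in for the driver: the UID comes from the process, not the call."""
    return handle.on_transact(calling_uid=caller.uid, method=method)

def run_demo():
    granted = Process("camera_app", uid=10050)  # constructed UIDs
    ungranted = Process("other_app", uid=10051)
    sm = ServiceManager()
    sm.add_service("media.camera", CameraService({granted.uid: {CAMERA}}))
    results = {}
    for proc in (granted, ungranted):
        handle = sm.get_service("media.camera")  # lookup works for both
        try:
            results[proc.name] = transact(proc, handle, "takePicture")
        except PermissionError as exc:  # enforcement differs by UID
            results[proc.name] = f"denied: {exc}"
    return results

if __name__ == "__main__":
    print(run_demo())
```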