The CommonsBlog


Droidception

The question has popped up on Stack Overflow a few times: how the heck does Parallel Space do what it is doing?

Parallel Space allows the user to have N copies of your app, each with its own portion of internal storage. The user could then register as Foo in one copy and Bar in another, and use each copy of the app independently. This does not require Android for Work, Samsung KNOX, or any other hardware-supplied partitioning system – Parallel Space is just an ordinary Android app.

LBE Tech, the firm behind Parallel Space, has not said much about how they do it, other than it involves “MultiDroid, the first application virtualization engine on Android”. And I have never used Parallel Space personally, let alone attempted to examine it (though others have).

My guess is that this is a commercialization of Boxify, or at least an implementation of the same concept.


If somebody asked us what our Android apps run on, our initial response might be “ummmm… Android?”, as the answer seems obvious.

However, most apps do not really interact much with Android, the OS, directly.

When you get past all the Java, most things in Android eventually hit one of two things:

  • an IPC call using Binder, which covers everything from system services to starting activities

  • a native call to a JNI-style C/C++ library linked into our app, including many such calls that come from framework code

Boxify, in effect, proxies both of those through its own app.

The details are in the Boxify paper. In a nutshell, Boxify:

  • Forks a process

  • Loads your APK into that process

  • Replaces a lot of system service implementations, like ActivityManager and PackageManager, with its own implementations that route the IPC through Boxify

  • Uses “syscall hooking” to replace necessary system calls with others that, again, route through Boxify

  • Runs your tweaked-in-memory app (notably, nothing Boxify does requires modifying the APK itself)

So, for example, let’s think about disk I/O. Usually, we find out where to write by calling methods on Context or Environment. Those, in turn, wind up returning paths supplied by Boxify. When you try to open a FileInputStream or something, the Linux syscalls triggered by that I/O also route through Boxify, as it leverages android:isolatedProcess to carefully manage what capabilities the APK can actually perform, and so your app would not be able to write to disk otherwise.


Boxify, itself, was written as a proof of concept for running apps in dedicated sandboxes, particularly for “untrusted apps”, to use the authors’ term.

However, this sort of virtualization technique – Android apps running inside other Android apps, for an Inception-style experience – requires that you trust the virtualization engine. After all, by definition, it can see all I/O between the app and Android, as it proxies all of that I/O. It is a MITM attack on the app.

I have little doubt that such virtualization can be put to plenty of positive uses. At the same time, I sincerely hope that Google and independent security researchers examine any such virtualization app, to “trust, but verify”, to use the Reagan-era maxim.

However, this illustrates yet another way – on top of custom ROMs, emulators, and related tricks – where a user can arrange to run your app in an environment that the user controls more than they do a standard Android environment. That, on top of standard rooting techniques, further emphasizes that you cannot defend yourself from the user. DRM solutions and related techniques are difficult to secure when the user controls the entire environment around your app. Treating the user as the enemy might work for a majority of users, but those who might really be your enemy may well be able to work around whatever DRM-style protections you add. These protections resemble the Maginot Line: strong defenses against predictable attacks that may prove useless with a nimble adversary. IMHO, you are better served finding a business model that does not require you to treat the user as the enemy.


Need a speaker at your Android development meetup? Mark Murphy is available, in person in the Boston/Pittsburgh/DC triangle, or by remote anywhere in the world! Contact Mark for details!