Android Internals Deep Dive — Technical Course Syllabus

Target Audience: Developers, System Engineers, and Security Professionals
Methodology: 25% Focused Theory, 75% Code Investigation and Hands-on Labs
Note: The content and schedule in this syllabus serve as the foundation for the curriculum. Changes may occur based on the pace of the course.


Day 1: Android Architecture, Boot Process, and ROM Structure

Theory

AOSP vs GMS
Understanding the Android Open Source Project and its relationship to Google Mobile Services. How responsibility is distributed among device manufacturers.

The Android Stack
The layered architecture from Hardware and Kernel, through HAL and Native layers, up to the Java Framework and Applications.

The Boot Process
System boot overview with emphasis on the Zygote mechanism — the factory process that creates all app processes.

Android ROM Structure
Understanding the ROM partition layout and how partitions relate to each other:

  • boot.img — Kernel and initial ramdisk
  • system.img — The Android operating system
  • vendor.img — Hardware drivers and HAL implementations
  • vbmeta.img — Verified Boot metadata for partition integrity verification

Hands-on Labs

#  Lab                                   Duration   Description
1  Hardware Investigation                ~1h        Investigating how hardware is represented in userspace through the Device Tree exported under /sys/firmware/devicetree/base (also reachable as /proc/device-tree)
2  Init Process Analysis                 ~1.5-2h    Tracing init.rc files, understanding Triggers and Actions, identifying core services
3  ROM Extraction & Forensic Analysis    ~2h        Downloading a Factory Image, extracting the .img files, converting sparse images with simg2img (and unpacking super.img with lpunpack on dynamic-partition devices) so the partitions open in 7-Zip, then inspecting key system files
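The first thing Lab 3 runs into is that system.img and super.img in a factory image are not filesystems but Android sparse images, which 7-Zip cannot open until they are expanded. The following is an added example for this syllabus, not course material: a small C checker that validates a sparse image's header and chunk table (layout as in AOSP's libsparse sparse_format.h) and reports how large the raw partition will be after simg2img. The sample image it builds when run without arguments is constructed in code, not taken from a device.

```c
/* sparse_walk.c: validate and summarise an Android sparse image, the format
 * that system.img / super.img use inside factory images.  Added example for
 * this syllabus, not course material; layout mirrors
 * AOSP system/core/libsparse/sparse_format.h. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPARSE_HEADER_MAGIC  0xed26ff3au
#define CHUNK_TYPE_RAW       0xCAC1
#define CHUNK_TYPE_FILL      0xCAC2
#define CHUNK_TYPE_DONT_CARE 0xCAC3
#define CHUNK_TYPE_CRC32     0xCAC4

/* All fields are little-endian regardless of host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

struct sparse_summary {
    uint32_t blk_sz, total_blks, total_chunks;
    uint32_t raw_chunks, fill_chunks, dont_care_chunks, crc_chunks;
    uint64_t raw_bytes;       /* payload actually present in the file */
    uint64_t expanded_bytes;  /* size of the raw partition simg2img would produce */
};

/* 0 = valid sparse image, -1 = not sparse (hand it to 7-Zip / ext4 tools directly),
 * -2 = truncated or malformed (a bad download or a tampered image). */
int sparse_walk(const uint8_t *buf, size_t len, struct sparse_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < 28 || rd32(buf) != SPARSE_HEADER_MAGIC) return -1;
    uint16_t major = rd16(buf + 4), file_hdr_sz = rd16(buf + 8), chunk_hdr_sz = rd16(buf + 10);
    if (major != 1 || file_hdr_sz < 28 || chunk_hdr_sz < 12) return -2;
    out->blk_sz = rd32(buf + 12);
    out->total_blks = rd32(buf + 16);
    out->total_chunks = rd32(buf + 20);
    size_t off = file_hdr_sz;
    uint64_t blocks_seen = 0;
    for (uint32_t i = 0; i < out->total_chunks; i++) {
        if (off + chunk_hdr_sz > len) return -2;
        const uint8_t *ch = buf + off;
        uint16_t type = rd16(ch);
        uint32_t chunk_blocks = rd32(ch + 4);   /* output size in blocks */
        uint32_t total_sz = rd32(ch + 8);       /* header + payload bytes in the file */
        if (total_sz < chunk_hdr_sz || off + total_sz > len) return -2;
        uint64_t payload = total_sz - chunk_hdr_sz;
        switch (type) {
        case CHUNK_TYPE_RAW:        /* payload is the block data itself */
            if (payload != (uint64_t)chunk_blocks * out->blk_sz) return -2;
            out->raw_chunks++; out->raw_bytes += payload; break;
        case CHUNK_TYPE_FILL:       /* payload is one u32 repeated across chunk_blocks */
            if (payload != 4) return -2;
            out->fill_chunks++; break;
        case CHUNK_TYPE_DONT_CARE:  /* no payload: these blocks are skipped when flashing */
            if (payload != 0) return -2;
            out->dont_care_chunks++; break;
        case CHUNK_TYPE_CRC32:      /* payload is a running CRC and covers no blocks */
            if (payload != 4 || chunk_blocks != 0) return -2;
            out->crc_chunks++; break;
        default: return -2;
        }
        blocks_seen += chunk_blocks;
        off += total_sz;
    }
    if (blocks_seen != out->total_blks) return -2;
    out->expanded_bytes = (uint64_t)out->total_blks * out->blk_sz;
    return 0;
}

/* Constructed sample image: three 4096-byte blocks, one RAW, one FILL, one DONT_CARE. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t need = 28 + (12 + 4096) + (12 + 4) + 12;
    if (cap < need) return 0;
    memset(buf, 0, need);
    wr32(buf, SPARSE_HEADER_MAGIC); wr16(buf + 4, 1); wr16(buf + 6, 0);
    wr16(buf + 8, 28); wr16(buf + 10, 12);
    wr32(buf + 12, 4096); wr32(buf + 16, 3); wr32(buf + 20, 3); wr32(buf + 24, 0);
    uint8_t *c = buf + 28;
    wr16(c, CHUNK_TYPE_RAW); wr32(c + 4, 1); wr32(c + 8, 12 + 4096);
    memcpy(c + 12, "ANDROID!", 8);   /* pretend block 0 starts with the boot image magic */
    c += 12 + 4096;
    wr16(c, CHUNK_TYPE_FILL); wr32(c + 4, 1); wr32(c + 8, 16); wr32(c + 12, 0xdeadbeef);
    c += 16;
    wr16(c, CHUNK_TYPE_DONT_CARE); wr32(c + 4, 1); wr32(c + 8, 12);
    return need;
}

int main(int argc, char **argv)
{
    uint8_t *buf; size_t len;
    if (argc > 1) {                          /* ./sparse_walk system.img */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
        if (sz < 0 || !(buf = malloc((size_t)sz))) { fclose(f); return 1; }
        len = fread(buf, 1, (size_t)sz, f); fclose(f);
    } else {
        buf = malloc(1 << 16); len = buf ? build_sample_image(buf, 1 << 16) : 0;
    }
    struct sparse_summary s;
    int rc = sparse_walk(buf, len, &s);
    printf("rc=%d blk_sz=%u blocks=%u chunks=%u raw=%u fill=%u dont_care=%u crc=%u\n",
           rc, s.blk_sz, s.total_blks, s.total_chunks, s.raw_chunks, s.fill_chunks, s.dont_care_chunks, s.crc_chunks);
    printf("file payload %llu bytes -> raw partition %llu bytes\n",
           (unsigned long long)s.raw_bytes, (unsigned long long)s.expanded_bytes);
    free(buf);
    return rc == 0 ? 0 : 1;
}
```

Run it on the extracted system.img before reaching for 7-Zip: rc=-1 means the file is already a raw filesystem image, rc=0 tells you how much space simg2img will need, and rc=-2 means the download or the image itself is damaged and nothing built on top of it is trustworthy.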

Day 2: Into the System Core — Zygote, System Server, and Services

Theory

AOSP Walk-through
Navigating system directories (Bionic, System, Framework) and the Soong build system.

The Zygote Process
Understanding the fork() mechanism, ART VM runtime loading, and JNI registration.

System Server
Investigating Bootstrap, Core, and Optional services — with emphasis on the Activity Manager architecture.

The Boot Process in Detail
Analyzing the Bootloader, the loading of the kernel image (the compressed Image.gz built from vmlinux) from boot.img, and the Init mechanism. Understanding dm-verity (block-level verification of a partition against its hash tree) and Android Verified Boot (the signature chain from the bootloader through vbmeta to each verified partition).

Project Treble & Mainline
Framework-hardware separation through the vendor interface (Treble) and updatable system components delivered as Mainline modules, alongside full firmware OTA (Over-The-Air) updates.

Hands-on Labs

#  Lab                                   Duration   Description
1  Storage Architecture Investigation    ~45min     Using ADB to map system partitions and relate /dev/block device nodes (and their by-name symlinks) to mount points
2  Verified Boot & dm-verity             ~1h        Analyzing the Verified Boot structure, identifying the dm-verity configuration, inspecting vbmeta with avbtool info_image
3  Zygote Code Tracing                   ~1-1.5h    Following the Zygote code path through system components to app process creation
4  Activity Manager AOSP Digging         ~1-1.5h    Hands-on investigation of the Activity Manager: internal logic, code structure, and app process management

Day 3: The Technical Bridge — JNI, Reflection, and Binder

Theory

The Binder IPC Framework
Android's core IPC mechanism. The Binder Framework structure (Proxy, Stub, Parcel), the role of ServiceManager, and the connection to AIDL and system services.

JNI & NDK: The Bridge to Native
The mechanism enabling Java/Kotlin applications to call C/C++ code through JNI. Working with JNIEnv, memory management between ART and native code, and building .so libraries with the NDK.

Reflection: Dynamic Framework Access
Using Java Reflection for dynamic class loading, accessing private fields and methods, and invoking Android's Hidden APIs for system research and debugging.

AIDL: Defining IPC Interfaces
Using Android Interface Definition Language to create inter-process communication interfaces, including Stub/Proxy generation, Parcel data transfer, and operation over the Binder mechanism.

ART (Android Runtime)
Application execution process, AOT/JIT compilation, Zygote, memory management and Garbage Collection, and the impact on performance and security.

Hands-on Labs

#  Lab                                   Duration   Description
1  Hidden API Bypass (Reflection)        ~1-1.5h    Using Reflection to read hidden fields and attempt to invoke hidden ActivityManager methods without system permissions, observing how the non-SDK interface restrictions (Android 9 and later) reject or log the call, and why the permission check in the system service still applies even when the call goes through
2  SDK Bypass via Service Call           ~1-1.5h    Decoding AIDL files from the Android source code to recover transaction codes, then invoking system services directly from the shell with service call, bypassing the Java API layer
3  JNI Bridge & Native Access            ~1.5-2h    Writing a C++ component (using the NDK) that accesses system internal APIs, understanding the difference between in-process calls and cross-process Binder calls
4  End-to-End AIDL Lab                   ~1.5-2h    Building a communication infrastructure between two separate applications (Server & Client) and implementing an IPC interface for complex data transfer

Day 4: Flow Analysis and Code Research

Theory

Binder Internals — Kernel Driver & Transactions
Analyzing Android's IPC mechanism from Framework to Kernel: the Binder driver (/dev/binder), ServiceManager's role, and the Proxy/Stub model. Deconstructing Parcels and Binder objects (flat_binder_object) and how they cross process boundaries. Reviewing the transaction mechanism: the process talks to the driver through ioctl (BINDER_WRITE_READ), writing commands such as BC_TRANSACTION and BC_REPLY and reading back returns such as BR_TRANSACTION and BR_REPLY, with the kernel stamping every delivered transaction with the sender's PID and UID.
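To make the Day 3 Binder framework (Proxy, Stub, Parcel) and the kernel-level view above concrete, here is an added C example for this syllabus, not course material: it encodes the exact bytes a process hands to the driver for a BC_TRANSACTION and decodes a BR_TRANSACTION from a read buffer. The struct layouts and ioctl arithmetic mirror the kernel UAPI header linux/android/binder.h on the 64-bit ABI (the numbers it prints are the ones you see in strace on an arm64 device); the read buffer it parses is constructed in code, and the handle, PID and UID values in it are illustrative.

```c
/* binder_tx.c: build the byte stream a process writes to /dev/binder for a
 * BC_TRANSACTION and parse the BR_TRANSACTION the driver hands back.  Added
 * example for this syllabus, not course material.  Struct layouts and ioctl
 * arithmetic mirror the kernel UAPI header linux/android/binder.h on the
 * 64-bit ABI (sizeof binder_transaction_data == 64, binder_write_read == 48). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t binder_size_t;
typedef uint64_t binder_uintptr_t;

struct binder_transaction_data {
    union { uint32_t handle; binder_uintptr_t ptr; } target; /* handle when sending, our node ptr when receiving */
    binder_uintptr_t cookie;
    uint32_t code;         /* PING_TRANSACTION or an AIDL method index (FIRST_CALL_TRANSACTION + n) */
    uint32_t flags;        /* TF_ONE_WAY, TF_ACCEPT_FDS, ... */
    int32_t  sender_pid;   /* filled in by the kernel, never by the sender */
    uint32_t sender_euid;  /* likewise: this is what IPCThreadState::getCallingUid() returns */
    binder_size_t data_size;
    binder_size_t offsets_size;
    union { struct { binder_uintptr_t buffer, offsets; } ptr; uint8_t buf[8]; } data;
};

struct binder_write_read {
    binder_size_t write_size, write_consumed; binder_uintptr_t write_buffer;
    binder_size_t read_size,  read_consumed;  binder_uintptr_t read_buffer;
};

/* Same arithmetic as asm-generic/ioctl.h, so the numbers match strace output. */
#define IOC(dir, type, nr, size) (((uint32_t)(dir) << 30) | ((uint32_t)(size) << 16) | ((uint32_t)(type) << 8) | (uint32_t)(nr))
#define IOC_W 1u
#define IOC_R 2u
#define BINDER_WRITE_READ IOC(IOC_W | IOC_R, 'b', 1, sizeof(struct binder_write_read))
#define BC_TRANSACTION    IOC(IOC_W, 'c', 0, sizeof(struct binder_transaction_data))
#define BR_TRANSACTION    IOC(IOC_R, 'r', 2, sizeof(struct binder_transaction_data))
#define BR_REPLY          IOC(IOC_R, 'r', 3, sizeof(struct binder_transaction_data))
#define BR_NOOP           IOC(0, 'r', 12, 0)
#define TF_ONE_WAY        0x01u
#define PING_TRANSACTION  0x5f504e47u   /* B_PACK_CHARS('_','P','N','G') */
#define IOC_PAYLOAD(cmd)  (((cmd) >> 16) & 0x3fffu)   /* payload length baked into every command word */

/* Append one BC_TRANSACTION (command word + binder_transaction_data) to a write
 * buffer.  Returns bytes written, 0 if out is too small. */
size_t encode_bc_transaction(uint8_t *out, size_t cap, uint32_t handle, uint32_t code,
                             uint32_t flags, const void *parcel, size_t parcel_len,
                             const binder_size_t *offsets, size_t n_offsets)
{
    const uint32_t cmd = BC_TRANSACTION;
    struct binder_transaction_data tr;
    if (cap < sizeof cmd + sizeof tr) return 0;
    memset(&tr, 0, sizeof tr);
    tr.target.handle = handle;             /* 0 = the context manager (servicemanager) */
    tr.code = code;
    tr.flags = flags;
    tr.data_size = parcel_len;             /* marshalled Parcel bytes */
    tr.offsets_size = n_offsets * sizeof(binder_size_t); /* where flat_binder_objects sit inside it */
    tr.data.ptr.buffer = (binder_uintptr_t)(uintptr_t)parcel;   /* the driver copies from these */
    tr.data.ptr.offsets = (binder_uintptr_t)(uintptr_t)offsets;
    memcpy(out, &cmd, sizeof cmd);
    memcpy(out + sizeof cmd, &tr, sizeof tr);
    return sizeof cmd + sizeof tr;
}

/* Read the next command from a buffer the driver filled.  For BR_TRANSACTION
 * and BR_REPLY the transaction data is copied to *out; every other command is
 * skipped using the payload size encoded in its number.  Returns the command
 * word, 0 if the buffer is truncated. */
uint32_t decode_br(const uint8_t *buf, size_t len, struct binder_transaction_data *out, size_t *consumed)
{
    uint32_t cmd;
    *consumed = 0;
    if (len < sizeof cmd) return 0;
    memcpy(&cmd, buf, sizeof cmd);
    size_t need = sizeof cmd + IOC_PAYLOAD(cmd);
    if (len < need) return 0;
    if (cmd == BR_TRANSACTION || cmd == BR_REPLY) memcpy(out, buf + sizeof cmd, sizeof *out);
    *consumed = need;
    return cmd;
}

/* Constructed sample of a read buffer: a BR_NOOP, then a BR_TRANSACTION from an
 * app-UID caller (10123) pinging one of our binder nodes.  Values are illustrative. */
size_t build_sample_read_buffer(uint8_t *out, size_t cap)
{
    const uint32_t noop = BR_NOOP, br = BR_TRANSACTION;
    struct binder_transaction_data tr;
    if (cap < 2 * sizeof(uint32_t) + sizeof tr) return 0;
    memset(&tr, 0, sizeof tr);
    tr.target.ptr = 0x7f00deadbeefull;    /* the BBinder pointer registered for this node */
    tr.code = PING_TRANSACTION;
    tr.sender_pid = 4242;
    tr.sender_euid = 10123;               /* what a service must authorise on, not anything inside the parcel */
    memcpy(out, &noop, 4); memcpy(out + 4, &br, 4); memcpy(out + 8, &tr, sizeof tr);
    return 8 + sizeof tr;
}

int main(void)
{
    uint8_t wbuf[128], rbuf[128];
    struct binder_transaction_data tr;
    size_t used, off = 0;
    size_t n = encode_bc_transaction(wbuf, sizeof wbuf, 0, PING_TRANSACTION, 0, NULL, 0, NULL, 0);
    printf("BINDER_WRITE_READ=0x%08x BC_TRANSACTION=0x%08x BR_TRANSACTION=0x%08x\n",
           BINDER_WRITE_READ, BC_TRANSACTION, BR_TRANSACTION);
    printf("ping to handle 0 -> %zu bytes for bwr.write_buffer\n", n);
    /* On a device: open("/dev/binder", O_RDWR|O_CLOEXEC), mmap() a receive area, then
     * ioctl(fd, BINDER_WRITE_READ, &bwr) with wbuf as write_buffer and rbuf as read_buffer. */
    size_t rn = build_sample_read_buffer(rbuf, sizeof rbuf);
    while (off < rn) {
        uint32_t cmd = decode_br(rbuf + off, rn - off, &tr, &used);
        if (!cmd) break;
        if (cmd == BR_TRANSACTION)
            printf("BR_TRANSACTION code=0x%08x from pid=%d uid=%u\n", tr.code, tr.sender_pid, tr.sender_euid);
        else
            printf("cmd 0x%08x (%zu bytes)\n", cmd, used);
        off += used;
    }
    return 0;
}
```

The point to carry into the lab: sender_pid and sender_euid are written by the kernel on delivery, which is why a system service can trust Binder.getCallingUid() for permission checks while everything inside the Parcel (data_size bytes at data.ptr.buffer) is attacker-controlled input that must be validated.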

The GPS Full-Stack Flow
End-to-end data path analysis — from location sampling in the driver, through the AIDL-based HAL, JNI exposure, to data streaming to LocationManager in the Framework.

Android Kernel vs Linux Kernel
Reviewing the differences between a standard Linux kernel and Android's customized kernel: dedicated drivers (Binder, and historically Ashmem, which newer kernels replace with memfd), Power Management mechanisms (wakelocks), the /sys and /dev interfaces, and the changes made to support Android's application model and Sandbox.

Hands-on Labs

#  Lab                                   Duration   Description
1  Deep Binder Analysis                  ~2h        Analyzing Binder data packets in real time "under the hood," identifying Nodes and References, and tracing the Transaction Stack down to the kernel level
2  GPS Driver to Framework Integration   ~1.5-2h    Code digging in AOSP to locate the native functions responsible for opening drivers and communicating with the HAL in location systems
3  Full-Stack Development Lab            ~2h        Developing a native C++ component that accesses driver interfaces (through /dev or /sys), exposing it via JNI, and creating a complete value chain that bypasses the standard SDK to the application

Day 5: Security, SELinux, and Reverse Engineering

Theory

Android Sandbox & Multi-Layered Defense
Deep analysis of the App Sandbox and comparison to the classic Linux user model.

DAC vs MAC

  • Discretionary Access Control (DAC): the per-app UID/GID isolation assigned at install time, and the owner/group/mode bits on files and device nodes
  • Mandatory Access Control (MAC): deep dive into SELinux on Android (Enforcing vs Permissive), reading and writing policy, and understanding security contexts (user:role:type:level) of processes and files

Linux Capabilities
Splitting root's authority into discrete Capabilities so that system daemons run with only the bits they need, limiting what an attacker gains from compromising any one of them.

App Permissions
The Runtime Permissions mechanism, digital signatures (Signature-level permissions), and the connection to Package Manager Service.

Hands-on Labs

#  Lab                                   Duration   Description
1  The Permissions Detective             ~1-1.5h    Identifying access failures to system resources and diagnosing whether the block comes from DAC (file permissions), MAC (SELinux AVC denials), or a missing Capability
2  Process Inspection                    ~1-1.5h    Using ps -AZ and id to map SELinux security contexts, and /proc/<pid>/status (CapEff/CapBnd) to compare the Capabilities of core processes with those of third-party applications
3  The Ultimate Malware Hunt (Capstone)  ~2-2.5h    Static and dynamic analysis of a suspicious lab application using JEB and Frida, including identifying exposed components, Reflection and JNI usage, bypassing Root Detection for analysis, and tracing data flow from the application through system services to the exfiltration point
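The decision Lab 1 trains, and the capability masks Lab 2 reads, can be automated over the evidence you collect. The following is an added C example for this syllabus, not course material: it parses SELinux avc lines, applies the triage rule (an enforcing avc denial is the blocker regardless of errno; without one, EPERM points at a missing capability and EACCES at DAC bits; permissive=1 is audit-only and not the cause), and decodes the CapEff mask from /proc/<pid>/status into names (bit numbers from the kernel's linux/capability.h). The errno rule is a heuristic, and every sample line below is constructed, not captured from a device.

```c
/* denial_triage.c: decide which layer refused an access, from the evidence the
 * lab collects (logcat/dmesg avc lines, strace errno values, /proc/<pid>/status).
 * Added example for this syllabus, not course material; the sample lines below
 * are constructed, not captured from a device. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum denial { DENIAL_UNKNOWN, DENIAL_DAC, DENIAL_MAC, DENIAL_MAC_AUDIT_ONLY, DENIAL_CAP };

struct avc { char perm[32], scontext[96], tcontext[96], tclass[32]; int permissive; };

/* Copy the value of "key=value" (up to whitespace) out of an avc line. */
static int field(const char *line, const char *key, char *out, size_t cap)
{
    const char *p = strstr(line, key);
    if (!p) return 0;
    p += strlen(key);
    size_t n = strcspn(p, " \t\n");
    if (n >= cap) n = cap - 1;
    memcpy(out, p, n); out[n] = 0;
    return 1;
}

/* Parse "avc: denied { perm } for ... scontext=... tcontext=... tclass=... permissive=N". */
int parse_avc(const char *line, struct avc *a)
{
    const char *d = strstr(line, "avc:");
    memset(a, 0, sizeof *a);
    if (!d || !strstr(d, "denied")) return 0;
    const char *lb = strchr(d, '{');
    if (!lb || !strchr(lb, '}') || sscanf(lb + 1, " %31s", a->perm) != 1) return 0;
    if (!field(d, "scontext=", a->scontext, sizeof a->scontext) ||
        !field(d, "tcontext=", a->tcontext, sizeof a->tcontext) ||
        !field(d, "tclass=", a->tclass, sizeof a->tclass)) return 0;
    char p[4] = "0";
    field(d, "permissive=", p, sizeof p);
    a->permissive = p[0] == '1';
    return 1;
}

/* Triage rule (heuristic): an enforcing avc denial is the blocker whatever errno
 * says (SELinux file denials also surface as EACCES).  With no avc line, EPERM
 * points at a privileged operation (missing capability) and EACCES at the
 * object's DAC owner/mode bits.  permissive=1 means logged, not enforced. */
enum denial classify_denial(const char *line)
{
    struct avc a;
    if (parse_avc(line, &a)) return a.permissive ? DENIAL_MAC_AUDIT_ONLY : DENIAL_MAC;
    if (strstr(line, "EPERM")) return DENIAL_CAP;
    if (strstr(line, "EACCES")) return DENIAL_DAC;
    return DENIAL_UNKNOWN;
}

/* Bit numbers as in linux/capability.h. */
static const char *cap_table[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
    "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
    "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
    "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
    "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE" };

/* Pull the effective capability mask out of a /proc/<pid>/status dump. */
int parse_status_capeff(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "CapEff:");
    return p && sscanf(p + 7, " %" SCNx64, mask) == 1;
}

/* Expand a mask to comma-separated names; returns the number of bits set, -1 if out is too small. */
int cap_names(uint64_t mask, char *out, size_t cap)
{
    int count = 0; size_t used = 0;
    out[0] = 0;
    for (int bit = 0; bit < 64; bit++) {
        if (!((mask >> bit) & 1)) continue;
        char unk[16];
        const char *name = unk;
        if (bit < (int)(sizeof cap_table / sizeof cap_table[0])) name = cap_table[bit];
        else snprintf(unk, sizeof unk, "CAP_%d", bit);
        int n = snprintf(out + used, cap - used, "%s%s", count ? "," : "", name);
        if (n < 0 || (size_t)n >= cap - used) return -1;
        used += (size_t)n; count++;
    }
    return count;
}

/* Constructed samples in the formats the lab works with (not real device output). */
const char *SAMPLE_MAC = "type=1400 audit(0.0:42): avc: denied { read } for comm=\"com.example.app\" name=\"wlan0\" dev=\"sysfs\" ino=4711 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs_net:s0 tclass=file permissive=0";
const char *SAMPLE_PERMISSIVE = "avc: denied { net_admin } for comm=\"app_process\" capability=12 scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=capability permissive=1";
const char *SAMPLE_DAC = "openat(AT_FDCWD, \"/data/system/packages.xml\", O_RDONLY) = -1 EACCES (Permission denied)";
const char *SAMPLE_CAP = "setuid(0) = -1 EPERM (Operation not permitted)";
const char *SAMPLE_STATUS = "Name:\tnetd\nUid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000000\nCapPrm:\t0000000000003400\nCapEff:\t0000000000003400\nCapBnd:\t0000000000003400\n";

int main(void)
{
    static const char *verdict[] = { "unknown", "DAC (file owner/mode)", "MAC (SELinux, enforcing)",
                                     "MAC (SELinux, permissive: not the blocker)", "missing capability" };
    const char *lines[] = { SAMPLE_MAC, SAMPLE_PERMISSIVE, SAMPLE_DAC, SAMPLE_CAP };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-42s <- %.60s...\n", verdict[classify_denial(lines[i])], lines[i]);
    uint64_t m; char buf[512];
    if (parse_status_capeff(SAMPLE_STATUS, &m) && cap_names(m, buf, sizeof buf) >= 0)
        printf("CapEff 0x%" PRIx64 " = %s\n", m, buf);
    return 0;
}
```

On a device, feed it the avc lines from logcat or dmesg and the errno from strace -f on the failing process; if the verdict is MAC, the scontext/tcontext/tclass/perm it extracted are exactly the four things an allow rule would need, which is the check that tells you whether a policy change or a DAC/capability fix is the right remedy.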

Course Architecture

Day 1: WHAT'S INSIDE          Hardware, boot process, firmware image
         ↓
Day 2: HOW IT RUNS            Storage, boot security, process creation, system services
         ↓
Day 3: HOW IT COMMUNICATES    Reflection, Binder IPC, JNI, AIDL
         ↓
Day 4: GOING DEEPER           Kernel Binder, full HW stack, native device access
         ↓
Day 5: HOW IT'S PROTECTED     Permissions, SELinux, capabilities, reverse engineering

Each day builds on the previous. By Day 5, students understand every layer from silicon to APK — and can analyze, trace, and instrument at every level.


Course Statistics

Metric Value
Total labs 17
Investigation labs 9
Code tracing labs 3
Coding labs (Kotlin, C++, AIDL) 4
Capstone lab (JEB + Frida) 1
Android Studio projects 5 starter + 5 finished
Total hands-on time ~25 hours
Total theory time ~8 hours

© 2026 Eran Katsav & Syntax College. All rights reserved.