Dr. Ayoub Alsarhan
Faculty of Information Technology
The Hashemite University
[email protected]
© McGraw Hill, LLC 2
The evolution of Android
• In 2005, Google began investing in start-up companies that it expected to be profitable in the future. Android Inc., founded in 2003 by Andy Rubin, Rich Miner, Nick Sears, and Chris White, was one such company; Google acquired it in 2005, and the deal later turned out to be one of the best it ever made. During its first two years, Android Inc. operated in secrecy, describing itself only as a company making software for mobile phones. Rubin stayed on at Google to lead Android, an operating system that changed the way mobile handsets operate. With this acquisition, it was clear that Google was eyeing the mobile phone market.
The evolution of Android
• At Google, Rubin and his team developed a powerful and flexible operating system built on a Linux kernel. There was speculation everywhere about what Google was trying to do: some reported that Google was trying to incorporate search and other applications into mobile handsets, while others reported that Google was developing its own mobile handset.
The Android model
• To understand the forensic concepts of Android effectively, it helps to have a basic understanding of the Android architecture. Just like a computer, any computing system that interacts with the user and performs complicated tasks requires an operating system to handle those tasks effectively. The operating system (whether a desktop or a mobile phone operating system) is responsible for managing the resources of the system and for providing a way for applications to talk to the hardware in order to accomplish their tasks. Android is currently the most popular operating system for mobile devices.
The Android model
• As with any other platform, Android consists of a stack of layers running one above the other. To understand the Android ecosystem, it is essential to know what these layers are and what they do. The figure referenced on this slide summarizes the layers of the Android software stack; from the bottom up they are the Linux kernel, the hardware abstraction layer, the native libraries together with the Android runtime, the Java API framework, and the system and user applications. Each is described in the slides that follow.
The Linux kernel layer
• Android OS is built on top of the Linux kernel, with some architectural changes made by Google. There are several reasons for choosing the Linux kernel. Most importantly, Linux is portable and can be compiled for many different hardware platforms. The kernel acts as an abstraction layer between the software and the hardware present on the device. Consider the case of a camera click. What happens when you take a photo using the camera button on your device? At some point, the hardware event (pressing a button) has to be translated into software actions (taking a picture and storing it in the gallery). The kernel contains drivers that facilitate this process: when the user presses the button, the event goes to the corresponding camera driver in the kernel, which sends the necessary commands to the camera hardware, just as happens when a key is pressed on a keyboard.
The Linux kernel layer
• In simple words, the drivers in the kernel control the underlying hardware. As shown in the preceding figure, the kernel contains drivers for Wi-Fi, Bluetooth, USB, audio, display, and so on. The Linux kernel is also responsible for the core functionality of Android, such as process management, memory management, security, and networking. Linux is a proven platform when it comes to security and process management, and Android relies on it directly: each installed application is assigned its own Linux user ID, so the kernel's ordinary process and file permissions enforce the application sandbox. Android has leveraged the existing open source Linux OS to build a solid foundation for its ecosystem. Each Android release is paired with one or more supported Linux kernel versions, so the kernel version found on a device depends on both the Android version and the device vendor.
The Hardware Abstraction Layer
• The device's hardware capabilities are exposed to the higher-level Java framework through the Hardware Abstraction Layer (HAL). The HAL consists of several library modules, each of which implements an interface for a specific type of hardware component (camera, Bluetooth, sensors, and so on); when a framework API needs to access device hardware, Android loads the corresponding HAL module. This allows hardware vendors to implement functionality for their own components without changing the higher-level system.
Libraries
• The next layer in the Android architecture consists of Android's native libraries. These libraries are written in C or C++ and handle different kinds of data on behalf of the system and applications. For example, the SQLite library stores and retrieves application data in databases; the resulting .db files are one of the main sources of evidence in a forensic examination. Other libraries include the Media Framework, WebKit, Surface Manager, and SSL. The Media Framework provides playback and recording of common audio and video formats; WebKit is the rendering engine that displays web pages in the browser and in embedded WebViews; the Surface Manager composes the drawing surfaces of running applications onto the display; and the SSL library provides SSL/TLS for network connections. In the same layer we have the Android Runtime and its core libraries. The Android runtime is responsible for running applications on the device; here runtime means the execution environment (the virtual machine and core libraries an application runs inside), not a span of time.
Dalvik virtual machine
• Applications installed on an Android device are written mainly in the Java programming language (or, today, Kotlin), and may also contain native C/C++ code built with the NDK. When Java source is compiled, the result is bytecode rather than machine code, and a virtual machine is needed to execute it. Note the distinction between a system virtual machine, which emulates a whole computer so that, for example, Windows can run on a Mac or vice versa, and a process virtual machine such as the JVM, which executes the bytecode of a single program. The JVM executes standard Java bytecode; Android versions before 5.0, however, use a different process virtual machine, the Dalvik virtual machine (DVM), to run their applications.
Dalvik virtual machine
• VM runs Dalvik bytecode, which is Java bytecode converted by
the Dex compiler. Thus, the .class files are converted to dex files
using the dx tool. Dalvik bytecode, when compared with Java
bytecode, is more suitable for low-memory and low-processing
environments. Also, note that JVM's bytecode consists of one or
more .class file depending on the number of Java files that are
present in an application, but Dalvik bytecode is composed of
only one dex file. Each Android application runs its own
instance of DVM. This is a crucial aspect of Android security,
Android Forensic Setup and Pre-Data Extraction Techniques.
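As an added example (not part of the original slides), the following Python script parses the fixed 0x70-byte header of a .dex file and checks the fields an examiner would verify before trusting a recovered classes.dex: the magic and version, the endian tag, the declared file size, the Adler-32 checksum, and the SHA-1 signature. The header layout and the byte ranges covered by the checksum and signature follow the published DEX format; the sample DEX image produced by build_sample_dex() is constructed here (empty id tables plus a dummy data section) and is not bytecode from any real application.

```python
"""Parse and integrity-check the header of a DEX (Dalvik Executable) file.

Added example: header layout per the published DEX format (0x70-byte header,
little-endian fields). The sample image built below is constructed for
demonstration and is not real app bytecode.
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678
KNOWN_VERSIONS = {b"035", b"037", b"038", b"039"}

# magic(8) checksum(4) signature(20) followed by 20 little-endian uint32 fields
HEADER_STRUCT = struct.Struct("<8sI20s" + "I" * 20)
FIELD_NAMES = (
    "magic", "checksum", "signature",
    "file_size", "header_size", "endian_tag",
    "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(blob: bytes) -> dict:
    """Unpack the fixed-size DEX header into a name -> value dict."""
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    return dict(zip(FIELD_NAMES, HEADER_STRUCT.unpack_from(blob, 0)))


def verify_dex(blob: bytes) -> list:
    """Return a list of integrity problems; an empty list means the header is consistent."""
    hdr = parse_dex_header(blob)
    issues = []
    magic = hdr["magic"]
    if not (magic.startswith(b"dex\n") and magic.endswith(b"\x00")):
        issues.append("bad magic")
    elif magic[4:7] not in KNOWN_VERSIONS:
        issues.append("unknown dex version %r" % magic[4:7])
    if hdr["header_size"] != DEX_HEADER_SIZE:
        issues.append("unexpected header_size")
    if hdr["endian_tag"] != DEX_ENDIAN_TAG:
        issues.append("unexpected endian_tag")
    if hdr["file_size"] != len(blob):
        issues.append("file_size does not match actual length")
    # DEX format: the checksum covers everything after itself (offset 12 onward),
    # the signature covers everything after itself (offset 32 onward).
    if (zlib.adler32(blob[12:]) & 0xFFFFFFFF) != hdr["checksum"]:
        issues.append("adler32 checksum mismatch")
    if hashlib.sha1(blob[32:]).digest() != hdr["signature"]:
        issues.append("sha1 signature mismatch")
    return issues


def build_sample_dex(payload: bytes = bytes(range(64))) -> bytes:
    """Construct a minimal well-formed DEX image: a header followed by a data section.
    All id tables are empty; the constructed payload stands in for the data section."""
    file_size = DEX_HEADER_SIZE + len(payload)
    fields = [
        file_size, DEX_HEADER_SIZE, DEX_ENDIAN_TAG,
        0, 0, 0,                              # link_size, link_off, map_off
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   # empty string/type/proto/field/method/class tables
        len(payload), DEX_HEADER_SIZE,        # data_size, data_off
    ]
    blob = bytearray(HEADER_STRUCT.pack(b"dex\n035\x00", 0, b"\x00" * 20, *fields) + payload)
    # Fill the signature first: it lies inside the range the checksum covers.
    blob[12:32] = hashlib.sha1(blob[32:]).digest()
    struct.pack_into("<I", blob, 8, zlib.adler32(bytes(blob[12:])) & 0xFFFFFFFF)
    return bytes(blob)


def tamper(blob: bytes, offset: int, value: int) -> bytes:
    """Overwrite one byte, simulating a DEX modified without regenerating its header."""
    out = bytearray(blob)
    out[offset] = value
    return bytes(out)


if __name__ == "__main__":
    good = build_sample_dex()
    print("clean image:", verify_dex(good) or "OK")
    print("tampered image:", verify_dex(tamper(good, DEX_HEADER_SIZE + 8, 0xFF)))
```

A checksum or signature mismatch means the file was changed after dx produced it and the header was not regenerated, which is worth flagging in an examination. The converse does not hold: a DEX that was deliberately repacked by an attacker will carry a freshly computed, valid header, so these fields establish internal consistency, not authenticity. Authenticity comes from the APK signature, not from the DEX header.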
Android Runtime (ART)
• From Android 5.0 (Lollipop) onward, Dalvik was replaced by the Android Runtime (ART). As discussed previously, earlier versions of Android used Dalvik with trace-based just-in-time (JIT) compilation: frequently executed sequences of bytecode, called traces, are identified at run time and dynamically compiled to native machine code, and executing these traces natively provides a significant performance improvement. Unlike Dalvik, ART in Android 5.0 and 6.0 uses ahead-of-time (AOT) compilation, which compiles the entire application into native machine code when it is installed. This necessarily increases the install time (and storage footprint) of an application, which is why Android 7.0 and later moved ART to a hybrid model combining an interpreter, a JIT compiler, and profile-guided AOT compilation of only the frequently used code.
Android Runtime (ART)
• AOT compilation removes Dalvik's interpretation and trace-based JIT compilation from the run-time path, and thereby increases efficiency and reduces power consumption. ART uses a utility called dex2oat that accepts DEX files as input and generates a compiled executable for the target device. With ART, Dalvik's optimised DEX (.odex) files are replaced by OAT files, which are Executable and Linkable Format (ELF) executables produced by dex2oat and stored alongside the APK (still with an .odex extension); up to Android 7.x the OAT file also embeds the original DEX code, and from Android 8.0 that DEX code is kept in a companion .vdex file. An examiner should therefore collect these files together with the APK, since they hold the code that actually ran on the device.
The Java API framework layer
The application framework is the layer responsible for the basic functioning of a phone, such as resource management, handling calls, and so on. It is the layer that the applications installed on the device talk to directly, through the Java APIs. The following are some of the important blocks in the application framework layer:
• Telephony manager: This block manages voice calls and exposes telephony state to applications
• Content provider: This block manages the sharing of data between different applications. Because a content provider is an inter-process interface, one that is exported without a protecting permission exposes the owning application's data to every other application on the device
• Resource manager: This block helps manage the various resources (layouts, strings, images, and so on) used in applications.
The system apps layer
This is the topmost layer, with which the user interacts directly. There are two kinds of application: preinstalled applications and user-installed applications. Preinstalled applications, such as the dialer, web browser, contacts, and more, come with the device; they live on a read-only system partition, so the user cannot normally remove them.
User-installed applications can be downloaded from different places, such as the Google Play Store, Amazon Marketplace, and so on. Everything that you see on your phone (contacts, mail, camera, and so on) is an application.