SVMP: Secure Virtual Mobile Platform
Yu-Hsin Hung
Introduction
• https://svmp.github.io
• Configuration: x86 Android VMs on x86 server
• VM Platform: support KVM, VirtualBox, VMware…
• Cloud Controller: support OpenStack, Amazon EC2…
• Remote Protocol: WebRTC + SVMP Wire Protocol
• Client: Android/iOS app
• Storage (user data) is separated from VM
Components
• Client Application: an unprivileged Android/iOS application with a WebRTC peer connection and SVMP protocol messages, similar to clients for VNC and RDP
• SVMP Overseer: receives login requests, performs authentication, and manages VMs on the cloud
• SVMP Server: routes input messages from client connections to SVMP daemons running inside virtual devices
• SVMP daemon: primary entry point of client user input to the virtual device
• Virtual Device: Virtual Device Image (SVMP Gold Image) + User Data Volume
• Cloud Controller: support OpenStack, Amazon EC2…
Architecture
Virtual Device Structure
• The central SVMP daemon
• Touch-screen input injection
• Virtual sensors
• Location update pub/sub
• Notification and Intent forwarding and re-broadcast
• Virtual frame buffer, video encoding, and streaming
Virtual Device Structure
SVMP Wire Protocol
• SVMP/svmp-protocol-def repository
• Request: client->server
• Response: server->client
• JSON Payload: a type attribute and up to one optional attribute associated with that subtype, e.g. {"type":"ROTATIONINFO","rotationInfo":{"rotation":0}}
• Protocol Buffers: protocols are defined using "Protocol Buffers" - Google's data interchange format, and Java class definitions are generated by the protocol buffer compiler
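A strict parser for the JSON form described on this slide, as an added example (not code from the SVMP repositories): it enforces "one type plus at most one payload attribute that matches the type" before a message would reach a handler. Only the ROTATIONINFO/rotationInfo pair comes from the slide; the other attribute names, the size cap and the 0..3 rotation range (Android's Surface.ROTATION_* values) are assumptions.

```python
import json
from typing import Optional, Tuple

# type -> the single payload attribute it may carry.
# Only ROTATIONINFO/rotationInfo is on the slide; the rest are assumed names.
PAYLOAD_FOR_TYPE = {
    "ROTATIONINFO": "rotationInfo",
    "SCREENINFO": None,        # assumed: a request with no payload
    "TOUCHEVENT": "touch",     # assumed attribute name
    "SENSOREVENT": "sensor",   # assumed attribute name
}
MAX_MESSAGE_BYTES = 4096       # assumed cap on one message

class WireError(ValueError):
    """Raised for any message that does not fit the wire format."""

def parse_message(raw: bytes) -> Tuple[str, Optional[dict]]:
    if len(raw) > MAX_MESSAGE_BYTES:
        raise WireError("message too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers bad UTF-8 and bad JSON
        raise WireError("not valid UTF-8 JSON") from exc
    if not isinstance(msg, dict):
        raise WireError("top level must be an object")
    mtype = msg.get("type")
    if not isinstance(mtype, str) or mtype not in PAYLOAD_FOR_TYPE:
        raise WireError("unknown or missing type")
    # "up to one optional attribute": reject anything beyond type + one payload
    extras = [k for k in msg if k != "type"]
    if len(extras) > 1:
        raise WireError("more than one payload attribute")
    expected = PAYLOAD_FOR_TYPE[mtype]
    if extras and extras[0] != expected:
        raise WireError("payload attribute does not match type")
    payload = msg.get(expected) if expected else None
    if payload is not None and not isinstance(payload, dict):
        raise WireError("payload must be an object")
    if mtype == "ROTATIONINFO":
        rot = (payload or {}).get("rotation")
        # type() check rejects JSON true/false, which are ints in Python
        if type(rot) is not int or not 0 <= rot <= 3:
            raise WireError("rotation out of range")
    return mtype, payload
```
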
SVMP daemon
• SVMP/android_external_svmp_eventserver repository
• A user-level Android background service, launched when a BroadcastReceiver catches the BOOT_COMPLETED Intent
• EventServer: many handlers to handle different events (touch,
sensor, notification…)
• LogHandler: logcat message forwarding
• DatabaseHandler: GPS location service subscription
• WifiSpoofer: spoof that Wi-Fi connection is active
• details in next few pages…
SVMP daemon
• proxy socket: a Java server socket that listens for events from the client
• sensor socket: initialized in init.rc as /dev/socket/svmp_sensors
• Handlers:
• SensorHandler
• LocationHandler
• IntentHandler
• NotificationHandler
• KeyHandler
• ConfigHandler: only keyboard configurations
• LauncherHandler: for single app mode
Touch-screen injection
• EventServer.java
• SCREENINFO packet: sync screen resolution
• TOUCHEVENT packet: translate coordinates X, Y and inject by Android InputManager (native support)
• ROTATION_INFO packet: rotation info is injected by sending custom broadcast ROTATION_CHANGED_ACTION, received by modified framework
IntentHandler
• IntentHandler.java
• Android Intent: an abstract description of an operation to be performed
• Currently supports two kinds of intent forwarding
• outgoing call: forward ACTION_NEW_OUTGOING_CALL from server to client and dial using client's SIM card
• activity action: forward ACTION_VIEW from client to server and open URL inside the VM
LocationHandler
• LocationHandler.java
• Android natively supports mock locations
• Catch custom Intent LOCATION_SUBSCRIBE_ACTION (sent by modified framework) and forward location request to client
• Maintain location subscription in DatabaseHandler (single-shot or not)
• Inject client's GPS location to VM by spoofing test provider LocationManager.setTestProviderLocation()
NotificationHandler
• NotificationHandler.java
• Catch custom Intent INTERCEPT_NOTIFICATION_ACTION
• Use Java Reflection to extract text elements and icons from RemoteViews and forward notification to client
SensorHandler
• BaseServer.java
• SENSOREVENT packet: forwarded to /dev/socket/svmp_sensors socket
• Client keeps listening to all the available sensors
• Use delay time mechanism to prevent spammy sensor messages
• SVMP HAL module libsensors listens on the svmp_sensors socket, then processes the actual sensor events; the HAL interfaces are defined in AOSP hardware/sensors.h
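One way a delay-time mechanism like the one above can work, as an added example (not SVMP's own code): a per-sensor minimum interval, measured on the receiver's clock, that drops events arriving too soon after the last forwarded one. The class name, the interval values and the sample events are constructed for illustration; sensor types 1 and 4 are Android's TYPE_ACCELEROMETER and TYPE_GYROSCOPE.

```python
class SensorThrottle:
    """Forward at most one event per sensor type per minimum interval."""

    def __init__(self, min_interval_ms, default_ms=50):
        self.min_interval_ms = dict(min_interval_ms)  # sensor type -> ms
        self.default_ms = default_ms                  # for unlisted sensors
        self._last_sent = {}                          # sensor type -> ms
        self.dropped = 0

    def allow(self, sensor_type, now_ms):
        """now_ms is the receiver's monotonic clock, never a value taken
        from the message, so the sender cannot influence the rate."""
        interval = self.min_interval_ms.get(sensor_type, self.default_ms)
        last = self._last_sent.get(sensor_type)
        # 0 <= ... also lets an event through if the clock was reset
        if last is not None and 0 <= now_ms - last < interval:
            self.dropped += 1
            return False
        self._last_sent[sensor_type] = now_ms
        return True


def demo():
    # Constructed sample: (sensor_type, arrival time in ms)
    events = [(1, 0), (1, 5), (1, 20), (4, 21), (4, 30), (1, 41)]
    throttle = SensorThrottle({1: 20})   # accelerometer: 20 ms, others: 50 ms
    forwarded = [e for e in events if throttle.allow(e[0], e[1])]
    return forwarded, throttle.dropped


if __name__ == "__main__":
    print(demo())
```
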
Android client
• WebRTC: video & audio streaming
• Corresponding handlers to deal with SVMP daemon
• TouchHandler
• RotationHandler
• KeyHandler
• ConfigHandler
• NotificationHandler
• SensorHandler
• …
Android Framework modification
• InputManagerService.java
• Natively supports injecting key events (KeyHandler.java in SVMP daemon)
• Create a BroadcastReceiver to listen for a custom intent for the hard keyboard; attach two virtual keyboards when a hard keyboard is attached to the client
• NotificationManager.java
• Intercept a notification by preventing it from being enqueued and sending an INTERCEPT_NOTIFICATION broadcast, caught by the SVMP daemon
Android Framework modification
• WindowOrientationListener.java
• Create a BroadcastReceiver to listen for the custom ROTATION_CHANGED intent and inject the rotation info
• LocationManager.java
• Intercept location request and send a LOCATION_SUBSCRIBE_ACTION broadcast, caught by the SVMP daemon, then redirected to the client
Android System Core modification
• BatteryMonitor.cpp
• Battery injection
• Battery status is always charging
• Battery health is always good
• Battery level is always 100%
Android Device Driver
• Lots of things, still tracing…
• Virtual Frame Buffer
• VM writes frames to the VFB device instead of a real video device
• Android surfaceflinger library generates a VSYNC event when writing
• When a VSYNC event occurs, each frame is fed into the WebRTC subsystem
• Virtual Sensors: libsensors/sensors.cpp
• Re-implement the interface defined by AOSP