Android

Android Overview

  • Open-source OS based on Linux kernel, developed by Google
  • Designed for mobile devices (smartphones, tablets, TVs, wearables, IoT)
  • Provides middleware framework, runtime environment, application support
  • Development languages: Java, Kotlin, C/C++

System Architecture Layers

Linux Kernel (Base Layer)
  • Direct communication with hardware via drivers
  • Hardware abstraction, device drivers, power/memory/security management
  • Android-specific: Binder IPC driver for inter-process communication
  • Handles: security, memory, processes, networking, drivers (camera, display, Wi-Fi, Bluetooth, USB)
Hardware Abstraction Layer (HAL)
  • Sits above kernel
  • Provides standard interfaces/APIs between Android framework and hardware drivers
  • Translator between Java/Kotlin framework and C/C++ hardware drivers
  • Ensures apps don't need hardware-specific knowledge
Android Runtime & Native Libraries
  • Android Runtime (ART): executes apps; replaced the Dalvik VM from Android 5.0 onward
  • Uses JIT (Just-In-Time) and AOT (Ahead-Of-Time) compilation
  • Garbage collection, sandboxed process per app
  • Native C/C++ Libraries: SQLite, OpenGL ES, WebKit, SSL, Media Framework
Application Framework
  • High-level APIs and services for apps
  • Activity Manager: app lifecycles
  • Package Manager: installation, permissions
  • Resource Manager: layouts, strings, images
  • Notification Manager: system notifications
  • Location Manager: GPS
  • Telephony Manager: calls, SMS
  • View System: UI components
  • Content Providers: data sharing between apps
Applications Layer
  • System apps (Phone, Contacts, Camera)
  • User-installed apps
  • Built using Java/Kotlin, sometimes C/C++ for native parts

Application Components

  • Declared in AndroidManifest.xml
  • Connected by Intents (messaging objects for data/actions)
  • Activities: Single screen with UI, manages user interaction
  • Services: Runs in background without UI (music player, push notifications)
  • Broadcast Receivers: Respond to system-wide messages/events (low battery notifications, incoming SMS, Wi-Fi)
  • Content Providers: Manage and share data between apps (contacts, calendar)
WebView
  • Android component for displaying web content inside apps
  • Mini browser engine (Chromium-based) embedded in Android
  • Packaged as: Android System WebView
  • API: android.webkit.WebView
  • Can load remote webpages, local HTML/JS files
  • JavaScript Interfaces: bridge between app code and web code
  • Security risks: JavaScript injection, insecure URL loading, XSS, phishing, MITM attacks

File System Structure

  • / : Root Directory - Essential Folders:
  • /system : Core Android OS files (read-only)
    • /system/app : Pre-installed system apps
    • /system/framework : Android frameworks (.jar files)
    • /system/lib, /system/lib64 : Shared libraries (.so files)
    • /system/bin : Core binaries (sh, toolbox)
  • /vendor : Device-specific files (drivers, firmware, HAL)
  • /boot : Kernel + ramdisk
  • /recovery : Boot partition for system recovery
  • /data : User data (writable)
    • /data/app : Installed apps (APK files)
    • /data/data/<package_name> : App-specific data (databases, cache, prefs)
    • /data/dalvik-cache : Compiled code cache
  • /cache : Temporary data, OTA updates
  • /sdcard or /storage/emulated/0 : User files (media, downloads)
  • /dev : Device nodes for hardware
  • /proc : Runtime kernel/system info
  • /etc : Config files

Boot Process & Low-Level Components

Bootloader
  • First program on device power-on
  • Initializes hardware, verifies system integrity, loads OS kernel
  • Decides boot mode: Android OS, Recovery, or Fastboot/Download Mode
  • Locked: secure, stock firmware only
  • Unlocked: allows custom ROMs, kernels, recovery
Fastboot / Download Mode
  • Diagnostic and flashing interface before Android boots
  • Communicates via ADB/Fastboot commands
  • Allows: unlock/lock bootloader, flash system images, repair bricked device
  • Samsung uses Download Mode (Odin) instead
Recovery
  • Separate lightweight runtime on /recovery partition
  • Stock Recovery: limited, official only
  • Custom Recovery (TWRP): advanced flashing, backups, root access
  • System maintenance: factory reset, OTA updates, custom ROM flashing
Zygote
  • A special daemon process, started early by init, that serves as the parent of all app processes
  • Loads and initializes Android Runtime (ART/Dalvik), core libraries and system classes once, then forks for new apps
  • Without Zygote, every app would have to initialize the ART runtime itself, making launches slow and memory use high; with Zygote, a single preloaded runtime is forked for each new app, so launches are fast and the preloaded classes and libraries are shared between processes
  • Forking model: fast app launches, efficient memory use
  • Security: SELinux and sandboxing apply immediately on fork
BusyBox
  • Lightweight package with Unix/Linux utilities in single executable
  • Often called the "Swiss Army Knife of Embedded Linux"
  • Designed for systems with limited resources (Android, routers, IoT devices)
  • Android lacks many standard Linux utilities by default, but BusyBox fills the gap by providing a wide set of Linux commands in a compact form.
  • Combines many commands (ls, cat, grep, find, ifconfig) into one binary
  • Enables: advanced file operations (find, cp, mv), network utilities (ifconfig, netstat, ping), system admin commands (top, ps), custom shell scripts
  • Essential for rooting, custom ROMs, pentesting
  • Common in custom recoveries (TWRP) and rooted environments

Android Security Core

Android Verified Boot (AVB)
  • Ensures device boots only trusted software by verifying the integrity of each stage of the boot process
  • Evolution of dm-verity (introduced Android 4.4), standardized as AVB 2.0 in Android 7.0+
  • Root of Trust: starts with bootloader (signed by the device manufacturer)
  • Chain of Trust: each stage verifies the integrity and authenticity of the next stage using cryptographic signatures (bootloader -> kernel -> system -> vendor)
  • Rollback Protection: prevents downgrading to vulnerable OS versions
  • Prevents persistent malware, rootkits, system partition tampering
  • Modified blocks fail verification -> device refuses to boot or shows warning
DM-Verity (Device-Mapper Verity)
  • Kernel feature for verified boot (AVB implementation)
  • Block-level integrity checker for /system, /vendor partitions
  • Uses hash tree (Merkle tree) of cryptographic checksums in boot image
  • Each block checked against expected hash
  • Mismatch -> device refuses to boot (bootloop) or replaces block with zeros
    • On boot, the kernel initiates dm-verity, which verifies each block of the verified partition by hashing it and comparing it against a precomputed hash tree.
    • The root hash of that tree is signed by the manufacturer and verified during Verified Boot.
    • If corruption is detected, the device either fails to boot (boot loop) or replaces bad data with zeros (the device runs, but with corrupted or missing functionality).
  • Prevents: malware persistence, system file tampering, backdoors
  • Obstacle for root/custom ROMs: must disable dm-verity for modifications
  • Rooting with system modifications (e.g., SuperSU) breaks dm-verity by altering the verified partition, causing hash mismatches that lead to boot loops or zeroed data
  • Magisk achieves systemless root by keeping /system intact, modifying /boot
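The AVB chain (signed root hash, rollback index) and dm-verity's per-block checks described above, as an added toy model that is not AOSP or AVB code: the OEM signs the Merkle root together with a rollback index; the boot path refuses a bad signature, an older image or a tampered hash tree; and a single modified block is handed back as zeros while the rest of the partition still reads. The OEM key, block size and partition contents are constructed, and an HMAC stands in for the OEM's RSA signature.

```python
import hashlib
import hmac

BLOCK = 16  # constructed toy block size; production dm-verity uses 4 KiB blocks
OEM_KEY = b"constructed-oem-signing-key"  # HMAC stands in for the OEM's RSA signing key

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def root_of(leaves: list) -> bytes:
    """Fold leaf hashes pairwise up to the Merkle root (odd tail node is duplicated)."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def build_partition(data: bytes, rollback_index: int) -> tuple:
    """OEM side: split into blocks, store leaf hashes beside them, sign root + rollback index."""
    data += b"\x00" * (-len(data) % BLOCK)
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    leaves = [sha256(b) for b in blocks]
    root = root_of(leaves)
    payload = root + rollback_index.to_bytes(4, "big")
    vbmeta = {"root": root, "rollback_index": rollback_index,
              "sig": hmac.new(OEM_KEY, payload, "sha256").digest()}
    return {"blocks": blocks, "leaves": leaves}, vbmeta

def verified_boot(partition: dict, vbmeta: dict, device_min_index: int) -> dict:
    """Bootloader: signature, then rollback index. Kernel (dm-verity): tree root, then each block."""
    payload = vbmeta["root"] + vbmeta["rollback_index"].to_bytes(4, "big")
    expected = hmac.new(OEM_KEY, payload, "sha256").digest()
    if not hmac.compare_digest(vbmeta["sig"], expected):
        return {"state": "refused", "reason": "vbmeta signature invalid"}
    if vbmeta["rollback_index"] < device_min_index:
        return {"state": "refused", "reason": "rollback protection: image older than stored minimum"}
    if root_of(partition["leaves"]) != vbmeta["root"]:
        return {"state": "refused", "reason": "hash tree does not match signed root"}
    # Each block is hashed when read and compared with its leaf hash; a mismatching
    # block is handed to userspace as zeros (dm-verity's zero-on-corruption behaviour).
    out, corrupted = [], []
    for i, (blk, leaf) in enumerate(zip(partition["blocks"], partition["leaves"])):
        if sha256(blk) == leaf:
            out.append(blk)
        else:
            out.append(b"\x00" * BLOCK)
            corrupted.append(i)
    return {"state": "booted", "blocks": out, "corrupted": corrupted}
```

Modifying a block without the tree yields a booted device with that block zeroed; modifying the leaf hash as well changes the root, so the whole partition is rejected instead.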
SELinux (Security-Enhanced Linux)
  • Kernel-level security module, enforces Mandatory Access Control (MAC)
  • Introduced in Android 4.3 (2013) and default enforcing since Android 5.0 (2014)
  • Unlike traditional Linux Discretionary Access Control (DAC), where the owner of a resource decides who can access it, SELinux enforces centralized, mandatory rules that define exactly which processes can access which resources.
  • Every process, file, resource has security context (label)
  • Policies define allowed actions between contexts
  • Even root apps must respect SELinux policies (in enforcing mode)
  • Prevents root malware from complete takeover
  • Confines compromised apps within defined boundaries
  • Even if a process in the untrusted_app domain (a third-party app) is compromised, SELinux confines it, blocking access to sensitive areas such as /data/system/ and kernel memory
  • Modes: Permissive (logs violations), Enforcing (blocks violations)
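The contexts, policy boundaries and modes listed above show up in practice as the "avc: denied" lines SELinux writes to the kernel log (visible through logcat or dmesg). As an added example, not taken from the page or from AOSP, the parser below turns such lines into structured records (source domain, target type, object class, requested permissions) and marks whether the domain was enforcing (permissive=0, access blocked) or permissive (permissive=1, access allowed and only logged); the log lines and the hal_foo_default domain are constructed.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed AVC messages in the shape logcat/dmesg emit on Android; hal_foo_default is a made-up domain.
SAMPLE_LOG = """\
type=1400 audit(0.0:101): avc: denied { read } for pid=4321 comm="com.example.app" name="locksettings.db" dev="dm-0" ino=82 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:102): avc: denied { read write } for pid=4321 comm="com.example.app" name="mem" dev="tmpfs" ino=5 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:kmem_device:s0 tclass=chr_file permissive=0
type=1400 audit(0.0:103): avc: denied { getattr } for pid=777 comm="vendor_daemon" path="/data/system" scontext=u:r:hal_foo_default:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
W  some unrelated logcat line that the parser must ignore
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx: str) -> dict:
    """Split a label such as u:r:untrusted_app:s0:c512,c768 into user, role, type and MLS part."""
    user, role, typ, *mls = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "mls": ":".join(mls)}

def parse_avc(line: str) -> Optional[dict]:
    """Return a structured record for one AVC line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "source": parse_context(fields["scontext"])["type"],   # acting domain
        "target": parse_context(fields["tcontext"])["type"],   # object type
        "tclass": fields["tclass"],
        # permissive=0: the domain is enforcing and the access was blocked;
        # permissive=1: the domain is permissive, so the access went through and was only logged
        "blocked": fields.get("permissive") == "0",
        "comm": fields.get("comm"),
        "object": fields.get("name") or fields.get("path"),
    }

def summarize(log: str) -> dict:
    """Group denials by (source domain, target type, class) with the union of requested permissions."""
    groups = defaultdict(lambda: {"perms": set(), "blocked": False})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            key = (rec["source"], rec["target"], rec["tclass"])
            groups[key]["perms"].update(rec["perms"])
            groups[key]["blocked"] |= rec["blocked"]
    return {k: {"perms": sorted(v["perms"]), "blocked": v["blocked"]} for k, v in groups.items()}
```

A denial from an enforcing app domain against kmem_device or system_data_file is the confinement described above doing its job; a permissive=1 entry means the access succeeded and deserves review before the domain is switched to enforcing.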

Google Ecosystem

Google Mobile Services (GMS)
  • Proprietary Google apps & APIs on top of Android
  • Includes: Play Store, Play Services, Firebase, FCM, Play Integrity API, Maps, Gmail, YouTube

System Images & ROMs

Generic System Image (GSI)
  • Pure AOSP implementation for Project Treble devices (Android 8.0+)
  • A system image with unmodified AOSP code (no OEM customizations)
  • Used for: testing, pentesting, device validation

Root

Rooting
  • Gaining privileged (root/administrator) access to Android OS
  • Unlocks root user (superuser) account (UID 0)
  • Usually requires unlocked bootloader first
  • Root vs Bootloader Unlock: bootloader unlock allows flashing, root gives admin control
  • Allows: modify system files, remove bloatware, install custom ROMs/kernels, system access apps, performance tweaks
  • Risks: security vulnerabilities, malicious apps could gain full control, warranty void, OTA updates blocked, bricking, SafetyNet/Play Integrity fail
Root Binary (su)
  • Root account disabled by default in Android
  • No su binary in /system/bin or /system/xbin
  • Apps run sandboxed with own UID, managed by Zygote + SELinux
  • Rooting installs an su (switch user) binary on the system
  • su binary lets processes switch to UID 0 (root)
  • Superuser Manager (SuperSU/Magisk) intercepts su calls, prompts user for permission
Rooting Methods
System Modifying Root (Older):
  • Tools like SuperSU modified /system partition
  • Inserted su binary directly in system
  • Risks: permanently changed system, broke OTA updates, easily detected
Systemless Root - Magisk (Modern):
  • Modern systemless rooting framework by topjohnwu
  • Systemless Root: patches the boot image (boot.img) rather than /system, and loads root at boot
  • Provides: root access (su) and modules system
  • Magisk Modules: plugins for features (ad-block, theming, performance)
  • Zygisk: runs inside Zygote for finer control
  • DenyList: hide modifications/root from specific apps
  • Supports OTA updates, minimal system modification, and easy to undo
  • Steps: unlock bootloader -> extract boot.img -> patch with Magisk -> flash patched boot.img