TaintDroid is a research prototype and is provided "as is" without warranty or support of any kind, whether expressed or implied. The creators of TaintDroid make no guarantee and hold no responsibility for any damage, injury, loss of property, loss of data, loss of any and all resources, or any negative influence whatsoever that may result from any and all use of TaintDroid and associated materials. This includes but is not limited to the downloadable software and documentation available from this website. Negative consequences of your usage of TaintDroid and any associated materials are solely your problem and your responsibility.
Before you start:
We created a TaintDroid discussion group for those who are interested in building, installing and running TaintDroid. You may want to post related questions there if answers are not found on this webpage.
If you are looking for a previous release: TaintDroid for Android 2.1 or Android 2.3.
This guide assumes that you have:
- a development computer configured to build the Android source code (see source.android.com for details)
- a Nexus S or a Galaxy Nexus (or you can use the Android emulator)
- and an unlocked bootloader (refer to the "Unlocking the bootloader" section in the AOSP building guide. Please note that this will void your warranty.)
It is strongly recommended that you use the nandroid tool provided in a custom recovery firmware such as ClockWorkMod to back up your current system before flashing new images to your device.
Step 1: Get the Android source code
TaintDroid uses the "android-4.1.1_r6" tag of the Android source code. Follow the instructions on source.android.com for obtaining and building Android. Use the "-b android-4.1.1_r6" branch option for repo when checking out the source code.
If you are already familiar with getting and building the Android source code, the following commands summarize the steps:
% mkdir -p ~/tdroid/tdroid-4.1.1_r6
% cd ~/tdroid/tdroid-4.1.1_r6
% repo init -u https://android.googlesource.com/platform/manifest -b android-4.1.1_r6
% repo sync
... wait
Note: At this point, it is recommended that you build Android without any modifications. This will ensure that any build errors for your environment are resolved and are not confused with TaintDroid build errors. For example:
% . build/envsetup.sh
% lunch 1
% make -j4
... wait
% emulator
... ensure the build works
Step 2: Get the TaintDroid source code
Download the TaintDroid 4.1 local_manifest.xml and place it in ~/tdroid/tdroid-4.1.1_r6/.repo or copy and paste the following content into .repo/local_manifest.xml.
<manifest>
  <remote name="github" fetch="git://github.com" />
  <remove-project name="platform/dalvik"/>
  <project path="dalvik" remote="github" name="TaintDroid/android_platform_dalvik" revision="taintdroid-4.1.1_r6"/>
  <remove-project name="platform/libcore"/>
  <project path="libcore" remote="github" name="TaintDroid/android_platform_libcore" revision="taintdroid-4.1.1_r6"/>
  <remove-project name="platform/frameworks/base"/>
  <project path="frameworks/base" remote="github" name="TaintDroid/android_platform_frameworks_base" revision="taintdroid-4.1.1_r6"/>
  <remove-project name="platform/frameworks/native"/>
  <project path="frameworks/native" remote="github" name="TaintDroid/android_platform_frameworks_native" revision="taintdroid-4.1.1_r6"/>
  <remove-project name="platform/system/vold"/>
  <project path="system/vold" remote="github" name="TaintDroid/android_platform_system_vold" revision="taintdroid-4.1.1_r6"/>
  <remove-project name="platform/system/core"/>
  <project path="system/core" remote="github" name="TaintDroid/android_platform_system_core" revision="taintdroid-4.1.1_r6"/>
  <remove-project name="device/samsung/crespo"/>
  <project path="device/samsung/crespo" remote="github" name="TaintDroid/android_device_samsung_crespo" revision="taintdroid-4.1.1_r6"/>
  <remove-project name="device/samsung/tuna"/>
  <project path="device/samsung/tuna" remote="github" name="TaintDroid/android_device_samsung_tuna" revision="taintdroid-4.1.1_r6"/>
  <project path="packages/apps/TaintDroidNotify" remote="github" name="TaintDroid/android_platform_packages_apps_TaintDroidNotify" revision="taintdroid-4.1.1_r6"/>
</manifest>
Next, pull the source code and make sure we are working with the right version.
% cd ~/tdroid/tdroid-4.1.1_r6
% repo sync
% repo forall dalvik libcore frameworks/base frameworks/native system/vold system/core device/samsung/crespo device/samsung/tuna \
    packages/apps/TaintDroidNotify -c 'git checkout -b taintdroid-4.1.1_r6 --track github/taintdroid-4.1.1_r6 && git pull'
Step 3: Get proprietary binaries
Both the Nexus S and Galaxy Nexus require proprietary binaries not included in the AOSP release. Download the correct version of these files for your device: Nexus S, Nexus S 4G, Galaxy Nexus (GSM/HSPA+), or Galaxy Nexus (Verizon). Then extract the files in your source directory.
Step 3a (for Nexus S):
% cd ~/tdroid/tdroid-4.1.1_r6
% wget https://dl.google.com/dl/android/aosp/akm-crespo-jro03r-f3ebfd11.tgz
% tar -zxvf akm-crespo-jro03r-f3ebfd11.tgz
% ./extract-akm-crespo.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/broadcom-crespo-jro03r-66056a98.tgz
% tar -zxvf broadcom-crespo-jro03r-66056a98.tgz
% ./extract-broadcom-crespo.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/imgtec-crespo-jro03r-3d5b7fdf.tgz
% tar -zxvf imgtec-crespo-jro03r-3d5b7fdf.tgz
% ./extract-imgtec-crespo.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/nxp-crespo-jro03r-09e29a1a.tgz
% tar -zxvf nxp-crespo-jro03r-09e29a1a.tgz
% ./extract-nxp-crespo.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/samsung-crespo-jro03r-b1655da2.tgz
% tar -zxvf samsung-crespo-jro03r-b1655da2.tgz
% ./extract-samsung-crespo.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/widevine-crespo-jro03r-449f921c.tgz
% tar -zxvf widevine-crespo-jro03r-449f921c.tgz
% ./extract-widevine-crespo.sh # (view the license and then type "I ACCEPT")
Step 3b (for Galaxy Nexus (GSM/HSPA+)):
% cd ~/tdroid/tdroid-4.1.1_r6
% wget https://dl.google.com/dl/android/aosp/broadcom-maguro-jro03r-e25b131d.tgz
% tar -zxvf broadcom-maguro-jro03r-e25b131d.tgz
% ./extract-broadcom-maguro.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/imgtec-maguro-jro03r-c7f638f1.tgz
% tar -zxvf imgtec-maguro-jro03r-c7f638f1.tgz
% ./extract-imgtec-maguro.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/invensense-maguro-jro03r-1b803782.tgz
% tar -zxvf invensense-maguro-jro03r-1b803782.tgz
% ./extract-invensense-maguro.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/samsung-maguro-jro03r-2cd099ee.tgz
% tar -zxvf samsung-maguro-jro03r-2cd099ee.tgz
% ./extract-samsung-maguro.sh # (view the license and then type "I ACCEPT")
Step 3c (for Nexus S 4G):
% cd ~/tdroid/tdroid-4.1.1_r6
% wget https://dl.google.com/dl/android/aosp/akm-crespo4g-jro03r-68feb96f.tgz
% tar -zxvf akm-crespo4g-jro03r-68feb96f.tgz
% ./extract-akm-crespo4g.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/broadcom-crespo4g-jro03r-3268837f.tgz
% tar -zxvf broadcom-crespo4g-jro03r-3268837f.tgz
% ./extract-broadcom-crespo4g.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/imgtec-crespo4g-jro03r-b0114517.tgz
% tar -zxvf imgtec-crespo4g-jro03r-b0114517.tgz
% ./extract-imgtec-crespo4g.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/nxp-crespo4g-jro03r-4fe8447c.tgz
% tar -zxvf nxp-crespo4g-jro03r-4fe8447c.tgz
% ./extract-nxp-crespo4g.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/samsung-crespo4g-jro03r-839e8d9c.tgz
% tar -zxvf samsung-crespo4g-jro03r-839e8d9c.tgz
% ./extract-samsung-crespo4g.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/widevine-crespo4g-jro03r-06313185.tgz
% tar -zxvf widevine-crespo4g-jro03r-06313185.tgz
% ./extract-widevine-crespo4g.sh # (view the license and then type "I ACCEPT")
Step 3d (for Galaxy Nexus (Verizon)):
% cd ~/tdroid/tdroid-4.1.1_r6
% wget https://dl.google.com/dl/android/aosp/broadcom-toro-jro03r-1bf94b7c.tgz
% tar -zxvf broadcom-toro-jro03r-1bf94b7c.tgz
% ./extract-broadcom-toro.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/imgtec-toro-jro03r-3cb69577.tgz
% tar -zxvf imgtec-toro-jro03r-3cb69577.tgz
% ./extract-imgtec-toro.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/invensense-toro-jro03r-8f1588ba.tgz
% tar -zxvf invensense-toro-jro03r-8f1588ba.tgz
% ./extract-invensense-toro.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/samsung-toro-jro03r-c5fc800d.tgz
% tar -zxvf samsung-toro-jro03r-c5fc800d.tgz
% ./extract-samsung-toro.sh # (view the license and then type "I ACCEPT")
Step 4: Build TaintDroid
First, we need to create a buildspec.mk file and define some variables so that TaintDroid will build properly. There are various options that control different optimizations and logging inside of TaintDroid. The following contents should be sufficient unless you care to begin developing TaintDroid. Note that in the below configuration.
% cd ~/tdroid/tdroid-4.1.1_r6
% edit/create buildspec.mk
# Enable core taint tracking logic (always add this)
WITH_TAINT_TRACKING := true
# Enable taint tracking for ODEX files (always add this)
WITH_TAINT_ODEX := true
# Enable taint tracking in the "fast" (aka ASM) interpreter (recommended)
WITH_TAINT_FAST := true
# Enable additional output for tracking JNI usage (not recommended)
#TAINT_JNI_LOG := true
# Enable byte-granularity tracking for IPC parcels
#WITH_TAINT_BYTE_PARCEL := true
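A pre-build check for the configuration above, added here as an example (it is not part of TaintDroid or of the original guide). The helper names buildspec_value and check_buildspec are hypothetical, and the script assumes plain NAME := value assignments as in the guide's buildspec.mk; it fails when either flag marked "always add this" is missing, commented out, or overridden later in the file.

```shell
#!/bin/sh
# Added example, not TaintDroid code. Helper names are hypothetical.
# Assumes buildspec.mk holds simple "NAME := value" / "NAME = value" lines.

# Print the effective value of a make variable in a buildspec file.
# Commented-out assignments are ignored; the last live assignment wins,
# which is how make itself resolves repeated simple assignments.
buildspec_value() {
    # $1 = variable name, $2 = path to buildspec.mk
    awk -v name="$1" '
        /^[ \t]*#/ { next }                      # whole line is a comment
        {
            line = $0
            sub(/#.*/, "", line)                 # drop a trailing comment
            if (match(line, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*:?=/)) {
                lhs = substr(line, 1, RLENGTH)
                rhs = substr(line, RLENGTH + 1)
                gsub(/[ \t:=]/, "", lhs)
                gsub(/^[ \t]+|[ \t]+$/, "", rhs)
                if (lhs == name) val = rhs
            }
        }
        END { print val }
    ' "$2"
}

# Return 0 only if both flags the guide marks "always add this" are "true".
# Each problem is reported on stderr so a wrapper script can stop the build.
check_buildspec() {
    rc=0
    for flag in WITH_TAINT_TRACKING WITH_TAINT_ODEX; do
        v=$(buildspec_value "$flag" "$1")
        if [ "$v" != "true" ]; then
            echo "buildspec: $flag is '${v:-unset}', expected 'true'" >&2
            rc=1
        fi
    done
    return $rc
}

# When run with a path argument, check that file; otherwise only define helpers.
[ $# -eq 0 ] || check_buildspec "$1"
```

Run it as `sh check_buildspec.sh buildspec.mk` from the source root before `make`; a non-zero exit means the resulting image would be built without one of the two mandatory flags.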
Now we can build TaintDroid. For the "lunch" command, replace <target> with the correct value for your device: full_crespo-eng for Nexus S, full_crespo4g-eng for Nexus S 4G, full_maguro-eng for Galaxy Nexus (GSM/HSPA+), full_toro-eng for Galaxy Nexus (Verizon), or full-eng for the Android emulator.
% . build/envsetup.sh
% lunch <target> # (replace <target> with correct value for your device)
% make clean
% make -j4
Step 5: Flash the device
In order to flash new images, the phone must be connected to the development PC via USB and booted in fastboot mode. Start with the phone powered down, then hold down the "volume up" button (Nexus S) or both "volume up" and "volume down" buttons (Galaxy Nexus) and press the power button. If you have problems using fastboot to flash your device, please refer to the documentation at source.android.com.
If you have not already unlocked your bootloader, first issue the following command to unlock the bootloader:
% fastboot oem unlock
Then, follow the on-screen instructions on the phone to unlock the bootloader. Please note that this will void your warranty.
Before flashing images to your device, we reiterate our previous recommendation: It is strongly recommended that you use the nandroid tool provided in a custom recovery firmware such as ClockWorkMod to back up your current system before flashing new images to your device.
Next, flash the images that we have built. Replace <device> with the correct value for your device: crespo for Nexus S, crespo4g for Nexus S 4G, maguro for Galaxy Nexus (GSM/HSPA+), or toro for Galaxy Nexus (Verizon).
% cd out/target/product/<device> # (replace <device> with correct value for your device)
% fastboot flash boot boot.img
% fastboot flash system system.img
% fastboot flash userdata userdata.img
Step 6 (optional): Install Google apps
Due to licensing restrictions, we cannot distribute proprietary Google applications such as Gmail or the Android Market with the TaintDroid build. If you want to use these apps, you must install them separately from another web site. Installing these apps is optional; they are not required to use TaintDroid.
First, download the Google apps installer from a site such as CyanogenMod and save it on your SDcard.
http://einprogress.io/static/android/cm/gapps/gapps-jb-20120726-signed.zip
Next, flash your device with a custom recovery firmware which provides the ability to install .zip updates from an SDcard, for example ClockWorkMod.
Then boot the recovery firmware on the device by selecting "RECOVERY" from the boot menu, and install the Google apps by selecting "install zip from sdcard" then "choose zip from sdcard" then gapps-jb-20120726-signed.zip.
Step 7: Format the SDcard as ext4 (Nexus S only)
On the Nexus S, the SDcard partition needs to be formatted as ext4 for TaintDroid to track information across files stored to it. Connect the phone to a Linux computer and mount the SDcard by clicking the USB storage notification. Determine the /dev entry for the SDcard (/dev/sdb in our example, but may be different in your case). Use the mkfs.ext4 command to make the file system. The TaintDroid phone will automatically recognize the SDcard formatted as ext4. However, a Windows or Mac computer will not be able to read the SDcard contents.
For example, if the SDcard is attached as /dev/sdb:
% sudo umount /dev/sdb
% sudo mkfs.ext4 /dev/sdb
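A guard to run between the umount and mkfs.ext4 commands above, added here as an example and not part of the original guide. safe_to_format is a hypothetical helper that refuses a device that sysfs does not mark removable or that still has a mounted filesystem; it assumes a Linux host and that the phone's USB storage reports itself as removable media.

```shell
#!/bin/sh
# Added example, not from the TaintDroid guide. safe_to_format is hypothetical.
# Assumption: the phone's USB storage is exposed with removable=1 in sysfs.

# Return 0 only if the named whole-disk device (e.g. "sdb") is removable
# media and nothing on it is mounted any more.
# $2 (sysfs block directory) and $3 (mount table) can be overridden, which
# lets the check be exercised against constructed files.
safe_to_format() {
    dev=$1
    sys=${2:-/sys/block}
    mounts=${3:-/proc/mounts}

    # Only whole disks have an entry directly under /sys/block.
    if [ ! -r "$sys/$dev/removable" ]; then
        echo "refusing: $dev is not a known whole block device" >&2
        return 1
    fi
    # Internal disks report 0 here; formatting one would destroy host data.
    if [ "$(cat "$sys/$dev/removable")" != "1" ]; then
        echo "refusing: $dev is not removable media" >&2
        return 1
    fi
    # Prefix match covers /dev/sdb and partitions such as /dev/sdb1. It also
    # matches longer names with the same prefix, which only errs toward refusal.
    if awk -v d="/dev/$dev" 'index($1, d) == 1 { found = 1 }
                             END { exit !found }' "$mounts"; then
        echo "refusing: a filesystem on $dev is still mounted" >&2
        return 1
    fi
    return 0
}

# When run with a device name, report whether it passes the checks.
[ $# -eq 0 ] || safe_to_format "$1"
```

For example, `sh safe_to_format.sh sdb && sudo mkfs.ext4 /dev/sdb` formats only when both checks pass.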
Step 8: Obtain a kernel with YAFFS2 XATTR support (emulator only)
A custom kernel with XATTR support for the YAFFS2 filesystem is needed for file taint propagation in the emulator. Download the prebuilt kernel:
% cd ~
% wget http://www.appanalysis.org/files/kernel-goldfish-xattr-2.6.29
To boot the emulator with the custom kernel:
% cd ~
% emulator -kernel kernel-goldfish-xattr-2.6.29