TaintDroid is a research prototype and is provided "as is" without warranty or support of any kind, whether expressed or implied. The creators of TaintDroid make no guarantee and hold no responsibility for any damage, injury, loss of property, loss of data, loss of any and all resources, or any negative influence what-so-ever that may result from any and all use of TaintDroid and associated materials. This includes but is not limited to the downloadable software and documentation available from this website. Negative consequences of your usage of TaintDroid and any associated materials are solely your problem and your responsibility.
Bug Reports:
We set up an issue tracker for tracking and reporting bugs with TaintDroid. Please submit a bug report if you find a bug that has not already been reported.
Before you start:
We created a TaintDroid discussion group for those who are interested in building, installing and running TaintDroid. You may want to post related questions there if answers are not found on this webpage.
If you are looking for a previous release: TaintDroid for Android 2.1, Android 2.3, or Android 4.1.
This guide assumes that you have:
- a development computer configured to build the Android source code (see source.android.com for details)
- a Galaxy Nexus, Nexus 4, Nexus 7 (2012), or a Nexus 10 (or you can use the Android emulator)
- and an unlocked bootloader (refer to "Unlocking the bootloader" section in the AOSP building guide. Please note that this will void your warranty.)
It is strongly recommended that you use the nandroid tool provided in a custom recovery firmware such as ClockWorkMod to backup your current system before flashing new images to your device.
Step 1: Get the Android source code
TaintDroid uses the "android-4.3_r1" tag of the Android source code. Follow the instructions on source.android.com for obtaining and building Android. Use the "-b android-4.3_r1" branch option for repo when checking out the source code.
If you are already familiar with getting and building the Android source code, the following commands summarize the steps:
% mkdir -p ~/tdroid/tdroid-4.3_r1 % cd ~/tdroid/tdroid-4.3_r1 % repo init -u https://android.googlesource.com/platform/manifest -b android-4.3_r1 % repo sync ... wait
Note: At this point, it is recommended that you build Android without any modifications. This will ensure that any build errors for your environment are resolved and are not confused with TaintDroid build errors. For example:
% . build/envsetup.sh % lunch 1 % make -j4 ... wait % emulator ... ensure the build works
Step 2: Get the TaintDroid source code
Download the TaintDroid 4.3 local_manifest.xml and place it in ~/tdroid/tdroid-4.3_r1/.repo/local_manifests/ or copy and paste the following content into .repo/local_manifests/local_manifest.xml.
<manifest>
<remote name="github" fetch="git://github.com"/>
<remove-project name="platform/dalvik"/>
<project path="dalvik" remote="github" name="TaintDroid/android_platform_dalvik" revision="taintdroid-4.3_r1"/>
<remove-project name="platform/libcore"/>
<project path="libcore" remote="github" name="TaintDroid/android_platform_libcore" revision="taintdroid-4.3_r1"/>
<remove-project name="platform/frameworks/base"/>
<project path="frameworks/base" remote="github" name="TaintDroid/android_platform_frameworks_base" revision="taintdroid-4.3_r1"/>
<remove-project name="platform/frameworks/native"/>
<project path="frameworks/native" remote="github" name="TaintDroid/android_platform_frameworks_native" revision="taintdroid-4.3_r1"/>
<remove-project name="platform/frameworks/opt/telephony"/>
<project path="frameworks/opt/telephony" remote="github" name="TaintDroid/android_platform_frameworks_opt_telephony" revision="taintdroid-4.3_r1"/>
<remove-project name="platform/system/vold"/>
<project path="system/vold" remote="github" name="TaintDroid/android_platform_system_vold" revision="taintdroid-4.3_r1"/>
<remove-project name="platform/system/core"/>
<project path="system/core" remote="github" name="TaintDroid/android_platform_system_core" revision="taintdroid-4.3_r1"/>
<remove-project name="device/samsung/manta"/>
<project path="device/samsung/manta" remote="github" name="TaintDroid/device_samsung_manta" revision="taintdroid-4.3_r1"/>
<remove-project name="device/samsung/tuna"/>
<project path="device/samsung/tuna" remote="github" name="TaintDroid/android_device_samsung_tuna" revision="taintdroid-4.3_r1"/>
<project path="packages/apps/TaintDroidNotify" remote="github" name="TaintDroid/android_platform_packages_apps_TaintDroidNotify"
revision="taintdroid-4.3_r1"/>
</manifest>
Next, pull the source code and make sure we are working with the right version.
% cd ~/tdroid/tdroid-4.3_r1
% repo sync
% repo forall dalvik libcore frameworks/base frameworks/native frameworks/opt/telephony system/vold system/core device/samsung/manta device/samsung/tuna \
packages/apps/TaintDroidNotify -c 'git checkout -b taintdroid-4.3_r1 --track github/taintdroid-4.3_r1 && git pull'
Step 3: Get proprietary binaries
The Galaxy Nexus, Nexus 4, Nexus 7, and Nexus 10 require proprietary binaries not included in the AOSP release. Download the correct version of these files for your device: Galaxy Nexus (GSM/HSPA+), Galaxy Nexus (Verizon), Nexus 4, Nexus 7 (2012)(Mobile), Nexus 7 [2012](Wi-Fi), or Nexus 10 . Then extract the files in your source directory.Step 3a (for Galaxy Nexus [maguro] (GSM/HSPA+)):
% cd ~/tdroid/tdroid-4.3_r1 % wget https://dl.google.com/dl/android/aosp/broadcom-maguro-jwr66y-5fa7715b.tgz % tar -zxvf broadcom-maguro-jwr66y-5fa7715b.tgz % ./extract-broadcom-maguro.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/imgtec-maguro-jwr66y-b0a4a1ef.tgz % tar -zxvf imgtec-maguro-jwr66y-b0a4a1ef.tgz % ./extract-imgtec-maguro.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/invensense-maguro-jwr66y-e0d2e531.tgz % tar -zxvf invensense-maguro-jwr66y-e0d2e531.tgz % ./extract-invensense-maguro.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/nxp-maguro-jwr66y-d8ac2804.tgz % tar -zxvf nxp-maguro-jwr66y-d8ac2804.tgz % ./extract-nxp-maguro.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/samsung-maguro-jwr66y-fb8f93b6.tgz % tar -zxvf samsung-maguro-jwr66y-fb8f93b6.tgz % ./extract-samsung-maguro.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/widevine-maguro-jwr66y-c49927ce.tgz % tar -zxvf widevine-maguro-jwr66y-c49927ce.tgz % ./extract-widevine-maguro.sh # (view the license and then type "I ACCEPT")
Step 3b (for Galaxy Nexus [toro](Verizon)):
% cd ~/tdroid/tdroid-4.3_r1 % wget https://dl.google.com/dl/android/aosp/broadcom-toro-jwr66v-2c5665ea.tgz % tar -zxvf broadcom-toro-jwr66v-2c5665ea.tgz % ./extract-broadcom-toro.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/imgtec-toro-jwr66v-5059dce5.tgz % tar -zxvf imgtec-toro-jwr66v-5059dce5.tgz % ./extract-imgtec-toro.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/invensense-toro-jwr66v-4d5d5d12.tgz % tar -zxvf invensense-toro-jwr66v-4d5d5d12.tgz % ./extract-invensense-toro.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/nxp-toro-jwr66v-9bba5878.tgz % tar -zxvf nxp-toro-jwr66v-9bba5878.tgz % ./extract-nxp-toro.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/samsung-toro-jwr66v-43a2f7f0.tgz % tar -zxvf samsung-toro-jwr66v-43a2f7f0.tgz % ./extract-samsung-toro.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/widevine-toro-jwr66v-7d37828d.tgz % tar -zxvf widevine-toro-jwr66v-7d37828d.tgz % ./extract-widevine-toro.sh # (view the license and then type "I ACCEPT")
Step 3c (for Nexus 4 [mako]):
% cd ~/tdroid/tdroid-4.3_r1 % wget https://dl.google.com/dl/android/aosp/lge-mako-jwr66y-a85ca75e.tgz % tar -zxvf lge-mako-jwr66y-a85ca75e.tgz % ./extract-lge-mako.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/qcom-mako-jwr66y-a5becaf1.tgz % tar -zxvf qcom-mako-jwr66y-a5becaf1.tgz % ./extract-qcom-mako.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/broadcom-mako-jwr66y-137ef66d.tgz % tar -zxvf broadcom-mako-jwr66y-137ef66d.tgz % ./extract-broadcom-mako.sh # (view the license and then type "I ACCEPT")
Step 3d (for Nexus 7 [tilapia] (Mobile):
% cd ~/tdroid/tdroid-4.3_r1 % wget https://dl.google.com/dl/android/aosp/asus-tilapia-jwr66y-1671e4a8.tgz % tar -zxvf asus-tilapia-jwr66y-1671e4a8.tgz % ./extract-asus-tilapia.sh # (view the license and then type "I ACCEPT") ... % wget https://dl.google.com/dl/android/aosp/broadcom-tilapia-jwr66y-b1271a01.tgz % tar -zxvf broadcom-tilapia-jwr66y-b1271a01.tgz % ./extract-broadcom-tilapia.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/elan-tilapia-jwr66y-61ff5ff6.tgz % tar -zxvf elan-tilapia-jwr66y-61ff5ff6.tgz % ./extract-elan-tilapia.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/invensense-tilapia-jwr66y-62642635.tgz % tar -zxvf invensense-tilapia-jwr66y-62642635.tgz % ./extract-invensense-tilapia.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/nvidia-tilapia-jwr66y-b2aa4337.tgz % tar -zxvf nvidia-tilapia-jwr66y-b2aa4337.tgz % ./extract-nvidia-tilapia.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/nxp-tilapia-jwr66y-1ffb1bc2.tgz % tar -zxvf nxp-tilapia-jwr66y-1ffb1bc2.tgz % ./extract-nxp-tilapia.sh # (view the license and then type "I ACCEPT") ... %https://dl.google.com/dl/android/aosp/widevine-tilapia-jwr66y-777880cf.tgz % tar -zxvf widevine-tilapia-jwr66y-777880cf.tgz % ./extract-widevine-tilapia.sh # (view the license and then type "I ACCEPT")
Step 3e (for Nexus 7 [grouper] (Wi-Fi):
% cd ~/tdroid/tdroid-4.3_r1 % https://dl.google.com/dl/android/aosp/asus-grouper-jwr66y-d9ad928d.tgz % tar -zxvf asus-grouper-jwr66y-d9ad928d.tgz % ./extract-asus-grouper.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/broadcom-grouper-jwr66y-af694cc9.tgz % tar -zxvf broadcom-grouper-jwr66y-af694cc9.tgz % ./extract-broadcom-grouper.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/elan-grouper-jwr66y-2ece01e1.tgz % tar -zxvf elan-grouper-jwr66y-2ece01e1.tgz % ./extract-elan-grouper.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/invensense-grouper-jwr66y-f21f0c49.tgz % tar -zxvf invensense-grouper-jwr66y-f21f0c49.tgz % ./extract-invensense-grouper.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/nvidia-grouper-jwr66y-b3b0003e.tgz % tar -zxvf nvidia-grouper-jwr66y-b3b0003e.tgz % ./extract-nvidia-grouper.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/nxp-grouper-jwr66y-f5d295e4.tgz % tar -zxvf nxp-grouper-jwr66y-f5d295e4.tgz % ./extract-nxp-grouper.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/widevine-grouper-jwr66y-a0b9cafc.tgz % tar -zxvf widevine-grouper-jwr66y-a0b9cafc.tgz % ./extract-widevine-grouper.sh # (view the license and then type "I ACCEPT")
Step 3f (for Nexus 10 [manta]):
% cd ~/tdroid/tdroid-4.3_r1 % https://dl.google.com/dl/android/aosp/audience-manta-jwr66y-df20ff6a.tgz % tar -zxvf audience-manta-jwr66y-df20ff6a.tgz % ./extract-audience-manta.sh # (view the license and then type "I ACCEPT") ... % https://dl.google.com/dl/android/aosp/broadcom-manta-jwr66y-054e1061.tgz % tar -zxvf broadcom-manta-jwr66y-054e1061.tgz % ./extract-broadcom-manta.sh # (view the license and then type "I ACCEPT")
Step 4: Build TaintDroid
First, we need to create a buildspec.mk file and define some variables so that TaintDroid will build properly. There are various options that control different optimizations and logging inside of TaintDroid. The following contents should be sufficient unless you care to begin developing TaintDroid. Note that in the below configuration.
% cd ~/tdroid/tdroid-4.3_r1 % edit/create buildspec.mk # Enable core taint tracking logic (always add this) WITH_TAINT_TRACKING := true # Enable taint tracking for ODEX files (always add this) WITH_TAINT_ODEX := true # Enable taint tracking in the "fast" (aka ASM) interpreter (recommended) WITH_TAINT_FAST := true # Enable additional output for tracking JNI usage (not recommended) #TAINT_JNI_LOG := true # Enable byte-granularity tracking for IPC parcels WITH_TAINT_BYTE_PARCEL := true
Next, we need to add the TaintDroidNotify application to the build. Open build/target/product/core.mk and add TaintDroidNotify to the end of the PRODUCT_PACKAGES list.
PRODUCT_PACKAGES += \
BasicDreams \
...
voip-common \
TaintDroidNotify
Now we can build TaintDroid. For the "lunch" command, replace <target> with the correct value for your device: full_maguro-eng for Galaxy Nexus (GSM/HSPA+), full_toro-eng for Galaxy Nexus (Verizon), full_mako-eng for Nexus 4, full_tilapia-eng for Nexus 7 [2012] (Mobile), full_grouper-eng for Nexus 7 [2012] (Wi-Fi), full_manta-eng for Nexus 10, or full-eng for the Android emulator.
% . build/envsetup.sh % lunch <target> # (replace <target> with correct value for your device) % make clean % make -j4
Step 5: Flash the device
In order to flash new images, the phone must be connected to the development PC via USB and booted in fastboot mode. Start with the phone powered down, then hold down the "volume down" (Nexus 4, Nexus 7, Nexus 10), or both "volume up" and "volume down" buttons (Galaxy Nexus, Nexus 10), and press the power button. If you have problems using fastboot to flash your device, please refer to the documentation at source.android.com.
If you have not already unlocked your bootloader, first issue the following command to unlock the bootloader:
% fastboot oem unlock
Then, follow the on-screen instructions on the phone to unlock the bootloader. Please note that this will void your warranty.
Before flashing images to your device, we reiterate our previous recommendation: It is strongly recommended that you use the nandroid tool provided in a custom recovery firmware such as ClockWorkMod to backup your current system before flashing new images to your device.
Next, flash the images that we have built. Replace <device> with the correct value for your device: maguro for Galaxy Nexus (GSM/HSPA+), toro for Galaxy Nexus (Verizon), mako for Nexus 4, tilapia for Nexus 7 [2012] (Mobile), grouper for Nexus 7 [2012] (Wi-Fi), or manta for Nexus 10.
% cd out/target/product/<device> # (replace <device> with correct value for your device) % fastboot flash boot boot.img % fastboot flash system system.img % fastboot flash userdata userdata.img
Step 6 (optional): Install Google apps
Due to licensing restrictions, we cannot distribute proprietary Google applications such as Gmail or the Android Market with the TaintDroid build. If you want to use these apps, you must install them separately from another web site. Installing these apps is optional; they are not required to use TaintDroid.
First, download the Google apps installer from a site such as CyanogenMod (Link 1, Link 2, Link 3, Torrent) and save it on your SDcard.
http://goo.im/gapps/gapps-jb-20130813-signed.zip (Link 1) http://itvends.com/gapps/gapps-jb-20130813-signed.zip (Link 2) http://www.androidfilehost.com/?fid=23060877490000124 (Link 3) http://itvends.com/gapps/gapps-jb-20130813-signed.zip.torrent (Torrent)
Next, flash your device with a custom recovery firmware which provides the ability to install .zip updates from an SDcard, for example ClockWorkMod.
Then boot the recovery firmware on the device by selecting "RECOVERY" from the boot menu, and install the Google apps by selecting "install zip from sdcard" then "choose zip from sdcard" then gapps-jb-20120726-signed.zip.
Step 7: Obtain a kernel with YAFFS2 XATTR support (emulator only)
A custom kernel with XATTR support for the YAFFS2 filesystem is needed for file taint propagation in the emulator. Download the prebuilt kernel:
% cd ~ % wget http://www.appanalysis.org/files/kernel-goldfish-xattr-2.6.29
To boot the emulator with the custom kernel:
% cd ~ % emulator -kernel kernel-goldfish-xattr-2.6.29