TaintDroid is a research prototype and is provided "as is" without warranty or support of any kind, whether expressed or implied. The creators of TaintDroid make no guarantee and hold no responsibility for any damage, injury, loss of property, loss of data, loss of any and all resources, or any negative influence what-so-ever that may result from any and all use of TaintDroid and associated materials. This includes but is not limited to the downloadable software and documentation available from this website. Negative consequences of your usage of TaintDroid and any associated materials are solely your problem and your responsibility.
Before you start:
We created a TaintDroid discussion group for those who are interested in building, installing and running TaintDroid. You may want to post related questions there if answers are not found on this webpage.
If you are looking for the previous release of TaintDroid based on Android 2.1, click here.
This guide assumes that you have:
- a development computer configured to build the Android source code (see source.android.com for details)
- a Nexus S or a Nexus One running Android 2.3
- and an unlocked bootloader (see guides for unlocking bootloader for Nexus S or Nexus One. Please note that this will void your warranty.)
It is strongly recommended that you use the nandroid tool provided in a custom recovery firmware such as ClockWorkMod (Nexus S or Nexus One) to back up your current system before flashing new images to your device.
Step 1: Get the Android source code
TaintDroid uses the "android-2.3.4_r1" tag of the Android source code. Follow the instructions on source.android.com for obtaining and building Android. Use the "-b android-2.3.4_r1" branch option for repo when checking out the source code.
If you are already familiar with getting and building the Android source code, the following commands summarize the steps:
% mkdir -p ~/tdroid/tdroid-2.3.4_r1
% cd ~/tdroid/tdroid-2.3.4_r1
% repo init -u https://android.googlesource.com/platform/manifest -b android-2.3.4_r1
% repo sync
... wait
Note: At this point, it is recommended that you build Android without any modifications. This will ensure that any build errors for your environment are resolved and are not confused with TaintDroid build errors. For example:
% . build/envsetup.sh
% lunch 1
% make -j4
... wait
% emulator
... ensure the build works
Step 2: Get the TaintDroid source code
Download the TaintDroid 2.3 local_manifest.xml and place it in ~/tdroid/tdroid-2.3.4_r1/.repo or copy and paste the following content into .repo/local_manifest.xml.
<manifest>
  <remote name="github" fetch="git://github.com" />
  <remove-project name="platform/dalvik"/>
  <project path="dalvik" remote="github" name="TaintDroid/android_platform_dalvik" revision="taintdroid-2.3.4_r1" />
  <remove-project name="platform/libcore"/>
  <project path="libcore" remote="github" name="TaintDroid/android_platform_libcore" revision="taintdroid-2.3.4_r1" />
  <remove-project name="platform/frameworks/base"/>
  <project path="frameworks/base" remote="github" name="TaintDroid/android_platform_frameworks_base" revision="taintdroid-2.3.4_r1" />
  <remove-project name="platform/system/vold"/>
  <project path="system/vold" remote="github" name="TaintDroid/android_platform_system_vold" revision="taintdroid-2.3.4_r1" />
  <remove-project name="device/samsung/crespo"/>
  <project path="device/samsung/crespo" remote="github" name="TaintDroid/android_device_samsung_crespo" revision="taintdroid-2.3.4_r1" />
</manifest>
Next, pull the source code and make sure we are working with the right version.
% cd ~/tdroid/tdroid-2.3.4_r1
% repo sync
% cd dalvik
% git branch --track taintdroid-2.3.4_r1 github/taintdroid-2.3.4_r1
% git checkout taintdroid-2.3.4_r1
% git pull # (just to be safe)
% cd ..
% cd libcore
% git branch --track taintdroid-2.3.4_r1 github/taintdroid-2.3.4_r1
% git checkout taintdroid-2.3.4_r1
% git pull # (just to be safe)
% cd ..
% cd frameworks/base
% git branch --track taintdroid-2.3.4_r1 github/taintdroid-2.3.4_r1
% git checkout taintdroid-2.3.4_r1
% git pull # (just to be safe)
% cd ../..
% cd system/vold
% git branch --track taintdroid-2.3.4_r1 github/taintdroid-2.3.4_r1
% git checkout taintdroid-2.3.4_r1
% git pull # (just to be safe)
% cd ../..
% cd device/samsung/crespo
% git branch --track taintdroid-2.3.4_r1 github/taintdroid-2.3.4_r1
% git checkout taintdroid-2.3.4_r1
% git pull # (just to be safe)
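The local manifest decides which repositories replace parts of AOSP, so it is worth checking mechanically before repo sync. The script below is an added example, not part of the TaintDroid distribution: it confirms that every removed project is replaced and pinned to taintdroid-2.3.4_r1, and flags the git:// remote, which is an unauthenticated and unencrypted transport. The function names are hypothetical, and the rule that a removed project's path is its name without the "platform/" prefix is an assumption that holds for the five projects listed above.

```shell
#!/bin/sh
# Added example, not TaintDroid project code: audit .repo/local_manifest.xml
# before `repo sync`. EXPECTED_REV is the revision this guide uses.
EXPECTED_REV="taintdroid-2.3.4_r1"

# attr NAME ELEMENT: print the value of NAME="..." from one XML element.
attr() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# audit_manifest FILE: print one OK/WARN/FAIL line per finding and
# return 1 if any FAIL was reported.
audit_manifest() {
    removed="" replaced="" rc=0
    # Flatten whitespace so single-line and pretty-printed XML both work.
    elements=$(tr '\n\t' '  ' < "$1" | grep -o '<[a-z-]* [^>]*>')
    while IFS= read -r el; do
        case "${el%% *}" in
        "<remote")
            case "$(attr fetch "$el")" in
            git://*|http://*)
                echo "WARN remote $(attr name "$el"): unauthenticated transport $(attr fetch "$el")" ;;
            esac ;;
        "<remove-project")
            # Assumption: path = name without the "platform/" prefix.
            name=$(attr name "$el")
            removed="$removed ${name#platform/}" ;;
        "<project")
            path=$(attr path "$el"); rev=$(attr revision "$el")
            replaced="$replaced $path"
            if [ "$rev" = "$EXPECTED_REV" ]; then
                echo "OK $path pinned to $rev"
            else
                echo "FAIL $path uses revision '$rev', expected $EXPECTED_REV"; rc=1
            fi ;;
        esac
    done <<EOF
$elements
EOF
    for p in $removed; do
        case " $replaced " in
        *" $p "*) ;;
        *) echo "FAIL $p removed from the build but never replaced"; rc=1 ;;
        esac
    done
    return $rc
}

if [ $# -gt 0 ]; then audit_manifest "$1"; fi
```

Run it as "sh audit_manifest.sh .repo/local_manifest.xml" (the script file name is arbitrary); a non-zero exit status means at least one FAIL line was printed.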
Step 3: Get proprietary binaries
Both the Nexus S and Nexus One require proprietary binaries not included in the AOSP release. For the Nexus S, these files can be downloaded from Google. For the Nexus One, they must be pulled from a Nexus One running a stock installation of Android 2.3.
Step 3a (for Nexus S):
% cd ~/tdroid/tdroid-2.3.4_r1
% wget https://dl.google.com/dl/android/aosp/broadcom-crespo-grj22-4c9cc3e2.tgz
% tar -zxvf broadcom-crespo-grj22-4c9cc3e2.tgz
% ./extract-broadcom-crespo.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/imgtec-crespo-grj22-f1fb16c7.tgz
% tar -zxvf imgtec-crespo-grj22-f1fb16c7.tgz
% ./extract-imgtec-crespo.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/nxp-crespo-grj22-f3474ea3.tgz
% tar -zxvf nxp-crespo-grj22-f3474ea3.tgz
% ./extract-nxp-crespo.sh # (view the license and then type "I ACCEPT")
...
% wget https://dl.google.com/dl/android/aosp/samsung-crespo-grj22-74ab249a.tgz
% tar -zxvf samsung-crespo-grj22-74ab249a.tgz
% ./extract-samsung-crespo.sh # (view the license and then type "I ACCEPT")
Step 3b (for Nexus One):
Use the extract-files.sh script to pull the files from a stock installation. With a Nexus One running Android 2.3 connected via USB, do:
% cd ~/tdroid/tdroid-2.3.4_r1/device/htc/passion
% ./extract-files.sh
Step 4: Build TaintDroid
First, we need to create a buildspec.mk file and define some variables so that TaintDroid will build properly. There are various options that control different optimizations and logging inside of TaintDroid. The following contents should be sufficient unless you care to begin developing TaintDroid. Note that in the below configuration.
% cd ~/tdroid/tdroid-2.3.4_r1
% edit/create buildspec.mk
# Enable core taint tracking logic (always add this)
WITH_TAINT_TRACKING := true
# Enable taint tracking for ODEX files (always add this)
WITH_TAINT_ODEX := true
# Enable taint tracking in the "fast" (aka ASM) interpreter (recommended)
WITH_TAINT_FAST := true
# Enable additional output for tracking JNI usage (not recommended)
#TAINT_JNI_LOG := true
Now we can build TaintDroid.
Step 4a (for Nexus S):
% . build/envsetup.sh
% lunch full_crespo-eng
% make clean
% make -j4
Step 4b (for Nexus One):
% . build/envsetup.sh
% lunch full_passion-eng
% make clean
% make -j4
Step 5: Flash the device
In order to flash new images, the phone must be connected to the development PC via USB and booted in fastboot mode. Start with the phone powered down, then hold down the "volume up" button (Nexus S) or trackball (Nexus One) while pressing the power button to turn on the phone. If you have problems using fastboot to flash your device, please refer to the documentation at source.android.com.
If you have not already unlocked your bootloader, first issue the following command to unlock the bootloader:
% fastboot oem unlock
Then, follow the on-screen instructions on the phone to unlock the bootloader. Please note that this will void your warranty.
Before flashing images to your device, we reiterate our previous recommendation: It is strongly recommended that you use the nandroid tool provided in a custom recovery firmware such as ClockWorkMod (Nexus S or Nexus One) to back up your current system before flashing new images to your device.
Next, flash the images that we have built:
Step 5a (for Nexus S):
% cd out/target/product/crespo
% fastboot flash boot boot.img
% fastboot flash system system.img
% fastboot flash userdata userdata.img
Step 5b (for Nexus One):
% cd out/target/product/passion
% fastboot flash boot boot.img
% fastboot flash system system.img
% fastboot flash userdata userdata.img
Additionally, if you want to test a kernel without flashing, you can do:
% fastboot boot boot.img
Step 6 (optional): Install Google apps
Due to licensing restrictions, we cannot distribute proprietary Google applications such as Gmail or the Android Market with the TaintDroid build. If you want to use these apps, you must install them separately from another web site. Installing these apps is optional; they are not required to use TaintDroid.
First, download the Google apps installer from a site such as CyanogenMod and save it on your SDcard.
Then boot the recovery firmware on the device by selecting "RECOVERY" from the boot menu, and install the Google apps by selecting "install zip from sdcard" then "choose zip from sdcard" then gapps-gb-20110613-signed.zip.
Step 7: Format the SDcard as ext2
The SDcard needs to be formatted as either ext2 or ext3 for TaintDroid to track information across files stored to it. Connect the phone to a Linux computer and mount the SDcard by clicking the USB storage notification. Determine the /dev entry for the SDcard (/dev/sdb in our example, but it may be different in your case). Use the mke2fs command to make the file system. The TaintDroid phone will automatically recognize the SDcard formatted as ext2/ext3. However, a Windows or Mac computer will not be able to read the SDcard contents.
For example, if the SDcard is attached as /dev/sdb:
% sudo umount /dev/sdb1
% sudo mke2fs /dev/sdb1
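mke2fs overwrites whatever file system is on the device it is given, so confirm the device node before running it. The check below is an added example, not part of the TaintDroid guide: it refuses a target unless the kernel marks its disk as removable and the partition is unmounted. It assumes sdX-style device names and that the phone's USB storage is reported as removable in sysfs; the function name and the SYSFS and MOUNTS variables are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the TaintDroid guide: pre-flight check for the
# mke2fs step. SYSFS and MOUNTS can be overridden to point at a constructed
# tree for testing.
SYSFS=${SYSFS:-/sys}
MOUNTS=${MOUNTS:-/proc/mounts}

# check_sd_target PARTITION: return 0 only if PARTITION (e.g. /dev/sdb1) is a
# partition of a disk flagged removable and is not currently mounted.
check_sd_target() {
    part=${1#/dev/}
    # sdb1 -> sdb (assumes sdX naming, as in the guide's example)
    disk=$(printf '%s\n' "$part" | sed 's/[0-9]*$//')
    flag="$SYSFS/block/$disk/removable"
    if [ ! -r "$flag" ]; then
        echo "refuse: no such disk $disk"; return 1
    fi
    if [ "$(cat "$flag")" != 1 ]; then
        echo "refuse: /dev/$disk is not removable (fixed disk?)"; return 1
    fi
    if [ ! -d "$SYSFS/block/$disk/$part" ]; then
        echo "refuse: /dev/$part is not a partition of $disk"; return 1
    fi
    if grep -q "^/dev/$part " "$MOUNTS"; then
        echo "refuse: /dev/$part is still mounted, umount it first"; return 1
    fi
    echo "ok: /dev/$part"
}

# Usage: sh check_sd.sh /dev/sdb1 && sudo mke2fs /dev/sdb1
if [ $# -gt 0 ]; then check_sd_target "$1"; fi
```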
Step 8: Install the TaintDroid UI
The TaintDroidNotify application enables TaintDroid to post notifications to the status bar. To install: boot the device, download the apk, then install using adb.
... boot device
% wget http://www.appanalysis.org/files/taintdroid_2.3/TaintDroidNotify.apk
% adb install TaintDroidNotify.apk
To enable notifications: on the device, tap the "TaintDroid Notify" icon, and then tap the button labeled "Start".