USENIX Association 2015 USENIX Annual Technical Conference 567
does not result in a crash. Alarms, services and broadcast
receivers all run asynchronously. Wakelock requests, on
the other hand, are synchronous and their denial will result
in a sleeping system when a waiting task is expected to run.
Still,thetaskisneveraborted,butrunsinchunkswhen
the system wakes up. Our method prevents the triggering
of unwanted events. When it is not possible, we abort the
event continuation at the earliest opportunity to reduce the
energy cost of the e vent payload.
To drive the implementation of our system, we establish
a few requisites and considerations:
Comprehensive support for events.
e control system
should be inclusive. While app-specic solutions are eec-
tive, they do not scale to other programs. e stage pipeline
should monitor and, if necessary, actuate on every event
instance. Particulars about a specied event should be con-
ned to its policy and not aect the controller. It is the
responsibility of the policy designer to dene a sane event
frequency, considering, perhaps, the context and the im-
pact of an event hijack. To implement an all-encompassing
monitor system, we target an OS-level solution.
Support for power-oblivious applications.
Users shoul d
not abstain from using their favorite apps even if they are
power hogs. Uninstal ling or suggesting alternative apps
for the same purp ose should not be acceptable. e system
should cope with the existence of ill-behaved apps and act
upon their misbehavior if directed by the policy designer.
Compatibility.
Many solutions that rely on deep sys-
tem introspection require extensive rewr ites of system
components [
11
,
14
,
6
] or even wr iting systems from
scr atch [
43
]. Although tempting, stray ing from the main-
line can severely limit the userbase, espe cially in the case of
consumer-oriented OSes. With that in mind, our solution
should exhibit high compatibility and keep a minimum
amount of changes to the underlying OS.
Eciency.
Mobile apps must cope with limited computa-
tional and energy resources. e control system should
avoid high computational overhead to prevent high battery
drain and system slowdown.
4.2 Implementation
To avoid reimplementing OS components to regulate event
handling, Tamer uses the Xposed framework [
42
] to en-
able system modications at runtime.
While requiring the device to be rooted, Xposed enables
deep system modications with no need to decompile ap-
plications nor ash the device
2
. Xpos ed intercepts Java
methods and temporarily diverts the execution ow to
function-hook callbacks for inspection and modication.
Developers dene these callbacks and compile them as sep-
arate modules. Function-call hooking happens by match-
ingthemethod’snameandsignatureofthedeclaredcall-
2
For brevity reasons, we refer readers to [41]foranexplanationonhow
such thing is p ossible.
back with the running code. Callb acks run on the context
of the intercepted application. Xposed allows for changing
the parameters of a method call, modifying its return value
or terminating it early. We leverage the hooking mecha-
nism to intercept function calls originating from or di-
rected at our events of interest. Finally, function hooks can
be distributed as separate programs in self-contained APK
les. ey are not bound to a specic Android version and
work wit hout changes on the majority of customized An-
droid releases, including those from Samsung, HTC, Sony,
LG, and the CyanogenMod open-source community [
10
].
Figure 4 shows how Tamer relates to the Android OS.
Tamer sits, along with Xposed, between user applications
and the Java-based application framework, which serves
as the foundation for the Android SDK. Events have direc-
tions, which helps us dene how to write the interception
payload. While service and wakelock calls originate from
appsandareforwardedtotheframework,alarmsand
broadcast receivers work in the opposite direction.
Tamer consists of a series of function hooks that inter-
pose on the background-processing interface and act as
a controller mechanism to enforce user-dened policies.
To implement Tamer’s event-canceling mechanism, we
leverage Xposed’s introspection API to explore, monitor,
intercept and modify public and pr ivate classes, methods
and members of the framework (Table 2). We used our
knowledge on the Android SDK aligned with t he source
code of Android’s framework stack to decide where to
place the instrumentation points that would constitute
our controller. We analyzed the source code stemming
from each event call on the SDK’s public interface. Model-
ing the relationships between subroutines as a call graph,
we considered each interface function as a leaf node. In
some occasions, we had to backtrack the call graph to nd
a proper instrumentation point. is was necessary for
three reasons: (1) the public interface did not oer enough
context to feed our monitoring system (e.g., missing re-
ceiver name, unclear caller-callee relationship, etc.); (2) in
the case of receiving events, it was better to interpose on a
call as early as possible to avoid unnecessary operat ions
beforeacancellation;(3)aneventcallmayhavemorethan
one function signature, therefore we lo oked for a converg-
ing function node. We found one exception to the last rule
when handling broadcast receivers. Applications can de-
clare receivers in two ways: statically via a
Manifest
le
or dynamically using the Android SDK API. Since the An-
droid framework keeps separate dat a structures for each
case, we had to instrument them separately.
Tamer’s interception can suppress wakeups due to ser-
vice invocations, wakelock acquires, and intent broadcasts.
Because of the way Android handles alarms, our imple-
mentation can only curtail the alarm’s callback payload.
e system will still periodically wake up according to the
alarm’s schedule, but will immediately return to sleep. Our