Section 36: Mobile Operating Systems
Purpose and Scope
Mobile operating systems run on devices that are simultaneously the most constrained (battery, thermal budget, limited RAM) and the most security-sensitive (full of biometric data, location, communications, payment credentials) computing platforms in widespread use. Android and iOS together run on over four billion active devices. This section covers Android's layered architecture from the Linux kernel through HAL, ART, Binder IPC, Zygote, and system services; iOS and XNU internals; the security models of both platforms (sandboxing, entitlements, code signing, Secure Enclave); mobile power management; the Android boot chain; OTA update systems; and mobile virtualization. Understanding mobile OS internals is essential for platform engineers, security researchers, and anyone building performance-critical applications.
Prerequisites
- Linux kernel fundamentals (Section 03, 04)
- Process management and IPC concepts (Section 07)
- Operating system security concepts (Section 26)
- Virtual memory fundamentals (Section 11)
- Java/Kotlin or Objective-C/Swift for application-level context
Learning Objectives
By the end of this section, you will be able to:
- Describe Android's full software stack from kernel to application framework
- Explain Binder IPC: how a transaction crosses from client process to server process at the driver level
- Explain how Zygote accelerates app launch and what it pre-forks
- Describe Android's security model: UID-per-app, SELinux policies, permission model
- Describe iOS/XNU architecture and the Mach message-passing foundation
- Explain iOS's security model: sandbox profiles, entitlements, code signing chain, Secure Enclave
- Describe how mobile power management (governors, device wakelock, Doze) interacts with applications
- Trace the Android verified boot chain from bootloader to system partition
Architecture Overview
Android Software Stack
+---------------------------------------------------------------+
| Applications |
| Calculator | Gmail | Maps | Camera | Third-party apps |
+---------------------------------------------------------------+
| Application Framework |
| ActivityManager | PackageManager | WindowManager |
| ContentProvider | TelephonyManager | LocationManager |
+---------------------------------------------------------------+
| Android Runtime (ART) | Native Libraries |
| DEX bytecode compilation | libc (Bionic) |
| AOT (dex2oat), JIT, PGO | libandroid_runtime |
| GC: Concurrent Copying | OpenGL ES / Vulkan |
| Class loading | SQLite, WebKit, OpenSSL |
+---------------------------------------------------------------+
| Hardware Abstraction Layer (HAL) |
| Camera HAL | Audio HAL | Sensor HAL | Bluetooth HAL |
| (HIDL / AIDL interfaces, run in separate HAL processes) |
+---------------------------------------------------------------+
| Linux Kernel (Android-specific patches) |
| Binder IPC driver | ION/DMA-BUF memory allocator |
| Wakelocks | Low-Memory Killer (LMK) |
| Ashmem (shared mem)| FUSE overlay (sdcardfs) |
| SELinux | eBPF for network/power accounting |
+---------------------------------------------------------------+
Binder IPC Mechanism
Client Process Server Process (System Service)
+------------------+ +------------------+
| App calls | | ActivityManager |
| startActivity() | | handles request |
| | | | ^ |
| Java Proxy | | Java Stub |
| | | | | |
| Binder Proxy | | Binder Stub |
| | | | | |
+--+--+------------+ +-------+----------+
| ^
| ioctl(binder_fd, BINDER_WRITE_READ) |
v |
+-----------+ Binder Driver |
| /dev/ | (kernel module) |
| binder |--->copies transaction data |
| | to target's buffer |
| |--->wakes target thread |
+-----------+ (thread pool) |
+-- ioctl returns with data
Key: only ONE copy of transaction data (kernel copies from
client's buffer to server's mapped memory region via mmap).
Most IPC mechanisms require TWO copies.
Binder transaction components:
- Transaction code (method ID)
- Marshalled arguments (Parcel)
- File descriptors (passed by reference, not copy)
- Binder tokens (capability references, unforgeable)
Zygote Process Model
Boot:
init -> zygote64 (preloads 40MB of framework classes/resources)
-> system_server (all system services: AMS, PMS, WMS...)
App Launch:
ActivityManagerService decides to launch com.example.app
|
v (socket connection to Zygote)
Zygote.fork() -> child process
|
v (in child)
Set UID/GID to app's UID (e.g., 10234)
Apply SELinux domain
Load app's APK classes on top of pre-loaded framework
Call Application.onCreate() -> Activity.onCreate()
Benefit: fork() copies Zygote's address space with COW.
Pre-loaded classes/resources shared as read-only pages.
App cold start ~100-300ms instead of ~1-2s without Zygote.
iOS / XNU Architecture
iOS Software Stack:
+---------------------------------------------------------------+
| Applications (App Sandbox) |
+---------------------------------------------------------------+
| Cocoa Touch / UIKit / SwiftUI |
+---------------------------------------------------------------+
| Core Services: CoreData, CoreLocation, CloudKit |
| Core OS: Security, CFNetwork, IOKit |
+---------------------------------------------------------------+
| XNU Kernel |
| +------------------+ +------------------+ |
| | Mach Microkernel| | BSD (FreeBSD) | |
| | IPC messages | | POSIX API | |
| | VM management | | VFS | |
| | Task/thread | | Networking | |
| +------------------+ +------------------+ |
| IOKit (C++ device driver framework) |
+---------------------------------------------------------------+
| Hardware (Apple Silicon: M-series, A-series) |
| Secure Enclave Processor (SEP) | Neural Engine |
+---------------------------------------------------------------+
Android Verified Boot Chain
Power On
|
v
+----+------+
| Bootloader| Immutable (BootROM)
| (BootROM) | Verifies next stage signature
+----+------+
| (verify)
v
+----+------+
| Bootloader| ABL (Android Bootloader) / LK / U-Boot
| Stage 2 | Verifies boot partition dm-verity root hash
+----+------+
| (verify kernel + ramdisk)
v
+----+------+
| Kernel | Loaded and verified
| + init | dm-verity enabled for system partition
+----+------+
| (runtime verification via dm-verity)
v
+----+------+
| /system | Block-level integrity check on every read
| /vendor | Hash tree in separate partition
+----------+
Compromise at any level: device shows "orange" or "red" boot state
avbtool (Android Verified Boot 2.0) manages signing
Key Concepts
- Binder: Android's custom IPC mechanism, implemented as a kernel driver. Passes messages between processes with a single kernel copy (vs two for pipe/socket). Provides object references, file descriptor passing, and identity (UID/PID visible to server). The backbone of all Android service calls.
- Zygote: A pre-forked "template" process that has already loaded the Android framework classes. All apps are forked from Zygote, inheriting its mapped pages copy-on-write. Dramatically reduces app startup time and memory usage through shared page frames.
- ART (Android Runtime): Replaced Dalvik in Android 5.0. Compiles DEX bytecode to native code via dex2oat (AOT), JIT (profiling-guided), and profile-guided optimization (PGO). Uses concurrent copying garbage collector. Apps ship as DEX, compiled to OAT on device.
- HAL (Hardware Abstraction Layer): HIDL/AIDL-defined interfaces separating Android framework from vendor-specific hardware drivers. HALs run in isolated processes with their own SELinux domain. Enables Android upgrades independent of vendor BSP.
- SELinux (Android): Mandatory Access Control enforced in kernel. Every process, file, and socket has a security label. Policy defines allowed operations. Denials logged to audit. Android uses "neverallow" rules to prevent policy violations at build time.
- Secure Enclave (iOS): A separate processor (ART processor in Apple Silicon) with its own boot ROM, encrypted memory, and OS. Handles biometric authentication (Face ID, Touch ID), device encryption keys, and Apple Pay. Never exposes private keys to the main CPU.
- WakeLock: Android mechanism allowing applications to prevent CPU sleep or screen off. Must be held only as long as necessary. Wakelock abuse is a leading cause of battery drain.
dumpsys powerreveals holders. - Doze Mode: Android 6.0+ power management: when device is stationary and unplugged, defers network access, JobScheduler, alarms to maintenance windows. Reduces standby drain by 50-80%.
Major Historical Milestones
| Year | Milestone |
|---|---|
| 2007 | iPhone OS 1.0 — iOS first shipped; no third-party apps initially |
| 2008 | iPhone OS 2.0 — App Store; third-party apps with signed entitlements |
| 2008 | Android 1.0 — Linux-based, Dalvik VM, first OHA phone (HTC Dream) |
| 2010 | Android 2.2 (Froyo) — Dalvik JIT compiler; performance breakthrough |
| 2010 | iOS 4 — multitasking, background modes |
| 2012 | Android 4.0 (ICS) — hardware-accelerated rendering (Project Butter) |
| 2013 | iOS 7 — visual redesign; 64-bit iPhone 5s (first 64-bit mobile CPU) |
| 2014 | Android 5.0 (Lollipop) — ART replaces Dalvik; Material Design |
| 2015 | Android 6.0 — runtime permissions; Doze mode |
| 2016 | Android 7.0 — Vulkan API; direct boot; file-based encryption |
| 2017 | Android 8.0 — Project Treble; HAL isolation with HIDL |
| 2017 | iOS 11 — HEIF, ARKit, APFS default on iOS |
| 2018 | Android 9 (Pie) — Neural Networks API; App Standby Buckets |
| 2019 | Android 10 — Scoped storage; APEX modular system components |
| 2020 | Android 11 — Scoped storage enforced; one-time permissions |
| 2020 | Apple Silicon M1 — iOS/macOS unified, ARM64, Secure Enclave in Mac |
| 2021 | Android 12 — Privacy dashboard; Material You |
| 2022 | Android 13 — per-app language; granular media permissions |
| 2023 | iOS 17 — NameDrop, offline maps; AirDrop improvements |
Modern Relevance
Four billion mobile devices run either Android or iOS. The security models pioneered here (app sandboxing, permission grants, code signing) have influenced server container security and browser process isolation. Android's Binder IPC influenced Chrome's Mojo IPC. The HAL isolation model of Project Treble solved the "Android fragmentation" update problem at the OS architecture level — a systems engineering lesson applicable to any platform with heterogeneous hardware vendors. Apple Silicon's Secure Enclave architecture is a reference design for hardware-rooted security that has influenced server Trusted Execution Environments (Intel TDX, AMD SEV-SNP). Understanding mobile OS internals is essential for security researchers, performance engineers, and platform teams.
File Map
36-mobile-operating-systems/
├── 00-overview.md <- This file
├── 01-android-architecture.md
├── 02-binder-ipc.md
├── 03-zygote-and-app-launch.md
├── 04-art-and-dalvik.md
├── 05-android-hal.md
├── 06-android-security-model.md
├── 07-ios-xnu-internals.md
├── 08-ios-security-model.md
├── 09-ios-secure-enclave.md
├── 10-mobile-power-management.md
├── 11-mobile-gpu-scheduling.md
├── 12-mobile-networking-stack.md
├── 13-ota-update-systems.md
├── 14-android-boot-chain.md
└── 15-mobile-virtualization.md
Cross-References
- Section 04 (Kernel Architecture): Android's Linux kernel with custom patches; SELinux integration
- Section 07 (Process Management): Zygote fork model, UID-per-app isolation
- Section 08 (Threading): Android Looper/Handler thread model; iOS GCD (Grand Central Dispatch)
- Section 26 (Security): Mobile security models inform OS security design broadly
- Section 37 (Browser Architecture): Chrome on Android uses Binder; WebView is an Android system component
- Section 19 (Virtualization): Android Virtualization Framework (AVF), pKVM for mobile isolation