AOSP Insider
AOSP Expert & Production Engineering
3 min read

Binder Internals Review

Binder IPC Internals

Binder is the cornerstone of Android's Inter-Process Communication (IPC) architecture. It provides high-performance, object-oriented remote procedure calls (RPC) between disparate processes.

The Transaction Lifecycle

A Binder transaction involves user space components (Java/C++ proxies and stubs) and the kernel space Binder driver (/dev/binder).

  1. Client Call: A client application invokes a method on an IBinder proxy object. The proxy marshals the method arguments into a Parcel.
  2. ioctl Command: The proxy uses the ioctl system call to send a BINDER_WRITE_READ command to the /dev/binder kernel driver.
  3. Kernel Routing: The Binder driver identifies the target process holding the real IBinder object. It copies the Parcel data from the client's memory space into the target process's memory space. Binder optimizes this via a single-copy mechanism: the target process's receiving buffer is mapped (mmap) into the kernel's memory space, requiring only one copy from the client to the kernel.
  4. Server Wakeup: The driver wakes up a thread in the target process.
  5. Server Execution: The target process unmarshals the Parcel (via the Stub), executes the requested method, and marshals the result. The result is sent back through the driver to the blocked client thread.

Thread Pool Management

Every process utilizing Binder automatically spawns a thread pool to handle incoming requests. The system maintains a primary thread and dynamically spawns additional threads as concurrent IPC volume increases.

// frameworks/native/libs/binder/ProcessState.cpp
void ProcessState::spawnPooledThread(bool isMain) {
    if (mThreadPoolStarted) {
        String8 name = makeBinderThreadName();
        sp<Thread> t = new PoolThread(isMain);
        t->run(name.string());
    }
}

If a process exhausts its Binder thread pool, new incoming transactions are blocked, potentially causing Application Not Responding (ANR) errors in the caller.

Death Notifications (Link-to-Death)

In a distributed system, components must know if a remote dependency dies. Binder provides linkToDeath().

A client can register a DeathRecipient callback on a remote IBinder reference. If the process hosting that object crashes or is killed by the Out-Of-Memory (OOM) killer, the Binder kernel driver detects the closed file descriptor and signals the client process. This mechanism is critical for the ActivityManagerService to clean up resources when an application crashes.

Binder in the Security Model

Binder is intrinsic to Android's security architecture. During a transaction, the kernel driver firmly attaches the Sender's User ID (UID) and Process ID (PID) to the transaction metadata. The receiving process can call Binder.getCallingUid() to securely identify the caller.

Because the UID is stamped by the kernel driver, it is impossible for a malicious application to spoof its identity. This allows system services to definitively enforce permission checks.

To inspect Binder transactions and thread counts:

adb shell dumpsys binder
Previous Lesson
OTA Update Flow — Full
Next Lesson
SELinux Debugging Mastery