Fix Binder IPC side-channel detection in CallBooleanMethodV hook

JingMatrix · JingMatrix · commit 8f9d34d3c909 · 2026-04-12T12:05:42.000+02:00
This side-channel attack is obvious from the repeating logs: An isolated service (`com.reveny.nativecheck.app.isolated.IsolatedService`) intentionally spams Binder transactions to trigger our IPC hook.

In the previous implementation, if a transaction failed, the caller's ID was stored in `g_last_failed_id`. However, the state was immediately cleared on the caller's next transaction. This created a predictable, alternating loop (Intercept -&gt; Fail -&gt; Bypass/Clear -&gt; Intercept) that allowed the isolated process to detect the presence of the hook via timing/behavioral observation.

We fix the flaw by keeping the failing caller in a persistent bypassed state. `g_last_failed_id` is now only reset when a different caller attempts a transaction. This effectively breaks the loop and silences the side-channel leak against continuous transaction spam.

Additionally, this commit includes minor fixes discovered during debugging:
- module.cpp: Fix invalid fmt placeholder (`%d` -&gt; `{}`) in isolated process log.
- ManagerService.kt: Fix logical order to save verbose logging preference before applying the LogcatMonitor state.
diff --git a/daemon/src/main/kotlin/org/matrix/vector/daemon/ipc/ManagerService.kt b/daemon/src/main/kotlin/org/matrix/vector/daemon/ipc/ManagerService.kt
@@ -239,8 +239,8 @@ object ManagerService : ILSPManagerService.Stub() {
   override fun isVerboseLog() = PreferenceStore.isVerboseLogEnabled() || BuildConfig.DEBUG
 
   override fun setVerboseLog(enabled: Boolean) {
-    if (isVerboseLog()) LogcatMonitor.startVerbose() else LogcatMonitor.stopVerbose()
     PreferenceStore.setVerboseLog(enabled)
+    if (isVerboseLog()) LogcatMonitor.startVerbose() else LogcatMonitor.stopVerbose()
   }
 
   override fun getVerboseLog() =
diff --git a/zygisk/src/main/cpp/ipc_bridge.cpp b/zygisk/src/main/cpp/ipc_bridge.cpp
@@ -492,9 +492,10 @@ jboolean JNICALL IPCBridge::CallBooleanMethodV_Hook(JNIEnv *env, jobject obj, jm
         // If this caller is the one that just failed,
         // skip interception and go straight to the original function.
         if (current_caller_id == last_failed) {
-            // We "consume" the failed state by resetting it, so the *next* call is not skipped.
-            g_last_failed_id.store(~0, std::memory_order_relaxed);
             return GetInstance().call_boolean_method_v_backup_(env, obj, methodId, args);
+        } else if (last_failed != ~0) {
+            // Consume the failed state by resetting it, so the next call is not skipped.
+            g_last_failed_id.store(~0, std::memory_order_relaxed);
         }
     }
 
diff --git a/zygisk/src/main/cpp/module.cpp b/zygisk/src/main/cpp/module.cpp
@@ -288,7 +288,7 @@ void VectorModule::preAppSpecialize(zygisk::AppSpecializeArgs *args) {
     if ((app_id >= FIRST_ISOLATED_UID && app_id <= LAST_ISOLATED_UID) ||
         (app_id >= FIRST_APP_ZYGOTE_ISOLATED_UID && app_id <= LAST_APP_ZYGOTE_ISOLATED_UID) ||
         app_id == SHARED_RELRO_UID) {
-        LOGV("Skipping injection for '{}': is an isolated process (UID: %d).", nice_name_str.get(),
+        LOGV("Skipping injection for '{}': is an isolated process (UID: {}).", nice_name_str.get(),
              app_id);
         return;
     }

Original file line number	Diff line number	Diff line change
`@@ -239,8 +239,8 @@ object ManagerService : ILSPManagerService.Stub() {`
`239`	`239`	`override fun isVerboseLog() = PreferenceStore.isVerboseLogEnabled() \|\| BuildConfig.DEBUG`
`240`	`240`
`241`	`241`	`override fun setVerboseLog(enabled: Boolean) {`
`242`		`- if (isVerboseLog()) LogcatMonitor.startVerbose() else LogcatMonitor.stopVerbose()`
`243`	`242`	`PreferenceStore.setVerboseLog(enabled)`
	`243`	`+ if (isVerboseLog()) LogcatMonitor.startVerbose() else LogcatMonitor.stopVerbose()`
`244`	`244`	`}`
`245`	`245`
`246`	`246`	`override fun getVerboseLog() =`
Original file line number	Diff line number	Diff line change
`@@ -492,9 +492,10 @@ jboolean JNICALL IPCBridge::CallBooleanMethodV_Hook(JNIEnv *env, jobject obj, jm`
`492`	`492`	`// If this caller is the one that just failed,`
`493`	`493`	`// skip interception and go straight to the original function.`
`494`	`494`	`if (current_caller_id == last_failed) {`
`495`		`- // We "consume" the failed state by resetting it, so the next call is not skipped.`
`496`		`- g_last_failed_id.store(~0, std::memory_order_relaxed);`
`497`	`495`	`return GetInstance().call_boolean_method_v_backup_(env, obj, methodId, args);`
	`496`	`+ } else if (last_failed != ~0) {`
	`497`	`+ // Consume the failed state by resetting it, so the next call is not skipped.`
	`498`	`+ g_last_failed_id.store(~0, std::memory_order_relaxed);`
`498`	`499`	`}`
`499`	`500`	`}`
`500`	`501`
Original file line number	Diff line number	Diff line change
`@@ -288,7 +288,7 @@ void VectorModule::preAppSpecialize(zygisk::AppSpecializeArgs *args) {`
`288`	`288`	`if ((app_id >= FIRST_ISOLATED_UID && app_id <= LAST_ISOLATED_UID) \|\|`
`289`	`289`	`(app_id >= FIRST_APP_ZYGOTE_ISOLATED_UID && app_id <= LAST_APP_ZYGOTE_ISOLATED_UID) \|\|`
`290`	`290`	`app_id == SHARED_RELRO_UID) {`
`291`		`- LOGV("Skipping injection for '{}': is an isolated process (UID: %d).", nice_name_str.get(),`
	`291`	`+ LOGV("Skipping injection for '{}': is an isolated process (UID: {}).", nice_name_str.get(),`
`292`	`292`	`app_id);`
`293`	`293`	`return;`
`294`	`294`	`}`