Fix Binder IPC side-channel detection in CallBooleanMethodV hook (#655)

This side-channel attack is obvious from the repeating logs: An isolated service (`com.reveny.nativecheck.app.isolated.IsolatedService`) of `Android-Native-Root-Detector` v7.7.0 intentionally spams Binder transactions to trigger our IPC hook.

In the previous implementation, if a transaction failed, the caller's ID was stored in `g_last_failed_id`. However, the state was immediately cleared on the caller's next transaction. This created a predictable, alternating loop (Intercept -> Fail -> Bypass/Clear -> Intercept) that allowed the isolated process to detect the presence of the hook via timing/behavioral observation.

We fix the flaw by keeping the failing caller in a persistent bypassed state. `g_last_failed_id` is now only reset when when the brigde approves the last connection. This effectively breaks the loop and silences the side-channel leak against continuous transaction spam.

Additionally, this commit includes minor fixes discovered during debugging:
- module.cpp: Fix invalid fmt placeholder (`%d` -> `{}`) in isolated process log.
- ManagerService.kt: Fix logical order to save verbose logging preference before applying the LogcatMonitor state.

Author: JingMatrix

daemon/src/main/kotlin/org/matrix/vector/daemon/ipc/ManagerService.kt

@@ -239,8 +239,8 @@ object ManagerService : ILSPManagerService.Stub() {
   override fun isVerboseLog() = PreferenceStore.isVerboseLogEnabled() || BuildConfig.DEBUG
 
   override fun setVerboseLog(enabled: Boolean) {
-    if (isVerboseLog()) LogcatMonitor.startVerbose() else LogcatMonitor.stopVerbose()
     PreferenceStore.setVerboseLog(enabled)
+    if (isVerboseLog()) LogcatMonitor.startVerbose() else LogcatMonitor.stopVerbose()
   }
 
   override fun getVerboseLog() =

zygisk/src/main/cpp/ipc_bridge.cpp

@@ -476,8 +476,11 @@ jboolean IPCBridge::ExecTransact_Replace(jboolean *res, JNIEnv *env, jobject obj
         if (*res == JNI_FALSE) {
             uint64_t caller_id = BinderCaller::GetId();
             if (caller_id != 0) {
+                // LOGV("Caller {} rejected by bridge service.", caller_id);
                 g_last_failed_id.store(caller_id, std::memory_order_relaxed);
             }
+        } else {
+            g_last_failed_id.store(~0, std::memory_order_relaxed);
         }
         return true;  // Return true to indicate we handled the call.
     }
@@ -486,23 +489,17 @@ jboolean IPCBridge::ExecTransact_Replace(jboolean *res, JNIEnv *env, jobject obj
 
 jboolean JNICALL IPCBridge::CallBooleanMethodV_Hook(JNIEnv *env, jobject obj, jmethodID methodId,
                                                     va_list args) {
-    uint64_t current_caller_id = BinderCaller::GetId();
-    if (current_caller_id != 0) {
-        uint64_t last_failed = g_last_failed_id.load(std::memory_order_relaxed);
-        // If this caller is the one that just failed,
-        // skip interception and go straight to the original function.
-        if (current_caller_id == last_failed) {
-            // We "consume" the failed state by resetting it, so the *next* call is not skipped.
-            g_last_failed_id.store(~0, std::memory_order_relaxed);
-            return GetInstance().call_boolean_method_v_backup_(env, obj, methodId, args);
-        }
-    }
-
     // Check if the method being called is the one we want to intercept: Binder.execTransact()
     if (methodId == GetInstance().exec_transact_backup_method_id_) {
+        uint64_t current_caller_id = BinderCaller::GetId();
+
         jboolean res = false;
         // Attempt to handle the transaction with our replacement logic.
-        if (ExecTransact_Replace(&res, env, obj, args)) {
+        if (current_caller_id != 0 &&
+            // If this caller is the one that just failed,
+            // skip interception and go straight to the original function.
+            current_caller_id != g_last_failed_id.load(std::memory_order_relaxed) &&
+            ExecTransact_Replace(&res, env, obj, args)) {
             return res;  // If we handled it, return the result directly.
         }
         // If not handled, fall through to call the original method.

zygisk/src/main/cpp/module.cpp

@@ -288,7 +288,7 @@ void VectorModule::preAppSpecialize(zygisk::AppSpecializeArgs *args) {
     if ((app_id >= FIRST_ISOLATED_UID && app_id <= LAST_ISOLATED_UID) ||
         (app_id >= FIRST_APP_ZYGOTE_ISOLATED_UID && app_id <= LAST_APP_ZYGOTE_ISOLATED_UID) ||
         app_id == SHARED_RELRO_UID) {
-        LOGV("Skipping injection for '{}': is an isolated process (UID: %d).", nice_name_str.get(),
+        LOGV("Skipping injection for '{}': is an isolated process (UID: {}).", nice_name_str.get(),
              app_id);
         return;
     }