fix(native): block attestation leak when interceptor is dead

[Enginex0]

When the Java interceptor process dies, callback->transact() returns DEAD_OBJECT but execution falls through to the real keystore, exposing genuine TEE attestation state to requesting apps.

This is a security-critical path — any app polling attestation during the window between interceptor death and restart receives authentic device state.

Fix

Added pingBinder() liveness check before forwarding. If the interceptor is confirmed dead, return DEAD_OBJECT to the caller instead of forwarding to real hardware. Apps see a transient service error rather than actual device attestation.

---

Scope: 1 file, 12 insertions, 4 deletions

[JingMatrix]

Who has ever experienced such interceptor death ? Could you trigger it?

Don't base your code on imaginary scenario. It has the potential of introducing more bugs and confusions in the future.

[Enginex0]

Yes , I experienced this scenario twice as it leaked , that's why I added an external daemon watcher to automatically restart service.sh if for any reason it dies , it's just an harm watcher with no race conditions

[JingMatrix]

Could you please upload your logs when you were experiencing this ?

I don't want to hide a potentially deeper issue.

[JingMatrix]

@Enginex0 Maybe your crashes were related to #122 ?

[Enginex0]

Thanks for merging #119 — the KeyUsage mapping is correct now.

Reproduced the leak scenario you asked about. Here's what I found:

Test setup:

• Device: Xiaomi Redmi 14C, Android 14, KSU Next
• Upstream build: v3.1-62-3a5002e (includes Correct strong reference leak in ioctl hook #122, no fix(native): block attestation leak when interceptor is dead #120)
• Test app: Key Attestation 1.8.4

Reproduction steps:

1. Kill TEESimulator process (kill -9)
2. Launch Key Attestation immediately
3. Capture result before daemon restarts

Results:

Build	Daemon state	Attestation result
Upstream (no guard)	dead	"Bootloader is unlocked" — real TEE state exposed
Fork (with guard)	dead	"Unable to attest" — fails gracefully

The window is short (~2-5s before restart), but any app polling attestation during that gap gets authentic device state.

Why I prefer this approach:

On a real device, unexpected daemon death happens — OOM killer, ANR watchdog, low memory pressure, or even a user debugging with kill. The question is: what should happen when the interceptor isn't there?

Two options:

1. Fall through to real hardware — attestation succeeds but leaks genuine state
2. Fail closed — return error, app retries later when daemon is back

I'd rather have apps see a transient error than expose the real bootloader/TEE state even once. Belt and suspenders. The pingBinder() check is cheap and the failure mode is recoverable (app just retries).

#122 fixes the ref counting crash — solid fix. But this is a separate path. Both issues can exist independently.

[Enginex0]

Evidence screenshots:

Upstream v3.1-62-3a5002e (no guard) — TEESimulator dead:

Real device state exposed: "Bootloader is unlocked"

---

Fork with pingBinder() guard — TEESimulator dead:

Fails gracefully: "Unable to attest" — no leak, app retries when daemon returns.

[ale5000-git]

Why closing this?