Android System Securing, Hardening, & Privacy

From Concept to Code: Implementing & Verifying BTI (Branch Target Identification) in Android NDK Apps

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

The Evolving Landscape of Memory Corruption Exploits

Memory corruption vulnerabilities remain a persistent threat in modern software, particularly in applications developed with C/C++ via the Android NDK. Attackers frequently leverage these vulnerabilities to hijack control flow, executing arbitrary code or manipulating application behavior. Traditional exploit mitigations like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP/NX) have significantly raised the bar for attackers, but they are not foolproof. Techniques like Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) allow attackers to chain together existing code gadgets within a legitimate binary, bypassing DEP and ASLR to construct arbitrary malicious logic.

To counter these advanced attacks, modern processor architectures and operating systems are adopting stricter control flow integrity (CFI) mechanisms. Two prominent examples are Pointer Authentication Codes (PAC) and Branch Target Identification (BTI). While PAC protects indirect calls and jumps by cryptographically signing pointer values, BTI focuses on enforcing valid landing points for indirect branches. This article delves into Branch Target Identification, its role in securing Android NDK applications, and how to implement and verify it.

Understanding Branch Target Identification (BTI)

What is BTI?

Branch Target Identification (BTI) is a security feature introduced in the ARMv8.5-A architecture (and later ARMv9-A). Its primary purpose is to mitigate ROP/JOP attacks by ensuring that all indirect branch instructions (such as BR, BLR, RET) can only land at specific, architecturally designated ‘landing pads’ within the code. If an indirect branch attempts to jump to an address that does not contain a BTI instruction, a hardware exception (typically a SIGILL or an exception that can be caught by the kernel) is triggered, terminating the malicious execution attempt.

How BTI Works

BTI operates by introducing a special instruction, BTI, which acts as a valid target for indirect branches. Compilers, when targeting BTI-enabled architectures and configured appropriately, insert BTI instructions at the entry points of functions or other valid code targets. There are two primary forms:

  • BTI c: Indicates that the instruction is a valid target for indirect calls (BLR) and indirect jumps (BR).
  • BTI j: Indicates that the instruction is a valid target for indirect jumps (BR) only.

When an indirect branch is executed on a CPU with BTI enabled, the hardware checks if the target instruction is a BTI instruction. If it is, execution proceeds normally. If not, a branch target exception is raised. This mechanism severely restricts the pool of viable gadgets for ROP/JOP, forcing attackers to only use function entry points (or other BTI-marked locations) as targets, which are typically much less useful for building arbitrary shellcode.

Prerequisites for BTI in Android NDK Apps

For BTI to be effective in your Android NDK application, several conditions must be met:

  1. Hardware Support: The target Android device’s CPU must be ARMv8.5-A or newer. Many modern flagship Android devices released from 2021 onwards support this architecture.
  2. Android Version: Android 13 (API level 33) and later provide robust support for BTI enforcement within user-space applications. While devices with older Android versions might have the hardware, the OS may not fully enable or enforce BTI for all processes.
  3. Toolchain: You need a sufficiently recent NDK version (r25 or newer is recommended) which bundles Clang 15 or newer. These toolchains understand and emit the necessary BTI instructions and compiler flags.

Implementing BTI in Your Android NDK App

Enabling BTI support in your NDK project primarily involves configuring your build system to pass the correct compiler flags. The compiler will then automatically insert BTI instructions where appropriate.

1. Configure Your Build System (CMake or Android.bp)

Using CMake (for ndk-build projects)

If you’re using CMake, you can add the branch protection flag to your target’s compile options. It’s generally recommended to apply this to all C/C++ source files in your native library.

# In your CMakeLists.txt for a native library
add_library(your_native_lib SHARED
            src/main/cpp/native-lib.cpp
            # ... other source files)

# Enable BTI protection
# Method 1: Use 'standard' which includes BTI on supported architectures
# target_compile_options(your_native_lib PRIVATE -mbranch-protection=standard)

# Method 2: Explicitly enable BTI
target_compile_options(your_native_lib PRIVATE -mbranch-protection=bti)

# You might also explicitly target the architecture
# target_compile_options(your_native_lib PRIVATE -march=armv8.5-a) # or armv8.5-a+bti

The -mbranch-protection=bti flag instructs Clang to emit BTI c instructions at the start of all functions. The standard option typically includes BTI along with other default branch protection features like PAC.

Using Android.bp (for AOSP projects)

For projects within the Android Open Source Project (AOSP) build system (using Android.bp files), you can enable BTI within your cc_library or cc_binary module definition:

cc_library {
    name: "your_native_lib",
    srcs: [
        "src/main/cpp/native-lib.cpp",
        // ... other source files
    ],
    // Enable BTI
    branch_protection: {
        bti: true,
    },
    // Required if you're not targeting armv8.5-a by default
    arch: {
        arm64: {
            instruction_set: "armv8.5-a", // Or a higher version
        },
    },
    // ... other properties
}

2. Recompile Your Native Library

After modifying your build configuration, rebuild your NDK project. The compiler will now generate machine code that includes BTI instructions at function entry points.

Verifying BTI Protection

Once your application is built, you can verify that BTI instructions have been correctly inserted into your native library’s binary.

1. Extract the Native Library

First, obtain the compiled native library (e.g., libyour_native_lib.so) from your APK. You can typically find it within apk_file/lib/arm64-v8a/.

2. Disassemble the Library

Use llvm-objdump (available in your NDK’s toolchains directory) to disassemble the shared library. This will allow you to inspect the raw machine code.

# Navigate to your NDK toolchain bin directory
# e.g., NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin/

# Assuming you have an arm64-v8a library:
./llvm-objdump -d --no-show-raw-insn path/to/libyour_native_lib.so > disassembly.txt

3. Inspect Function Entry Points

Open the disassembly.txt file and look for function entry points. You should see a bti instruction immediately at the start of functions. For example, if you have a function named Java_com_example_app_NativeLib_stringFromJNI:

000000000000xxxx <Java_com_example_app_NativeLib_stringFromJNI>:
        xxxx:   bti     c               // Branch Target Identification (Call)
        xxxx:   sub     sp, sp, #0x40
        xxxx:   stp     x29, x30, [sp, #0x30]
        xxxx:   add     x29, sp, #0x30
        ...

The presence of bti c (or bti j) at the very beginning of a function indicates that BTI has been successfully enabled and applied to that function. This means that any indirect branch attempting to jump into this function must land on this specific bti instruction; otherwise, a hardware exception will occur.

Impact and Benefits

By enforcing that indirect branches can only target designated BTI landing pads, Branch Target Identification significantly raises the bar for exploit developers. ROP/JOP chains become much harder to construct because attackers are limited to genuine function entry points, drastically reducing the number of usable gadgets. This makes it more difficult to find short, useful sequences of instructions that end in an indirect branch and align with a BTI instruction, thereby enhancing the overall security posture of your Android NDK application against memory corruption exploits.

BTI works in conjunction with other mitigations like PAC and CFI to form a layered defense strategy. While PAC protects against the forging of control flow pointers, BTI protects against indirect branches to arbitrary code locations, even if the pointer itself is legitimate but the target isn’t a valid entry point. Together, these features make control flow hijacking significantly more challenging, leading to more resilient applications.

Conclusion

Branch Target Identification (BTI) represents a crucial advancement in the fight against memory corruption exploits, particularly ROP and JOP. By enabling and verifying BTI in your Android NDK applications, you leverage modern ARM hardware features to create a more secure execution environment. This proactive measure strengthens your app’s defenses against sophisticated attacks, contributing to a more robust and trustworthy Android ecosystem. As hardware and software evolve, embracing such low-level security mitigations becomes essential for developing truly secure applications.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #ARMv8.5-A #BTI #Memory Corruption #NDK

Related Technical Guides

Mastering Ghidra for Android OEM Firmware Analysis: A Step-by-Step Tutorial

May 30, 2026

Unpacking Key Attestation: Verifying Android Enterprise Device Integrity & Trust

May 30, 2026

Beyond Root: Detecting ART Method Hooking with Runtime Memory Scanning Techniques

May 29, 2026