Using HOOK to achieve response speed test in seconds

Author: Jin Jianchao, Yang Chen, Unit: China Mobile Smart Home Operation Center

Labs Guide

With the rapid development of mobile Internet technology, the number of mobile application users and usage is increasing day by day. Users have higher requirements for the performance of mobile applications. The current performance testing technology cannot keep up with the development speed of mobile applications, the test efficiency is low, and the test results cannot reflect the real user experience. This paper uses Hook technology to implement Android application response speed test in seconds, aiming to provide new ideas for mobile application performance testing.

os: Testing is dead! Product is dead!

Part 01 Hook technology on Android platform

The Android operating system has its own event distribution mechanism. Applications, application triggering events, and background logic processing are all executed step by step according to the event flow. Hook is to intercept and monitor the transmission of events before the events are transmitted to the end point, just like a hook hooking an event, and it can handle some specific events when hooking an event. Its essence is to hijack function calls.

1.1 Android Hook Workflow

The principle of Hook is to change the direction of the target function. Android is an operating system based on the Linux kernel. Each Android process has its own independent process space. To implement Hook, you first need to inject the code into the target process space so that the code has a corresponding address in the target process space, and finally modify the register to execute the function address.

In Android, the ptrace function is often used to attach to the process, the mmap function allocates temporary memory to store the code, and the dlopen function loads the dynamic link library file to implement Hook. The specific process is as follows:

• Use ptrace attach to attach to the target process;
• Call mmap to allocate memory and write the injected so file into the memory;
• Call dlopen to open the injected so file and get the entry function address through dlsym;
• Use ptrace_call to call the entry function;
• Use ptrace detach to release the target process;

Figure 1 The process of injecting code into the target process

1.2 Common Hook Technologies on Android Platform

The Android system provides two development modes: Java language development based on Android SDK and Native C/C++ language development based on Android NDK. According to the API Hook corresponding to the API, Android Hook is divided into two types, one is the Java layer Hook and the other is the Native layer Hook.

Java layer Hook mainly changes the way the Android virtual machine calls functions by injecting the Android platform's virtual machine and Java reflection, thereby achieving the purpose of Java function redirection. Common frameworks include Xposed, Cydia Substrate, etc.

Native layer Hook is mainly for so library files developed using NDK, including the redirection of Linux functions at the bottom of the Android operating system, by modifying the global offset table GOT table or symbol table SYM table in the so library file (ELF format file) to achieve function redirection. Common frameworks include DeXposed, AndFix, etc.

1.3 Xposed Framework

Xposed is the most widely used open source Hook framework for the Android platform. This framework controls the Zygote process by replacing the /system/bin/app_process program, causing the system to load the XposedBridge.jar file during startup, thereby hijacking the Zygote process and the Dalvik virtual machine it creates.

The main function of the Xposed framework is to establish a module installation platform. After installing the Xposed framework, developers can customize and develop various functional modules and add them to the xposed installer to implement the function of modifying the target application, such as modifying the mobile phone serial number, GPS coordinates, phone number, operator and other information. When other applications try to read this information, they return the modified value or random number.

Part 02 Test tool design and implementation

During the running process, Android applications will call the API provided by the system. By hooking the system API, obtaining its call information, and then analyzing the API call relationship and call time, the call time statistics between system APIs can be realized. Based on this principle, this paper designs a set of Android application response time testing tools.

2.1 Design

The overall architecture of the Android application response time test tool implemented in this paper is shown in Figure 2, which includes the xposed module and the analysis module. The xposed module is responsible for event acquisition and information output. Its main function is to obtain click event information and drawing event information during the operation of the Android system and output them to logcat. The analysis module monitors the logcat log, analyzes the collected information and calculates the response time.

Figure 2 Response time test tool architecture

2.2 Click event HOOK implementation

Android applications interact with users in an event-driven manner. When a user touches the screen, a click event (MotionEvent) is generated, which is then passed to specific services for related processing through event distribution. The click event distribution process is mainly implemented by the following three functions: dispatchTouchEvent(), onInterceptTouchEvent(), and onTouchEvent().

A complete workflow of user click screen operation is as follows: the user touches the screen to generate a click event, and Activity.dispatchTouchEvent() is called to pass it to the Activity. After receiving the event, the Activity calls ViewGroup.dispatchTouchEvent() to pass it to the ViewGroup. After ViewGroup receives the event, it calls ViewGroup.onInterceptTouchEvent() to confirm whether the event is intercepted. If not, it searches for the child View that is currently clicked, calls the View's dispatchTouchEvent() to implement event delivery, and after View receives the event, it calls View.onTouchEvent() to process it, and finally completes the consumption of the click event.

From the above event distribution process, we can see that the distribution of click events starts with Activity.dispatchTouchEvent(), so we choose this function as the start time of the click. Use the Xposed framework to implement the Hook of Activity.dispatchTouchEvent(), and output the corresponding log information before the function is executed, including the event tag and event timestamp. The specific implementation code is as follows:

 /**
 * Function: Hook dispatchTouchEvent, get the click event timestamp
 */
 findAndHookMethod("android.app.Activity
 , loadPackageParam.classLoader,"dispatchTouchEvent", MotionEvent.class,new XC_MethodHook() {
 @Override
 protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
 super.beforeHookedMethod(param);
 // Log output click event timestamp
 Log.d("speedtest", "Touch Timestamp: " + System.currentTimeMillis() + " ms");
 }
 @Override
 protected void afterHookedMethod(MethodHookParam param) throws Throwable {
 super.afterHookedMethod(param);
 }
 });

2.3 Drawing event HOOK implementation

The display process of the Android system can be simply summarized as measurement, layout, and drawing at the application layer. After completion, the Surface data is stored in anonymous shared memory. SurfaceFlinger synthesizes multiple Surface cache data and submits them to the back buffer of the screen. The data is then updated to the screen through Android's refresh mechanism. Continuous drawing at the application layer and continuous screen refresh ultimately display frames of the picture.

The display process of Android applications includes two parts: application-side drawing and system-side rendering. According to the scope of application of the Xposed framework and the difficulty of Hook, we choose application-side drawing as the Hook target. Any layout or any control in Android is actually directly or indirectly inherited from View. All Views follow the same drawing process, using Measure and Layout to determine the size and position of the View that needs to be drawn, and then drawing (Draw) to Surface.

The drawing process of View can be broken down into the following parts:

• Draw the background: drawBackground(canvas);
• Draw itself: onDraw(canvas);
• Draw the child View: onDraw(canvas);
• Draw the foreground color and scroll bars: onDrawForeground(canvas).

Based on the above analysis, we choose View.onDrawForeground() as the target function and implement Hook through the Xposed framework. The corresponding log information is output before and after the execution of this function, including the event tag and event timestamp. The specific implementation code is as follows:

 /**
 * Function: Hook dispatchDraw, get the drawing event timestamp
 */
 findAndHookMethod("android.view.View", loadPackageParam.classLoader,"onDrawForeground", Canvas.class,new XC_MethodHook() {
 @Override
 protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
 super.beforeHookedMethod(param);
 // Log output drawing start timestamp
 Log.d("speedtest", "Draw Timestamp Start: " + System.currentTimeMillis() + " ms");
 }
 @Override
 protected void afterHookedMethod(MethodHookParam param) throws Throwable {
 super.afterHookedMethod(param);
 // Log output drawing end timestamp
 Log.d("speedtest", "Draw Timestamp End: " + System.currentTimeMillis() + " ms");
 }
 });

2.4 Analysis module implementation

The core functions of this module are log monitoring and page time calculation, which can realize the output of timestamp information of click events and drawing events, extract the corresponding event stamps, and calculate the page loading time through analysis.

Logcat is a command tool of the Android operating system. Its main function is to obtain the log information of the application. After the mobile phone is connected to ADBShell via USB, it can be viewed through the "adb Logcat" command in the command line window. The log monitoring of this module is mainly completed through the command "adb logcat -s Tag", which realizes log collection and Tag filtering.

This module also uses Python regular matching to extract event timestamp information from log information and calculates the page loading time. The execution process of this module is as follows:

• Start log monitoring;
• Collect logcat information in real time, extract event information and timestamp information and store them in the local database;
• Click Page Time Analysis to calculate the page time. The calculation formula is: Time = Last Draw Timestamp End timestamp - Start Touch Timestamp timestamp
• Stop log monitoring and the test ends;

Part 03 Test tool application analysis

In order to verify the accuracy of the tool, we chose to conduct actual tests on the activity startup time and screen recording analysis to obtain the response time as a comparison. The test phone model was Xiaomi 9, Android system version 7.1.2, the screen recording device was Logitech C920 (recording frame rate 20fps), and the test page was the community announcement page. The detailed test records are as follows:

Table 1. Test record of page loading time in different ways

We conducted a statistical analysis on the results of 15 tests (see Figure 3) and found that the page loading time obtained through the Hook method is basically consistent with the page loading time obtained through screen recording analysis, which proves that this tool can be used in Android application response speed testing and can provide feedback on users' real experience.

Figure 3 Statistics of page loading time in different ways

Part 04 Conclusion

This article designs and implements an Android application response time test tool based on Hook technology. The core of this tool is to use Hook API technology to collect key event information and implement response time testing. It has the characteristics of accurate test results and test results output in seconds. In addition to being used on response time, Hook technology can also be used for other performance tests, such as crash information acquisition and traffic statistics. This article takes the response time test tool as an example to describe the specific implementation process, aiming to provide a reference for other test tools based on Hook technology.