Android interception AMS request practice

Overview

Following the last requirement of starting an Activity in the background, I followed some methods in Actual Combat | Android Background Start Activity Practice Road to handle it. Although there are still some problems on the Android Q version, the ability to start in the background is basically complete. Later, I unlocked the source code of Xiaomi ROM and found out how they implemented the permission of background start and how to bypass this permission. I found that the result was unexpectedly simple... (I will write a separate article on this part later if I have the opportunity).

[[377520]]

This article was written after the investigation of background startup. If the Activity page we want to start in the background is in a third-party SDK, and the action (startActivity) to start the page also occurs in the third-party SDK, then their direct startActivity method does not have the ability to start in the background. For some reasons, we cannot ask the SDK to modify the method of starting the Activity, so we need to find a way to enable it to have the ability to start in the background without modifying the third-party SDK's call to startActivity code. The first reaction is to intercept the request for startActivity. Referring to the Android system_server process and the Android-Activity startup process, we know that AMS is a thread in the system_server process. It is responsible for the specific work of starting the Activity. After its work is completed, it will call back the life cycle method of the Activity instance in the APP process through Binder. When the APP process calls startActivity, the Binder proxy of AMS will be obtained by Instrumentation, and then the relevant methods of AMS will be called across processes through it. The place where we can do Hook interception is this Binder proxy object!

Next, we will look at the implementation method of this process and how we intercept it in various Android versions. We will mainly look at the source code of Android P. Although the processes of other versions are different, the Hook method is similar.

Android P

The way to obtain the AMS agent in AOSP from Android 8 to Android 9 is the same. After calling context.startActivity, the APP process will come to the relevant method in Instrumentation and call the following code:

 int result = ActivityManager.getService().startActivity(whoThread, who.getBasePackageName(), intent, ...);

Here, we use Binder to call the relevant methods in AMS across processes. Let’s take a look at the implementation of ActivityManager.getService():

 /** @hide */
 public   static IActivityManager getService() {
 return IActivityManagerSingleton.get();
 } 
 
 private static final Singleton<IActivityManager> IActivityManagerSingleton = new Singleton<IActivityManager>() { 
     
 
 
    protected IActivityManager create () {
 // 1...
 }
 };

You can see that IActivityManagerSingleton is an instance of the Singleton type. Obviously, this Singleton is a lazy loaded singleton template class:

 public abstract class Singleton<T> {
 private T mInstance; 
 
    protected abstract T create (); 
 
 public final T get() {
 synchronized (this) {
            if (mInstance == null ) {
                mInstance = create ();
 }
 return mInstance;
 }
 }
 }

So we can know that what IActivityManagerSingleton.get() returns is the instance in the create method. Here is the create method code omitted in the above 1:

 final IBinder b = ServiceManager.getService(Context.ACTIVITY_SERVICE);
 final IActivityManager am = IActivityManager.Stub.asInterface(b);
 return am;

Students who are familiar with Binder can see at a glance that am here is a Binder proxy object. If there is a ServiceManager.getService method, there must be a ServiceManager.addService method. One is to query the Binder service from the ServiceManager, and the other is to register the service in the ServiceManager. The registration time is when the system starts the system_server process. Please refer to the AMS startup process, which will not be described in depth here.

So the ActivityManager.getService() method actually returns a Binder proxy object of AMS, which is used to call AMS related methods across processes. Therefore, we can use the JDK dynamic proxy method to create an am proxy Proxy object through the Proxy.newProxyInstance method, and replace the am object returned by the ActivityManager.getService() method with our Proxy object through reflection. Then, when the App process calls the ActivityManager.getService().XXX method, it will be intercepted by our Proxy and then processed. JDK dynamic proxy is also one of the commonly used design patterns in Java. Students who are not familiar with it can refer to the use of JDK dynamic proxy.

This process can be divided into three steps:

1. Get the am object through reflection. Since ActivityManager.getService() is a hidden method, you can call it through reflection to get the original am object;
2. Create a proxy object Proxy;
3. Replace the am object with Proxy through reflection;

We can see that the am object is actually the mInstance property in Singleton (whose instance is IActivityManagerSingleton), so the third step is just to set the mInstance property to our Proxy object through reflection. The following AmsHooker is an abstract class with different implementations on different Android platforms. It is mainly used to obtain am objects of different Android platforms and replace am objects through reflection:

 abstract class AmsHooker {
 //Replace am with proxy through reflection
    fun hookAms(proxy: Any ?) {
 try {
            val hookObj = getHookObj()
            val hookField = getHookField()
            if (hookObj != null && hookField != null && proxy != null ) {
                hookField.set (hookObj, proxy)
 }
        } catch (e: Exception) {
            e.printStackTrace()
 }
 } 
 
 // That is, the IActivityManagerSingleton instance
    protected abstract fun getHookObj(): Any ? 
 
 // That is mInstance
    protected abstract fun getHookField(): Field? 
 
 // am
    abstract fun getTarget(): Any ? 
 
 //Interface used to create Proxy
    abstract fun getInterfaces(): Array<Class<*>>
 }

The implementation on the Android P platform is as follows, see the comments for details:

 class AmsPHooker : AmsHooker() {
    override fun getHookObj(): Any ? {
        val amClass = ReflectUtils.getClass( "android.app.ActivityManager" )
 // Get the IActivityManagerSingleton property
 return ReflectUtils.readStaticField(amClass, "IActivityManagerSingleton" )
 } 
 
    override fun getHookField(): Field? {
 // Get mInstance Field
 return ReflectUtils.getField(ReflectUtils.getClass( "android.util.Singleton" ), "mInstance" )
 } 
 
    override fun getTarget(): Any ? {
 // ActivityManager.getService() returns am
 return ReflectUtils.getClass( "android.app.ActivityManager" ).getDeclaredMethod( "getService" ).invoke( null )
 } 
 
 // Get interfaces to create dynamic proxies
    override fun getInterfaces(): Array<Class<*>> {
 return arrayOf(ReflectUtils.getClass( "android.app.IActivityManager" ))
 }
 }

Next, create the proxy class (the code has been deleted):

 public class AMSProxy implements InvocationHandler {
 private AmsHooker hooker; // Return different implementations based on different Android platforms
 private Object origAm; // original am object 
 
    private boolean ensureInit() {
 // ...
 hooker = getHooker();
        origAm = hooker.getTarget();
 } 
 
    private AmsHooker getHooker() {
        if (Build.VERSION.SDK_INT > Build.VERSION_CODES.P) {
 return new AmsQHooker();
        } else if (Build.VERSION.SDK_INT > Build.VERSION_CODES.N_MR1) {
 return new AmsPHooker();
 } else {
 return new AmsNHooker();
 }
 } 
 
     
 
 
 public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
 // ...
 } 
 
 // Create a proxy
    Object proxy = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(),
                hooker.getInterfaces(), this);
 //Replace the system am object
 hooker.hookAms(proxy);
 }

In the above, a proxy object Proxy is created with the AMSProxy instance as a parameter, and the am object is replaced by the Proxy object through the hookAms method. In this way, when the process calls the relevant method through ActivityManager.getService(), the above invoke method will be called, and interception can be done here:

 public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
 try {
        if (callback.canIntercept(method, args)) {
            if (callback.autoRemove()) {
 // Restore the am object
 // ...
 }
 //Intercept am's request and do your own business processing
 return callback.intercept(origAm, method, args);
 }
 return method.invoke(origAm, args);
 } catch (Exception e) {
 e.printStackTrace();
 }
 return   null ;
 }

When there is code in this process that tries to call related methods (such as startActivity, etc.) through am, it will be intercepted by the invoke method, and then we will choose whether to intercept it through the interception condition (canIntercept) we set. It is recommended that after completing the interception business needs each time, the original am object should be restored through the hookAms method to prevent continuous interception of system requests in this process. It is emphasized here that this process is always the current process. Obviously, the method of replacing the am object through reflection will only work for this process.

Android Q

On Android Q, the call in the above Instrumentation becomes as follows:

 int result = ActivityTaskManager.getService().startActivity(whoThread, who.getBasePackageName(), intent, ...);

This becomes ActivityTaskManager.getService():

 /** @hide */
 public   static IActivityTaskManager getService() {
 return IActivityTaskManagerSingleton.get();
 } 
 
 private static final Singleton<IActivityTaskManager> IActivityTaskManagerSingleton = new Singleton<IActivityTaskManager>() { 
     
 
 
    protected IActivityTaskManager create () {
        final IBinder b = ServiceManager.getService(Context.ACTIVITY_TASK_SERVICE);
 return IActivityTaskManager.Stub.asInterface(b);
 }
 };

You can see that on Android Q, the class has changed from ActivityManager to ActivityTaskManager series, so our AmsQHooker is implemented as follows:

 class AmsQHooker : AmsHooker() {
    override fun getHookObj(): Any ? {
        val amClass = ReflectUtils.getClass( "android.app.ActivityTaskManager" )
 // Get the IActivityTaskManagerSingleton property
 return ReflectUtils.readStaticField(amClass, "IActivityTaskManagerSingleton" )
 } 
 
    override fun getHookField(): Field? {
 return ReflectUtils.getField(ReflectUtils.getClass( "android.util.Singleton" ), "mInstance" )
 } 
 
    override fun getTarget(): Any ? {
        // Reflective access to getService is forbidden when targeting API 29 and above
        // val getServiceMethod = amClass.getDeclaredMethod( "getService" )
 return ReflectUtils.getClass( "android.util.Singleton" ).getDeclaredMethod( "get" ).invoke(getHookObj())
 } 
 
    override fun getInterfaces(): Array<Class<*>> {
 return arrayOf(ReflectUtils.getClass( "android.app.IActivityTaskManager" ))
 }
 }

The other steps are the same as Android P.

Android N

On Android 7.1 and below, the Instrumentation call is different:

 int result = ActivityManagerNative.getDefault().startActivity(whoThread, who.getBasePackageName(), intent, ...);

This becomes ActivityManagerNative.getDefault():

 static   public IActivityManager getDefault() {
 return gDefault.get();
 } 
 
 private static final Singleton<IActivityManager> gDefault = new Singleton<IActivityManager>() {
    protected IActivityManager create () {
        IBinder b = ServiceManager.getService( "activity" );
        IActivityManager am = asInterface(b);
 return am;
 }
 };

You can see that although the class name and method have changed, the Singleton class is still used, so you only need to inherit AmsHooker and rewrite the relevant methods:

 class AmsNHooker : AmsHooker() {
    override fun getHookObj(): Any ? {
        val amNativeClass = ReflectUtils.getClass( "android.app.ActivityManagerNative" )
 // Get the gDefault instance
 return ReflectUtils.readStaticField(amNativeClass, "gDefault" )
 } 
 
    override fun getHookField(): Field? {
 return ReflectUtils.getField(ReflectUtils.getClass( "android.util.Singleton" ), "mInstance" )
 } 
 
    override fun getTarget(): Any ? {
 return getHookField()?.get(getHookObj())
 } 
 
    override fun getInterfaces(): Array<Class<*>> {
 return arrayOf(ReflectUtils.getClass( "android.app.IActivityManager" ))
 }
 }

The others also reuse the logic on Android P.

Summarize

Through the above method, it is possible to intercept the related methods called by the Binder proxy of AMS in this process, which can be used to implement some unconventional functions. Although the recent requirements are relatively unconventional (liumang), putting aside the requirements, it is still interesting for developers to investigate these technologies..ha~

Blogging is an interesting, rewarding, and difficult thing. You need to try to sort out the context and logic of the article and know how to write it in a clearer and easier to understand way. It's been a long time since I updated. I've been too busy recently and haven't had time to do these things. When I thought about the possibility that my articles might be liked, I instantly became motivated. So I wrote one in my busy schedule. The content is not very deep, so just treat it as your usual development notes.