AccessibilityService的设计初衷是为了辅助有身体缺陷的群体使用Android应用,它的设计贯穿着Android的控件树View, ViewGroup, ViewRootImpl体系。借助于system_server进程的中转,能够注册Accessibility事件的客户端可以具备通过system_server提供的Accessibility服务来实现监听、操作其它应用视图的功能。这个功能十分强大,可以模拟用户的行为去操作其它APP,常常被用在自动化测试、微信抢红包、自动回复等功能实现中。
写这个的初衷有二:
public class AutoDismissServiceextends AccessibilityService{ @Override public void onAccessibilityEvent(AccessibilityEvent event){ if (event == null) { return; } // 自动将android系统弹出的其它crash dialog取消 dismissAppErrorDialogIfExists(event); } private void dismissAppErrorDialogIfExists(AccessibilityEvent event){ // WINDOW视图变化才进行对应操作 if ((event.getEventType() == AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED && event.getPackageName().equals("android")) { // 查找带有"OK"字符的可点击Node AccessibilityNodeInfo nodeInfo = findViewByText("OK", true); if (nodeInfo != null) { // 查找到后执行点击操作 performViewClick(nodeInfo); } } public AccessibilityNodeInfo findViewByText(String text,boolean clickable){ // 获取当前窗口父节点 AccessibilityNodeInfo accessibilityNodeInfo = getRootInActiveWindow(); if (accessibilityNodeInfo == null) { return null; } // 获取到满足字符要求的节点 List<AccessibilityNodeInfo> nodeInfoList = accessibilityNodeInfo.findAccessibilityNodeInfosByText(text); if (nodeInfoList != null && !nodeInfoList.isEmpty()) { for (AccessibilityNodeInfo nodeInfo : nodeInfoList) { if (nodeInfo != null && (nodeInfo.isClickable() == clickable)) { return nodeInfo; } } } return null; } public void performViewClick(AccessibilityNodeInfo nodeInfo){ if (nodeInfo == null) { return; } // 由下至上进行查询,直到寻找到可点击的节点 while (nodeInfo != null) { if (nodeInfo.isClickable()) { nodeInfo.performAction(AccessibilityNodeInfo.ACTION_CLICK); break; } nodeInfo = nodeInfo.getParent(); } } }
以上是一个典型的实现Accessibility功能的JAVA代码,主要涉及三点功能:
onAccessibilityEvent
方法会自动被system_server调用 getRootInActiveWindow
与 findAccessibilityNodeInfosByText
方法,可以获取到节点信息 performAction
方法,最终会在被监听APP中执行对应操作 本篇文章将会围绕着这三点主要功能进行源码分析
序号 | 种类名称 | 触发时机 |
---|---|---|
1 | TYPE_VIEW_CLICKED | 可点击的组件被点击 |
2 | TYPE_VIEW_LONG_CLICKED | 可点击的组件被长按 |
3 | TYPE_VIEW_SELECTED | 组件被选中 |
4 | TYPE_VIEW_FOCUSED | 组件获取到了焦点 |
5 | TYPE_VIEW_TEXT_CHANGED | 组件中的文本发生变化 |
6 | TYPE_VIEW_SCROLLED | 组件被滑动 |
7 | TYPE_WINDOW_STATE_CHANGED | dialog等被打开 |
8 | TYPE_NOTIFICATION_STATE_CHANGED | 通知弹出 |
9 | TYPE_WINDOW_CONTENT_CHANGED | 组件树发生了变化 |
这里以TextView.setText触发事件变化流程为例进行分析
应用组件状态发生变化
frameworks/base/core/java/android/widget/TextView.java
private void setText(CharSequence text, BufferType type, boolean notifyBefore, int oldlen) { ... notifyViewAccessibilityStateChangedIfNeeded(AccessibilityEvent.CONTENT_CHANGE_TYPE_TEXT); ... } public void notifyViewAccessibilityStateChangedIfNeeded(int changeType){ if (!AccessibilityManager.getInstance(mContext).isEnabled() || mAttachInfo == null) { return; } if (mSendViewStateChangedAccessibilityEvent == null) { // 本质上是一个Runnable,意味着这里的流程会进入异步处理 mSendViewStateChangedAccessibilityEvent = new SendViewStateChangedAccessibilityEvent(); } mSendViewStateChangedAccessibilityEvent.runOrPost(changeType); } private class SendViewStateChangedAccessibilityEventimplements Runnable{ ... @Override public void run(){ mPosted = false; mPostedWithDelay = false; mLastEventTimeMillis = SystemClock.uptimeMillis(); if (AccessibilityManager.getInstance(mContext).isEnabled()) { final AccessibilityEvent event = AccessibilityEvent.obtain(); event.setEventType(AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED); event.setContentChangeTypes(mChangeTypes); // 最终TYPE_WINDOW_CONTENT_CHANGED事件在这里异步发送 sendAccessibilityEventUnchecked(event); } mChangeTypes = 0; } ... } public void sendAccessibilityEventUnchecked(AccessibilityEvent event){ if (mAccessibilityDelegate != null) { mAccessibilityDelegate.sendAccessibilityEventUnchecked(this, event); } else { sendAccessibilityEventUncheckedInternal(event); } } public void sendAccessibilityEventUnchecked(View host, AccessibilityEvent event){ host.sendAccessibilityEventUncheckedInternal(event); } public void sendAccessibilityEventUncheckedInternal(AccessibilityEvent event){ if (!isShown()) { return; } ... // 此处交由TextView所在父View进行处理,为责任链模式,事件经过层层向上传递,最终交由ViewRootImpl进行处理 ViewParent parent = getParent(); if (parent != null) { getParent().requestSendAccessibilityEvent(this, event); } }
ViewRootImpl将事件派发到system_server
frameworks/base/core/java/android/view/ViewRootImpl.java
@Override public boolean requestSendAccessibilityEvent(View child, AccessibilityEvent event){ ... // 本地调用到AccessibilityManager进行事件发送 mAccessibilityManager.sendAccessibilityEvent(event); return true; }
frameworks/base/core/java/android/view/accessibility/AccessibilityManager.java
public void sendAccessibilityEvent(AccessibilityEvent event){ final IAccessibilityManager service; final int userId; synchronized (mLock) { // 获取system_server的Accessibility实名服务 service = getServiceLocked(); ... } try { ... long identityToken = Binder.clearCallingIdentity(); // binder call 到服务端,进行事件分发中转 doRecycle = service.sendAccessibilityEvent(event, userId); Binder.restoreCallingIdentity(identityToken); ... } catch (RemoteException re) { Log.e(LOG_TAG, "Error during sending " + event + " ", re); } finally { ... } }
system_server将事件分发到各个监听组件变化的Service
frameworks/base/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
// binder call 到服务端,触发事件派发 @Override public boolean sendAccessibilityEvent(AccessibilityEvent event,int userId){ synchronized (mLock) { ... if (mSecurityPolicy.canDispatchAccessibilityEventLocked(event)) { ... notifyAccessibilityServicesDelayedLocked(event, false); notifyAccessibilityServicesDelayedLocked(event, true); } ... } return (OWN_PROCESS_ID != Binder.getCallingPid()); } private void notifyAccessibilityServicesDelayedLocked(AccessibilityEvent event, boolean isDefault) { try { UserState state = getCurrentUserStateLocked(); for (int i = 0, count = state.mBoundServices.size(); i < count; i++) { Service service = state.mBoundServices.get(i); if (service.mIsDefault == isDefault) { if (canDispatchEventToServiceLocked(service, event)) { // 调用内部服务,以触发事件派发 service.notifyAccessibilityEvent(event); } } } } catch (IndexOutOfBoundsException oobe) { ... } } class Serviceextends IAccessibilityServiceConnection.Stub implements ServiceConnection, DeathRecipient { public void notifyAccessibilityEvent(AccessibilityEvent event){ synchronized (mLock) { ... if ((mNotificationTimeout > 0) && (eventType != AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED)) { ... // 按照惯例,异步分发到客户端进行派发 message = mEventDispatchHandler.obtainMessage(eventType); } else { message = mEventDispatchHandler.obtainMessage(eventType, newEvent); } mEventDispatchHandler.sendMessageDelayed(message, mNotificationTimeout); } } } public Handler mEventDispatchHandler = new Handler(mMainHandler.getLooper()) { @Override public void handleMessage(Message message){ final int eventType = message.what; AccessibilityEvent event = (AccessibilityEvent) message.obj; notifyAccessibilityEventInternal(eventType, event); } }; private void notifyAccessibilityEventInternal(int eventType, AccessibilityEvent event){ IAccessibilityServiceClient listener; ... // mServiceInterface是通过bind客户端的AccessibilityService,在onServiceConnected连接成功后,获取到binder proxy转化来的,以这种方式实现了system_server与客户端的通信 listener = mServiceInterface; ... try { listener.onAccessibilityEvent(event); if (DEBUG) { Slog.i(LOG_TAG, "Event " + event + " sent to " + listener); } } catch (RemoteException re) { Slog.e(LOG_TAG, "Error during sending " + event + " to " + listener, re); } finally { event.recycle(); } }
APP接收到组件变化的事件,并可以选择做出相应的处理
frameworks/base/core/java/android/accessibilityservice/AccessibilityService.java
// 抽象方法,模板模式,被系统主动调用 public abstract void onAccessibilityEvent(AccessibilityEvent event); // 该service是被system_server主动绑定的,获取到IAccessibilityServiceClientWrapper的proxy来实现系统的主动调用 @Override public final IBinder onBind(Intent intent){ return new IAccessibilityServiceClientWrapper(this, getMainLooper(), new Callbacks() { ... @Override public void onAccessibilityEvent(AccessibilityEvent event){ AccessibilityService.this.onAccessibilityEvent(event); } ... } } // 收到binder调用后,使用handler异步进行事件的处理 public void onAccessibilityEvent(AccessibilityEvent event){ Message message = mCaller.obtainMessageO(DO_ON_ACCESSIBILITY_EVENT, event); mCaller.sendMessage(message); } @Override public void executeMessage(Message message){ switch (message.what) { case DO_ON_ACCESSIBILITY_EVENT: { AccessibilityEvent event = (AccessibilityEvent) message.obj; if (event != null) { AccessibilityInteractionClient.getInstance().onAccessibilityEvent(event); // 通过回调调用以触发事件 mCallback.onAccessibilityEvent(event); ... } } return; } }
在调用findAccessibilityNodeInfosByText之前,需要通过getRootInActiveWindow方法获取到父节点,才能通过调用父AccessibilityNodeInfo的方法进行其子节点信息查询
frameworks/base/core/java/android/accessibilityservice/AccessibilityService.java
public AccessibilityNodeInfo getRootInActiveWindow(){ // 查找父节点的操作没有在自己的类中实现,而是交由了同一进程的Client管理类进行处理 return AccessibilityInteractionClient.getInstance().getRootInActiveWindow(mConnectionId); }
frameworks/base/core/java/android/view/accessibility/AccessibilityInteractionClient.java
public AccessibilityNodeInfo getRootInActiveWindow(int connectionId){ return findAccessibilityNodeInfoByAccessibilityId(connectionId, AccessibilityNodeInfo.ACTIVE_WINDOW_ID, AccessibilityNodeInfo.ROOT_NODE_ID, false, AccessibilityNodeInfo.FLAG_PREFETCH_DESCENDANTS); } public AccessibilityNodeInfo findAccessibilityNodeInfoByAccessibilityId(int connectionId, int accessibilityWindowId, long accessibilityNodeId, boolean bypassCache, int prefetchFlags) { ... // 尝试binder call到system_server,请求中转到其它APP进程中查询父节点信息,注意的是这里AccessibilityInteractionClient本身是个binder服务端,把this传到system_server后,其它进程可以通过这个引用拿到binder proxy,以实现通信 final boolean success = connection.findAccessibilityNodeInfoByAccessibilityId( accessibilityWindowId, accessibilityNodeId, interactionId, this, prefetchFlags, Thread.currentThread().getId()); Binder.restoreCallingIdentity(identityToken); // If the scale is zero the call has failed. if (success) { // 调用成功后,这里会尝试同步获取结果 List<AccessibilityNodeInfo> infos = getFindAccessibilityNodeInfosResultAndClear( interactionId); finalizeAndCacheAccessibilityNodeInfos(infos, connectionId); if (infos != null && !infos.isEmpty()) { return infos.get(0); } } ... }
注意一下,这里的Service不是Android中的四大组件的Service,取名叫AccessiblitManagerServiceInternal其实更合适
frameworks/base/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
@Override public boolean findAccessibilityNodeInfoByAccessibilityId( int accessibilityWindowId, long accessibilityNodeId, int interactionId, IAccessibilityInteractionConnectionCallback callback, int flags, long interrogatingTid) throws RemoteException { ... // 获取到其他APP的节点获取服务 IAccessibilityInteractionConnection connection = null; ... resolvedWindowId = resolveAccessibilityWindowIdLocked(accessibilityWindowId); ... if (!permissionGranted) { return false; } else { connection = getConnectionLocked(resolvedWindowId); if (connection == null) { return false; } } ... // 这里的callback为之前应用的服务proxy句柄,将它传入是为了之后的信息通信不再需要经过system_server中转,而是直接可以APP对APP的进行通信 connection.findAccessibilityNodeInfoByAccessibilityId(accessibilityNodeId, partialInteractiveRegion, interactionId, callback, mFetchFlags | flags, interrogatingPid, interrogatingTid, spec); ... }
这里调用到了APP端,其实同onAccessibilityEvent调用流程一样,是APP->SYSTEM->APP的调用顺序
frameworks/base/core/java/android/view/ViewRootImpl.java
@Override public void findAccessibilityNodeInfoByAccessibilityId(long accessibilityNodeId, Region interactiveRegion, int interactionId, IAccessibilityInteractionConnectionCallback callback, int flags, int interrogatingPid, long interrogatingTid, MagnificationSpec spec) { ViewRootImpl viewRootImpl = mViewRootImpl.get(); if (viewRootImpl != null && viewRootImpl.mView != null) { // 这里也只是委托给控制类进行细节操作的处理 viewRootImpl.getAccessibilityInteractionController() .findAccessibilityNodeInfoByAccessibilityIdClientThread(accessibilityNodeId, interactiveRegion, interactionId, callback, flags, interrogatingPid, interrogatingTid, spec); } else { ... } }
frameworks/base/core/java/android/view/AccessibilityInteractionController.java
private void findAccessibilityNodeInfoByAccessibilityIdUiThread(Message message){ ... // 初始化将会返回的节点 List<AccessibilityNodeInfo> infos = mTempAccessibilityNodeInfoList; infos.clear(); try { if (mViewRootImpl.mView == null || mViewRootImpl.mAttachInfo == null) { return; } mViewRootImpl.mAttachInfo.mAccessibilityFetchFlags = flags; View root = null; if (accessibilityViewId == AccessibilityNodeInfo.UNDEFINED_ITEM_ID) { root = mViewRootImpl.mView; } else { root = findViewByAccessibilityId(accessibilityViewId); } ... } finally { try { ... adjustIsVisibleToUserIfNeeded(infos, interactiveRegion); // 通过callback binder proxy句柄,将节点信息binder回应用 callback.setFindAccessibilityNodeInfosResult(infos, interactionId); infos.clear(); } catch (RemoteException re) { /* ignore - the other side will time out */ } ... } }
frameworks/base/core/java/android/view/accessibility/AccessibilityInteractionClient.java
public void setFindAccessibilityNodeInfosResult(List<AccessibilityNodeInfo> infos, int interactionId) { synchronized (mInstanceLock) { if (interactionId > mInteractionId) { if (infos != null) { ... // 设置应用的返回节点信息 if (!isIpcCall) { mFindAccessibilityNodeInfosResult = new ArrayList<>(infos); } else { mFindAccessibilityNodeInfosResult = infos; } } else { mFindAccessibilityNodeInfosResult = Collections.emptyList(); } mInteractionId = interactionId; } // 释放锁,停止等待,节点信息已经取回 mInstanceLock.notifyAll(); } }
找到父节点信息后,就可以通过父节点获取对应的子节点信息了
frameworks/base/core/java/android/view/accessibility/AccessibilityNodeInfo.java
public List<AccessibilityNodeInfo> findAccessibilityNodeInfosByText(String text) { ... // 一样的流程,通过AccessibilityInteractionClient去获取信息 AccessibilityInteractionClient client = AccessibilityInteractionClient.getInstance(); return client.findAccessibilityNodeInfosByText(mConnectionId, mWindowId, mSourceNodeId, text); } ``` 以下的代码流程同getRootInActiveWindow大概一致,就不详细分析了 #### AccessibilityNodeInfo.performAction 获取到对应子节点后,通过performAction可以执行对应的操作了,如常用的点击 最终回调用到AccessibilityInteractionController,获取到AccessibilityProvier后就可以执行performAction的最终操作了 frameworks/base/core/java/android/view/AccessibilityInteractionController.java ```java private void performAccessibilityActionUiThread(Message message) { View target = null; if (accessibilityViewId != AccessibilityNodeInfo.UNDEFINED_ITEM_ID) { target = findViewByAccessibilityId(accessibilityViewId); } else { target = mViewRootImpl.mView; } if (target != null && isShown(target)) { AccessibilityNodeProvider provider = target.getAccessibilityNodeProvider(); if (provider != null) { if (virtualDescendantId != AccessibilityNodeInfo.UNDEFINED_ITEM_ID) { // 在客户端执行performAction操作 succeeded = provider.performAction(virtualDescendantId, action, arguments); } else { succeeded = provider.performAction(AccessibilityNodeProvider.HOST_VIEW_ID, action, arguments); } } else if (virtualDescendantId == AccessibilityNodeInfo.UNDEFINED_ITEM_ID) { succeeded = target.performAccessibilityAction(action, arguments); } } }
frameworks/base/core/java/android/view/View.java
public boolean performAccessibilityActionInternal(int action, Bundle arguments){ ... switch (action) { case AccessibilityNodeInfo.ACTION_CLICK: { if (isClickable()) { // 最终调用到我们熟悉的View.performClick方法 performClick(); return true; } } break; ... }
分析到这里可以看到,Accessibility服务框架类似于hook在Android View组件树中的一套实现,它并不是独立的一套机制,而是”寄生”在View的显示、事件分发的流程中。