The previous article on Activity pluginization introduced the concept of Android pluginization and implemented Activity pluginization through a Hook scheme. This article continues from there and covers the pluginization of another important member of the four major components: Service.
Service Pluginization
The principle behind Service pluginization differs somewhat from that of Activity pluginization, mainly because the two components are started differently. Take Activity's startService method as an example: internally it calls the startService method of mBase, which is ContextImpl. Two diagrams give a quick overview of the Service startup process:
Note that the analysis diagrams of the Service startup process above are based on the Android 7.0 source code.
First we need to understand how Service differs from Activity where pluginization is concerned:
- Activities are managed on a stack, and the number of Activities in one stack is never large, so the number of plugin Activities a plugin framework has to handle is bounded and can be covered by declaring a finite number of placeholder (stub) Activities. Services are different: apart from hardware and system limits, the number of plugin Services a framework has to handle is unbounded, so it cannot be covered by a finite number of placeholder Services.
- In standard launch mode, starting the same placeholder Activity several times creates several Activity instances, but starting the same placeholder Service several times does not create several Service instances.
- The user's interaction with the UI affects the Activity lifecycle, so the lifecycle of a plugin Activity must be handed to the system. That is exactly why, in the Hook IActivityManager scheme, the plugin Activity is restored before ActivityThread actually creates and starts the Activity (the call to handleLaunchActivity). A Service's lifecycle is not affected by the user and can be managed by the developer, so there is no need to restore the plugin.
Given these three differences, Service pluginization cannot be implemented with the Hook IActivityManager scheme described for Activities.
Proxy Dispatch Implementation
The key point of Activity pluginization is to make sure its lifecycle is managed by the system, whereas the key point of Service pluginization is to preserve its priority. That calls for a real Service, not something that merely acts as a placeholder the way the placeholder Activity does without ever actually being started. When a plugin Service is to be started, the proxy Service is started first; once the proxy Service is running, it dispatches in its onStartCommand and similar methods, creating an instance of the plugin Service and executing its onCreate and onStartCommand methods. This scheme is called proxy dispatch. The code below demonstrates it.
First, TargetService stands for the plugin Service; the logic for loading the plugin Service is omitted here. The code is as follows:
```java
import android.app.Service;
import android.content.Intent;
import android.os.IBinder;
import android.util.Log;
import androidx.annotation.Nullable;

// Stands in for a plugin Service: it is deliberately not declared in AndroidManifest.xml.
public class TargetService extends Service {
    private final static String TAG = "TargetService";

    @Override
    public void onCreate() {
        super.onCreate();
        Log.e(TAG, "onCreate");
    }

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        Log.e(TAG, "onStartCommand");
        return super.onStartCommand(intent, flags, startId);
    }

    @Nullable
    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}
```
This class only prints a log line to prove that TargetService has started. TargetService represents the plugin Service and is not registered in AndroidManifest.xml, so starting it directly would fail AMS validation; the proxy Service has to be started first. To achieve that we need to hook IActivityManager. The principle is the same as in the previous article on Activity pluginization: define an IActivityManagerProxy that replaces the singleton IActivityManager. The code is as follows:
```java
import android.content.ComponentName;
import android.content.Intent;
import android.util.Log;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;

// Dynamic proxy in front of the real IActivityManager: rewrites startService(TargetService) into startService(ProxyService).
public class IActivityManagerProxy implements InvocationHandler {
    private final static String TAG = "IActivityManagerProxy";
    private Object iActivityManager;

    public IActivityManagerProxy(Object iActivityManager) {
        this.iActivityManager = iActivityManager;
    }

    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        if (method.getName().equals("startService") && args != null) {
            Intent intent = null;
            int index = -1;
            for (int i = 0; i < args.length; i++) {
                if (args[i] instanceof Intent) {
                    intent = (Intent) args[i];
                    index = i;
                    break;
                }
            }
            // Only an explicit intent carries a component; anything else is passed through untouched.
            ComponentName component = intent == null ? null : intent.getComponent();
            if (component != null && component.getClassName().contains("TargetService")) {
                Intent proxyIntent = new Intent();
                // Carry the real target's class name so ProxyService knows what to dispatch to.
                proxyIntent.putExtra(ProxyService.TARGET_SERVICE, component.getClassName());
                proxyIntent.setClassName("com.zacky.serviceplugintest",
                        "com.zacky.serviceplugintest.ProxyService");
                args[index] = proxyIntent;
                Log.e(TAG, "HOOK SUCCESS");
            }
        }
        return method.invoke(iActivityManager, args);
    }
}
```
Put simply, the startService call on iActivityManager is intercepted, and if the Service being started is TargetService it is replaced with the proxy ProxyService. The next step is to define ProxyService. First the proxy Service must be registered in AndroidManifest.xml:
```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.zacky.serviceplugintest">
    <application
        android:name=".TestApplication"
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <service
            android:name=".ProxyService"
            android:enabled="true"
            android:exported="false"></service>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```
Next, the implementation of ProxyService:
```java
import android.app.Application;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.IBinder;
import android.util.Log;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

// The real, manifest-registered Service: it creates the plugin Service and forwards the lifecycle calls to it.
public class ProxyService extends Service {
    private final static String TAG = "ProxyService";
    public final static String TARGET_SERVICE = "TargetService";

    @Override
    public void onCreate() {
        super.onCreate();
        Log.e(TAG, "onCreate");
    }

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        Log.e(TAG, "onStartCommand");
        if (intent == null || !intent.hasExtra(TARGET_SERVICE)) {
            return START_STICKY;
        }
        String targetServiceName = intent.getStringExtra(TARGET_SERVICE);
        Log.e(TAG, "targetServiceName = " + targetServiceName);
        if (targetServiceName == null) {
            return START_STICKY;
        }
        try {
            // Service.attach() needs the ActivityThread, its ApplicationThread binder, the Application
            // and the IActivityManager: the same arguments ActivityThread.handleCreateService() passes.
            Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
            Method getApplicationThreadMethod = activityThreadClass.getDeclaredMethod("getApplicationThread");
            getApplicationThreadMethod.setAccessible(true);
            Field sCurrentActivityThreadField = activityThreadClass.getDeclaredField("sCurrentActivityThread");
            sCurrentActivityThreadField.setAccessible(true);
            Object sCurrentActivityThread = sCurrentActivityThreadField.get(null); // static field
            Object applicationThread = getApplicationThreadMethod.invoke(sCurrentActivityThread);

            Class<?> iInterfaceClass = Class.forName("android.os.IInterface");
            Method asBinderMethod = iInterfaceClass.getDeclaredMethod("asBinder");
            asBinderMethod.setAccessible(true);
            Object token = asBinderMethod.invoke(applicationThread);

            Class<?> serviceClass = Class.forName("android.app.Service");
            Method attachMethod = serviceClass.getDeclaredMethod("attach",
                    Context.class, activityThreadClass, String.class, IBinder.class, Application.class, Object.class);
            attachMethod.setAccessible(true);

            // The IActivityManager singleton moved from ActivityManagerNative.gDefault to
            // ActivityManager.IActivityManagerSingleton in API 26.
            Object defaultSingleton;
            if (Build.VERSION.SDK_INT >= 26) {
                Class<?> activityManagerClass = Class.forName("android.app.ActivityManager");
                Field singletonField = activityManagerClass.getDeclaredField("IActivityManagerSingleton");
                singletonField.setAccessible(true);
                defaultSingleton = singletonField.get(null);
            } else {
                Class<?> activityManagerClass = Class.forName("android.app.ActivityManagerNative");
                Field singletonField = activityManagerClass.getDeclaredField("gDefault");
                singletonField.setAccessible(true);
                defaultSingleton = singletonField.get(null);
            }
            Class<?> singletonClass = Class.forName("android.util.Singleton");
            Field mInstanceField = singletonClass.getDeclaredField("mInstance");
            mInstanceField.setAccessible(true);
            Object iActivityManager = mInstanceField.get(defaultSingleton);

            // Create the plugin Service, attach it, then forward the lifecycle calls.
            Service targetService = (Service) Class.forName(targetServiceName).newInstance();
            attachMethod.invoke(targetService, this, sCurrentActivityThread,
                    targetServiceName, token, getApplication(), iActivityManager);
            targetService.onCreate();
            targetService.onStartCommand(intent, flags, startId);
        } catch (Exception e) {
            e.printStackTrace();
            return START_STICKY;
        }
        return START_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) {
        // ProxyService is only ever started, never bound.
        return null;
    }
}
```
The dispatch happens in onStartCommand, which does three main things:
- ProxyService has to keep dispatching Services for a long time, so it returns START_STICKY when the parameters are not satisfied, when an exception occurs, and when the code completes normally; this way ProxyService is re-created and its onStartCommand executed again.
- It creates an instance of TargetService and calls the instance's attach method via reflection.
- It performs the proxy dispatch, executing the TargetService instance's onCreate and onStartCommand methods.
Because calling Service's attach method requires parameters such as the ActivityThread, an IBinder and the Application, the corresponding parameters have to be obtained in addition to obtaining the attach method itself via reflection. Readers who are not familiar with this code can look at the source of ActivityThread's handleCreateService method; it is not discussed further here.
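The dispatch above creates a fresh TargetService and calls onCreate on every start, and it instantiates whatever class name the intent extra carries. The hypothetical PluginServiceDispatcher below is an added example, not the article's code: it keeps one instance per plugin Service so that onCreate runs once and onStartCommand on every start, as for a real Service, checks the class name against an allowlist the host registered before instantiating anything, and supports stopping; the Attacher interface is assumed to wrap the reflective Service.attach sequence from ProxyService.

```java
import android.app.Service;
import android.content.Intent;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
// Hypothetical helper: one instance per plugin Service, dispatch only to allowlisted classes.
public final class PluginServiceDispatcher {
    // Assumed to wrap the reflective Service.attach(...) sequence shown in ProxyService.
    public interface Attacher {
        void attach(Service plugin, Service host, String className) throws Exception;
    }
    private final Set<String> allowed;                      // plugin Services the host registered
    private final Attacher attacher;
    private final Map<String, Service> running = new HashMap<>();
    public PluginServiceDispatcher(Set<String> allowedClassNames, Attacher attacher) {
        this.allowed = Collections.unmodifiableSet(allowedClassNames);
        this.attacher = attacher;
    }
    // Called from ProxyService.onStartCommand. The extra names a class, so it is checked
    // against the allowlist before anything is instantiated.
    public int dispatchStart(Service host, Intent intent, int flags, int startId) {
        String className = intent == null ? null : intent.getStringExtra(ProxyService.TARGET_SERVICE);
        if (className == null || !allowed.contains(className)) {
            return Service.START_STICKY;
        }
        try {
            Service plugin = running.get(className);
            if (plugin == null) {
                plugin = (Service) Class.forName(className).getDeclaredConstructor().newInstance();
                attacher.attach(plugin, host, className);
                plugin.onCreate();                          // once per instance, like a real Service
                running.put(className, plugin);
            }
            plugin.onStartCommand(intent, flags, startId);  // on every start
        } catch (Exception e) {
            e.printStackTrace();
        }
        return Service.START_STICKY;                        // the proxy stays sticky either way
    }
    // Called when the plugin should stop: onDestroy once, then the instance is forgotten.
    public boolean dispatchStop(String className) {
        Service plugin = running.remove(className);
        if (plugin == null) return false;
        plugin.onDestroy();
        return true;
    }
}
```

ProxyService would call dispatchStart from its onStartCommand in place of the inline block above, and dispatchStop when a stop request for the plugin arrives; the allowlist is filled by the plugin loading logic the article omits.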
What remains is to replace IActivityManager with our IActivityManagerProxy. Here I chose to perform the replacement in Application's onCreate method:
```java
import android.app.Application;
import android.os.Build;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;

public class TestApplication extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        try {
            initHook();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Swap the process-wide IActivityManager singleton for our dynamic proxy.
    private void initHook() throws Exception {
        Object defaultSingleton;
        if (Build.VERSION.SDK_INT >= 26) {
            Class<?> activityManagerClass = Class.forName("android.app.ActivityManager");
            Field singletonField = activityManagerClass.getDeclaredField("IActivityManagerSingleton");
            singletonField.setAccessible(true);
            defaultSingleton = singletonField.get(null);
        } else {
            Class<?> activityManagerClass = Class.forName("android.app.ActivityManagerNative");
            Field singletonField = activityManagerClass.getDeclaredField("gDefault");
            singletonField.setAccessible(true);
            defaultSingleton = singletonField.get(null);
        }
        Class<?> singletonClass = Class.forName("android.util.Singleton");
        Field mInstanceField = singletonClass.getDeclaredField("mInstance");
        mInstanceField.setAccessible(true);
        Class<?> iActivityManagerClass = Class.forName("android.app.IActivityManager");
        Object iActivityManager = mInstanceField.get(defaultSingleton);
        Object iActivityManagerProxy = Proxy.newProxyInstance(getClassLoader(),
                new Class[]{iActivityManagerClass}, new IActivityManagerProxy(iActivityManager));
        mInstanceField.set(defaultSingleton, iActivityManagerProxy);
    }
}
```
The code is very similar to what was covered in the Activity pluginization article. Finally, start TargetService from MainActivity:
```java
import android.content.Intent;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity implements View.OnClickListener {
    Button startBtn;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        startBtn = findViewById(R.id.startBtn);
        startBtn.setOnClickListener(this);
    }

    @Override
    public void onClick(View v) {
        // Explicit intent for the unregistered plugin Service; the hook rewrites it to ProxyService.
        Intent intent = new Intent(this, TargetService.class);
        startService(intent);
    }
}
```
Run the project and tap the button: the log output shows that both ProxyService and TargetService have started.
Summary
Service pluginization works on a different principle from Activity pluginization and cannot use the Hook Instrumentation or Hook IActivityManager schemes described for Activities. The proxy dispatch scheme is therefore used instead: the proxy Service is started first, and the plugin Service is then started from its onStartCommand method, which performs the dispatch.