0x00 前言
UiAutomator是Android 4.1以上提供的一个UI自动化测试工具,4.3升级到了UiAutomator2.0,实现方式也从UiTestAutomationBridge变成了UiAutomation。
0x01 UiAutomation实现分析
UiAutomation类位于android.app包下面,是API18新增的类。
public final class UiAutomation {private final IAccessibilityServiceClient mClient;private final IUiAutomationConnection mUiAutomationConnection;public void connect();public void disconnect();public final boolean performGlobalAction(int action);public final AccessibilityServiceInfo getServiceInfo();public AccessibilityNodeInfo getRootInActiveWindow();public boolean injectInputEvent(InputEvent event, boolean sync);public boolean setRotation(int rotation);public AccessibilityEvent executeAndWaitForEvent(Runnable command, AccessibilityEventFilter filter, long timeoutMillis);public void waitForIdle(long idleTimeoutMillis, long globalTimeoutMillis);public Bitmap takeScreenshot();public void setRunAsMonkey(boolean enable);}COPY
以上是UiAutomation类中最重要的成员变量和函数,所有的接口基本都是通过调用mClient和mUiAutomationConnection这两个对象实现的。
public UiAutomation(Looper looper, IUiAutomationConnection connection) {if (looper == null) {throw new IllegalArgumentException("Looper cannot be null!");}if (connection == null) {throw new IllegalArgumentException("Connection cannot be null!");}mUiAutomationConnection = connection;mClient = new IAccessibilityServiceClientImpl(looper);}interface IUiAutomationConnection {void connect(IAccessibilityServiceClient client);void disconnect();boolean injectInputEvent(in InputEvent event, boolean sync);boolean setRotation(int rotation);Bitmap takeScreenshot(int width, int height);boolean clearWindowContentFrameStats(int windowId);WindowContentFrameStats getWindowContentFrameStats(int windowId);void clearWindowAnimationFrameStats();WindowAnimationFrameStats getWindowAnimationFrameStats();void executeShellCommand(String command, in ParcelFileDescriptor fd);void grantRuntimePermission(String packageName, String permission, int userId);void revokeRuntimePermission(String packageName, String permission, int userId);// Called from the system process.oneway void shutdown();}COPY
UiAutomation构造函数需要传入两个参数,一个是线程Looper对象,用于发送消息,一个是IUiAutomationConnection接口实例。
public void connect() {if (mHandlerThread.isAlive()) {throw new IllegalStateException("Already connected!");}mHandlerThread.start();mUiAutomation = new UiAutomation(mHandlerThread.getLooper(),new UiAutomationConnection());mUiAutomation.connect();}COPY
这是UiAutomationShellWrapper类中的一个方法,正好可以看到UiAutomation如何初始化。构造函数的第二个参数实际使用的是UiAutomationConnection类实例,这个类也是在android.app包下面,正是继承自IUiAutomationConnection.Stub类。
UiAutomation中一个重要的成员变量是mClient,它的类型是IAccessibilityServiceClient。
oneway interface IAccessibilityServiceClient {void init(in IAccessibilityServiceConnection connection, int connectionId, IBinder windowToken);void onAccessibilityEvent(in AccessibilityEvent event);void onInterrupt();void onGesture(int gesture);void clearAccessibilityCache();void onKeyEvent(in KeyEvent event, int sequence);}COPY
IAccessibilityServiceClient是一个AIDL接口定义,在抽象类AccessibilityService中实现了一个该接口的实现类IAccessibilityServiceClientWrapper。UiAutomation中定义了一个IAccessibilityServiceClientWrapper的子类IAccessibilityServiceClientImpl,主要是重写了onAccessibilityEvent方法,用于获取AccessibilityEvent事件。UiAutomation的构造函数中实例化的正是IAccessibilityServiceClientImpl实例。
UiAutomation的初始化过程主要是在connect方法中。
/*** Connects this UiAutomation to the accessibility introspection APIs.** @hide*/public void connect() {synchronized (mLock) {throwIfConnectedLocked();if (mIsConnecting) {return;}mIsConnecting = true;}try {// Calling out without a lock held.mUiAutomationConnection.connect(mClient);} catch (RemoteException re) {throw new RuntimeException("Error while connecting UiAutomation", re);}synchronized (mLock) {final long startTimeMillis = SystemClock.uptimeMillis();try {while (true) {if (isConnectedLocked()) {break;}final long elapsedTimeMillis = SystemClock.uptimeMillis() - startTimeMillis;final long remainingTimeMillis = CONNECT_TIMEOUT_MILLIS - elapsedTimeMillis;if (remainingTimeMillis <= 0) {throw new RuntimeException("Error while connecting UiAutomation");}try {mLock.wait(remainingTimeMillis);} catch (InterruptedException ie) {/* ignore */}}} finally {mIsConnecting = false;}}}COPY
这里主要是调用了mUiAutomationConnection.connect(mClient)。
public void connect(IAccessibilityServiceClient client) {if (client == null) {throw new IllegalArgumentException("Client cannot be null!");}synchronized (mLock) {throwIfShutdownLocked();if (isConnectedLocked()) {throw new IllegalStateException("Already connected.");}mOwningUid = Binder.getCallingUid();registerUiTestAutomationServiceLocked(client);storeRotationStateLocked();}}private void registerUiTestAutomationServiceLocked(IAccessibilityServiceClient client) {IAccessibilityManager manager = IAccessibilityManager.Stub.asInterface(ServiceManager.getService(Context.ACCESSIBILITY_SERVICE));AccessibilityServiceInfo info = new AccessibilityServiceInfo();info.eventTypes = AccessibilityEvent.TYPES_ALL_MASK;info.feedbackType = AccessibilityServiceInfo.FEEDBACK_GENERIC;info.flags |= AccessibilityServiceInfo.FLAG_INCLUDE_NOT_IMPORTANT_VIEWS| AccessibilityServiceInfo.FLAG_REPORT_VIEW_IDS;info.setCapabilities(AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT| AccessibilityServiceInfo.CAPABILITY_CAN_REQUEST_TOUCH_EXPLORATION| AccessibilityServiceInfo.CAPABILITY_CAN_REQUEST_ENHANCED_WEB_ACCESSIBILITY| AccessibilityServiceInfo.CAPABILITY_CAN_REQUEST_FILTER_KEY_EVENTS);try {// Calling out with a lock held is fine since if the system// process is gone the client calling in will be killed.manager.registerUiTestAutomationService(mToken, client, info);mClient = client;} catch (RemoteException re) {throw new IllegalStateException("Error while registering UiTestAutomationService.", re);}}COPY
UiAutomationConnection.connect函数接着调用了registerUiTestAutomationServiceLocked(client),而registerUiTestAutomationServiceLocked主要是调用了IAccessibilityManager的registerUiTestAutomationService注册了一个Accessibility服务。
由此可见,UiAutomation最终也是使用了AccessibilityManagerService。
0x02 如何使用UiAutomation
UiAutomator的常见使用方式是调用uiautomator命令,或是将uiautomator.jar导入到自己的工程中。为了更加自由地使用UiAutomation提供的能力,可以考虑直接创建UiAutomation对象实例使用。由于UiAutomation的构造函数以及其它一些重要方法设置了@hide,因此无法直接使用,需要用反射的方式获取。
Object connection = null;HandlerThread mHandlerThread = new HandlerThread("UiAutomationThread");mHandlerThread.start();try{Class<?> UiAutomationConnection = Class.forName("android.app.UiAutomationConnection");Constructor<?> newInstance = UiAutomationConnection.getDeclaredConstructor();newInstance.setAccessible(true);connection = newInstance.newInstance();Class<?> IUiAutomationConnection = Class.forName("android.app.IUiAutomationConnection");Constructor<?> newUiAutomation = UiAutomation.class.getDeclaredConstructor(Looper.class, IUiAutomationConnection);UiAutomation mUiAutomation = (UiAutomation)newUiAutomation.newInstance(mHandlerThread.getLooper(), connection);Method connect = UiAutomation.class.getDeclaredMethod("connect");connect.invoke(mUiAutomation);Log.i(TAG, ""+mUiAutomation);mUiAutomation.waitForIdle(1000, 1000 * 10);AccessibilityNodeInfo nodeInfo = mUiAutomation.getRootInActiveWindow();Log.i(TAG, ""+nodeInfo);}catch(Exception e){e.printStackTrace();return;}COPY
这是一段最简单的使用代码,编译到apk里面,运行后报错了。
Caused by: java.lang.SecurityException: You do not have android.permission.RETRIEVE\_WINDOW_CONTENT required to call registerUiTestAutomationService from pid=3676, uid=10040at android.os.Parcel.readException(Parcel.java:1599)at android.os.Parcel.readException(Parcel.java:1552)at android.view.accessibility.IAccessibilityManager$Stub$Proxy.registerUiTestAutomationService (IAccessibilityManager.java:352)at android.app.UiAutomationConnection.registerUiTestAutomationServiceLocked(UiAutomationConnection.java:337)at android.app.UiAutomationConnection.connect(UiAutomationConnection.java:89)at android.app.UiAutomation.connect(UiAutomation.java:197)COPY
看来是需要android.permission.RETRIEVE_WINDOW_CONTENT权限,尝试将该权限添加到AndroidManifest.xml中,但是提示这个是系统权限,普通应用不能申请。因此,应用中不能使用UiAutomation的,同时发现,编译为jar包后使用shell权限执行,是可以正常跑过的。这也是为什么uiautomator工具可以正常运行的原因。
0x03 AccessibilityManagerService
如前所述,UiAutomation底层使用的还是AccessibilityManagerService,这里简单分析一下AccessibilityManagerService的实现。
该类内部包含了一个Service类:
/*** This class represents an accessibility service. It stores all per service* data required for the service management, provides API for starting/stopping the* service and is responsible for adding/removing the service in the data structures* for service management. The class also exposes configuration interface that is* passed to the service it represents as soon it is bound. It also serves as the* connection for the service.*/class Service extends IAccessibilityServiceConnection.Stub implements ServiceConnection, DeathRecipient;COPY
从描述上看,每个Service实例代表了一个Accessibility服务,同时它实现了ServiceConnection接口,因此它也是一个Service客户端。
Service类中定义了一个bool类型的变量mIsAutomation,表示当前服务是否是UiAutomation。在AccessibilityManagerService的registerUiTestAutomationService方法中,将当前服务的组件名称设置为sFakeAccessibilityServiceComponentName,而mIsAutomation就是通过组件名称来判断是否是UiAutomation。
accessibilityServiceInfo.setComponentName(sFakeAccessibilityServiceComponentName);mIsAutomation = (sFakeAccessibilityServiceComponentName.equals(componentName));COPY
由于UiAutomation与AccessibilityService实现方式不同,因此,AccessibilityManagerService在很多地方都会根据mIsAutomation执行不同的逻辑。
根据前面的分析,在UiAutomation发起connect请求后,会进入AccessibilityManagerService的registerUiTestAutomationService。然后经过一系列的函数调用,进到Service的bindLocked函数。
/*** Binds to the accessibility service.** @return True if binding is successful.*/public boolean bindLocked() {UserState userState = getUserStateLocked(mUserId);if (!mIsAutomation) {if (mService == null && mContext.bindServiceAsUser(mIntent, this,Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE_WHILE_AWAKE,new UserHandle(mUserId))) {userState.mBindingServices.add(mComponentName);}} else {userState.mBindingServices.add(mComponentName);mService = userState.mUiAutomationServiceClient.asBinder();mMainHandler.post(new Runnable() {@Overridepublic void run() {// Simulate asynchronous connection since in onServiceConnected// we may modify the state data in case of an error but bind is// called while iterating over the data and bad things can happen.onServiceConnected(mComponentName, mService);}});userState.mUiAutomationService = this;}return false;}COPY
bindLocked会发送一个异步消息,调到onServiceConnected回调。
@Overridepublic void onServiceConnected(ComponentName componentName, IBinder service) {synchronized (mLock) {mService = service;mServiceInterface = IAccessibilityServiceClient.Stub.asInterface(service);UserState userState = getUserStateLocked(mUserId);addServiceLocked(this, userState);if (userState.mBindingServices.contains(mComponentName) || mWasConnectedAndDied) {userState.mBindingServices.remove(mComponentName);mWasConnectedAndDied = false;try {mServiceInterface.init(this, mId, mOverlayWindowToken);onUserStateChangedLocked(userState);} catch (RemoteException re) {Slog.w(LOG_TAG, "Error while setting connection for service: "+ service, re);binderDied();}} else {binderDied();}}}COPY
这里的mServiceInterface其实就是UiAutomation构造函数中实例化的mClient的远程对象。接着,调用了IAccessibilityServiceClient的init函数,该函数的实现位于AccessibilityService.IAccessibilityServiceClientWrapper类中。
public void init(IAccessibilityServiceConnection connection, int connectionId,IBinder windowToken) {Message message = mCaller.obtainMessageIOO(DO_INIT, connectionId,connection, windowToken);mCaller.sendMessage(message);}case DO_INIT: {mConnectionId = message.arg1;SomeArgs args = (SomeArgs) message.obj;IAccessibilityServiceConnection connection =(IAccessibilityServiceConnection) args.arg1;IBinder windowToken = (IBinder) args.arg2;args.recycle();if (connection != null) {AccessibilityInteractionClient.getInstance().addConnection(mConnectionId,connection);mCallback.init(mConnectionId, windowToken);mCallback.onServiceConnected();} else {AccessibilityInteractionClient.getInstance().removeConnection(mConnectionId);mConnectionId = AccessibilityInteractionClient.NO_ID;AccessibilityInteractionClient.getInstance().clearCache();mCallback.init(AccessibilityInteractionClient.NO_ID, null);}} return;COPY
这样,初始化完成后,AccessibilityInteractionClient实例中保存了IAccessibilityServiceConnection实例,而AccessibilityManagerService中对应的Service对象中也保存了IAccessibilityServiceClient实例,从而建立起双向的Binder通信。
在发生Accessibility事件后,AccessibilityManagerService会通过IAccessibilityServiceConnection的onAccessibilityEvent方法将事件通知给UiAutomation。
0x04 UiAutomator与AccessibilityService
AccessibilityService是一个继承自Service的抽象服务类,用户在使用时需要实现一个自己的子类。该类很大程度上依赖于AccessibilityInteractionClient类提供的接口,AccessibilityInteractionClient类内部保存了一个静态的LongSparseArray<AccessibilityInteractionClient> sClients对象,用来实现线程相关的单例对象。
/*** @return The client for the current thread.*/public static AccessibilityInteractionClient getInstance() {final long threadId = Thread.currentThread().getId();return getInstanceForThread(threadId);}/*** <strong>Note:</strong> We keep one instance per interrogating thread since* the instance contains state which can lead to undesired thread interleavings.* We do not have a thread local variable since other threads should be able to* look up the correct client knowing a thread id. See ViewRootImpl for details.** @return The client for a given <code>threadId</code>.*/public static AccessibilityInteractionClient getInstanceForThread(long threadId) {synchronized (sStaticLock) {AccessibilityInteractionClient client = sClients.get(threadId);if (client == null) {client = new AccessibilityInteractionClient();sClients.put(threadId, client);}return client;}}COPY
前面提到,AccessibilityInteractionClient对象中保存了IAccessibilityServiceConnection实例,因此,可以调用该接口提供的功能。
/*** Interface given to an AccessibilitySerivce to talk to the AccessibilityManagerService.** @hide*/interface IAccessibilityServiceConnection {void setServiceInfo(in AccessibilityServiceInfo info);boolean findAccessibilityNodeInfoByAccessibilityId(int accessibilityWindowId,long accessibilityNodeId, int interactionId,IAccessibilityInteractionConnectionCallback callback, int flags, long threadId);boolean findAccessibilityNodeInfosByText(int accessibilityWindowId, long accessibilityNodeId,String text, int interactionId, IAccessibilityInteractionConnectionCallback callback,long threadId);boolean findAccessibilityNodeInfosByViewId(int accessibilityWindowId,long accessibilityNodeId, String viewId, int interactionId,IAccessibilityInteractionConnectionCallback callback, long threadId);boolean findFocus(int accessibilityWindowId, long accessibilityNodeId, int focusType,int interactionId, IAccessibilityInteractionConnectionCallback callback, long threadId);boolean focusSearch(int accessibilityWindowId, long accessibilityNodeId, int direction,int interactionId, IAccessibilityInteractionConnectionCallback callback, long threadId);boolean performAccessibilityAction(int accessibilityWindowId, long accessibilityNodeId,int action, in Bundle arguments, int interactionId,IAccessibilityInteractionConnectionCallback callback, long threadId);AccessibilityWindowInfo getWindow(int windowId);List<AccessibilityWindowInfo> getWindows();AccessibilityServiceInfo getServiceInfo();boolean performGlobalAction(int action);oneway void setOnKeyEventResult(boolean handled, int sequence);}COPY
与UiAutomation不同的是,AccessibilityService的初始化是和普通的Service一致的。由于AccessibilityService比较特殊的地方在于需要在设置的辅助功能里开启对应的服务,点击开启后,会执行到BindService逻辑,进而执行到AccessibilityService的onBind回调,并触发AccessibilityManagerService中Service的onServiceConnected回调。
/*** Implement to return the implementation of the internal accessibility* service interface.*/@Overridepublic final IBinder onBind(Intent intent) {return new IAccessibilityServiceClientWrapper(this, getMainLooper(), new Callbacks() {@Overridepublic void onServiceConnected() {AccessibilityService.this.onServiceConnected();}@Overridepublic void onInterrupt() {AccessibilityService.this.onInterrupt();}@Overridepublic void onAccessibilityEvent(AccessibilityEvent event) {AccessibilityService.this.onAccessibilityEvent(event);}@Overridepublic void init(int connectionId, IBinder windowToken) {mConnectionId = connectionId;mWindowToken = windowToken;// The client may have already obtained the window manager, so// update the default token on whatever manager we gave them.final WindowManagerImpl wm = (WindowManagerImpl) getSystemService(WINDOW_SERVICE);wm.setDefaultToken(windowToken);}@Overridepublic boolean onGesture(int gestureId) {return AccessibilityService.this.onGesture(gestureId);}@Overridepublic boolean onKeyEvent(KeyEvent event) {return AccessibilityService.this.onKeyEvent(event);}});}COPY
相对于UiAutomation只能在shell环境中执行,AccessibilityService是可以运行在app环境中的,但是需要用户手动开启服务会略显麻烦。
0x05 总结
UiAutomator和AccessibilityService作为两种不同的实现形式,拥有各自的优缺点,这两年流行的抢红包工具基本也是基于这两种方式实现的。在自动化中使用它们也能起到一些辅助作用。
Gitalking ...