场景描述:
我们在使用淘宝,京东等一些app时,在未登录的情况下是允许我们去浏览app的,但是当我们去购物或者其他操作时就需要用户登录才可操作,我们一般的作法是在BaseActivity里写一个公共方法:
@Override
public void startActivity(Intent intent) {
if(!isLogin){
Toast.makeText(this,"暂未登录", Toast.LENGTH_SHORT).show();
return;
}
super.startActivity(intent);
}
这样当然也可以实现我们的需求,但是很low。所以我们是否可以尝试一种比较高级的方法呢,能不能去拦截系统的startActivity方法,在执行真正的跳转之前执行我们的逻辑。
进入正题:
想要拦截系统的api,自然而然就会想到去hook startActivity这个方法,接下来去阅读下activity的startActivity源码:
/**
* Same as {@link #startActivity(Intent, Bundle)} with no options
* specified.
*
* @param intent The intent to start.
*
* @throws android.content.ActivityNotFoundException
*
* @see #startActivity(Intent, Bundle)
* @see #startActivityForResult
*/
@Override
public void startActivity(Intent intent) {
this.startActivity(intent, null);
}
再点进去startActivity(intent, null):
/**
* Launch a new activity. You will not receive any information about when
* the activity exits. This implementation overrides the base version,
* providing information about
* the activity performing the launch. Because of this additional
* information, the {@link Intent#FLAG_ACTIVITY_NEW_TASK} launch flag is not
* required; if not specified, the new activity will be added to the
* task of the caller.
*
* <p>This method throws {@link android.content.ActivityNotFoundException}
* if there was no Activity found to run the given Intent.
*
* @param intent The intent to start.
* @param options Additional options for how the Activity should be started.
* See {@link android.content.Context#startActivity(Intent, Bundle)}
* Context.startActivity(Intent, Bundle)} for more details.
*
* @throws android.content.ActivityNotFoundException
*
* @see #startActivity(Intent)
* @see #startActivityForResult
*/
@Override
public void startActivity(Intent intent, @Nullable Bundle options) {
if (options != null) {
startActivityForResult(intent, -1, options);
} else {
// Note we want to go through this call for compatibility with
// applications that may have overridden the method.
startActivityForResult(intent, -1);
}
}
继续查看startActivityForResult:
public void startActivityForResult(@RequiresPermission Intent intent, int requestCode,
@Nullable Bundle options) {
if (mParent == null) {
options = transferSpringboardActivityOptions(options);
Instrumentation.ActivityResult ar =
mInstrumentation.execStartActivity(
this, mMainThread.getApplicationThread(), mToken, this,
intent, requestCode, options);
if (ar != null) {
mMainThread.sendActivityResult(
mToken, mEmbeddedID, requestCode, ar.getResultCode(),
ar.getResultData());
}
if (requestCode >= 0) {
// If this start is requesting a result, we can avoid making
// the activity visible until the result is received. Setting
// this code during onCreate(Bundle savedInstanceState) or onResume() will keep the
// activity hidden during this time, to avoid flickering.
// This can only be done when a result is requested because
// that guarantees we will get information back when the
// activity is finished, no matter what happens to it.
mStartedActivity = true;
}
cancelInputsAndStartExitTransition(options);
// TODO Consider clearing/flushing other event sources and events for child windows.
} else {
if (options != null) {
mParent.startActivityFromChild(this, intent, requestCode, options);
} else {
// Note we want to go through this method for compatibility with
// existing applications that may have overridden it.
mParent.startActivityFromChild(this, intent, requestCode);
}
}
}
这里可以看到mParent==null,执行
Instrumentation.ActivityResult ar =
mInstrumentation.execStartActivity(
this, mMainThread.getApplicationThread(), mToken, this,
intent, requestCode, options);
否则执行:startActivityFromChild
public void startActivityFromChild(@NonNull Activity child, @RequiresPermission Intent intent,
int requestCode, @Nullable Bundle options) {
options = transferSpringboardActivityOptions(options);
Instrumentation.ActivityResult ar =
mInstrumentation.execStartActivity(
this, mMainThread.getApplicationThread(), mToken, child,
intent, requestCode, options);
if (ar != null) {
mMainThread.sendActivityResult(
mToken, child.mEmbeddedID, requestCode,
ar.getResultCode(), ar.getResultData());
}
cancelInputsAndStartExitTransition(options);
}
到这里我们可以看到也是执行了这样一个方法:
Instrumentation.ActivityResult ar =
mInstrumentation.execStartActivity(
this, mMainThread.getApplicationThread(), mToken, child,
intent, requestCode, options);
所以至此为止,我们找到了我们需要hook的对象,接下来进入真正的hook阶段。
想要实现hook,就必然想到反射和代理,反射这里就不再赘述,对于代理不熟悉的伙伴可以看看:https://blog.csdn.net/u011784767/article/details/78281384
熟悉这两点以后,就进入代码阶段了:
- 进入Instrumentation类,Instrumentation并不是一个接口,我们采用静态代理模式,找到要hook的方法
* {@hide}
*/
public ActivityResult execStartActivity(
Context who, IBinder contextThread, IBinder token, Activity target,
Intent intent, int requestCode, Bundle options) {
IApplicationThread whoThread = (IApplicationThread) contextThread;
Uri referrer = target != null ? target.onProvideReferrer() : null;
if (referrer != null) {
intent.putExtra(Intent.EXTRA_REFERRER, referrer);
}
if (mActivityMonitors != null) {
synchronized (mSync) {
final int N = mActivityMonitors.size();
for (int i=0; i<N; i++) {
final ActivityMonitor am = mActivityMonitors.get(i);
ActivityResult result = null;
if (am.ignoreMatchingSpecificIntents()) {
result = am.onStartActivity(intent);
}
if (result != null) {
am.mHits++;
return result;
} else if (am.match(who, null, intent)) {
am.mHits++;
if (am.isBlocking()) {
return requestCode >= 0 ? am.getResult() : null;
}
break;
}
}
}
}
try {
intent.migrateExtraStreamToClipData();
intent.prepareToLeaveProcess(who);
int result = ActivityManager.getService()
.startActivity(whoThread, who.getBasePackageName(), intent,
intent.resolveTypeIfNeeded(who.getContentResolver()),
token, target != null ? target.mEmbeddedID : null,
requestCode, 0, null, options);
checkStartActivityResult(result, intent);
} catch (RemoteException e) {
throw new RuntimeException("Failure from system", e);
}
return null;
}
可以看到execStartActivity是一个hide方法,所以必须用反射调用
class ActivityProxyInstrumentation extends Instrumentation {
private static final String TAG = "ActivityProxyInstrumentation";
// ActivityThread中原始的对象, 保存起来
Instrumentation mBase;
public ActivityProxyInstrumentation(Instrumentation base) {
mBase = base;
}
public ActivityResult execStartActivity(
Context who, IBinder contextThread, IBinder token, Activity target,
Intent intent, int requestCode, Bundle options) {
if (isLogin) { //模拟是否登录
// 由于execStartActivity是隐藏的,因此需要使用反射调用;首先找到这个方法
try {
Method execStartActivity = Instrumentation.class.getDeclaredMethod(
"execStartActivity",
Context.class, IBinder.class, IBinder.class, Activity.class,
Intent.class, int.class, Bundle.class);
execStartActivity.setAccessible(true);
return (ActivityResult) execStartActivity.invoke(mBase, who,
contextThread, token, target, intent, requestCode, options);
} catch (Exception e) {
throw new RuntimeException("do not support!!! pls adapt it");
}
} else {
Toast.makeText(who, "暂未登录", Toast.LENGTH_SHORT).show();
return null;
}
}
}
2.有了代理对象,接下来的工作就是替换成我们的代理对象了
public static void replaceInstrumentation(Activity activity) throws Exception {
Class<?> k = Activity.class;
//通过Activity.class 拿到 mInstrumentation字段
Field field = k.getDeclaredField("mInstrumentation");
field.setAccessible(true);
//根据activity内mInstrumentation字段 获取Instrumentation对象
Instrumentation instrumentation = (Instrumentation) field.get(activity);
//创建代理对象
ActivityProxyInstrumentation proxyInstrumentation = new ActivityProxyInstrumentation(instrumentation);
//进行替换成我们在上个步骤中的代理对象
field.set(activity, proxyInstrumentation);
}
其实这就是最关键的两点,接下来实验一把,把图附上:
这里就是应用反射和静态代理实现的一个简单登录框架,有什么不对的地方请多多指教,一起学习交流!