Android懸浮窗TYPE_TOAST小結: 原始碼分析

發表於2016-02-19

前言

Android無需許可權顯示懸浮窗, 兼談逆向分析app這篇文章閱讀量很大, 這篇文章是通過逆向分析UC瀏覽器的實現和相容性處理來得到一個懸浮窗的實現小技巧, 但有很多問題沒有弄明白, 比如為什麼在API 18及以下TYPE_TOAST的懸浮窗無法接受觸控事件, 為什麼使用TYPE_TOAST就不需要許可權.

期間@廖祜秋liaohuqiu_秋百萬和我有較多探討, 原文貼的一個demo android-UCToast也是他做的, 他也有寫Android 懸浮窗的小結. 這幾篇關於懸浮窗的文章, 是我和他共同探索的結果, 非常感謝.

思路

老實說一開始我是想看看整個事件的傳播過程, 從EventHub開始, 到View.onTouchEvent, 想看看Android系統內事件分發, 不過由於絕大部分程式碼在Native層, 我並沒有搞清楚.

其實要想知道原因很簡單, 只要grep一下TYPE_TOAST, 把每個用到的地方看一看, 自然就知道了, 但是恰好週末我手上沒有原始碼, 只能在grepcode上面一個一個的查, 所以也花了不少時間.

正文

還是從最簡單的地方開始, 我們呼叫了WindowManager.addView, WindowManager是個介面, 我們使用的是他的實現類WindowManagerImpl, 看看它的addView方法:

@Override
public void addView(View view, ViewGroup.LayoutParams    params) {
    mGlobal.addView(view, params, mDisplay, mParentWindow);
}

@Override

public void addView(View view, ViewGroup.LayoutParams params) {

mGlobal.addView(view, params, mDisplay, mParentWindow);

}

mGlobal是WindowManagerGlobal的例項, 再看看WindowManagerGlobal.addView:

    public void addView(View view, ViewGroup.LayoutParams params,
            Display display, Window parentWindow) {
        ......
        final WindowManager.LayoutParams wparams = (WindowManager.LayoutParams)params;
        ......

        synchronized (mLock) {
            ......
            root = new ViewRootImpl(view.getContext(), display);

            view.setLayoutParams(wparams);
            ......
        }

        // do this last because it fires off messages to start doing things
        try {
            root.setView(view, wparams, panelParentView);
        } catch (RuntimeException e) {
            // BadTokenException or InvalidDisplayException, clean up.
            ......
    }

public void addView(View view, ViewGroup.LayoutParams params,

Display display, Window parentWindow) {

......

final WindowManager.LayoutParams wparams = (WindowManager.LayoutParams)params;

......

synchronized (mLock) {

......

root = new ViewRootImpl(view.getContext(), display);

view.setLayoutParams(wparams);

......

}

// do this last because it fires off messages to start doing things

try {

root.setView(view, wparams, panelParentView);

} catch (RuntimeException e) {

// BadTokenException or InvalidDisplayException, clean up.

......

}

程式碼中建立了一個ViewRootImpl, 呼叫了它的setView, 將我們要新增的view傳入. 繼續看ViewRootImpl.setView:

    public void setView(View view, WindowManager.LayoutParams attrs, View panelParentView) {
        synchronized (this) {
            if (mView == null) {
                ......
                mWindowAttributes.copyFrom(attrs);
                if (mWindowAttributes.packageName == null) {
                    mWindowAttributes.packageName = mBasePackageName;
                }
                ......
                try {
                    ......
                    res = mWindowSession.addToDisplay(mWindow, mSeq, mWindowAttributes,
                            getHostVisibility(), mDisplay.getDisplayId(),
                            mAttachInfo.mContentInsets, mInputChannel);
                } catch (RemoteException e) {
                    ......
                    throw new RuntimeException("Adding window failed", e);
                } finally {
                    ......
                }
                ......
            }
        }
    }

public void setView(View view, WindowManager.LayoutParams attrs, View panelParentView) {

synchronized (this) {

if (mView == null) {

......

mWindowAttributes.copyFrom(attrs);

if (mWindowAttributes.packageName == null) {

mWindowAttributes.packageName = mBasePackageName;

}

......

try {

......

res = mWindowSession.addToDisplay(mWindow, mSeq, mWindowAttributes,

getHostVisibility(), mDisplay.getDisplayId(),

mAttachInfo.mContentInsets, mInputChannel);

} catch (RemoteException e) {

......

throw new RuntimeException("Adding window failed", e);

} finally {

......

}

......

}

對我們的分析來說最關鍵的程式碼是

res = mWindowSession.addToDisplay(mWindow, mSeq, mWindowAttributes,
        getHostVisibility(), mDisplay.getDisplayId(),
        mAttachInfo.mContentInsets, mInputChannel);

res = mWindowSession.addToDisplay(mWindow, mSeq, mWindowAttributes,

getHostVisibility(), mDisplay.getDisplayId(),

mAttachInfo.mContentInsets, mInputChannel);

mWindowSession的型別是IWindowSession, mWindow的型別是IWindow.Stub, 這句程式碼就是利用AIDL進行IPC, 實際被呼叫的是Session.addToDisplay:

    @Override
    public int addToDisplay(IWindow window, int seq, WindowManager.LayoutParams attrs,
            int viewVisibility, int displayId, Rect outContentInsets,
            InputChannel outInputChannel) {
        return mService.addWindow(this, window, seq, attrs, viewVisibility, displayId,
                outContentInsets, outInputChannel);
    }

@Override

public int addToDisplay(IWindow window, int seq, WindowManager.LayoutParams attrs,

int viewVisibility, int displayId, Rect outContentInsets,

InputChannel outInputChannel) {

return mService.addWindow(this, window, seq, attrs, viewVisibility, displayId,

outContentInsets, outInputChannel);

}

mService是WindowManagerService, 繼續往下跟:

    public int addWindow(Session session, IWindow client, int seq,
            WindowManager.LayoutParams attrs, int viewVisibility, int displayId,
            Rect outContentInsets, InputChannel outInputChannel) {
        int[] appOp = new int[1];
        int res = mPolicy.checkAddPermission(attrs, appOp);
        if (res != WindowManagerGlobal.ADD_OKAY) {
            return res;
        }
        ......
        final int type = attrs.type;

        synchronized(mWindowMap) {
            ......

            mPolicy.adjustWindowParamsLw(win.mAttrs);
            ......
        }
        ......

        return res;
    }

public int addWindow(Session session, IWindow client, int seq,

WindowManager.LayoutParams attrs, int viewVisibility, int displayId,

Rect outContentInsets, InputChannel outInputChannel) {

int[] appOp = new int[1];

int res = mPolicy.checkAddPermission(attrs, appOp);

if (res != WindowManagerGlobal.ADD_OKAY) {

return res;

}

......

final int type = attrs.type;

synchronized(mWindowMap) {

......

mPolicy.adjustWindowParamsLw(win.mAttrs);

......

}

......

return res;

}

mPolicy是標記為final的成員變數:

final WindowManagerPolicy mPolicy = PolicyManager.makeNewWindowManager();

1	final WindowManagerPolicy mPolicy = PolicyManager.makeNewWindowManager();

繼續看PolicyManager.makeNewWindowManager:

public final class PolicyManager {
    private static final String POLICY_IMPL_CLASS_NAME =
        "com.android.internal.policy.impl.Policy";

    private static final IPolicy sPolicy;

    static {
        // Pull in the actual implementation of the policy at run-time
        try {
            Class policyClass = Class.forName(POLICY_IMPL_CLASS_NAME);
            sPolicy = (IPolicy)policyClass.newInstance();
        } catch (ClassNotFoundException ex) {
            throw new RuntimeException(
                    POLICY_IMPL_CLASS_NAME + " could not be loaded", ex);
        } catch (InstantiationException ex) {
            throw new RuntimeException(
                    POLICY_IMPL_CLASS_NAME + " could not be instantiated", ex);
        } catch (IllegalAccessException ex) {
            throw new RuntimeException(
                    POLICY_IMPL_CLASS_NAME + " could not be instantiated", ex);
        }
    }

    // Cannot instantiate this class
    private PolicyManager() {}

    ......
    public static WindowManagerPolicy makeNewWindowManager() {
        return sPolicy.makeNewWindowManager();
    }
    ......
}

public final class PolicyManager {

private static final String POLICY_IMPL_CLASS_NAME =

"com.android.internal.policy.impl.Policy";

private static final IPolicy sPolicy;

static {

// Pull in the actual implementation of the policy at run-time

try {

Class policyClass = Class.forName(POLICY_IMPL_CLASS_NAME);

sPolicy = (IPolicy)policyClass.newInstance();

} catch (ClassNotFoundException ex) {

throw new RuntimeException(

POLICY_IMPL_CLASS_NAME + " could not be loaded", ex);

} catch (InstantiationException ex) {

throw new RuntimeException(

POLICY_IMPL_CLASS_NAME + " could not be instantiated", ex);

} catch (IllegalAccessException ex) {

throw new RuntimeException(

POLICY_IMPL_CLASS_NAME + " could not be instantiated", ex);

}

// Cannot instantiate this class

private PolicyManager() {}

......

public static WindowManagerPolicy makeNewWindowManager() {

return sPolicy.makeNewWindowManager();

}

......

}

這裡sPolicy是com.android.internal.policy.impl.Policy物件, 再看看它的makeNewWindowManager方法返回的是什麼:

public WindowManagerPolicy makeNewWindowManager() {
    return new PhoneWindowManager();
}

public WindowManagerPolicy makeNewWindowManager() {

return new PhoneWindowManager();

}

現在我們知道mPolicy實際上是PhoneWindowManager, 那麼

int res = mPolicy.checkAddPermission(attrs, appOp);

1	int res = mPolicy.checkAddPermission(attrs, appOp);

實際呼叫的程式碼是:

    @Override
    public int checkAddPermission(WindowManager.LayoutParams attrs, int[] outAppOp) {
        int type = attrs.type;

        outAppOp[0] = AppOpsManager.OP_NONE;

        if (type  WindowManager.LayoutParams.LAST_SYSTEM_WINDOW) {
            return WindowManagerGlobal.ADD_OKAY;
        }
        String permission = null;
        switch (type) {
            case TYPE_TOAST:
                // XXX right now the app process has complete control over
                // this...  should introduce a token to let the system
                // monitor/control what they are doing.
                break;
            case TYPE_DREAM:
            case TYPE_INPUT_METHOD:
            case TYPE_WALLPAPER:
            case TYPE_PRIVATE_PRESENTATION:
                // The window manager will check these.
                break;
            case TYPE_PHONE:
            case TYPE_PRIORITY_PHONE:
            case TYPE_SYSTEM_ALERT:
            case TYPE_SYSTEM_ERROR:
            case TYPE_SYSTEM_OVERLAY:
                permission = android.Manifest.permission.SYSTEM_ALERT_WINDOW;
                outAppOp[0] = AppOpsManager.OP_SYSTEM_ALERT_WINDOW;
                break;
            default:
                permission = android.Manifest.permission.INTERNAL_SYSTEM_WINDOW;
        }
        if (permission != null) {
            if (mContext.checkCallingOrSelfPermission(permission)
                    != PackageManager.PERMISSION_GRANTED) {
                return WindowManagerGlobal.ADD_PERMISSION_DENIED;
            }
        }
        return WindowManagerGlobal.ADD_OKAY;
    }

@Override

public int checkAddPermission(WindowManager.LayoutParams attrs, int[] outAppOp) {

int type = attrs.type;

outAppOp[0] = AppOpsManager.OP_NONE;

if (type WindowManager.LayoutParams.LAST_SYSTEM_WINDOW) {

return WindowManagerGlobal.ADD_OKAY;

}

String permission = null;

switch (type) {

case TYPE_TOAST:

// XXX right now the app process has complete control over

// this... should introduce a token to let the system

// monitor/control what they are doing.

break;

case TYPE_DREAM:

case TYPE_INPUT_METHOD:

case TYPE_WALLPAPER:

case TYPE_PRIVATE_PRESENTATION:

// The window manager will check these.

break;

case TYPE_PHONE:

case TYPE_PRIORITY_PHONE:

case TYPE_SYSTEM_ALERT:

case TYPE_SYSTEM_ERROR:

case TYPE_SYSTEM_OVERLAY:

permission = android.Manifest.permission.SYSTEM_ALERT_WINDOW;

outAppOp[0] = AppOpsManager.OP_SYSTEM_ALERT_WINDOW;

break;

default:

permission = android.Manifest.permission.INTERNAL_SYSTEM_WINDOW;

}

if (permission != null) {

if (mContext.checkCallingOrSelfPermission(permission)

!= PackageManager.PERMISSION_GRANTED) {

return WindowManagerGlobal.ADD_PERMISSION_DENIED;

}

return WindowManagerGlobal.ADD_OKAY;

}

我擷取的是4.4_r1的程式碼, 我們最關心的部分其實一直沒有變, 那就是TYPE_TOAST根本沒有做許可權檢查, 直接break出去了, 最後返回WindowManagerGlobal.ADD_OKAY.

不需要許可權顯示懸浮窗的原因已經找到了, 接著剛才addWindow方法的分析, 繼續看下面一句:

mPolicy.adjustWindowParamsLw(win.mAttrs);

1	mPolicy.adjustWindowParamsLw(win.mAttrs);

也就是PhoneWindowManager.adjustWindowParamsLw, 注意這裡我給出了三個版本的實現, 一個是2.0到2.3.7實現的版本, 一個是4.0.1到4.3.1實現的版本, 一個是4.4實現的版本:

//Android 2.0 - 2.3.7 PhoneWindowManager
    public void adjustWindowParamsLw(WindowManager.LayoutParams attrs) {
        switch (attrs.type) {
            case TYPE_SYSTEM_OVERLAY:
            case TYPE_SECURE_SYSTEM_OVERLAY:
            case TYPE_TOAST:
                // These types of windows can't receive input events.
                attrs.flags |= WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE;
                break;
        }
    }

//Android 4.0.1 - 4.3.1 PhoneWindowManager
    public void adjustWindowParamsLw(WindowManager.LayoutParams attrs) {
        switch (attrs.type) {
            case TYPE_SYSTEM_OVERLAY:
            case TYPE_SECURE_SYSTEM_OVERLAY:
            case TYPE_TOAST:
                // These types of windows can't receive input events.
                attrs.flags |= WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE;
                attrs.flags &= ~WindowManager.LayoutParams.FLAG_WATCH_OUTSIDE_TOUCH;
                break;
        }
    }

//Android 4.4 PhoneWindowManager
    @Override
    public void adjustWindowParamsLw(WindowManager.LayoutParams attrs) {
        switch (attrs.type) {
            case TYPE_SYSTEM_OVERLAY:
            case TYPE_SECURE_SYSTEM_OVERLAY:
                // These types of windows can't receive input events.
                attrs.flags |= WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE;
                attrs.flags &= ~WindowManager.LayoutParams.FLAG_WATCH_OUTSIDE_TOUCH;
                break;
        }
    }

//Android 2.0 - 2.3.7 PhoneWindowManager

public void adjustWindowParamsLw(WindowManager.LayoutParams attrs) {

switch (attrs.type) {

case TYPE_SYSTEM_OVERLAY:

case TYPE_SECURE_SYSTEM_OVERLAY:

case TYPE_TOAST:

// These types of windows can't receive input events.

attrs.flags |= WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE

| WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE;

break;

}

//Android 4.0.1 - 4.3.1 PhoneWindowManager

public void adjustWindowParamsLw(WindowManager.LayoutParams attrs) {

switch (attrs.type) {

case TYPE_SYSTEM_OVERLAY:

case TYPE_SECURE_SYSTEM_OVERLAY:

case TYPE_TOAST:

// These types of windows can't receive input events.

attrs.flags |= WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE

| WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE;

attrs.flags &= ~WindowManager.LayoutParams.FLAG_WATCH_OUTSIDE_TOUCH;

break;

}

//Android 4.4 PhoneWindowManager

@Override

public void adjustWindowParamsLw(WindowManager.LayoutParams attrs) {

switch (attrs.type) {

case TYPE_SYSTEM_OVERLAY:

case TYPE_SECURE_SYSTEM_OVERLAY:

// These types of windows can't receive input events.

attrs.flags |= WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE

| WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE;

attrs.flags &= ~WindowManager.LayoutParams.FLAG_WATCH_OUTSIDE_TOUCH;

break;

}

grepcode上沒有3.x的程式碼, 我也沒查具體是什麼, 沒必要考慮3.x.
可以看到, 在4.0.1以前, 當我們使用TYPE_TOAST, Android會偷偷給我們加上FLAG_NOT_FOCUSABLE和FLAG_NOT_TOUCHABLE, 4.0.1開始, 會額外再去掉FLAG_WATCH_OUTSIDE_TOUCH, 這樣真的是什麼事件都沒了. 而4.4開始, TYPE_TOAST被移除了, 所以從4.4開始, 使用TYPE_TOAST的同時還可以接收觸控事件和按鍵事件了, 而4.4以前只能顯示出來, 不能互動.

API level 18及以下使用TYPE_TOAST無法接收觸控事件的原因也找到了.

尾聲

原文發的時候很多事情沒搞清楚, 後來文章編輯了十幾次, 加上這篇文章, 基本上把所有的疑問都搞明白了. 嗯, 關於這個神奇的懸浮窗的事情應該到這裡就結束了.

本人水平有限, 如有錯誤, 歡迎指正, 以免誤導他人

小米 TYPE_TOAST 懸浮窗無效的原因
2021-09-09
AST
Android 懸浮窗
2022-01-04
Android
懸浮窗的一種實現 | Android懸浮窗Window應用
2019-12-19
Android
Android 懸浮窗 System Alert Window
2022-01-06
Android
Android懸浮窗的學習
2018-10-14
Android
直播原始碼，懸浮窗滾動漸變色效果
2022-03-01
原始碼
Android 懸浮視窗的實現
2017-12-14
Android
Android 攝像頭預覽懸浮窗
2022-01-05
Android
Android仿微信文章懸浮窗效果
2018-10-09
Android
Android懸浮窗--獲取記憶體
2014-06-23
Android記憶體
Andorid 任意介面懸浮窗，實現懸浮窗如此簡單
2017-12-24
Android 輔助許可權與懸浮窗
2019-01-21
Android
【轉載】使用WindowManage實現Android懸浮窗
2018-12-20
Android
Android應用內懸浮窗的實現方案
2017-12-13
Android
QPM 之懸浮窗設定資訊
2019-01-03
Android開發筆記（一百一十八）自定義懸浮窗
2016-08-10
Android筆記
Android實現仿360手機衛士懸浮窗效果
2014-08-14
Android
Android 為應用增加可移動的懸浮視窗
2016-01-23
Android
Android桌面懸浮框
2013-05-31
Android
QPM 之懸浮窗助力效能優化
2019-01-03
優化
懸浮窗開發設計實踐
2022-11-22
HTML 滑鼠放上顯示懸浮視窗
2017-05-18
HTML
iOS自帶懸浮窗除錯工具
2017-12-25
iOS除錯
固定位置的Js懸浮視窗
2015-03-24
JS
直播軟體原始碼，設定懸浮窗並可進行任意位置的移動
2022-05-17
原始碼
短視訊app原始碼，連麥時最小化出現可移動懸浮窗
2022-01-24
APP原始碼
Android實現流量統計和網速監控懸浮窗
2016-01-28
Android
【MyBatis原始碼分析】select原始碼分析及小結
2017-06-11
MyBatis原始碼
Android中的懸浮框
2020-11-06
Android
android懸浮框（service形式）
2013-05-31
Android
短視訊系統原始碼，關於懸浮窗的縮放、拖動等應用
2022-01-04
原始碼
記一次懸浮窗的上線以及坑點總結
2019-11-12
下沉式通知的一種實現 | Android懸浮窗Window應用
2020-01-06
Android
Android 懸浮窗許可權各機型各系統適配大全
2016-11-27
Android
css 滑鼠懸浮連結背景變色程式碼
2017-07-16
CSS
Android 原始碼結構分析
2013-07-30
Android原始碼
Android懸浮框的實現
2018-08-13
Android
Android 懸浮框實現方法
2013-05-31
Android

Android懸浮窗TYPE_TOAST小結: 原始碼分析

前言

思路

正文

尾聲

相關文章