安卓WindowManager注入事件如何跳出进程间安全限制

在分析monkey源码的时候有些背景知识没有搞清楚，比如在看到monkey是使用windowmanager的injectKeyEvent方法注入事件的时候，心里就打了个疙瘩，这种方式不是只能在当前应用中注入事件吗？Google了下发现了国外一个大牛有留下蛛丝马迹描述这个问题，特意摘录下来并做相应部分的翻译，其他部分大家喜欢就看下，我就不翻译了。

How it works

Behind the scenes, Monkey uses several private interfaces to communicate with three essential system services:

1. Package Manager: Monkey uses the package manager to get a list of Activities for a given Intent. This enables Monkey to randomly switch between Activities while testing an application.
2. Activity Manager: Monkey calls the very powerful setActivityController function on the Activity Manager. This effectively gives Monkey complete control over the activity life-cycle for the duration of the test.
3. Window Manager: Monkey calls a series of functions on the Window Manager to inject events into the application. This enables Monkey to simulate touches and key-presses. Because Monkey communicates at this level, there is no obvious difference between events which have arrived from Monkey and events which have arrived from an actual user. In fact, the distinction is so seamless that it is sometimes necessary to manually check who is in control — hence the famous isUserAMonkey() method in the Android

Window Manager: Monkey通过调用WindowManager的一系列方法来注入事件到应用中。这样monkey可以模拟触摸和按键等用户行为。正是因为monkey是在这个层面和应用交互的，所以你的应用接收到的事件哪个是来自真实用户，哪个是来自monkey模拟的已经没有很明显的界限了。事实上正是因为这种近似无缝的区别，我们有时不得不去判断究竟是谁在控制着我们的设备了－－这就是为什么android系统提供的isUserAMonkey()方法变得这么流行的原因了。

Monkey sends random events to any application you choose. In order to ensure that this doesn’t cause a security hole, Android uses several techniques to ensure that only monkey can send events, and only when the phone’s user is asking it to.

Monkey随机的往不同的的app发送随机事件。为了防止这种行为导致android自家的安全漏洞出来，android使用了几个技术来保证只有monkey可以，且在该手机设备用户允许的情况下才可以，往不同的app发送事件。

Firstly, Monkey itself can only be run by root, or by someone in the “shell” Unix group. Normally, only “adb shell” runs as the “shell group”. This means that the only way to run monkey is to do so through “adb shell”.

首先，monkey本身只能一是被root运行，二是被属于shell这个组的成员运行。而正常来说，只有”adb shell“是在shell这个组下运行的。这就意味着运行monkey的唯一方法就是通过‘adb shell’了。

Secondly, the Monkey application, which is mostly written in Java, asks for two special manifest permissions. The first, SET_ACTIVITY_WATCHER, allows Monkey to take control of the activity life-cycle. The second, INJECT_EVENTS, allows Monkey to simulate touches and key presses. Importantly, no normal Android application can request these permissions — they are only granted to applications supplied with the Android system. So there is little danger of a rogue APK taking control of an Android device using Monkey.

其次，monkey这个android自身提供的应用，大部分是用android的native语言java来编写的，它会向系统请求两个特背的manifest权限。第一个就是SET_ACTIVITY_WATCHER这个权限，它允许monkey对activity的生命周期进行全权控制。第二个就是INJECT_EVENTS这个权限它允许monkey去模拟触摸和按键事件。重要的是，正常的安卓app是不能请求到这些权限的--只有android系统同意的应用才会得到允许获得这些权限（译者注：其实就是需要android系统的AOSP系统签名。monkey是android自己维护编写的工具，当然是允许了） 以下是本人摘录的INJECT_EVENTS这个manifest选项的官方解析：

INJECT_EVENTS:Allows an application to inject user events (keys, touch, trackball) into the event stream and deliver them to ANY window. Monkey events What is an event? In Android, events are sent in  response to user input, or due to system events, such as power management. Monkey supports quite a few event types, but only three of them are of interest for automated testing:

• KeyEvent: these events are sent by the window manager in response to hardware button presses, and also presses on the keyboard — whether hardware, or on-screen.
• MotionEvent: sent by the window manager in response to presses on the touchscreen.
• FlipEvent: sent when the user flips out the hardware keyboard on the HTC Dream. On that device, this would imply an orientation change. Unfortunately, Monkey does not simulate orientation changes on other devices.

作/译者	微信知识共享公众号	CSDN
天地会珠海分舵	TechGoGoGo	http://blog.csdn.net/zhubaitian