java.lang.UnsupportedOperationException:出于安全原因,特权进程中不允许使用WebView

Question

我尝试在我的设备的设置应用程序中选择子集,我看到了这个例外.这是否意味着设置是一个特权进程,无法访问webview？

我尝试从设置中选择HDMI选项,这是异常堆栈:

03-23 08:45:03.301 E/AndroidRuntime( 3299): Caused by: java.lang.UnsupportedOperationException: For security reasons, WebView is not allowed in privileged processes
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.webkit.WebViewFactory.getProvider(WebViewFactory.java:96)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.webkit.WebView.getFactory(WebView.java:2194)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.webkit.WebView.ensureProviderCreated(WebView.java:2189)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.webkit.WebView.setOverScrollMode(WebView.java:2248)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.view.View.<init>(View.java:3588)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.view.View.<init>(View.java:3682)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.view.ViewGroup.<init>(ViewGroup.java:497)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.widget.AbsoluteLayout.<init>(AbsoluteLayout.java:55)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.webkit.WebView.<init>(WebView.java:544)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.webkit.WebView.<init>(WebView.java:489)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.webkit.WebView.<init>(WebView.java:472)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.webkit.WebView.<init>(WebView.java:459)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.webkit.WebView.<init>(WebView.java:449)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at com.android.settings.HDMI3DPlaySettings.onCreate(HDMI3DPlaySettings.java:123)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.app.Fragment.performCreate(Fragment.java:2031)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.app.FragmentManagerImpl.moveToState(FragmentManager.java:863)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.app.FragmentManagerImpl.moveToState(FragmentManager.java:1067)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.app.BackStackRecord.run(BackStackRecord.java:834)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.app.FragmentManagerImpl.execPendingActions(FragmentManager.java:1452)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.app.FragmentManagerImpl.executePendingTransactions(FragmentManager.java:483)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at com.android.settings.SettingsActivity.switchToFragment(SettingsActivity.java:1002)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at com.android.settings.SettingsActivity.onCreate(SettingsActivity.java:599)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.app.Activity.performCreate(Activity.java:5990)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1106)
03-23 08:45:03.301 E/AndroidRuntime( 3299):     at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2320)

Answer 1

public static void hookWebView() {
    int sdkInt = Build.VERSION.SDK_INT;
    try {
        Class<?> factoryClass = Class.forName("android.webkit.WebViewFactory");
        Field field = factoryClass.getDeclaredField("sProviderInstance");
        field.setAccessible(true);
        Object sProviderInstance = field.get(null);
        if (sProviderInstance != null) {
            log.debug("sProviderInstance isn't null");
            return;
        }
        Method getProviderClassMethod;
        if (sdkInt > 22) { // above 22
            getProviderClassMethod = factoryClass.getDeclaredMethod("getProviderClass");
        } else if (sdkInt == 22) { // method name is a little different
            getProviderClassMethod = factoryClass.getDeclaredMethod("getFactoryClass");
        } else { // no security check below 22
            log.info("Don't need to Hook WebView");
            return;
        }
        getProviderClassMethod.setAccessible(true);
        Class<?> providerClass = (Class<?>) getProviderClassMethod.invoke(factoryClass);
        Class<?> delegateClass = Class.forName("android.webkit.WebViewDelegate");
        Constructor<?> providerConstructor = providerClass.getConstructor(delegateClass);
        if (providerConstructor != null) {
            providerConstructor.setAccessible(true);
            Constructor<?> declaredConstructor = delegateClass.getDeclaredConstructor();
            declaredConstructor.setAccessible(true);
            sProviderInstance = providerConstructor.newInstance(declaredConstructor.newInstance());
            log.debug("sProviderInstance:{}", sProviderInstance);
            field.set("sProviderInstance", sProviderInstance);
        }
        log.debug("Hook done!");
    } catch (Throwable e) {
        log.error(e);
    }
}

在创建 WebView 之前运行此方法。

Android 在创建WebViewFactory的字段时sProviderInstance（当它为空时）会做这样的安全检查，并且sProviderInstance是一个静态字段。所以我们可以sProviderInstance使用反射在安全检查之前创建一个实例。

请参阅下面的 android 5.1 源代码。

static WebViewFactoryProvider getProvider() {
    synchronized (sProviderLock) {
        // For now the main purpose of this function (and the factory abstraction) is to keep
        // us honest and minimize usage of WebView internals when binding the proxy.
        if (sProviderInstance != null) return sProviderInstance;

        final int uid = android.os.Process.myUid();
        if (uid == android.os.Process.ROOT_UID || uid == android.os.Process.SYSTEM_UID) {
        throw new UnsupportedOperationException(
            "For security reasons, WebView is not allowed in 
privileged processes");
        }

...

Answer 2

我也遇到过同样的情况；在manifest中添加[android:sharedUserId="android.uid.system"]，并在APP中使用webview；在android 5.0.2项目中一切正常，而在5.1项目中失败......