How to use the remote service hidden by the reflection call system to intercept incoming calls and Android calls in a higher version of android

Source: Internet
Author: User

How to use the remote service hidden by the reflection call system to intercept incoming calls and Android calls in a higher version of android

To intercept calls from the Android system, you have to talk about an endCall () method Android provided to developers in earlier versions. However, since Google later considered that for a mobile phone, the most important function is to make a phone call. If this function is easily blocked and the security is poor, Android in the later version shields this method, this method is no longer exposed in TelephoneManager.


So our goal below is to find a way to call this method. Of course, first we need to implement a broadcast receiver to receive the broadcast with the phone status changed, this is implemented by dynamically registering the broadcast receiver in the service. The main advantage is that it is easy to control the life cycle of the broadcast receiver and has higher permissions than static registration.

Private static final String PHONE = "PHONE"; private static final String BOTH = "BOTH"; private static final String SMS = "SMS"; private TelephonyManager tm; private BlacklistDao dao; private inCommingCallReceiver callReceiver; private PhoneStateListener listener; @ Overridepublic IBinder onBind (Intent intent) {return null;} @ Overridepublic void onCreate () {super. onCreate (); tm = (TelephonyManager) getSystem Service (TELEPHONY_SERVICE); dao = new BlacklistDao (this, 1); callcycler = new inCommingCallReceiver (); IntentFilter filter = new IntentFilter (); filter. addAction ("android. intent. action. PHONE_STATE "); filter. addAction ("android. provider. telephony. SMS_RECEIVED "); filter. setPriority (Integer. MAX_VALUE); listener = new PhoneStateListener () {private BlacklistItem blacklistItem; @ Overridepublic void onCallState Changed (int state, String incomingNumber) {super. onCallStateChanged (state, incomingNumber); switch (state) {case TelephonyManager. CALL_STATE_RINGING: // if it is a call, blacklistItem = dao. queryItem (incomingNumber); if (blacklistItem! = Null) {String type = blacklistItem. getType (); if (BOTH. equals (type) | PHONE. equals (type) {System. out. println ("hanging up the phone"); <strong> hangUpCallFromBlacklist (incomingNumber); // method of hanging up the phone} break; default: break ;}}; registerReceiver (callcycler, filter); // register the broadcast receiver}

Cancel the registration of the broadcast receiver in the onDestroy () method of the Service:


@ Overridepublic void onDestroy () {super. onDestroy (); System. out. println (""); unregisterReceiver (callcycler); // cancel the listener tm. listen (listener, PhoneStateListener. LISTEN_NONE); // listener = null ;}


Internal broadcast receiver, used to receive broadcasts with phone status changes:

/*** Listen for incoming calls ** @ author Alex **/private class inCommingCallReceiver extends BroadcastReceiver {private BlacklistItem blacklistItem; @ Overridepublic void onReceive (Context context, Intent intent) {if ("android. intent. action. PHONE_STATE ". equals (intent. getAction () {// If you receive a change in the phone status tm. listen (listener, PhoneStateListener. LISTEN_CALL_STATE );}}}


Next we will focus on hangUpCallFromBlacklist (incomingNumber); in this way, the method of hanging up the incoming call, incomingNumber is the incoming call number.

According to my practice, we should start with the source code of the Android system. Since the endCall method was originally in TelephoneManager, we should start with getSystemService, the instantiation method of TelephoneManager:



We can find that this method is defined in ContextWrapper, and ContextWrapper is inherited from Context. We may go to the source code of Context to find out exactly:


In Context, we only find an abstract method of getSystemService. How can we find the implementation method? in java, the implementation class of the abstract class is generally named after the abstract class name with an "Impl", so we will search for ContextImpl in the source code. java:


We found that getSystemService actually returns the result of a getService method of a ServiceFetcher object. Let's take a look at the getService method of ServiceFetcher:



Here we can see that many different service services are registered in a static block, and these gerService methods are called by ServiceManager, And the return value is an IBinder object. Next, we can find the ServiceManager location in the file import package in android/OS:


Because getService returns an IBinder object, we only need to find the implementation of this getService method, we can pass in TELEPONY_SERVICE to get the remote service binding object that the real TelephonyManager proxy, call the endCall method hidden in it.

Fortunately, in ServiceMnager. java, we found the implementation of the getService method:



We can find that the ServiceManager class is also a hidden class. We cannot directly obtain this class in our code to call the getService method to obtain the IBinder object, so what should we do?

Here we only use the reflection method for processing:

Class clazz = CallSmsSafeService.class.getClassLoader().loadClass("android.os.ServiceManager");Method method = clazz.getMethod("getService", String.class);IBinder binder = (IBinder) method.invoke(null, TELEPHONY_SERVICE);
Through the reflection method above, we get the IBinder object corresponding to TelephonyManager. Next we need to use aidl to call the remote method. Since it is the IBinder object of TelephonyManager, let's go to the TelephonyManager source code to see:


In TelephonyManager, methods similar to getCallState () basically return the method called by the return value of getITelephony (). What is getITelephy:


We found that the returned object is actually an ITelephony object and is returned in the form of a remote service method call;

We can find the location of ITelephony in the file header:


Open the directory above and we find that ITelephony is an aidl file. In this directory, we can find the endCall method:


The following information is contained in the header of ITelephony. aidl:


We want to use aidl to call the method endCall () of the remote service telephony. copy aidl to the com. android. internal. in the telephony package. telephony. neighboringCellInfo. copy the aidl file to the new android. in the telephony package, a corresponding ITelephony is automatically generated in the gen project. java file. So far, we can use the following statement to call the endCall method of the remote service:

ITelephony.Stub.asInterface(binder).endCall();

Finally, do not forget to add the corresponding permissions to the list file:

<! -- Grant the application permission to control calls --> <uses-permission android: name = "android. permission. CALL_PHONE"> <! -- Grant the application permission to read the call status --> <uses-permission android: name = "android. permission. READ_PHONE_STATE">




How does android call methods in other applications through reflection in an application or change the value? ClassNotFo is reported every time.

The two applications should be different processes. You can use JDK's RMI (remote method call) to pass the class to the instance.

In struts2, what is the call sequence of the action method? What is the reflection mechanism of the interceptor? O (partition _ partition) O

To call a method in action, you must specify the method to be called. There is no call order.
Unless you have written the default call method.
Interceptor: for example, you want to go to bed, eat, and take a bath. They all need to enter the room. The door must pass into the room. This door is the interceptor. Of course, the real interceptor function is more than that.
Reflection mechanism: in short, all attributes and methods of a class can be known for any class, and any method of the class can be called for any object; the reflection mechanism is used to dynamically obtain information and call methods of objects. For example, when I see you, I know what you can do. How high are you, who are you. Just for example. Haha
The reflection mechanism of the interceptor is actually the interceptor implemented through the reflection mechanism.
Do you understand?
For more information about the interceptor, see the specific application of Baidu struts2 interceptor.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.