Bypass AndroidManifest tag

The process below shows how to start an Activity that is not registered in the AndroidManifest.xml (https://developer.android.com/guide/topics/manifest/activity-element).

The Default Process

Let’s say we have two Activities and call them Activity A and Activity B. In our scenario Activity A is going to start Activity B via Activity.startActivity(…). This call will invoke Instrumentation.execStartActivity(…) followed by IActivityTaskManager.startActivity(…). From here our request will be forwarded through the Binder interface to the ActivityTaskManagerService. Here Android does different checks and once they have passed it will post a transaction to the corresponding App process. There the ActivityThread will handle this request and call Instrumentation.newActivity(…).

THE WORKAROUND

First of all we use the BinderHook (see more: https://github.com/ChickenHook/BinderHookhttps://github.com/ChickenHook/BinderHook) library to catch all startActivity(..) calls. Also we have to install a custom Instrumentation instance into ActivityThread.mInstrumentation.

Once the Activity’s component name contains our Activity and has no android:process attribute we replace it’s intent with a custom intent. This custom intent targets an Activtiy used as Trampoline (in our example TrampolineActivtiy) and we put the original intent into the extra Bundle.

Once the Activity[Task]Manager decides to launch this Intent our CustomInstrumentation.newActivity(…) will be called and we’re able to recover the original Intent and ComponentName.

GITHUB

I implemented a library shipping this solution to your project out of the box. Read more on Github:

Thanks for reading 😉

One comment

Comments are closed.