Menu
I try selecting a subsettings in the settings app of my device, and i see this exception. Does this mean settings is a privileged process and can't access webview?
I tried selecting HDMI option from settings, this is the exception stack:
03-23 08:45:03.301 E/AndroidRuntime( 3299): Caused by: java.lang.UnsupportedOperationException: For security reasons, WebView is not allowed in privileged processes
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.webkit.WebViewFactory.getProvider(WebViewFactory.java:96)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.webkit.WebView.getFactory(WebView.java:2194)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.webkit.WebView.ensureProviderCreated(WebView.java:2189)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.webkit.WebView.setOverScrollMode(WebView.java:2248)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.view.View.<init>(View.java:3588)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.view.View.<init>(View.java:3682)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.view.ViewGroup.<init>(ViewGroup.java:497)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.widget.AbsoluteLayout.<init>(AbsoluteLayout.java:55)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.webkit.WebView.<init>(WebView.java:544)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.webkit.WebView.<init>(WebView.java:489)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.webkit.WebView.<init>(WebView.java:472)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.webkit.WebView.<init>(WebView.java:459)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.webkit.WebView.<init>(WebView.java:449)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at com.android.settings.HDMI3DPlaySettings.onCreate(HDMI3DPlaySettings.java:123)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.app.Fragment.performCreate(Fragment.java:2031)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.app.FragmentManagerImpl.moveToState(FragmentManager.java:863)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.app.FragmentManagerImpl.moveToState(FragmentManager.java:1067)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.app.BackStackRecord.run(BackStackRecord.java:834)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.app.FragmentManagerImpl.execPendingActions(FragmentManager.java:1452)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.app.FragmentManagerImpl.executePendingTransactions(FragmentManager.java:483)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at com.android.settings.SettingsActivity.switchToFragment(SettingsActivity.java:1002)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at com.android.settings.SettingsActivity.onCreate(SettingsActivity.java:599)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.app.Activity.performCreate(Activity.java:5990)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1106)
03-23 08:45:03.301 E/AndroidRuntime( 3299): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2320)
833
public static void hookWebView() {
int sdkInt = Build.VERSION.SDK_INT;
try {
Class<?> factoryClass = Class.forName("android.webkit.WebViewFactory");
Field field = factoryClass.getDeclaredField("sProviderInstance");
field.setAccessible(true);
Object sProviderInstance = field.get(null);
if (sProviderInstance != null) {
log.debug("sProviderInstance isn't null");
return;
}
Method getProviderClassMethod;
if (sdkInt > 22) { // above 22
getProviderClassMethod = factoryClass.getDeclaredMethod("getProviderClass");
} else if (sdkInt == 22) { // method name is a little different
getProviderClassMethod = factoryClass.getDeclaredMethod("getFactoryClass");
} else { // no security check below 22
log.info("Don't need to Hook WebView");
return;
}
getProviderClassMethod.setAccessible(true);
Class<?> providerClass = (Class<?>) getProviderClassMethod.invoke(factoryClass);
Class<?> delegateClass = Class.forName("android.webkit.WebViewDelegate");
Constructor<?> providerConstructor = providerClass.getConstructor(delegateClass);
if (providerConstructor != null) {
providerConstructor.setAccessible(true);
Constructor<?> declaredConstructor = delegateClass.getDeclaredConstructor();
declaredConstructor.setAccessible(true);
sProviderInstance = providerConstructor.newInstance(declaredConstructor.newInstance());
log.debug("sProviderInstance:{}", sProviderInstance);
field.set("sProviderInstance", sProviderInstance);
}
log.debug("Hook done!");
} catch (Throwable e) {
log.error(e);
}
}
Run this method before creating WebView.
Android do such security check during creating WebViewFactory's field sProviderInstance(when it is null), and sProviderInstance is a static field. So we can make a instance of sProviderInstance before the security check by using reflection.
See android 5.1 source code below.
static WebViewFactoryProvider getProvider() {
synchronized (sProviderLock) {
// For now the main purpose of this function (and the factory abstraction) is to keep
// us honest and minimize usage of WebView internals when binding the proxy.
if (sProviderInstance != null) return sProviderInstance;
final int uid = android.os.Process.myUid();
if (uid == android.os.Process.ROOT_UID || uid == android.os.Process.SYSTEM_UID) {
throw new UnsupportedOperationException(
"For security reasons, WebView is not allowed in
privileged processes");
}
...
I met the same case; Added [android:sharedUserId="android.uid.system"] in manifest, and used the webview in APP; It was all right in android 5.0.2 project, while failed in 5.1 project...
4
same of Zhenghong Wang's answer, but it works on android 8.1
public static void hookWebView() {
int sdkInt = Build.VERSION.SDK_INT;
try {
Class<?> factoryClass = Class.forName("android.webkit.WebViewFactory");
Field field = factoryClass.getDeclaredField("sProviderInstance");
field.setAccessible(true);
Object sProviderInstance = field.get(null);
if (sProviderInstance != null) {
Log.d(TAG, "sProviderInstance isn't null");
return;
}
Method getProviderClassMethod;
if (sdkInt > 22) { // above 22
getProviderClassMethod = factoryClass.getDeclaredMethod("getProviderClass");
} else if (sdkInt == 22) { // method name is a little different
getProviderClassMethod = factoryClass.getDeclaredMethod("getFactoryClass");
} else { // no security check below 22
Log.i(TAG, "Don't need to Hook WebView");
return;
}
getProviderClassMethod.setAccessible(true);
Class<?> providerClass = (Class<?>) getProviderClassMethod.invoke(factoryClass);
Class<?> delegateClass = Class.forName("android.webkit.WebViewDelegate");
Constructor<?> declaredConstructor = delegateClass.getDeclaredConstructor();
declaredConstructor.setAccessible(true);
sProviderInstance = providerClass
.getDeclaredMethod("create", delegateClass)
.invoke(providerClass, declaredConstructor.newInstance());
Log.d("sProviderInstance", sProviderInstance.toString());
field.set("sProviderInstance", sProviderInstance);
Log.d(TAG, "Hook done!");
} catch (Throwable e) {
Log.e(TAG, "hook WebView Failed", e);
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
