Android INJECT_EVENTS permission

Question

I am trying to create an application that will have a service running in the background that will be capable of injecting touch screen events into whatever activity is running. I am able to inject events into an Activity that is part of my application by calling Instrumentation.sendPointerSync(motionEvent); However if I try to do this without an activity from my application running I get a permission error saying that I don't have the INJECT_EVENTS permission. I've added this permission to my manifest like this: <uses-permission android:name="android.permission.INJECT_EVENTS"></uses-permission> Its still throwing the same permission exception though. After a bit of searching I've gotten the answer that in order to receive the INJECT_EVENTS permission your app must be signed by the same signature that the system is signed with. I am unclear however what exactly this means. I am going to have to find a custom rom build it and sign it with the same signature that the application is signed with. Then install the custom rom on my device, then install my app and I'll be able to inject the touch events correctly? If this is the case am I better off starting with a custom rom that is already put together, like one from this page Or is it a situation where I am going to need to grab a git copy of the android project and build the whole thing myslef? And either way does anyone know of a place you could point me that would get me working in the right direction to make this happen?

Answer 1

To inject events into a separate process, it is required to both install your app into /system/app and sign your APK with the system certificate.

1. Add permission to the app manifest

<uses-permission android:name="android.permission.INJECT_EVENTS"/>

2. Sign your APK with the system certificate

This requires that you have the AOSP source in order to build a keystore with the google keys used to build the system running on the phone.

Given you have an AOSP directory, @Eli does an excellent job of showing how to build the keystore using a nice script called 'keytool-importkeypair'

Using IntelliJ as an example, choose Generate Signed APK.. from the Build menu. Locate the keystore created above, type in the password given (e.g., android), give the key the same password, if desired. Note that the signed apk is written to the project root (!) not to the typical location (./out/production//).

3. Install into /system/app/

adb root
adb remount
adb push MyApp.apk /system/app

The 'installation' happens automatically. Note, however, that unlike the normal app installation process, any native libraries in your APK are not copied into /system/lib/. You will need to do that manually, if you are using the NDK to build and call your own native libraries.

Answer 2

Actually, this is pretty simple on a rooted device. I think any app that is running off /system will get access to whatever permissions it requires. So simply manually install your App to /system (as described here http://androidforums.com/droid-all-things-root/64603-installing-apk-system-app-directory.html ):

Execute the following commands in the terminal emulator to remount the /system directory as read/write and to install the application into the /system/app directory from the SDCARD:

su
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
cp /sdcard/APP.apk /system/app

If you prefer to use adb from your computer, execute these commands:

adb remount
adb shell cp /sdcard/APP.apk /system/app

Several users have utilized root explorer from the Google marketplace to simplify this process.

---

Alternatively, check this out: How to compile Android Application with system permissions

Answer 3

Using Touch Events:

1. Sign the application with the same signature that the ROM is signed with

2. Download keytool-importkeypair to do this

3. Find platform.pk8 + platform.x509.pem: {Android Source}/build/target/product/security

4. Then generate a certificate:

   ./keytool-importkeypair -k google_certificate.keystore -p android -pk8 platform.pk8 -cert platform.x509.pem -alias platform

5. Now export your app from Eclipse and sign with the new certificate you generated

6. Build ROM, flash to device, install app

Check out http://code.google.com/p/android-event-injector/

Answer 4

Starting from API 18 there is UiAutomation class, which isn't bound to user permissions.

For more information see http://developer.android.com/reference/android/app/Instrumentation.html#getUiAutomation()

Answer 5

In case if anyone is looking for a solution to bypass this signature level permission and want to create touch events.

I looked at the source down to the C++ level where it is actually checked whether to allow the app to create touch events or not. The following is the function which actually checks if the app should be allowed or not :

bool InputDispatcher::hasInjectionPermission(int32_t injectorPid, int32_t injectorUid) {
return injectorUid == 0
        || mPolicy->checkInjectEventsPermissionNonReentrant(injectorPid, injectorUid);
}

So the function returns true of the user id of the app is set to 0.

Now I changed the uid if my app to 0 by editing the filee /data/system/packages.xml. This file contains the uid assigned to every app. Edit this file by setting the userId attribute corresponding to your app to 0.

Now all you need is to force close the app and restart again. You will be able to bypass the INJECT_EVENTS permission.

Answer 6

I'm also having this same problem before, In the below way I over the KEY_INJECT_EVENT_PERMISSION issue.

Step 1: You need to get the Signature (for me the file name is signapk) of your Device ROM.

Step 2: Then you need to get the platform.pk8 and platform.x509.pem files.

Step 3: Generate the the debug apk of your application.

Step 4: Place all the above files in a single folder.

Step 5: Once you get all the above files run the command mentioned in below.

java -jar signapk.jar platform.x509.pem platform.pk8 your_debug_app.apk customname.apk

Step 6: After this you can get a signed apk (customname.apk) in the same folder.Once you get that run the below command.

adb install -r app-release-signed.apk

Step 7: Now the Inject_Event_Permisson will be enabled.

Refer the below link:

https://steveandro.blogspot.com/2019/09/key-injection-android.html

Answer 7

If you are using a physical samsung device, changing navigation type from Swipe gestures to Buttons in the device settings seems to solve this issue.

Answer 8

Alright, I got this finally. Believe me when I say this, this is probably the worst solution if you can even call it that. This requires root and will disable signature verification of all packages, system wide. This can expose you to a bunch of attacks where a dangerous app replaces a normal one.

Anyways, with that out of the way here we go:

1. Install Xposed
2. Install XInstaller module for Xposed
3. In XInstaller options, go to the menu named "Installations" and check the box that says "Checking signatures" and "Verifying apps"

You should be good to go after a reboot. Your app won't even need to be installed as system, it can now be run in userspace which I suppose makes developing easier since you don't need to copy to /system/app anymore