demo.webm
This repo contains the necessary tools which make it possible for one device to act like a touchscreen for (an app running on) some other device, without any special access privilege required on any device.
It does NOT require any quirks like adb or Accessibility Service, and does NOT require root privileges.
Instead, it requires the target app (the one to be remotely controlled) to be specially modded for the purpose (detailed instructions below). As such, it can be utilized to control apps running on normal devices over, for example, the same wifi network. This allows for silent remote controllability without any overlays or permissions. Moreover, it supports all sorts of touch events (like multi touch gestures) and emulates them as-is on the target app with negligible latency.
This project consists of two parts:
-
Remote Touch Client app: the app running on the controlling device, acting as the touchscreen. Its source code is located in client-app directory. You can find a built apk here. It's background is a lazily updating screenshot of the target app (doesn't work for SurfaceViews).
-
A target app: This app receives the touch gestures made by the user on "remote touchscreen" (the client app).
It is actually an app modified so as to host a websocket server which receives and injects into itself these gestures.
The user (you?) has to generate a "target app" themselves. Most simple android apps can be transformed into a target app by following a procedure outlined below.
The example video above uses the "VLC for Android", and "Multi Touch Test" as the target apps. The modified apk in use (for Multi Touch Test) is available in built-samples/sample-target-app for you to try.
A third part of this project is the RTScript, which is a quick n dirty single file java program that automates modification of an app into "target app", using apktool, our lord and saviour.
*The app is should not respond negatively to unpacking/repacking by apktool.
-
Download the RTScript/out/RTScript.jar, place it in an empty folder.
-
Open a terminal window (or command prompt) in the same folder as the one containing RTScript.jar.
-
Run
java -jar RTScript.jar path/to/your-file.apk.Ignore the terminal deprecation warnings.
-
If everything goes well, you will find
your-file.modified.unsigned.apkin that same folder. -
Zipaign and sign this generated apk. If you have no idea how that's done, follow these steps:
5.1: Copy this generated unsigned apk into an empty folder.
5.2: Download and place uber-apk-signer.jar into this folder.
5.3: Run
java -jar uber-apk-signer.jar -a .5.4: You will find a debug signed apk in the same directory, ready to be installed and used as a target app.
-
Unpack the apk of the app (you want to turn into a target app) using
apktool d input.apk -
Make sure the
AndroidManifest.xmlhas<uses-permission android:name="android.permission.INTERNET"/>inside the manifest tag, as well as the attributeandroid:usesCleartextTraffic="true"for application tag. -
Find the launcher (Main) activity using the same
AndroidManifest.xml. Locate the smali file for that activity (without any $ sign in the filename). -
Open the smali file described in the previous step, and search for the line which begins
invoke-super {p0and has a->onCreate(Landroid/os/Bundle;)Vtowards its end. This is the statement which calls super.onCreate inside the onCreate method of said activity. Insert the below line right after said statement:invoke-static {p0}, Lcom/tg/touchdelegate/TouchWs;->startIt(Landroid/app/Activity;)V -
Now simply copy all the contents of
smali-filesfolder (which at present are acomand anorgfolder) inside any one smali folder (the smali folders are named smali, smali_classes2, smali_classes3, and so on), preferably the last one. You may even create a new empty smali folder (numbered one-greater than the last one) to paste the contents into. -
Now simply run
apktool b input, which would build the apk intoinput/dist/input.apk(if successful). Now zipalign and sign this apk. You're done.