There are three primary parties involved in the input method framework (IMF) architecture:
In most cases, applications that are using the standard de>TextView de> or its subclasses will have little they need to do to work well with soft input methods. The main things you need to be aware of are:
More finer-grained control is available through the APIs here to directly interact with the IMF and its IME -- either showing or hiding the input area, letting the user pick an input method, etc.
For the rare people amongst us writing their own text editors, you will need to implement de>onCreateInputConnection(EditorInfo) de> to return a new instance of your own de>InputConnection de> interface allowing the IME to interact with your editor.
An input method (IME) is implemented as a de>Service de>, typically deriving from de>InputMethodService de>. It must provide the core de>InputMethod de> interface, though this is normally handled by de>InputMethodService de> and implementors will only need to deal with the higher-level API there.
See the
There are a lot of security issues associated with input methods, since they essentially have freedom to completely drive the UI and monitor everything the user enters. The Android input method framework also allows arbitrary third party IMEs, so care must be taken to restrict their selection and interactions.
Here are some key points about the security architecture behind the IMF:
Only the system is allowed to directly access an IME's de>InputMethod de> interface, via the de>BIND_INPUT_METHOD de> permission. This is enforced in the system by not binding to an input method service that does not require this permission, so the system can guarantee no other untrusted clients are accessing the current input method outside of its control.
There may be many client processes of the IMF, but only one may be active at a time. The inactive clients can not interact with key parts of the IMF through the mechanisms described below.
Clients of an input method are only given access to its de>InputMethodSession de> interface. One instance of this interface is created for each client, and only calls from the session associated with the active client will be processed by the current IME. This is enforced by de>AbstractInputMethodService de> for normal IMEs, but must be explicitly handled by an IME that is customizing the raw de>InputMethodSession de> implementation.
Only the active client's de>InputConnection de> will accept operations. The IMF tells each client process whether it is active, and the framework enforces that in inactive processes calls on to the current InputConnection will be ignored. This ensures that the current IME can only deliver events and text edits to the UI that the user sees as being in focus.
An IME can never interact with an de>InputConnection de> while the screen is off. This is enforced by making all clients inactive while the screen is off, and prevents bad IMEs from driving the UI when the user can not be aware of its behavior.
A client application can ask that the system let the user pick a new IME, but can not programmatically switch to one itself. This avoids malicious applications from switching the user to their own IME, which remains running when the user navigates away to another application. An IME, on the other hand, is allowed to programmatically switch the system to another IME, since it already has full control of user input.
The user must explicitly enable a new IME in settings before they can switch to it, to confirm with the system that they know about it and want to make it available for use.