Restrictions on non-SDK interfaces with Android Pie
Starting with Android Pie (API level 28), Android restricts which APIs your application can call if they are not part of the public API. These restrictions apply whenever an app references a non-SDK interface or attempts to obtain its handle using reflection or JNI, but they do not affect calls to the EMDK or other third-party APIs.
Google’s documentation for these restrictions is comprehensive, although I notice it has changed over the past year or so since Android Pie was first announced. On old blogs you may see references to ‘light grey’ and ‘dark grey’ lists, but this terminology has now been done away with in favour of just differentiating between target API levels.
In short, APIs that your application can call are assigned to one of three lists:
| List | Description |
| --- | --- |
| Blacklist | Non-SDK interfaces that you cannot use regardless of your app's target API level. If your app attempts to access one of these interfaces, the system will throw an error. |
| Greylist | Non-SDK interfaces that you can use as long as they are not restricted for your app's target API level. |
| Whitelist | Interfaces that can be freely used and are supported as part of the officially documented Android framework Package Index. |
If your application uses APIs on the Blacklist you need to act before the app can run on an Android Pie device.
If your application uses APIs on the Greylist you need to plan on making changes to your app in the future, before it can support later Android versions.
How do you know which APIs your application uses?
Again, Google’s documentation is comprehensive in describing the different ways to determine whether your application is calling any APIs on the blacklist or greylist:
Inspect the logcat for messages when running a debug build of your app
Logcat will output a message when you use an API which is part of the blacklist or greylist, for example:
Accessing hidden field Landroid/os/Message;->flags:I (light greylist, JNI)
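As an added example (not part of the original post or of Google's tooling), the script below scans a saved logcat capture for warnings of the shape shown above, de-duplicates them and separates blacklist hits from the rest so that a build step can fail on them. Only the first sample message comes from this page; the `com.example` members, the logcat prefixes and the function names are constructed for illustration.

```python
import re

# Shape of the warning quoted above; the member is kept as the raw JVM
# descriptor. Any further comma-separated fields in the parentheses are ignored.
HIDDEN_API = re.compile(
    r"Accessing hidden (?P<kind>field|method) "
    r"(?P<member>L[\w/$]+;->\S+) "
    r"\((?P<list>[^,)]+), (?P<via>[^,)]+)(?:,[^)]*)?\)"
)

# Constructed sample capture. Only the first message is taken from the page;
# the com.example members and the logcat prefixes are made up for illustration.
SAMPLE_LOGCAT = """\
W/com.example.app( 4123): Accessing hidden field Landroid/os/Message;->flags:I (light greylist, JNI)
I/ActivityManager( 1021): Displayed com.example.app/.MainActivity: +412ms
W/com.example.app( 4123): Accessing hidden method Lcom/example/internal/Foo;->bar()V (blacklist, reflection)
W/com.example.app( 4123): Accessing hidden field Landroid/os/Message;->flags:I (light greylist, JNI)
W/com.example.app( 4123): Accessing hidden method Lcom/example/internal/Foo;->baz(I)Z (dark greylist, linking)
"""


def parse_hidden_api_warnings(lines):
    """Return unique (kind, member, list, via) findings in first-seen order."""
    seen = {}
    for line in lines:
        m = HIDDEN_API.search(line)
        if m:
            key = (m["kind"], m["member"], m["list"].strip(), m["via"].strip())
            seen.setdefault(key, None)  # dict preserves insertion order
    return list(seen)


def triage(findings, blocking=("blacklist",)):
    """Split findings into (act_now, plan) by the list named in the message."""
    act_now = [f for f in findings if f[2] in blocking]
    plan = [f for f in findings if f[2] not in blocking]
    return act_now, plan


if __name__ == "__main__":
    act_now, plan = triage(parse_hidden_api_warnings(SAMPLE_LOGCAT.splitlines()))
    for label, group in (("ACT NOW", act_now), ("PLAN", plan)):
        for kind, member, api_list, via in group:
            print(f"{label:8} {kind:6} {member} [{api_list}, via {via}]")
    raise SystemExit(1 if act_now else 0)  # non-zero exit fails a CI step
```

The access method in each finding (JNI, reflection, linking) is worth keeping in the report, because static analysis cannot see every one of them.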
Test using the StrictMode API
Android’s StrictMode API is provided for developers to ensure that an application complies with a set of flexible policies, e.g. ensuring that disk reads do not happen on the main thread. API level 28 introduced a new check, detectNonSdkApiUsage(), which alerts you to use of restricted non-SDK interfaces in the same way as other actions that violate your StrictMode policy.
Test using the Veridex tool
Google have released a tool for static analysis of a built APK; it runs on Mac, Linux and Windows (through the Windows Subsystem for Linux). The tool has limitations, such as the inability to detect invocations through JNI, but unlike the other options on this list it can be run offline without access to the source code or project.
Note the “2 in greylist-max-o” line above: this indicates there are two APIs which will throw an error on Pie but will run fine on Oreo devices.
Test using the Android Studio lint tool
The lint tool is provided as part of Android Studio and can inspect your source code for various issues. Although easily run from within the IDE you can also invoke the lint tool from the command line as part of your DevOps workflow.
The lint tool will also notify you if you have used any APIs on the greylist or blacklist.
Test using the Play Console
The Play Console is becoming increasingly attractive to enterprise developers as we see a transition towards managed Android and the Managed Play Store. The Play Store offers a testing track where you can upload your application for internal testing – this is separate from the Alpha and Beta tracks and allows you to see potential issues with your application before posting. The test track is already a popular way for many of our customers to determine whether Google considers their application potentially harmful before rollout but you can also use the test track to identify use of blacklist or greylist APIs via the pre-launch report.
In Summary
Any developer creating applications that will run on Android Pie should take the time to determine whether they are using any blacklist or greylist APIs.
If you are using any APIs identified to be:
- On the blacklist: Transition immediately to an alternative on the whitelist (or greylist).
- On the greylist: Ensure you have the transition work planned.
For more information, including an FAQ and how to request a new public API, please see Google’s documentation on non-SDK interface restrictions.
Darryn Campbell