API restrictions for non SDK interfaces on Android 10

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

API restrictions for non SDK interfaces on Android 10

Abhishek Katti
Hi,


I'm able to generate the Java library which makes use of @SystemApi, @TestApi annotations.
I see that the APIs from the Java library generated are listed with blacklist/whitelist/greylist in hiddenapi-flags.csv appropriately.

However when i import this Java library (JAR) file to to a debug test app (Android studio project), i do have access to all the APIs and i was able to use set/get APIs from the debug test app even when the APIs are blacklisted.
I was expecting Android runtime to intercept and reject the method specially for the blacklisted APIs as described in the below link
https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces#results-of-keeping-non-sdk

Am i missing any step here ? when do we expect the exceptions to be thrown if an app attempts to use non-SDK interfaces.

My expectation here is that for my Java library if an API is listed under blacklist category, exception should be thrown. 
Isn't the expectation correct ?

--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/db9c7fc0-822b-4ce1-9f53-df15ecd04927%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: API restrictions for non SDK interfaces on Android 10

Colin Cross
There is an additional step to encode the hiddenapi flags into the dex file that is probably missing.  Did you add your jar to PRODUCT_BOOT_JARS for your product?

The jar produced by the build is the implementation jar, which contains all the APIs.  If you want a jar to distribute to app developers you'll need to use metalava via a droidstubs module to generate java files that contain only the publicly visible API, and then compile that into a stubs jar.

On Thu, Nov 7, 2019 at 2:21 PM Abhishek Katti <[hidden email]> wrote:
Hi,


I'm able to generate the Java library which makes use of @SystemApi, @TestApi annotations.
I see that the APIs from the Java library generated are listed with blacklist/whitelist/greylist in hiddenapi-flags.csv appropriately.

However when i import this Java library (JAR) file to to a debug test app (Android studio project), i do have access to all the APIs and i was able to use set/get APIs from the debug test app even when the APIs are blacklisted.
I was expecting Android runtime to intercept and reject the method specially for the blacklisted APIs as described in the below link

Am i missing any step here ? when do we expect the exceptions to be thrown if an app attempts to use non-SDK interfaces.

My expectation here is that for my Java library if an API is listed under blacklist category, exception should be thrown. 
Isn't the expectation correct ?

--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/db9c7fc0-822b-4ce1-9f53-df15ecd04927%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/CAMbhsRTOKvgiByxqYYK8xshxdNG0iBevDXpPnob-s4NOB1J6ww%40mail.gmail.com.
Reply | Threaded
Open this post in threaded view
|

Re: API restrictions for non SDK interfaces on Android 10

Abhishek Katti
Hi Collin,

Thank you for your response.
Yes i did add JAR to PRODUCT_BOOT_JARS and encode the hiddenapi flags into the dex file using below

  1. PRODUCT_BOOT_JARS += com.xyz.yy
  2. PRODUCT_HIDDENAPI_STUBS += \ com.xyz.yy-stub
  3. Used compile_dex: true for stub JAR generated.
Are the above steps sufficient ?
I also have generated different stub JAR files using metalava (droiddoc), as mentioned in your response.

I currently have two stub JARs one for the public APIs and one for the System APIs.
Now, my expectation was if third party app tries to import System API jar stub and tries to make use of the System APIs.
The Android runtime would intercept and reject the method.
Is that a fair expectation ?

Best Regards,
Abhishek k




On Saturday, November 9, 2019 at 5:02:38 AM UTC+11, Colin Cross wrote:
There is an additional step to encode the hiddenapi flags into the dex file that is probably missing.  Did you add your jar to PRODUCT_BOOT_JARS for your product?

The jar produced by the build is the implementation jar, which contains all the APIs.  If you want a jar to distribute to app developers you'll need to use metalava via a droidstubs module to generate java files that contain only the publicly visible API, and then compile that into a stubs jar.

On Thu, Nov 7, 2019 at 2:21 PM Abhishek Katti <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="w6P0LeB1BQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">abhishe...@...> wrote:
Hi,

I'm trying to leverage <a href="https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces" title="https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces&#39;;return true;" onclick="this.href=&#39;https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces&#39;;return true;">https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces for my Java library.

I'm able to generate the Java library which makes use of @SystemApi, @TestApi annotations.
I see that the APIs from the Java library generated are listed with blacklist/whitelist/greylist in hiddenapi-flags.csv appropriately.

However when i import this Java library (JAR) file to to a debug test app (Android studio project), i do have access to all the APIs and i was able to use set/get APIs from the debug test app even when the APIs are blacklisted.
I was expecting Android runtime to intercept and reject the method specially for the blacklisted APIs as described in the below link
<a href="https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces#results-of-keeping-non-sdk" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces#results-of-keeping-non-sdk&#39;;return true;" onclick="this.href=&#39;https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces#results-of-keeping-non-sdk&#39;;return true;">https://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces#results-of-keeping-non-sdk

Am i missing any step here ? when do we expect the exceptions to be thrown if an app attempts to use non-SDK interfaces.

My expectation here is that for my Java library if an API is listed under blacklist category, exception should be thrown. 
Isn't the expectation correct ?

--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="w6P0LeB1BQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">android-...@googlegroups.com.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/android-platform/db9c7fc0-822b-4ce1-9f53-df15ecd04927%40googlegroups.com?utm_medium=email&amp;utm_source=footer" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/android-platform/db9c7fc0-822b-4ce1-9f53-df15ecd04927%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/android-platform/db9c7fc0-822b-4ce1-9f53-df15ecd04927%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;">https://groups.google.com/d/msgid/android-platform/db9c7fc0-822b-4ce1-9f53-df15ecd04927%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/4c06696a-b4a1-4836-8c93-67041b8dba05%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: API restrictions for non SDK interfaces on Android 10

Colin Cross
I don't think hiddenapi distinguishes between @SystemApi and public api, only blocking access to methods that are @hide and not @SystemApi or @TestApi.

On Tue, Nov 12, 2019 at 9:03 AM Abhishek Katti <[hidden email]> wrote:
Hi Collin,

Thank you for your response.
Yes i did add JAR to PRODUCT_BOOT_JARS and encode the hiddenapi flags into the dex file using below

  1. PRODUCT_BOOT_JARS += com.xyz.yy
  2. PRODUCT_HIDDENAPI_STUBS += \ com.xyz.yy-stub
  3. Used compile_dex: true for stub JAR generated.
Are the above steps sufficient ?
I also have generated different stub JAR files using metalava (droiddoc), as mentioned in your response.

I currently have two stub JARs one for the public APIs and one for the System APIs.
Now, my expectation was if third party app tries to import System API jar stub and tries to make use of the System APIs.
The Android runtime would intercept and reject the method.
Is that a fair expectation ?

Best Regards,
Abhishek k




On Saturday, November 9, 2019 at 5:02:38 AM UTC+11, Colin Cross wrote:
There is an additional step to encode the hiddenapi flags into the dex file that is probably missing.  Did you add your jar to PRODUCT_BOOT_JARS for your product?

The jar produced by the build is the implementation jar, which contains all the APIs.  If you want a jar to distribute to app developers you'll need to use metalava via a droidstubs module to generate java files that contain only the publicly visible API, and then compile that into a stubs jar.

On Thu, Nov 7, 2019 at 2:21 PM Abhishek Katti <[hidden email]> wrote:
Hi,


I'm able to generate the Java library which makes use of @SystemApi, @TestApi annotations.
I see that the APIs from the Java library generated are listed with blacklist/whitelist/greylist in hiddenapi-flags.csv appropriately.

However when i import this Java library (JAR) file to to a debug test app (Android studio project), i do have access to all the APIs and i was able to use set/get APIs from the debug test app even when the APIs are blacklisted.
I was expecting Android runtime to intercept and reject the method specially for the blacklisted APIs as described in the below link

Am i missing any step here ? when do we expect the exceptions to be thrown if an app attempts to use non-SDK interfaces.

My expectation here is that for my Java library if an API is listed under blacklist category, exception should be thrown. 
Isn't the expectation correct ?

--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/db9c7fc0-822b-4ce1-9f53-df15ecd04927%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/4c06696a-b4a1-4836-8c93-67041b8dba05%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/CAMbhsRSYJWnsynpGNQ2Su2Tj7O-pTkkPDZ7-_5_FELaOf5RaiQ%40mail.gmail.com.