官方说明
从Android 9(API级别28)开始,该平台限制您的应用可以使用哪些非SDK接口。 只要应用程序引用非SDK接口或尝试使用反射或JNI获取其句柄,这些限制就适用。 这些限制旨在帮助改善用户和开发人员体验,降低用户崩溃的风险以及开发人员的紧急部署。
一般来说,公共SDK接口是在Android框架包索引中记录的那些接口。 非SDK接口的处理是API抽象出来的实现细节,因此这些接口如有更改,恕不另行通知。
源码分析(基于Api 28)
该改动造成的主要影响之一就是无法用反射的方法调用隐藏的API,我们就通过反射来从Class开始分析方法调用的过程:
Class.java
@CallerSensitive
public Method getDeclaredMethod(String name, Class<?>... parameterTypes)
throws NoSuchMethodException, SecurityException {
return getMethod(name, parameterTypes, false);
}
private Method getMethod(String name, Class<?>[] parameterTypes, boolean recursivePublicMethods)
throws NoSuchMethodException {
...
Method result = recursivePublicMethods ? getPublicMethodRecursive(name, parameterTypes)
: getDeclaredMethodInternal(name, parameterTypes);
...
return result;
@FastNative
private native Method getDeclaredMethodInternal(String name, Class<?>[] args);
}
Class中使用getDeclaredMethod
反射一个方法,而该方法最终会调用一个名为getDeclaredMethodInternal
的native的方法,该方法位于Framework层中的java_lang_Class.cc。
java_lang_Class.cc。
static jobject Class_getDeclaredMethodInternal(JNIEnv* env, jobject javaThis,
jstring name, jobjectArray args) {
...
//ShouldBlockAccessToMember方法如果返回false则该方法返回nullptr,上层则会抛出NoSuchMethodException的错误
if (result == nullptr || ShouldBlockAccessToMember(result->GetArtMethod(), soa.Self())) {
return nullptr;
}
return soa.AddLocalReference<jobject>(result.Get());
}
这里有一个ShouldBlockAccessToMember
的方法,如果该方法返回true则Class_getDeclaredMethodInternal
返回nullptr,上层则会抛出NoSuchMethodException的错误,也就形成了系统对非SDK引用的限制。
// Returns true if the first non-ClassClass caller up the stack should not be
// allowed access to `member`.
template<typename T>
ALWAYS_INLINE static bool ShouldBlockAccessToMember(T* member, Thread* self)
REQUIRES_SHARED(Locks::mutator_lock_) {
hiddenapi::Action action = hiddenapi::GetMemberAction(
member, self, IsCallerTrusted, hiddenapi::kReflection);
if (action != hiddenapi::kAllow) {
hiddenapi::NotifyHiddenApiListener(member);
}
return action == hiddenapi::kDeny;
}
这个方法会调用GetMemberAction
方法,如果该方法返回hiddenapi::kDeny
的话,就形成了限制。hiddenapi::Action
的几个值如下:
enum Action {
kAllow, //允许使用
kAllowButWarn, //允许但是警告
kAllowButWarnAndToast, //允许但是警告和弹出提示
kDeny //拒绝使用
};
我们接着看GetMemberAction
方法:
template<typename T>
inline Action GetMemberAction(T* member,
Thread* self,
std::function<bool(Thread*)> fn_caller_is_trusted,
AccessMethod access_method)
REQUIRES_SHARED(Locks::mutator_lock_) {
DCHECK(member != nullptr);
// Decode hidden API access flags.
// NB Multiple threads might try to access (and overwrite) these simultaneously,
// causing a race. We only do that if access has not been denied, so the race
// cannot change Java semantics. We should, however, decode the access flags
// once and use it throughout this function, otherwise we may get inconsistent
// results, e.g. print whitelist warnings (b/78327881).
HiddenApiAccessFlags::ApiList api_list = member->GetHiddenApiAccessFlags();
Action action = GetActionFromAccessFlags(member->GetHiddenApiAccessFlags());
if (action == kAllow) {
// Nothing to do.
return action;
}
// Member is hidden. Invoke `fn_caller_in_platform` and find the origin of the access.
// This can be *very* expensive. Save it for last.
if (fn_caller_is_trusted(self)) {
// Caller is trusted. Exit.
return kAllow;
}
// Member is hidden and caller is not in the platform.
return detail::GetMemberActionImpl(member, api_list, action, access_method);
}
这个函数有三个return,决定了它的Action是什么。
第一个return
先来看第一个return,它数会先通过GetHiddenApiAccessFlags
获取到API的访问Flags(每个API的Flags都是固定的),再根据它用GetActionFromAccessFlags
来获取对应的Action。
inline Action GetActionFromAccessFlags(HiddenApiAccessFlags::ApiList api_list) {
if (api_list == HiddenApiAccessFlags::kWhitelist) {
return kAllow;
}
EnforcementPolicy policy = Runtime::Current()->GetHiddenApiEnforcementPolicy();
if (policy == EnforcementPolicy::kNoChecks) {
// Exit early. Nothing to enforce.
return kAllow;
}
// if policy is "just warn", always warn. We returned above for whitelist APIs.
if (policy == EnforcementPolicy::kJustWarn) {
return kAllowButWarn;
}
DCHECK(policy >= EnforcementPolicy::kDarkGreyAndBlackList);
// The logic below relies on equality of values in the enums EnforcementPolicy and
// HiddenApiAccessFlags::ApiList, and their ordering. Assertions are in hidden_api.cc.
if (static_cast<int>(policy) > static_cast<int>(api_list)) {
return api_list == HiddenApiAccessFlags::kDarkGreylist
? kAllowButWarnAndToast
: kAllowButWarn;
} else {
return kDeny;
}
}
首先判断是否在白名单里,如果再白名单里则直接返回kAllow
。
接着判断EnforcementPolicy
,EnforcementPolicy
定义如下:
// Hidden API enforcement policy
// This must be kept in sync with ApplicationInfo.ApiEnforcementPolicy in
// frameworks/base/core/java/android/content/pm/ApplicationInfo.java
enum class EnforcementPolicy {
kNoChecks = 0,
kJustWarn = 1, // keep checks enabled, but allow everything (enables logging)
kDarkGreyAndBlackList = 2, // ban dark grey & blacklist
kBlacklistOnly = 3, // ban blacklist violations only
kMax = kBlacklistOnly,
};
policy
调用了GetHiddenApiEnforcementPolicy
为其赋值:
hiddenapi::EnforcementPolicy GetHiddenApiEnforcementPolicy() const {
return hidden_api_policy_;
}
hidden_api_policy_
是runtime.h里的一个成员变量。如果hidden_api_policy_
的值为kNoChecks
的话,则GetActionFromAccessFlags
返回kAllow
。
后面就是根据ApiList的类型返回相应的Action,把他们的关系整理如下:
" | kWhitelist | kLightGreylist | kDarkGreylist | kBlacklist |
---|---|---|---|---|
kNoChecks | kAllow | kAllow | kAllow | kAllow |
kJustWarn | kAllow | kAllowButWarn | kAllowButWarn | kAllowButWarn |
kDarkGreyAndBlackList | kAllow | kAllowButWarn | kDeny | kDeny |
kBlacklistOnly | kAllow | kAllowButWarn | kAllowButWarnAndToast | kDeny |
第二个return
第二个return主要用fn_caller_is_trusted(self)
来判断,如果为true的话则返回kAllow
。
fn_caller_is_trusted(self)
这个方法通过调用者的Class来回溯是不是系统调用的该方法系统的ClassLoader都是BootClassLoader,通过判断这个来判断的,如果是系统调用的话,直接返回kAllow
。
第三个return
最后通过GetMemberActionImpl
来判断返回的Action,先来看看这个方法:
template<typename T>
Action GetMemberActionImpl(T* member,
HiddenApiAccessFlags::ApiList api_list,
Action action,
AccessMethod access_method) {
DCHECK_NE(action, kAllow);
// Get the signature, we need it later.
MemberSignature member_signature(member);
Runtime* runtime = Runtime::Current();
// Check for an exemption first. Exempted APIs are treated as white list.
// We only do this if we're about to deny, or if the app is debuggable. This is because:
// - we only print a warning for light greylist violations for debuggable apps
// - for non-debuggable apps, there is no distinction between light grey & whitelisted APIs.
// - we want to avoid the overhead of checking for exemptions for light greylisted APIs whenever
// possible.
const bool shouldWarn = kLogAllAccesses || runtime->IsJavaDebuggable();
if (shouldWarn || action == kDeny) {
if (member_signature.IsExempted(runtime->GetHiddenApiExemptions())) {
action = kAllow;
// Avoid re-examining the exemption list next time.
// Note this results in no warning for the member, which seems like what one would expect.
// Exemptions effectively adds new members to the whitelist.
MaybeWhitelistMember(runtime, member);
return kAllow;
}
...
return action;
}
首先通过IsJavaDebuggable
方法来判断是Debug版本还是Release版本,如果是debug或者Action是kDeny时会调用IsExempted
方法来看看是不是需要处理,再通过MaybeWhitelistMember
来查看是否在豁免名单里(进程启动时,会设置一个豁免列表)。如果在豁免名单里,则把Action设置为kAllow。后面的代码就是通过判断是哪种调用方法调用的来决定用什么方法提示(Warning,Toast等)。
结论
至此,Android P 非SDK限制的源码分析到此就结束了,要注意的是除了反射,JNI调用,通过Provider方式的动态链接也会出发API的检测。通过分析我们知道检测结果的Action都是由GetMemberAction
来返回的,该方法的返回值决定了系统是怎么处理API的调用。