image.png
..
隐藏api和非隐藏api
Android P 引入了针对非 SDK 接口(俗称为隐藏API)的使用限制。这是继 Android N上针对 NDK 中私有库的链接限制之后的又一次重大调整。
从今以后,不论是native层的NDK还是 Java层的SDK,我们只能使用Google提供的、公开的标准接口。这对开发者以及用户乃至整个Android生态,当然是一件好事。
但这也同时意味着Android上的各种黑科技有可能会逐渐走向消亡。
公共 api
公共 SDK 接口是在 Android 框架软件包索引 中记录的那些接口
从 Android Pie 开始,对某些隐藏类、方法和字段的访问受到限制在 Pie 之前,通过简单地使用反射来使用这些隐藏的非 SDK 组件非常容易。
但是,现在当尝试访问时,面向 API 28 (Pie) 或更高版本的应用程序将遇到 ClassNotFoundException、NoSuchMethodError 或 NoSuchFieldException Activity#createDialog()。
先来看看系统是如何实现这个限制的。
系统是如何实现限制
通过反射或者JNI访问非公开接口时会触发警告/异常等,那么不妨跟踪一下反射的流程,看看系统到底在哪一步做的限制。
先来看一下 java.lang.Class.getDeclaredMethod(String) :
static jobject Class_getDeclaredMethodInternal(JNIEnv* env, jobject javaThis,
jstring name, jobjectArray args) {
ScopedFastNativeObjectAccess soa(env);
StackHandleScope<1> hs(soa.Self());
DCHECK_EQ(Runtime::Current()->GetClassLinker()->GetImagePointerSize(), kRuntimePointerSize);
DCHECK(!Runtime::Current()->IsActiveTransaction());
Handle<mirror::Method> result = hs.NewHandle(
mirror::Class::GetDeclaredMethodInternal<kRuntimePointerSize, false>(
soa.Self(),
DecodeClass(soa, javaThis),
soa.Decode<mirror::String>(name),
soa.Decode<mirror::ObjectArray<mirror::Class>>(args)));
if (result == nullptr || ShouldBlockAccessToMember(result->GetArtMethod(), soa.Self())) {
return nullptr;
}
return soa.AddLocalReference<jobject>(result.Get());
}
其中看一下 ShouldBlockAccessToMember的调用,如果它返回false,那么直接返回nullptr,上层就会抛 NoSuchMethodXXX 异常;也就触发系统的限制了。
源码如下:
// Returns true if the first non-ClassClass caller up the stack should not be
// allowed access to `member`.
template<typename T>
ALWAYS_INLINE static bool ShouldBlockAccessToMember(T* member, Thread* self)
REQUIRES_SHARED(Locks::mutator_lock_) {
hiddenapi::Action action = hiddenapi::GetMemberAction(
member, self, IsCallerTrusted, hiddenapi::kReflection);
if (action != hiddenapi::kAllow) {
hiddenapi::NotifyHiddenApiListener(member);
}
return action == hiddenapi::kDeny;
}
继续跟踪下 GetMemberAction方法 :
template<typename T>
inline Action GetMemberAction(T* member,
Thread* self,
std::function<bool(Thread*)> fn_caller_is_trusted,
AccessMethod access_method)
REQUIRES_SHARED(Locks::mutator_lock_) {
DCHECK(member != nullptr);
// Decode hidden API access flags.
// NB Multiple threads might try to access (and overwrite) these simultaneously,
// causing a race. We only do that if access has not been denied, so the race
// cannot change Java semantics. We should, however, decode the access flags
// once and use it throughout this function, otherwise we may get inconsistent
// results, e.g. print whitelist warnings (b/78327881).
HiddenApiAccessFlags::ApiList api_list = member->GetHiddenApiAccessFlags();
Action action = GetActionFromAccessFlags(member->GetHiddenApiAccessFlags());
if (action == kAllow) {
// Nothing to do.
return action;
}
// Member is hidden. Invoke `fn_caller_in_platform` and find the origin of the access.
// This can be *very* expensive. Save it for last.
if (fn_caller_is_trusted(self)) {
// Caller is trusted. Exit.
return kAllow;
}
// Member is hidden and caller is not in the platform.
return detail::GetMemberActionImpl(member, api_list, action, access_method);
}
继续跟踪GetMemberActionImpl方法:
emplate<typename T>
Action GetMemberActionImpl(T* member,
HiddenApiAccessFlags::ApiList api_list,
Action action,
AccessMethod access_method) {
DCHECK_NE(action, kAllow);
// Get the signature, we need it later.
MemberSignature member_signature(member);
Runtime* runtime = Runtime::Current();
// Check for an exemption first. Exempted APIs are treated as white list.
// We only do this if we're about to deny, or if the app is debuggable. This is because:
// - we only print a warning for light greylist violations for debuggable apps
// - for non-debuggable apps, there is no distinction between light grey & whitelisted APIs.
// - we want to avoid the overhead of checking for exemptions for light greylisted APIs whenever
// possible.
const bool shouldWarn = kLogAllAccesses || runtime->IsJavaDebuggable();
if (shouldWarn || action == kDeny) {
if (member_signature.IsExempted(runtime->GetHiddenApiExemptions())) {
action = kAllow;
// Avoid re-examining the exemption list next time.
// Note this results in no warning for the member, which seems like what one would expect.
// Exemptions effectively adds new members to the whitelist.
MaybeWhitelistMember(runtime, member);
return kAllow;
}
if (access_method != kNone) {
// Print a log message with information about this class member access.
// We do this if we're about to block access, or the app is debuggable.
member_signature.WarnAboutAccess(access_method, api_list);
}
}
if (kIsTargetBuild) {
uint32_t eventLogSampleRate = runtime->GetHiddenApiEventLogSampleRate();
// Assert that RAND_MAX is big enough, to ensure sampling below works as expected.
static_assert(RAND_MAX >= 0xffff, "RAND_MAX too small");
if (eventLogSampleRate != 0 &&
(static_cast<uint32_t>(std::rand()) & 0xffff) < eventLogSampleRate) {
member_signature.LogAccessToEventLog(access_method, action);
}
}
if (action == kDeny) {
// Block access
return action;
}
// Allow access to this member but print a warning.
DCHECK(action == kAllowButWarn || action == kAllowButWarnAndToast);
if (access_method != kNone) {
// Depending on a runtime flag, we might move the member into whitelist and
// skip the warning the next time the member is accessed.
MaybeWhitelistMember(runtime, member);
// If this action requires a UI warning, set the appropriate flag.
if (shouldWarn &&
(action == kAllowButWarnAndToast || runtime->ShouldAlwaysSetHiddenApiWarningFlag())) {
runtime->SetPendingHiddenApiWarning(true);
}
}
return action;
}
其中调用到了
if (member_signature.IsExempted(runtime->GetHiddenApiExemptions())) {
action = kAllow;
// Avoid re-examining the exemption list next time.
// Note this results in no warning for the member, which seems like what one would expect.
// Exemptions effectively adds new members to the whitelist.
MaybeWhitelistMember(runtime, member);
return kAllow;
}
只要 IsExempted 方法返回 true,就算这个方法在黑名单中,依然会被放行然后允许被调用。
IsExempted方法:
bool MemberSignature::IsExempted(const std::vector<std::string>& exemptions) {
for (const std::string& exemption : exemptions) {
if (DoesPrefixMatch(exemption)) {
return true;
}
}
return false;
}
继续跟踪传递进来的参数 runtime->GetHiddenApiExemptions() 发现也是 runtime 里面的一个参数.
这样就可以直接修改hidden_api_exemptions_ 绕过去限制。
Java 层的,有一个对应的 VMRuntime.setHiddenApiExemptions方法,通过 VMRuntime.setHiddenApiExemptions 设置下豁免条件,就能愉快滴使用反射了。
IsExempted 方法里面调用 DoesPrefixMatch方法。DoesPrefixMatch是对方法签名进行前缀匹配。所有Java方法类的签名都是以 L 开头,这样就可以直接传个 L进去,所有的隐藏API全部被赦免了!
网友评论