How to see what hidden APIs apps are using in Android P
In late February, we spotted commits in the Android Open Source Code suggesting that Google would restrict applications from accessing undocumented/hidden APIs in the Android software development kit (SDK). The search giant later confirmed those changes; in Android P, API restrictions have expanded to cover Java language interfaces of the SDK, starting with rarely-used interfaces and eventually broadening to other non-SDK methods and fields. The first Android P Developer Preview shows warnings when apps are using non-SDK interfaces, but it isn’t obvious what hidden APIs are being accessed. Luckily, Logcat makes it easier.
Logcat, a command-line tool of the Android Debug Bridge (ADB) that dumps a running log of Android system messages, can be used to see which hidden APIs apps are using in Android P. As XDA Member Senior Telperion discovered, filtering the Logcat with the string “Accessing hidden” exposes a list of internal methods and services that running apps have recently accessed.
One of the easiest ways to set up Logcat is by downloading the ADB binary from Google for your PC’s operating system, installing the appropriate USB drivers for your phone, and enabling USB debugging in Android’s Developer Options menu. (Huawei phones disable Logcat by default; to get it up and running, open the dialer app, enter code *#*#2846579#*#*, select Background Settings, and checkmark every setting in the dialog box.) We recommend using Matlog, a low-overhead, easy-to-use app by XDA Junior Member plusCubed. It can be compiled from source, or downloaded from the Google Play Store.
To add the filter, tap the three-dot menu in the top-right corner of Matlog, select Filters, and tap Add filter. Then type “Accessing hidden” (without quotes) and select OK.
While most apps access hidden APIs relatively innocuously, Google’s decision to restrict non-SDK interfaces in Android P is intended to prevent abuse of those APIs that might compromise users’ privacy and security. A study by researchers at the University of Luxenbourg found that a number of malicious apps used private internal API methods to inject advertisement code into any app, including system services.
It’s also part of Google’s broader effort to crack down on rogue apps in Android. Android P restricts background apps from accessing device cameras and microphones, and Google previously threatened to delist apps from the Google Play Store that misuse Android’s Accessibility APIs—services designed to make Android apps easier to use for people with certain disabilities—in ways that don’t conform to official guidelines.
Want more posts like this delivered to your inbox? Enter your email to be subscribed to our newsletter.