Starting in Android 9 (API level 28), the platform restricts which non-SDK interfaces your app can use. These restrictions apply whenever an app references a non-SDK interface or attempts to obtain its handle using reflection or JNI. These restrictions were put in place to help improve the user and developer experience and reduce the risks of crashes for users and emergency rollouts for developers. For more information about this decision, see Improving Stability by Reducing Usage of non-SDK Interfaces.
Differentiate between SDK and non-SDK interfaces
Generally speaking, public SDK interfaces are those ones found documented in the Android framework Package Index. Handling of non-SDK interfaces is an implementation detail that the API abstracts away, so these interfaces are subject to change without notice.
To avoid crashes and unexpected behavior, apps should only use the officially documented parts of the classes in the SDK. This also means that you shouldn't access methods or fields that are not listed in the SDK when you interact with a class using mechanisms such as reflection.
Non-SDK API lists
With each release of Android, additional non-SDK interfaces are restricted. We know these restrictions can impact your release workflow, and we want to make sure you have the tools to detect usage of non-SDK interfaces, an opportunity to give us feedback, and time to plan and adjust to the new policies.
To minimize the impact of non-SDK restrictions on your development workflow, the non-SDK interfaces are divided into lists that define how tightly their use is restricted, depending on which API level is being targeted. The following table describes each of these lists:
List | Code tags | Description |
---|---|---|
Blocklist |
|
Non-SDK interfaces that you cannot use regardless of your app's target API level. If your app attempts to access one of these interfaces, the system throws an error. |
Conditionally blocked |
|
Starting with Android 9 (API level 28), each API level has non-SDK interfaces that are restricted when an app targets that API level. These lists are labelled by the maximum API level
( If your app attempts to access an interface that is restricted for your target API level, the system behaves as if the API is part of the blocklist. |
Unsupported |
|
Non-SDK interfaces that are unrestricted and your app can use. Note
however, that these interfaces are unsupported and
subject to change without notice. Expect these interfaces to be
conditionally blocked in future Android versions in a
max-target-x list. |
SDK |
|
Interfaces that can be freely used and are now supported as part of the officially documented Android framework Package Index. |
Test APIs |
|
Interfaces that are used for internal system testing, such as APIs that facilitate testing through the Compatibility Test Suite (CTS). Test APIs are not part of the SDK. Starting in Android 11 (API level 30), test APIs are included in the blocklist, so apps aren't allowed to use them regardless of their target API level. All test APIs are unsupported and subject to change without notice, regardless of the platform API level. |
While you can use some non-SDK interfaces (depending on your app's target API level), using any non-SDK method or field always carries a high risk of breaking your app. If your app relies on non-SDK interfaces, you should begin planning a migration to SDK interfaces or other alternatives. If you cannot find an alternative to using a non-SDK interface for a feature in your app, you should request a new public API.
Determine which list an interface belongs to
The lists of non-SDK interfaces are built as part of the platform. See the following sections for information about each Android release.
Android 16 (Developer Preview)
For Android 16, you can download the following file that describes all of the non-SDK interfaces and their corresponding lists:
File: hiddenapi-flags.csv
SHA-256 checksum:
a22d5c2fa9c24ec0b864f0680208e9794222d1921114abe3245979143ce6d1c6
To learn more about the non-SDK API list changes in Android 16, see Updates to non-SDK interface restrictions in Android 16.
Android 15
For Android 15 (API level 35), you can download the following file that describes all of the non-SDK interfaces and their corresponding lists:
File: hiddenapi-flags.csv
SHA-256 checksum:
40134e205e58922a708c453726b279a296e6a1f34a988abd90cec0f3432ea5a9
To learn more about the non-SDK API list changes in Android 15, see Updates to non-SDK interface restrictions in Android 15.
Android 14
For Android 14 (API level 34), you can download the following file that describes all of the non-SDK interfaces and their corresponding lists:
File: hiddenapi-flags.csv
SHA-256 checksum:
7e00db074cbe51c51ff4b411f7b48e98692951395c5c17d069c822cc1d0eae0f
To learn more about the non-SDK API list changes in Android 14, see Updates to non-SDK interface restrictions in Android 14.
Android 13
For Android 13 (API level 33), you can download the following file that describes all of the non-SDK interfaces and their corresponding lists:
File: hiddenapi-flags.csv
SHA-256 checksum:
233a277aa8ac475b6df61bffd95665d86aac6eb2ad187b90bf42a98f5f2a11a3
To learn more about the non-SDK API list changes in Android 13, including suggested public API alternatives for APIs that are conditionally blocked in Android 13, see Updates to non-SDK interface restrictions in Android 13.
Android 12
For Android 12 (API level 31), you can download the following file that describes all of the non-SDK interfaces and their corresponding lists:
File: hiddenapi-flags.csv
SHA-256 checksum:
40674ff4291eb268f86561bf687e69dbd013df9ec9531a460404532a4ac9a761
To learn more about the non-SDK API list changes in Android 12, including suggested public API alternatives for APIs that are conditionally blocked in Android 12, see List changes for Android 12.
Android 11
For Android 11 (API level 30), you can download the following file that describes all of the non-SDK interfaces and their corresponding lists:
File: hiddenapi-flags.csv
SHA-256 checksum:
a19d839f4f61dc9c94960ae977b2e0f3eb30f880ba1ffe5108e790010b477a56
To learn more about the non-SDK API list changes in Android 11, including suggested public API alternatives for APIs that are conditionally blocked in Android 11, see List changes for Android 11.
Android 10
For Android 10 (API level 29), you can download the following file that describes all of the non-SDK interfaces and their corresponding lists:
File: hiddenapi-flags.csv
SHA-256 checksum:
f22a59c215e752777a114bd9b07b0b6b4aedfc8e49e6efca0f99681771c5bfeb
To learn more about the non-SDK API list changes in Android 10, including suggested public API alternatives for APIs that are conditionally blocked in Android 10, see List changes for Android 10.
Android 9
For Android 9 (API level 28), the following text file contains the list of
non-SDK APIs that are not restricted (greylisted):
hiddenapi-light-greylist.txt
.
The blocklist (blacklist
) and list of conditionally blocked APIs (darkgrey
list) are derived at build time.
Generate lists from AOSP
When working with AOSP, you can generate a hiddenapi-flags.csv
file that
contains all of the non-SDK interfaces and their corresponding lists. To do so,
download the AOSP source and then run the following command:
m out/soong/hiddenapi/hiddenapi-flags.csv
You can then find the file in the following location:
out/soong/hiddenapi/hiddenapi-flags.csv
Expected behavior when restricted non-SDK interfaces are accessed
The following table describes the behavior that you can expect if your app attempts to access a non-SDK interface that is part of the blocklist.
Means of access | Result |
---|---|
Dalvik instruction referencing a field | NoSuchFieldError thrown |
Dalvik instruction referencing a method | NoSuchMethodError thrown |
Reflection using Class.getDeclaredField() or Class.getField() |
NoSuchFieldException thrown |
Reflection using Class.getDeclaredMethod() , Class.getMethod() |
NoSuchMethodException thrown |
Reflection using Class.getDeclaredFields() , Class.getFields() |
Non-SDK members not in results |
Reflection using Class.getDeclaredMethods() , Class.getMethods() |
Non-SDK members not in results |
JNI using env->GetFieldID() |
NULL returned, NoSuchFieldError thrown |
JNI using env->GetMethodID() |
NULL returned, NoSuchMethodError thrown |
Test your app for non-SDK interfaces
There are several methods that you can use to test for non-SDK interfaces in your app.
Test using a debuggable app
You can test for non-SDK interfaces by building and running a debuggable app on a device or emulator running Android 9 (API level 28) or higher. Make sure that the device or emulator that you are using matches the target API level of your app.
While running through tests on your app, the system prints a log message if your app accesses certain non-SDK interfaces. You can inspect your app's log messages to find the following details:
- The declaring class, name, and type (in the format that is used by the Android runtime).
- The means of access: either linking, using reflection, or using JNI.
- Which list the non-SDK interface belongs to.
You can use adb logcat
to access these log messages, which appear under the
PID of the running app. For example, an entry in the log might read as follows:
Accessing hidden field Landroid/os/Message;->flags:I (light greylist, JNI)
Test using the StrictMode API
You can also test for non-SDK interfaces by using the StrictMode
API. Use the
detectNonSdkApiUsage
method to enable this. After enabling the
StrictMode
API, you can receive a callback for each usage of a non-SDK
interface by using a penaltyListener
, where you can implement custom
handling. The Violation
object provided in the callback derives from
Throwable
, and the enclosed stack trace provides the context of the usage.
Test using the veridex tool
You can also run the veridex static analysis tool on your APK. The veridex tool scans the entire codebase of the APK, including any third-party libraries, and reports any uses of non-SDK interfaces that it finds.
Limitations of the veridex tool include the following:
- It can't detect invocations through JNI.
- It can detect only a subset of invocations through reflection.
- Its analysis for inactive code paths is limited to API level checks.
- It can only be run on machines that support SSE4.2 and POPCNT instructions.
Windows
Native Windows binaries are not provided, but you can run the veridex tool on Windows by executing the Linux binaries using the Windows Subsystem for Linux (WSL). Before following the steps in this section, install the WSL and choose Ubuntu as your Linux distribution.
After Ubuntu is installed, launch a Ubuntu terminal and then follow these steps:
- Download the veridex tool from the Android runtime prebuilts repository.
- Extract the contents of the
appcompat.tar.gz
file. - In the extracted folder, locate the
veridex-linux.zip
file and extract it. Navigate to the unzipped folder and then run the following command, where
your-app.apk
is the APK that you want to test:./appcompat.sh --dex-file=your-app.apk
macOS
To run the veridex tool on macOS, follow these steps:
- Download the veridex tool from the Android runtime prebuilts repository.
- Extract the contents of the
appcompat.tar.gz
file. - In the extracted folder, locate the
veridex-mac.zip
file and extract it. Navigate to the unzipped folder and then run the following command, where
/path-from-root/your-app.apk
is the path to the APK that you want to test, starting from your system's root directory:./appcompat.sh --dex-file=/path-from-root/your-app.apk
Linux
To run the veridex tool on Linux, follow these steps:
- Download the veridex tool from the Android runtime prebuilts repository.
- Extract the contents of the
appcompat.tar.gz
file. - In the extracted folder, locate the
veridex-linux.zip
file and extract it. Navigate to the unzipped folder and then run the following command, where
your-app.apk
is the APK that you want to test:./appcompat.sh --dex-file=your-app.apk
Test using the Android Studio lint tool
Whenever you build your app in Android Studio, the lint tool inspects your code for potential issues. If your app uses non-SDK interfaces, you might see build errors or warnings, depending on which list those interfaces belong to.
You can also run the lint tool from the command line or run inspections manually on a specific project, folder, or file.
Test using the Play Console
When you upload your app to a testing track in the Play Console, your app is automatically tested for potential issues and a pre-launch report is generated. If your app uses non-SDK interfaces, an error or warning displays in the pre-launch report, depending on which list those interfaces belong to.
For more information, see the Android Compatibility section in Use pre-launch reports to identify issues.
Request a new public API
If you cannot find an alternative to using a non-SDK interface for a feature in your app, you can request a new public API by creating a feature request in our issue tracker.
When creating a feature request, provide the following information:
- Which unsupported API you are using, including the full descriptor seen in
the
Accessing hidden ...
logcat message. - Why you need to use these APIs, including details about the high-level feature that the API is necessary for, not just low level details.
- Why any related public SDK APIs are insufficient for your purposes.
- Any other alternatives you have tried and why these didn't work out.
When you provide these details in your feature request, you increase the likelihood that a new public API will be granted.
Other questions
This section includes some answers to other questions that developers have frequently asked:
General questions
How can Google be sure they can capture the needs of all apps through the issuetracker?
We created the initial lists for Android 9 (API level 28) through static analysis of apps that was supplemented using the following methods:
- manual testing of top Play and non-Play apps
- internal reports
- automatic data collection from internal users
- developer preview reports
- additional static analysis that was designed to conservatively include more false positives
As we evaluate the lists for each new release, we take into account API usage as well as developer feedback through the issue tracker.
How can I enable access to non-SDK interfaces?
You can enable access to non-SDK interfaces on development devices by using adb commands to change the API enforcement policy. The commands that you use vary, depending on the API level. These commands don't require a rooted device.
- Android 10 (API level 29) or higher
To enable access, use the following adb
command:
adb shell settings put global hidden_api_policy 1
To reset the API enforcement policy to the default settings, use the following command:
adb shell settings delete global hidden_api_policy
- Android 9 (API level 28)
To enable access, use the following adb commands:
adb shell settings put global hidden_api_policy_pre_p_apps 1
adb shell settings put global hidden_api_policy_p_apps 1
To reset the API enforcement policy to the default settings, use the following commands:
adb shell settings delete global hidden_api_policy_pre_p_apps
adb shell settings delete global hidden_api_policy_p_apps
You can set the integer in the API enforcement policy to one of the following values:
- 0: Disable all detection of non-SDK interfaces. Using this setting disables
all log messages for non-SDK interface usage and prevents you from testing your
app using the
StrictMode
API. This setting is not recommended. - 1: Enable access to all non-SDK interfaces, but print log messages with
warnings for any non-SDK interface usage. Using this setting also lets you
test your app using the
StrictMode
API. - 2: Disallow usage of non-SDK interfaces that belong to the blocklist or are conditionally blocked for your target API level.
Questions about non-SDK interface lists
Where can I find the non-SDK API lists in the system image?
They are encoded in the field and method access flag bits in platform dex files. There is no separate file in the system image that contains these lists.
Are the non-SDK API lists the same on different OEM devices with the same Android versions?
OEMs can add their own interfaces to the blocklist (blacklist), but they cannot remove interfaces from the AOSP non-SDK API lists. The CDD prevents such changes and CTS tests ensure that the Android Runtime is enforcing the list.
Questions about the compatibility of related apps
Is there any restriction on non-NDK interfaces in native code?
The Android SDK includes Java interfaces. The platform started restricting access to non-NDK interfaces for native C/C++ code in Android 7 (API level 26). For more information, see Improving Stability with Private C/C++ Symbol Restrictions in Android N.
Is there any plan to restrict dex2oat or DEX file manipulation?
We don't have active plans to restrict access to the dex2oat binary, but we don't intend for the DEX file format to be stable or a public interface beyond the portions that are publicly specified in the Dalvik Executable format. We reserve the right to modify or eliminate dex2oat and the unspecified portions of the DEX format at any time. Also note that derived files produced by dex2oat such as ODEX (also known as OAT), VDEX, and CDEX are all unspecified formats.
What if a crucial third-party SDK (for example, an obfuscator) cannot avoid using non-SDK interfaces, but does commit to maintain compatibility with future Android versions? Can Android waive its compatibility requirements in this case?
We don't have plans to waive compatibility requirements on a per-SDK basis. If an SDK developer can only maintain compatibility by depending on interfaces in the unsupported (formerly grey) lists, they should begin planning a migration to SDK interfaces or other alternatives, and request a new public API whenever they cannot find an alternative to using a non-SDK interface.
Do non-SDK interface restrictions apply to all apps including system and first-party apps, not just third-party apps?
Yes, however, we exempt apps signed with the platform key and some system image
apps. Note that these exemptions only apply to apps that are part of the system
image (or updated system image apps). The list is intended only for apps that
build against the private platform APIs, rather than the SDK APIs (where
LOCAL_PRIVATE_PLATFORM_APIS := true
).