Demystifying Android Non-SDK APls: Measurement and Understanding

During the Android app development, the SDK is essential, which provides rich APIs to facilitate the implementations of functional-ities. However, in the Android framework, there still exist plenty of non-SDK APIs that are not well documented. These non-SDK APIs can be invoked through unconventional ways, such as Java reflection. On the other hand, these APIs are not stable and may be changed or even removed in future Android versions, providing no guarantee for compatibility. From Android 9 (API level 28), Google began to strictly restrict the use of non-SDK APIs, and the corresponding checking mechanism has been integrated into the Android OS. In this work, we systematically study the use and design of Android non-SDK APIs. Notably, we propose four research questions covering the restriction mechanism, the present usage status, malicious usage, and the API list evolution. To answer these questions, we conducted a large-scale measurement based on over 200K apps and the source code of three recent Android versions. As a result, a series of exciting and valuable findings are obtained. For example, Google's restriction is not strong enough and can still be bypassed. Besides, app developers use only a tiny part of non-SDK APIs. Our work provides new knowledge to the research community and can help researchers improve the Android API designs.