Bypassing Android P Hidden API Restrictions: Three Practical Methods

Based on a source‑code analysis of Android P (Preview 1), the article first explains how the system distinguishes hidden from public methods/fields and how it identifies whether a call originates from user code or system code. The restriction relies on special bits in access_flags_ and a check of the caller’s ClassLoader (BootstrapClassLoader vs. application class loader).

Bypass Method 1 – Provided Module : By creating a separate Java library module (e.g., libfakeandroid ) and declaring the missing hidden classes (such as android.app.ActivityThread ) inside it, the project can compile against the hidden API. At runtime the real system class is used, allowing calls like ActivityThread.currentActivityThread() without log warnings. This approach works when the hidden class is absent from the compile‑time android.jar .

Bypass Method 2 – ClassLoader Spoofing : The second technique confuses the second distinction point by forcing the caller’s class loader to be the BootstrapClassLoader. This is achieved by invoking the exported native function SetClassLoader (found in art/runtime/mirror/class.h ) with a ObjPtr<mirror::Class> obtained via the exported ToClass helper. A custom my_dlsym resolves the symbols, and after calling makeHiddenApiAccessable , a helper class ReflectionHelper performs all reflective lookups, eliminating the warning logs.

Bypass Method 3 – Access‑Flag Manipulation : The third method targets the first distinction point by clearing the hidden bits in the access_flags_ of the target Method or Field . By obtaining the jmethodID , casting it to ArtMethod* , and modifying its flags, the API is treated as public. The article shows how to hook Class.getDeclaredMethod (native implementation) to retrieve the internal mirror::Method object and convert it to ArtMethod* . This approach requires hooking but leaves existing code untouched.

Each method’s advantages and drawbacks are discussed: Method 1 is simple and stable but limited to public/default members; Method 2 works for all hidden APIs without hooking but depends on native symbol availability; Method 3 preserves existing code but demands complex hooking and may break in future releases.

The article concludes that developers can choose the most suitable technique based on their project’s constraints and the specific hidden APIs they need to access.