tools/apkcheck/README.txt - fp2-dev/platform/development - Gitiles

 Android APK Checker

 This compares the set of classes, fields, and methods used by an Android
 application against the published API.  It identifies and reports the
 use of any unpublished members or methods.

 The public API description files live in the source tree, in
 frameworks/base/api/.  The tip-of-tree version is in "current.xml",
 and each officially released API has a numbered file (e.g. "6.xml").
 They're generated from the sources, and can take into acount javadoc
 annotations like "@hide" in comments.

 The dependency set for an APK can be generated with "dexdeps".  It finds
 all classes, fields, and methods that are referenced by classes.dex but not
 defined locally.  The tool can't easily tell anything about a dependency
 beyond the name (e.g. whether a class is a static or non-static inner
 class), so while the output from dexdeps is similar in structure to the
 API XML file, it has much less detail.


 ==== Usage ====

 % apkcheck [options] public-api.xml apk1.xml ...

 Provide the public API data file of choice, and one or more XML files
 generated by dexdeps.  The time required to parse and manipulate the
 public API XML file is generally much larger than the time required to
 analyze the APK, so if you have a large set of APKs it's best to run them
 through in large batches.

 Options:

   --help
     Show options summary.

   --uses-library=<lib.xml>
     Load additional public API list.  This is intended for APKs that
     use "uses-library" directives to pull in external libraries.  Since
     the external libraries are not part of the public API, their use
     would otherwise be flagged as illegal by apkcheck.

   --ignore-package=<package-name>
     Ignore errors generated by references to the named package (e.g.
     "com.google.android.maps").  Warnings will be generated instead.
     Useful for ignoring references to shared library content when
     XML API data is not available.

   --[no-]warn
     Enable or disable warning messages.  These are disabled by default.

   --[no-]error
     Enable or disable error messages.  These are enabled by default.  If
     you disable both warnings and errors you will only see a summary.

 In some cases involving generic signatures it may not be possible
 to accurately reconstruct the public API.  Some popular cases have
 been hard-coded into the program.  They can be included by specifying
 "--uses-library=BUILTIN".

 Example use:

 % dexdeps out/target/product/sapphire/system/app/Gmail.apk > Gmail.apk.xml
 % apkcheck --uses-library=BUILTIN frameworks/base/api/current.xml Gmail.apk.xml
 Gmail.apk.xml: summary: 0 errors, 15 warnings


 ==== Limitations ====

 The API XML files have some ambiguous entries and are missing important
 pieces.  A summary of the issues follows.

 (1) Class names are not in binary form

 Example:

  type="android.os.Parcelable.Creator"

 This could be a Creator class in the package android.os.Parcelable,
 or Parcelable.Creator in the package android.os.  We can guess based on
 capitalization, but that's unreliable.

 The API XML does specify each package in a <package> tag, so we should have
 the full set of packages available.  From this we can remove one element
 at a time from the right until we match a known package.  This will work
 unless "android.os" and "android.os.Parcelable" are both valid packages.


 (2) Public enums are not enumerated

 Enumeration classes are included, and always have two methods ("valueOf"
 and "values").  What isn't included are entries for the fields representing
 the enumeration values.  This makes it look like an APK is referring
 to non-public fields in the class.

 If apkcheck sees a reference to an unknown field, and the field's defining
 class appears to be an Enum (the superclass is java.lang.Enum), we emit
 a warning instead of an error.


 (3) Public annotation methods are not listed

 Annotation classes have trivial entries that show only the class name
 and "implements java.lang.annotation.Annotation".  It is not possible
 to verify that a method call on an annotation is valid.

 If apkcheck sees a method call to an unknown method, and the class appears
 to be an annotation (extends Object, implements Annotation, defines no
 fields or methods), we emit a warning instead of an error.


 (4) Covariant return types

 Suppose a class defines a method "public Foo gimmeFoo()".  Any subclass
 that overrides that method must also return Foo, so it would seem that
 there's no need to emit a method entry for gimmeFoo() in the subclasses.

 However, it's possible to override gimmeFoo with "public MegaFoo
 gimmeFoo()" so long as MegaFoo is an instance of Foo.  In that case it
 is necessary to emit a new method entry, but the public API XML generator
 does not.

 If apkcheck can't find an exact match for a method reference, but can
 find a method that matches on everything but the return type, it will
 emit a warning instead of an error.  (We could be more thorough and try
 to verify that the return types are related, but that's more trouble than
 it's worth.)


 (5) Generic signatures

 When generic signatures are used, the public API file will contain
 entries like these:

  <parameter name="key" type="K">
  <parameter name="others" type="E...">
  <parameter name="map" type="java.util.Map&lt;? extends K, ? extends V&gt;">

 The generic types are generally indistinguishable from classes in the
 default package (i.e. that have no package name).  In most cases they're
 a single letter, so apkcheck includes a kluge that converts single-letter
 class names to java.lang.Object.

 This often works, but falls apart in a few cases.  For example:

  public <T extends Parcelable> T getParcelableExtra(String name) {
      return mExtras == null ? null : mExtras.<T>getParcelable(name);
  }

 This is emitted as:

  <method name="getParcelableExtra" return="T">

 which gets converted to java.lang.Object.  Unfortunately the APK wants
 a method with a more specific return type (android.os.Parcelable), so
 the lookup fails.

 There is no way to recover the actual type, because the generic signature
 details are not present in the XML.  This particular case will be handled
 as a covariant return type.  When the generic type is in the parameter
 list, though, this isn't handled so easily.

 These cases are relatively few, so they were handled by baking the
 signatures into the code (--uses-library=BUILTIN).  (At some point it
 may be worthwhile to try a little harder here.)


 (6) Use of opaque non-public types

 Some classes are not meant for public consumption, but are still referred
 to by application code.  For example, an opaque type might be passed to
 the app as a cookie.

 Another example is the Dalvik annotation classes, like
 dalvik.annotation.InnerClass.  These are emitted by "dx", and referenced
 from the DEX file, but not intended to be used by application code.

 If an APK refers to a non-public class, but doesn't access any fields
 or methods, a warning is emitted instead of an error.
	Android APK Checker

	This compares the set of classes, fields, and methods used by an Android
	application against the published API. It identifies and reports the
	use of any unpublished members or methods.

	The public API description files live in the source tree, in
	frameworks/base/api/. The tip-of-tree version is in "current.xml",
	and each officially released API has a numbered file (e.g. "6.xml").
	They're generated from the sources, and can take into acount javadoc
	annotations like "@hide" in comments.

	The dependency set for an APK can be generated with "dexdeps". It finds
	all classes, fields, and methods that are referenced by classes.dex but not
	defined locally. The tool can't easily tell anything about a dependency
	beyond the name (e.g. whether a class is a static or non-static inner
	class), so while the output from dexdeps is similar in structure to the
	API XML file, it has much less detail.


	==== Usage ====

	% apkcheck [options] public-api.xml apk1.xml ...

	Provide the public API data file of choice, and one or more XML files
	generated by dexdeps. The time required to parse and manipulate the
	public API XML file is generally much larger than the time required to
	analyze the APK, so if you have a large set of APKs it's best to run them
	through in large batches.

	Options:

	--help
	Show options summary.

	--uses-library=<lib.xml>
	Load additional public API list. This is intended for APKs that
	use "uses-library" directives to pull in external libraries. Since
	the external libraries are not part of the public API, their use
	would otherwise be flagged as illegal by apkcheck.

	--ignore-package=<package-name>
	Ignore errors generated by references to the named package (e.g.
	"com.google.android.maps"). Warnings will be generated instead.
	Useful for ignoring references to shared library content when
	XML API data is not available.

	--[no-]warn
	Enable or disable warning messages. These are disabled by default.

	--[no-]error
	Enable or disable error messages. These are enabled by default. If
	you disable both warnings and errors you will only see a summary.

	In some cases involving generic signatures it may not be possible
	to accurately reconstruct the public API. Some popular cases have
	been hard-coded into the program. They can be included by specifying
	"--uses-library=BUILTIN".

	Example use:

	% dexdeps out/target/product/sapphire/system/app/Gmail.apk > Gmail.apk.xml
	% apkcheck --uses-library=BUILTIN frameworks/base/api/current.xml Gmail.apk.xml
	Gmail.apk.xml: summary: 0 errors, 15 warnings


	==== Limitations ====

	The API XML files have some ambiguous entries and are missing important
	pieces. A summary of the issues follows.

	(1) Class names are not in binary form

	Example:

	type="android.os.Parcelable.Creator"

	This could be a Creator class in the package android.os.Parcelable,
	or Parcelable.Creator in the package android.os. We can guess based on
	capitalization, but that's unreliable.

	The API XML does specify each package in a <package> tag, so we should have
	the full set of packages available. From this we can remove one element
	at a time from the right until we match a known package. This will work
	unless "android.os" and "android.os.Parcelable" are both valid packages.


	(2) Public enums are not enumerated

	Enumeration classes are included, and always have two methods ("valueOf"
	and "values"). What isn't included are entries for the fields representing
	the enumeration values. This makes it look like an APK is referring
	to non-public fields in the class.

	If apkcheck sees a reference to an unknown field, and the field's defining
	class appears to be an Enum (the superclass is java.lang.Enum), we emit
	a warning instead of an error.


	(3) Public annotation methods are not listed

	Annotation classes have trivial entries that show only the class name
	and "implements java.lang.annotation.Annotation". It is not possible
	to verify that a method call on an annotation is valid.

	If apkcheck sees a method call to an unknown method, and the class appears
	to be an annotation (extends Object, implements Annotation, defines no
	fields or methods), we emit a warning instead of an error.


	(4) Covariant return types

	Suppose a class defines a method "public Foo gimmeFoo()". Any subclass
	that overrides that method must also return Foo, so it would seem that
	there's no need to emit a method entry for gimmeFoo() in the subclasses.

	However, it's possible to override gimmeFoo with "public MegaFoo
	gimmeFoo()" so long as MegaFoo is an instance of Foo. In that case it
	is necessary to emit a new method entry, but the public API XML generator
	does not.

	If apkcheck can't find an exact match for a method reference, but can
	find a method that matches on everything but the return type, it will
	emit a warning instead of an error. (We could be more thorough and try
	to verify that the return types are related, but that's more trouble than
	it's worth.)


	(5) Generic signatures

	When generic signatures are used, the public API file will contain
	entries like these:

	<parameter name="key" type="K">
	<parameter name="others" type="E...">
	<parameter name="map" type="java.util.Map<? extends K, ? extends V>">

	The generic types are generally indistinguishable from classes in the
	default package (i.e. that have no package name). In most cases they're
	a single letter, so apkcheck includes a kluge that converts single-letter
	class names to java.lang.Object.

	This often works, but falls apart in a few cases. For example:

	public <T extends Parcelable> T getParcelableExtra(String name) {
	return mExtras == null ? null : mExtras.<T>getParcelable(name);
	}

	This is emitted as:

	<method name="getParcelableExtra" return="T">

	which gets converted to java.lang.Object. Unfortunately the APK wants
	a method with a more specific return type (android.os.Parcelable), so
	the lookup fails.

	There is no way to recover the actual type, because the generic signature
	details are not present in the XML. This particular case will be handled
	as a covariant return type. When the generic type is in the parameter
	list, though, this isn't handled so easily.

	These cases are relatively few, so they were handled by baking the
	signatures into the code (--uses-library=BUILTIN). (At some point it
	may be worthwhile to try a little harder here.)


	(6) Use of opaque non-public types

	Some classes are not meant for public consumption, but are still referred
	to by application code. For example, an opaque type might be passed to
	the app as a cookie.

	Another example is the Dalvik annotation classes, like
	dalvik.annotation.InnerClass. These are emitted by "dx", and referenced
	from the DEX file, but not intended to be used by application code.

	If an APK refers to a non-public class, but doesn't access any fields
	or methods, a warning is emitted instead of an error.