How to Bypass Android P Hidden API Restrictions: Three Proven Methods
This article analyzes Android P's hidden API restrictions, explains the underlying distinction mechanisms, and presents three practical techniques—direct calls with a provided module, classloader manipulation via reflection, and access flag tampering—to reliably invoke hidden system APIs on Android devices.
Overview
This article is based on a source-code analysis of Android P (Preview 1). It implements three ways to bypass the restriction on calling hidden APIs; each has been verified to work and successfully invokes hidden system APIs.
Restriction Principle
Android P restricts app code from reaching hidden APIs by drawing two distinctions: whether a Method or Field is hidden or public (SDK), and whether the caller is app code or platform code. The runtime evaluates both in the functions declared in art/runtime/hidden_api.h. In Preview 1 an access to a hidden API only produces a warning log; later releases are expected to fail the lookup and return null for the Method or Field.
The hidden status is stored in two reserved bits of the access_flags_ word of each Method and Field. The caller is identified from the ClassLoader of the calling class: a class loaded by the bootstrap class loader (represented inside the runtime by a null loader) is treated as platform code, anything else as app code. Each bypass below defeats one of these two tests.
Bypass Methods
Method 1: Direct Call via Provided Module
In Preview 1 the checks sit only on the reflection and JNI lookup paths, so a call that is resolved directly from dex code is never inspected. The idea is to compile against a custom android.jar, or a library module with Gradle's provided scope (compileOnly in current Android Gradle plugins), that declares the hidden class with the needed signature, e.g. android.app.ActivityThread with currentActivityThread(). The stub exists only at compile time; at run time the call links against the real framework class. The approach is simple and stable but bound by ordinary Java access rules: it works for public members, and for package-private (default) members only if the runtime places the caller in the same package, which ART also ties to the same class loader, so in practice plan on public members only; protected and private members are out of reach.
Method 2: ClassLoader Confusion via Reflection
This method attacks the second distinction by making the runtime believe the caller belongs to the boot class loader. The article uses art::mirror::Class::SetClassLoader (declared in art/runtime/mirror/class.h) together with the ToClass function exported by libart.so to assign the bootstrap class loader (null) to the app's own classes. A custom ReflectionHelper class, whose loader has been rewritten this way, then performs every reflective lookup (getDeclaredMethod, getDeclaredField and so on) on behalf of the app, so the caller check passes and no warning is logged. Because the runtime inspects the class that invokes the reflection API, lookups must be issued from the helper rather than from an ordinary app class.
Method 3: Access Flag Tampering
The third technique rewrites the two hidden-API bits in the access_flags_ of the target Method or Field so that the member decodes as a public SDK member; its Java visibility is unchanged. Native code obtains the ArtMethod* (for example by hooking the native implementation behind Class.getDeclaredMethod) and clears the bits, after which the member passes the first check from any caller. Existing Java code needs no change, but hooking runtime internals makes this the most complex and the most version-dependent of the three, since the ArtMethod and ArtField layouts change between releases.
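The two distinctions from the Restriction Principle section, and the way Methods 2 and 3 each defeat one of them, in a single runnable model. This is an added example, not code from the article or from ART: the constant values (kAccHiddenApiBits, the two-bit category encoding) and the field order of ArtMethod and ArtField follow Android P's sources, but the runtime objects are replaced by plain structs with illustrative names (MirrorClass, should_block_access, bypass_*), and the flag values fed in are constructed, so the file compiles and runs without a device.

```c
/* Model of Android P's hidden-API decision and of the two native bypasses.
 * Constants and field order follow P's ART sources; the runtime objects are
 * replaced by plain structs so the file compiles and runs anywhere. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* art/runtime/modifiers.h (Android P) */
#define kAccPublic         0x00000001u
#define kAccStatic         0x00000008u
#define kAccHiddenApiBits  0x30000000u   /* two reserved bits, used by ArtMethod and ArtField */
#define kAccHiddenApiShift 28

/* art/runtime/hidden_api_access_flags.h: value 0 is a public SDK member,
 * anything else is one of the hidden categories. */
enum ApiList { kWhitelist = 0, kLightGreylist = 1, kDarkGreylist = 2, kBlacklist = 3 };

enum ApiList decode_api_list(uint32_t access_flags) {
    return (enum ApiList)((access_flags & kAccHiddenApiBits) >> kAccHiddenApiShift);
}

/* Stand-in for art::mirror::Class (illustrative name): the caller check only
 * reads the loader, and a NULL loader means "loaded by the boot class loader". */
typedef struct ClassLoader ClassLoader;                       /* opaque */
typedef struct MirrorClass { ClassLoader *class_loader_; } MirrorClass;

/* Stand-in for art::ArtMethod with P's field order. declaring_class_ is a
 * GcRoot, i.e. a 32-bit compressed reference, so access_flags_ lands at byte
 * offset 4 on 32- and 64-bit builds alike; that is the word Method 3 rewrites. */
typedef struct ArtMethod {
    uint32_t declaring_class_;
    uint32_t access_flags_;
    uint32_t dex_code_item_offset_;
    uint32_t dex_method_index_;
    uint16_t method_index_;
    uint16_t hotness_count_;
} ArtMethod;

/* Stand-in for art::ArtField; access_flags_ is again at offset 4. */
typedef struct ArtField {
    uint32_t declaring_class_;
    uint32_t access_flags_;
    uint32_t field_dex_idx_;
    uint32_t offset_;
} ArtField;

/* Distinction 1: is the member hidden? */
bool member_is_hidden(uint32_t access_flags) {
    return decode_api_list(access_flags) != kWhitelist;
}

/* Distinction 2: does the calling class belong to the boot class loader? */
bool caller_is_platform(const MirrorClass *caller) {
    return caller->class_loader_ == NULL;
}

/* The Preview 1 outcome the article describes: a hidden member reached from an
 * app class loader is flagged (warning now, denial in later builds). */
bool should_block_access(uint32_t member_access_flags, const MirrorClass *caller) {
    return member_is_hidden(member_access_flags) && !caller_is_platform(caller);
}

/* Method 2: re-parent the calling class to the boot class loader. */
void bypass_set_boot_loader(MirrorClass *caller) {
    caller->class_loader_ = NULL;
}

/* Method 3: clear the two hidden-API bits so the member decodes as kWhitelist.
 * Java visibility bits such as kAccPublic are left exactly as they were. */
void bypass_clear_hidden_bits_method(ArtMethod *m) {
    m->access_flags_ &= ~kAccHiddenApiBits;
}

void bypass_clear_hidden_bits_field(ArtField *f) {
    f->access_flags_ &= ~kAccHiddenApiBits;
}

int main(void) {
    int app_loader_object = 0;                     /* constructed: stands in for a PathClassLoader */
    MirrorClass app_class  = { (ClassLoader *)&app_loader_object };
    MirrorClass boot_class = { NULL };

    /* Constructed flags for a hidden public static method such as
     * ActivityThread.currentActivityThread(): light greylist in bits 28-29. */
    uint32_t hidden = kAccPublic | kAccStatic | ((uint32_t)kLightGreylist << kAccHiddenApiShift);

    printf("app caller, hidden member   -> blocked: %d\n", should_block_access(hidden, &app_class));
    printf("boot caller, hidden member  -> blocked: %d\n", should_block_access(hidden, &boot_class));

    MirrorClass helper = app_class;                /* Method 2 */
    bypass_set_boot_loader(&helper);
    printf("after SetClassLoader(null)  -> blocked: %d\n", should_block_access(hidden, &helper));

    ArtMethod m = { 0, hidden, 0, 0, 0, 0 };        /* Method 3 */
    bypass_clear_hidden_bits_method(&m);
    printf("after clearing hidden bits  -> blocked: %d (flags now 0x%08x)\n",
           should_block_access(m.access_flags_, &app_class), m.access_flags_);
    return 0;
}
```

The model makes the trade-off between the two bypasses visible: Method 2 changes one pointer on the caller's class and then every member is reachable through that class, whereas Method 3 must be repeated per ArtMethod or ArtField but works from any caller. In a real process both writes target runtime-owned memory whose layout differs between releases, so the offsets asserted here hold for P only.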
Summary
The article presents three distinct approaches to invoking hidden APIs on Android P: a straightforward provided-module method, a reflection-based class loader manipulation, and a low-level access-flag alteration. Each has its own advantages and limitations, so developers can choose the technique that best fits their project.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Qizhuo Club
360 Mobile tech channel sharing practical experience and original insights from 360 Mobile Security and other teams across Android, iOS, big data, AI, and more.