We have recently developed a state-of-the-art static analysis tool for uncovering API compatibility issues in Android apps. Applying this tool to open source apps on F-droid, we have exposed a few instances of compatibility issues and submitting them to development teams for a fix.
For your app, we have found that this project has accessed the following APIs which are available only on an API level higher than the declared minSdkVersion and which are accessed without proper protection. In other words, if those APIs get called at runtime, it will trigger a NoSuchMethodError and thus result in a crash of the running application.
Note that, because of the nature of the static analysis, we cannot confirm whether the flagged APIs would actually be called at runtime (e.g., unreachable code). However, we still believe that those APIs, which may cause compatibility issues, should not be accessed or at least be accessed with proper protections.
In addition to the aforementioned APIs (i.e., backward-compatibility), which could cause app crashes if accessed, we have also identified that this project has also accessed some APIs that have been removed from the latest public SDK, making the app possibly suffer from forward-compatibility issues.
We would be very much appreciated if you can acknowledge to us that those reported APIs are indeed problematic for the project’s long-term stability. please let us know if you need any more information relating to this issue report.
Dear developers,
We have recently developed a state-of-the-art static analysis tool for uncovering API compatibility issues in Android apps. Applying this tool to open source apps on F-droid, we have exposed a few instances of compatibility issues and submitting them to development teams for a fix.
For your app, we have found that this project has accessed the following APIs which are available only on an API level higher than the declared minSdkVersion and which are accessed without proper protection. In other words, if those APIs get called at runtime, it will trigger a NoSuchMethodError and thus result in a crash of the running application.
<android.app.backup.BackupAgentHelper: void addHelper(java.lang.String,android.app.backup.BackupHelper)>:[8,25] <android.app.backup.BackupAgentHelper: void onRestore(android.app.backup.BackupDataInput,int,android.os.ParcelFileDescriptor)>:[8,25] <android.app.backup.BackupManager: void(android.content.Context)>:[8,25]
<android.app.backup.BackupAgentHelper: void onBackup(android.os.ParcelFileDescriptor,android.app.backup.BackupDataOutput,android.os.ParcelFileDescriptor)>:[8,25]
<android.app.backup.BackupManager: void dataChanged()>:[8,25]
Note that, because of the nature of the static analysis, we cannot confirm whether the flagged APIs would actually be called at runtime (e.g., unreachable code). However, we still believe that those APIs, which may cause compatibility issues, should not be accessed or at least be accessed with proper protections.
In addition to the aforementioned APIs (i.e., backward-compatibility), which could cause app crashes if accessed, we have also identified that this project has also accessed some APIs that have been removed from the latest public SDK, making the app possibly suffer from forward-compatibility issues.
<org.apache.http.params.BasicHttpParams: void()>:[1,22]
<org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager: void (org.apache.http.params.HttpParams,org.apache.http.conn.scheme.SchemeRegistry)>:[1,22]
<org.apache.http.conn.scheme.PlainSocketFactory: org.apache.http.conn.scheme.PlainSocketFactory getSocketFactory()>:[1,22]
<org.apache.http.client.methods.HttpPost: void (java.lang.String)>:[1,22]
<org.apache.http.Header: org.apache.http.HeaderElement[] getElements()>:[1,22]
<org.apache.http.impl.client.AbstractHttpClient: void addResponseInterceptor(org.apache.http.HttpResponseInterceptor)>:[1,22]
<org.apache.http.conn.scheme.SchemeRegistry: void ()>:[1,22]
<org.apache.http.client.methods.HttpGet: void (java.lang.String)>:[1,22]
<org.apache.http.message.BasicNameValuePair: void (java.lang.String,java.lang.String)>:[1,22]
<org.apache.http.conn.scheme.SchemeRegistry: org.apache.http.conn.scheme.Scheme register(org.apache.http.conn.scheme.Scheme)>:[1,22]
<org.apache.http.impl.client.AbstractHttpClient: org.apache.http.client.CredentialsProvider getCredentialsProvider()>:[1,22]
<org.apache.http.HttpResponse: void setEntity(org.apache.http.HttpEntity)>:[1,22]
<org.apache.http.client.CredentialsProvider: void setCredentials(org.apache.http.auth.AuthScope,org.apache.http.auth.Credentials)>:[1,22]
<org.apache.http.impl.client.DefaultHttpClient: void (org.apache.http.conn.ClientConnectionManager,org.apache.http.params.HttpParams)>:[1,22]
<org.apache.http.client.entity.UrlEncodedFormEntity: void (java.util.List,java.lang.String)>:[1,22]
<org.apache.http.HttpResponse: org.apache.http.HttpEntity getEntity()>:[1,22]
<org.apache.http.HttpEntity: org.apache.http.Header getContentEncoding()>:[1,22]
<org.apache.http.entity.HttpEntityWrapper: void (org.apache.http.HttpEntity)>:[1,22]
<org.apache.http.auth.UsernamePasswordCredentials: void (java.lang.String,java.lang.String)>:[1,22]
<org.apache.http.HeaderElement: java.lang.String getName()>:[1,22]
<org.apache.http.HttpMessage: void addHeader(java.lang.String,java.lang.String)>:[1,22]
<org.apache.http.conn.scheme.Scheme: void (java.lang.String,org.apache.http.conn.scheme.SocketFactory,int)>:[1,22]
<org.apache.http.HttpEntity: java.io.InputStream getContent()>:[1,22]
<org.apache.http.impl.client.BasicResponseHandler: void ()>:[1,22]
<org.apache.http.impl.client.AbstractHttpClient: void addRequestInterceptor(org.apache.http.HttpRequestInterceptor)>:[1,22]
<org.apache.http.client.methods.HttpEntityEnclosingRequestBase: void setEntity(org.apache.http.HttpEntity)>:[1,22]
<org.apache.http.HttpMessage: boolean containsHeader(java.lang.String)>:[1,22]
We would be very much appreciated if you can acknowledge to us that those reported APIs are indeed problematic for the project’s long-term stability. please let us know if you need any more information relating to this issue report.