API Compatibility Issues

[lilicoding]

Dear developers,

We have recently developed a state-of-the-art static analysis tool for uncovering API compatibility issues in Android apps. Applying this tool to open source apps on F-droid, we have exposed a few instances of compatibility issues and submitting them to development teams for a fix.

For your app, we have found that this project has accessed the following APIs which are available only on an API level higher than the declared minSdkVersion and which are accessed without proper protection. In other words, if those APIs get called at runtime, it will trigger a NoSuchMethodError and thus result in a crash of the running application.

<javax.xml.transform.sax.SAXSource: org.xml.sax.InputSource getInputSource()>:[8,25]
<javax.xml.transform.Transformer: void transform(javax.xml.transform.Source,javax.xml.transform.Result)>:[8,25]
<javax.xml.transform.TransformerFactory: javax.xml.transform.TransformerFactory newInstance()>:[8,25]
<javax.xml.transform.sax.SAXResult: void setLexicalHandler(org.xml.sax.ext.LexicalHandler)>:[8,25]
<javax.xml.transform.TransformerFactory: javax.xml.transform.Templates newTemplates(javax.xml.transform.Source)>:[8,25]
<javax.xml.transform.sax.SAXResult: void setHandler(org.xml.sax.ContentHandler)>:[8,25]
<javax.xml.transform.Templates: javax.xml.transform.Transformer newTransformer()>:[8,25]
<javax.xml.transform.stream.StreamSource: void (java.lang.String)>:[8,25]
<javax.xml.transform.sax.SAXSource: void setInputSource(org.xml.sax.InputSource)>:[8,25]
<javax.xml.transform.sax.SAXSource: void ()>:[8,25]
<javax.xml.transform.sax.SAXResult: org.xml.sax.ContentHandler getHandler()>:[8,25]
<javax.xml.transform.sax.SAXResult: void ()>:[8,25]
<javax.xml.transform.stream.StreamSource: void (java.io.Reader)>:[8,25]
<javax.xml.transform.stream.StreamSource: void (java.io.InputStream)>:[8,25]
<javax.xml.transform.stream.StreamSource: void (java.io.File)>:[8,25]

Note that, because of the nature of the static analysis, we cannot confirm whether the flagged APIs would actually be called at runtime (e.g., unreachable code). However, we still believe that those APIs, which may cause compatibility issues, should not be accessed or at least be accessed with proper protections.

In addition to the aforementioned APIs (i.e., backward-compatibility), which could cause app crashes if accessed, we have also identified that this project has also accessed some APIs that have been removed from the latest public SDK, making the app possibly suffer from forward-compatibility issues.

<org.apache.http.impl.cookie.BasicClientCookie: void setPath(java.lang.String)>:[1,22]
<org.apache.http.HttpEntity: void consumeContent()>:[1,22]
<org.apache.http.cookie.Cookie: java.lang.String getName()>:[1,22]
<org.apache.http.client.HttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)>:[1,22]
<org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager: void (org.apache.http.params.HttpParams,org.apache.http.conn.scheme.SchemeRegistry)>:[1,22]
<org.apache.http.conn.scheme.PlainSocketFactory: org.apache.http.conn.scheme.PlainSocketFactory getSocketFactory()>:[1,22]
<org.apache.http.client.methods.HttpPost: void (java.lang.String)>:[1,22]
<org.apache.http.impl.cookie.BasicClientCookie: void setVersion(int)>:[1,22]
<org.apache.http.impl.cookie.BasicClientCookie: void (java.lang.String,java.lang.String)>:[1,22]
<org.apache.http.conn.scheme.SchemeRegistry: void ()>:[1,22]
<org.apache.http.client.methods.HttpGet: void (java.lang.String)>:[1,22]
<org.apache.http.message.BasicNameValuePair: void (java.lang.String,java.lang.String)>:[1,22]
<org.apache.http.conn.scheme.SchemeRegistry: org.apache.http.conn.scheme.Scheme register(org.apache.http.conn.scheme.Scheme)>:[1,22]
<org.apache.http.cookie.Cookie: java.lang.String getValue()>:[1,22]
<org.apache.http.StatusLine: int getStatusCode()>:[1,22]
<org.apache.http.protocol.BasicHttpContext: void ()>:[1,22]
<org.apache.http.cookie.Cookie: java.util.Date getExpiryDate()>:[1,22]
<org.apache.http.cookie.Cookie: int getVersion()>:[1,22]
<org.apache.http.client.entity.UrlEncodedFormEntity: void (java.util.List,java.lang.String)>:[1,22]
<org.apache.http.HttpResponse: org.apache.http.StatusLine getStatusLine()>:[1,22]
<org.apache.http.HttpResponse: org.apache.http.HttpEntity getEntity()>:[1,22]
<org.apache.http.impl.cookie.BasicClientCookie: void setExpiryDate(java.util.Date)>:[1,22]
<org.apache.http.impl.cookie.BasicClientCookie: void setDomain(java.lang.String)>:[1,22]
<org.apache.http.client.CookieStore: void clear()>:[1,22]
<org.apache.http.protocol.HttpContext: void setAttribute(java.lang.String,java.lang.Object)>:[1,22]
<org.apache.http.client.HttpClient: org.apache.http.params.HttpParams getParams()>:[1,22]
<org.apache.http.cookie.Cookie: java.lang.String getDomain()>:[1,22]
<org.apache.http.conn.scheme.Scheme: void (java.lang.String,org.apache.http.conn.scheme.SocketFactory,int)>:[1,22]
<org.apache.http.HttpEntity: java.io.InputStream getContent()>:[1,22]
<org.apache.http.cookie.Cookie: java.lang.String getPath()>:[1,22]
<org.apache.http.client.methods.HttpEntityEnclosingRequestBase: void setEntity(org.apache.http.HttpEntity)>:[1,22]
<android.app.Notification: void setLatestEventInfo(android.content.Context,java.lang.CharSequence,java.lang.CharSequence,android.app.PendingIntent)>:[1,22]
<org.apache.http.impl.client.DefaultHttpClient: void ()>:[1,22]
<org.apache.http.impl.client.AbstractHttpClient: org.apache.http.params.HttpParams getParams()>:[1,22]

We would be very much appreciated if you can acknowledge to us that those reported APIs are indeed problematic for the project’s long-term stability. please let us know if you need any more information relating to this issue report.

[adepasquale]

This project is currently in abandoned, unmaintained state (see #42).