Set up Design Secure Develop Configure Reference
Go to code
ART Data Enterprise Performance Permissions Power Updates

Namespaces for Native Libraries

Android 7.0 introduced namespaces for native libraries to limit internal API visibility and resolve situations when apps accidentally end up using platform libraries instead of their own. See the Improving Stability with Private C/C++ Symbol Restrictions in Android 7.0 Android Developers blog post for application-specific changes.

Architecture

The change separates system libraries from application libraries and makes it hard to use internal system libraries by accident (and vice versa).

Namespaces for native libraries

Figure 1. Namespaces for native libraries

Namespaces for native libraries prevent apps from using private-platform native APIs (as was done with OpenSSL). It also removes situations where apps accidentally end up using platform libraries instead of their own (as witnessed with libpng).

Adding additional native libraries

In addition to standard public native libraries, vendors may choose to provide additional native libraries accessible to apps by putting them under the /vendor library folder (/vendor/lib for 32 bit libraries and, /vendor/lib64 for 64 bit) and listing them in: /vendor/etc/public.libraries.txt

Starting from Android 8.0, vendor public libraries have the following additional restrictions and required setups:

  1. The native library in vendor must be properly labeled so it can be accessible to apps. If access is required by any apps (including third party apps), the library must be labeled as same_process_hal_file in a vendor-specific file_contexts file as follows: 
    /vendor/lib(64)?/libnative.so u:object_r:same_process_hal_file:s0
    where libnative.so is the name of the native library.
  2. The library, either directly or transitively via its dependencies, must not depend on system libraries other than VNDK-SP and LLNDK libraries. The list of VNDK-SP and LLNDK libraries can be found at development/vndk/tools/definition/tool/datasets/eligible-list-<version>-release.csv.

Updating apps to not use non-public native libraries

This feature is enabled only for applications targeting SDK version 24 or later; for backward compatibility, see Table 1. What to expect if your app is linking against private native libraries. The list of Android native libraries accessible to apps (also know as public native libraries) is listed in CDD section 3.1.1. Apps targeting 24 or later and using any non-public libraries should be updated. Please see NDK Apps Linking to Platform Libraries for more details.