How to detect & avoid the use of private APIs in third party libraries

Now that Apple is running some kind of static analysis to automatically check for private API use, a number of people have been caught because of the Three20 library. I use another third-party library (which I compile myself from code) and I would like to automatically audit it for private API use before I submit to Apple, so I can eliminate/re-write those parts.

If I run nm on my application executable, I get a list of symbols, and I am seeing symbols in there that I don't use. For example I see _AudioServicesPlaySystemSound, and if I search for "AudioServicesPlaySystemSound" in Xcode I get no results. Is there any way to automatically discriminate calls to private APIs? For example, I notice that Apple has a habit of naming them with an initial underscore.

However: if I deliberately include a call to a private API it doesn't show up in the output of nm, but it does show up if I run strings on the binary. Based on this, one idea I had was to compile a huge list of all private API calls into a huge table, and automatically search for them in the strings output. I haven't done that yet.

Does anyone have any tips on how to automatically catch this stuff so I'm only going through the review process once?

You could try running nm on the object files instead of the linked executable:

nm -g -j *.o  | sort | uniq

The objects should be in the build/<app>.build/*/<app>.build/Objects-normal sub-directory.

You're seeing a reference to AudioServicesPlaySystemSound because one of the functions you did call in turn calls AudioServicesPlaySystemSound.

Objective-C calls won't generally show up in nm dumps; you'll need to use otool for that:

otool -ov <object file>
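The following is an added example, not code from any poster in this thread: it parses default-format nm output for several object files and reports which object file imports each symbol on a watch list, which shows where a symbol such as _AudioServicesPlaySystemSound comes from. The sample nm output, the object file names and the watch list are constructed for illustration.

```python
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample: default-format `nm` output for two object files.
SAMPLE_NM_OUTPUT = """
AppDelegate.o:
0000000000000000 T _main
                 U _NSLog
                 U _objc_msgSend

VendorSound.o:
0000000000000040 T _VendorPlayClick
                 U _AudioServicesPlaySystemSound
                 U _objc_msgSend
"""

# "<address or blanks> <type letter> <name>"; undefined symbols have no address.
SYMBOL = re.compile(r"^(?:[0-9a-fA-F]{8,16}|\s+)\s*([A-Za-z?-])\s+(.+)$")


def undefined_by_object(nm_text):
    """Map each undefined (type U) symbol to the object files importing it."""
    refs = defaultdict(set)
    current = "<single object>"  # nm prints no header for a lone file
    for line in nm_text.splitlines():
        line = line.rstrip()
        match = SYMBOL.match(line)
        if match:
            if match.group(1) == "U":
                refs[match.group(2)].add(current)
        elif line.endswith(":"):
            current = line[:-1]  # "VendorSound.o:" starts a new object
    return dict(refs)


def audit(nm_text, watch_list):
    """Return {name: [objects]} for watch-list names that some object imports."""
    refs = undefined_by_object(nm_text)
    # C symbols carry a leading underscore in the symbol table.
    return {n: sorted(refs["_" + n]) for n in watch_list if "_" + n in refs}


if __name__ == "__main__":
    # Usage: script.py path/to/*.o   (no arguments: use the constructed sample)
    text = (subprocess.run(["nm", *sys.argv[1:]], capture_output=True,
                           text=True, check=True).stdout
            if len(sys.argv) > 1 else SAMPLE_NM_OUTPUT)
    for name, objects in audit(text, ["AudioServicesPlaySystemSound"]).items():
        print(f"{name}: referenced by {', '.join(objects)}")
```

Objective-C message sends do not appear as nm symbols, so this covers C-level imports only; the otool output is still needed for selectors and classes.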

Use this dev tool, App Scanner. It scans your .app file for private API methods. A future release will also check for private API instance variables.
