The Android system manages access to sensitive APIs by permission enforcement. An application (app) must declare proper permissions before invoking specific Android APIs. However, there is no official documentation providing the complete list of permission-protected APIs and the corresponding permissions to date. Researchers have spent significant efforts extracting such API protection mapping from the Android API framework, which leverages static code analysis to determine if specific permissions are required before accessing an API. Nevertheless, none of them has attempted to analyze the protection mapping in the native library (\emph{i.e.}\xspace, code written in C and C++), an essential component of the Android framework that handles communication with the lower-level hardware, such as cameras and sensors. While the protection mapping can be utilized to detect various security vulnerabilities in Android apps, such as permission over-privilege, imprecise mapping will lead to false results in detecting such security vulnerabilities. To fill this gap, we thereby propose to construct the protection mapping involved in the native libraries of the Android framework to present a complete and accurate specification of Android API protection. We develop a prototype system, named \textsc{NatiDroid}, to facilitate the cross-language static analysis and compare its performance with two state-of-the-practice tools, termed \textsc{Axplorer} and \textsc{Arcade}. We evaluate \textsc{NatiDroid} on more than 11,000 Android apps, including system apps from custom Android ROMs and third-party apps from the Google Play. Our \textsc{NatiDroid} can identify up to 464 new API-permission mappings, in contrast to the worst-case results derived from both \textsc{Axplorer} and \textsc{Arcade}, where approximately 71% apps have at least one false positive in permission over-privilege. We have disclosed all the potential vulnerabilities detected to the stakeholders.