Android security depends on secure apps and Google has some big plans.
Google has made some significant announcements on its Android Developers Blog about new policies developers will need to follow to continue publishing to the Play Store. Google says that starting in August 2018 all new apps submitted will need to target Android Oreo, and in November 2018 updates to existing apps will need to do the same. In addition, starting early in 2018 some extra metadata will be added to the app file (the .apk file) to verify its authenticity, and in August 2019 apps that use native libraries will be required to provide a 64-bit version.
In the second half of 2018, Play will require that new apps and app updates target a recent Android API level. This will be required for new apps in August 2018, and for updates to existing apps in November 2018. This is to ensure apps are built on the latest APIs optimized for security and performance.
In August 2019, Play will require that new apps and app updates with native libraries provide 64-bit versions in addition to their 32-bit versions.
Additionally, in early 2018, Play will start adding a small amount of security metadata on top of each APK to further verify app authenticity. You do not need to take any action for this change.
Google says these changes are to help make the apps we use as secure as Android itself. They’ve given some simple examples that explain just how these changes will help here.
Right now, a developer can upload an app that targets an old version of Android and never ask for permission to see things like camera data or location when you first run it, because runtime permission requests only became official with Android Marshmallow (API 23). Adding metadata as a check for authenticity makes sense because it can be used to separate apps that were downloaded from Google Play from apps installed from other sources (and could be used for copy protection if Google wanted to do so). Requiring 64-bit versions of apps gets things ready for application processors that don’t support 32-bit binaries.
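To make the target-API point concrete, here is an added example (not code from Google or from this article) that audits a decoded, plain-text AndroidManifest.xml and reports which camera and location permissions would be granted without a runtime prompt. The function names and sample manifests are constructed for illustration; API 26 is Android Oreo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RUNTIME_PERMISSION_API = 23  # Marshmallow: dangerous permissions prompt at run time
PLAY_TARGET_API = 26         # Oreo, the level the article says Play will require

# Subset of "dangerous" permissions matching the article's camera/location examples.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

def audit_manifest(xml_text):
    """Return the target API level and the permissions it lets the app skip prompting for."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    attrs = uses_sdk.attrib if uses_sdk is not None else {}
    min_sdk = int(attrs.get(ANDROID_NS + "minSdkVersion", 1))
    # When targetSdkVersion is absent, Android falls back to minSdkVersion.
    target = int(attrs.get(ANDROID_NS + "targetSdkVersion", min_sdk))
    requested = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    # Below API 23 the dangerous permissions are granted at install, with no prompt on first use.
    silent = sorted(requested & DANGEROUS) if target < RUNTIME_PERMISSION_API else []
    return {
        "target_sdk": target,
        "install_time_grants": silent,
        "meets_play_target": target >= PLAY_TARGET_API,
    }

def sample_manifest(target):
    """Constructed sample manifest (not from a real app) with the given target API level."""
    return f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="{target}"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for level in (22, 26):
        print(level, audit_manifest(sample_manifest(level)))
```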
A side effect of these changes will affect how manufacturers update devices as well as the practice of selling new devices with older versions of Android.
Next August, all new apps submitted to Google Play will have to be targeted for Android Oreo. In November, updates for existing apps will also need to be targeted for Oreo. These requirements will advance each year so apps in August 2019 will need to target the next version of Android. Each year the same thing happens and new apps or updates to existing apps won’t be accepted unless they target a recent version.
Existing apps that don’t get updated will be allowed to stay, and the development tools will still allow the creation of apps targeted for old versions. But Google Play won’t. Apps designed for old software don’t make use of Android’s newer features and are less secure because of it.
When your phone can’t run the app you want because the software is old, you’ll notice.
As a result, companies who sell phones with old versions or forget about those phones when it comes time to update them will stand out because the products won’t have access to new or newly updated apps. Google says they encourage developers to do what they can to make apps backward compatible, but we all know how things go when they’re only suggested or encouraged. Look at the state of tablet apps on Google Play as an example here. These changes will effectively shut out phones with old versions when it comes to the newest apps.
We expect to hear plenty more about these new policies before they go into effect, and we still have some questions about how the new "authenticity" metadata will be used. But we like the idea of Google doing what it can to keep our data safer and to keep the apps that want to use it in check a little better.
December 19, 2017 at 03:51PM