Google adopts new development strategy to improve Android security

Google has announced several key policy changes for Android app developers to improve the security of users, Google Play, and apps provided by the service. They will take effect between May 11 and November 1, 2022, giving developers enough time to adapt to the new changes.

According to BleepingComputer, some of the most important changes related to cybersecurity and fraud include:

  • New API level target requirements.
  • Loan applications with an annual percentage rate (APR) of 36% or more are prohibited.
  • Abuse of the Accessibility API is prohibited.
  • New policy modifications for permissions to install packages from external sources.

New API level targets

Starting November 1, 2022, all newly released or published apps must target an Android API level that is within one year of the latest major Android version release.

API level targeting requirement for newly released applications

Apps that fail to comply with this requirement will be rejected from Android's official app store, the Play Store. Existing apps that do not target an API level that is within two years of the latest major Android version will be removed from the Play Store.

API level targeting requirement for existing applications

The change is intended to force app developers to adopt the stricter API policies of newer Android versions, which typically bring better permission management and revocation, notification anti-hijacking, data privacy enhancements, phishing detection, and more.

Google explained in a blog post that the reasoning behind this is simple: "Users with the latest devices or who are fully focused on Android updates want to take advantage of all the privacy and security protections that Android has to offer. Expanding our target level API requirements will protect users from installing older apps that may not have these protections." Users who need more time to migrate can apply for a 6-month extension.

The move is expected to force some outdated apps to adopt safer practices, but it will also inevitably push some projects that are no longer actively developed out of the Play Store, causing users to turn to unknown sources to obtain APKs of their desired apps, increasing the risk of malware infection.

Accessibility API Abuse

Android's Accessibility API lets developers build applications that people with disabilities can use, by providing alternative ways to control the device and its applications. However, this feature is often abused by malware to perform actions on Android devices without the user's permission or even knowledge.

Therefore, Google's new policy further restricts how it can be used. Apps may not use the Accessibility API to:

  • Change user settings without user permission, or prevent a user's ability to disable or uninstall any application or service, unless authorized by a parent or guardian through a parental control application, or by an authorized administrator through enterprise management software;
  • Bypass Android's built-in privacy controls and notifications;
  • Alter or exploit the user interface in a manner that is deceptive or otherwise violates the Google Play Developer Policies.

Policy for package fetching

Google has also tightened the "REQUEST_INSTALL_PACKAGES" permission. It will take effect on July 11, 2022 and apply to all applications using API level 25 (Android 7.1) and above.

Many malicious app publishers submit harmless code to the Play Store to get their submission approved, and the malicious modules are then introduced without the user's knowledge after the app has been downloaded and installed. Google hopes to strengthen supervision by enforcing a new permission policy. To use this permission, the core functionality of your app must include sending or receiving app packages and enabling user-initiated installation of app packages.

The functionality allowed will now be limited to web browsing or searching, communication services that support attachments, file sharing, transfer or management, and enterprise device management.

The REQUEST_INSTALL_PACKAGES permission must not be used to perform self-updates or modifications, or to bundle other APKs in asset files, except for device management purposes. All updates or installations of packages must comply with Google Play's Device and Network Abuse Policy and must be initiated and driven by the user.
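A pre-submission check for the target API level and REQUEST_INSTALL_PACKAGES rules described above, which also lists declared accessibility services for manual review. This is an added example, not code from the article or from Google: `audit_manifest` is a hypothetical helper that reads a decoded (text) AndroidManifest.xml, and the floors 31 and 30 passed at the bottom are assumed sample values to be replaced with the levels Google Play currently publishes.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_POLICY_MIN_API = 25  # article: policy applies at API level 25 (Android 7.1) and above

def audit_manifest(xml_text, new_app_floor, existing_app_floor):
    """Return (code, detail) findings; both floors are caller-supplied assumptions."""
    root = ET.fromstring(xml_text)
    findings = []
    sdk = root.find("uses-sdk")
    raw = sdk.get(NS + "targetSdkVersion") if sdk is not None else None
    target = int(raw) if raw and raw.isdigit() else None
    if target is None:
        # Target may live only in Gradle files, or be a preview codename.
        findings.append(("TARGET_UNKNOWN", f"targetSdkVersion={raw!r}"))
    elif target < existing_app_floor:
        findings.append(("TARGET_REMOVAL_RISK", f"{target} < {existing_app_floor}"))
    elif target < new_app_floor:
        findings.append(("TARGET_BLOCKS_NEW_RELEASE", f"{target} < {new_app_floor}"))
    # Package-install permission: needs a permitted core-functionality justification.
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    if INSTALL_PERM in perms and (target is None or target >= INSTALL_POLICY_MIN_API):
        findings.append(("INSTALL_PACKAGES_REVIEW", "justify against permitted core functionality"))
    # Accessibility services are not banned; list them so their use can be reviewed.
    for svc in root.iter("service"):
        if svc.get(NS + "permission") == A11Y_BIND:
            findings.append(("ACCESSIBILITY_SERVICE_REVIEW", svc.get(NS + "name")))
    return findings

# Constructed sample manifest (not from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filetool">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AssistService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for code, detail in audit_manifest(SAMPLE, new_app_floor=31, existing_app_floor=30):
        print(code, detail)
```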

This article is reproduced from OSCHINA

Article URL: https://www.oschina.net/news/190791/google-dev-policy-changes-android-security
