To "improve the security of the APP ecosystem", Google sets new Android API level requirements

Recently, Google reiterated that the China Telecommunications Terminal Industry Association needs to require Android apps in major app stores of third-party manufacturers such as Huawei, Oppo, Vivo, Xiaomi, Baidu, Alibaba, and Tencent to reach API level 26 (Android 8.0) or higher in 2019 to "enhance the security of the app ecosystem." Google also stated that it will require all new apps to reach API level 28 (Android 9) or higher by August 2019, and require existing apps to be upgraded to API level 28 or higher by November 2019.

[[257920]]

Google says the target API level will "increase annually" and that existing apps that haven't received updates will not be affected by the changes.

"Thanks to the efforts of thousands of app developers, Android users now more than ever enjoy apps that use modern APIs, which deliver significant security and privacy benefits. For example, during 2018, more than 150,000 apps added support for runtime permissions, giving users fine-grained control over the data they share," Edward Cunningham, product manager on the Android security and privacy team, wrote in a blog post. "More than 95% of the spyware we detect outside of the Play Store intentionally targets API level 22 or lower, and avoids runtime permissions even when installed on recent Android versions."

In addition to these new policies, Google said that with Developer Options enabled on a device, Google Play Protect — an automatic security solution that scans more than 50 billion apps on billions of devices every day — will warn users when they try to install an app from any source that doesn't target a recent API level.

"For example, a user with an Android 6.0 (Marshmallow) device will be warned when installing any new app that targets API level 22 or lower," Cunningham explained. "A device running Android 8.0 (Oreo) or higher will also be warned when installing a new APK that targets API level 25 or lower."

Google issued the above notice after it said it would continue to improve its automated systems to help root out unscrupulous developers from the Google Play Store, and after researchers from security firms Eset and Trend Micro found malicious Android apps on the Play Store that were designed to steal cryptocurrency and trick users into downloading and installing Trojans. In a recent blog post, the company revealed that the number of apps rejected and suspended from the Play Store grew by more than 55% and 66% respectively in 2018, while thousands of apps that did not comply with the Play Store's user data and privacy policies were rejected or removed.

Google announced late last year that it had paid out more than $15 million since launching its bug bounty program in November 2010. It also said it regularly conducts "static" and "dynamic" analyses of apps for inappropriate content, imposters and PHAs, and "intelligently" leverages user engagement and feedback data to help find bad apps with "greater accuracy and efficiency."