Google today said that it’ll require Android apps in major app stores from third-party manufacturers like Huawei, Oppo, Vivo, Xiaomi, Baidu, Alibaba, and Tencent to target API level 26 (Android 8.0) or higher in 2019, in a bid to “improve the security of the app ecosystem.” It also said it’ll require all new apps to target API level 28 (Android 9) or higher by August 2019, and mandate that updates to existing apps target API level 28 or higher by November 2019.
The target API levels will “advance annually,” Google says, and existing apps that aren’t receiving updates won’t be affected by the changes.
“Thanks to the efforts of thousands of app developers, Android users now enjoy more apps using modern APIs than ever before, bringing significant security and privacy benefits. For example, during 2018, over 150,000 apps added support for runtime permissions, giving users granular control over the data they share,” Edward Cunningham, product manager on the Android Security and Privacy Team, wrote in a blog post. “Over 95 percent of spyware we detect outside of the Play Store intentionally targets API level 22 or lower, avoiding runtime permissions even when installed on recent Android versions.”
In addition to those new policies, Google says that, on devices with Developer options enabled, Google Play Protect — an automated security solution that scans more than 50 billion apps on billions of devices each day — will begin to warn users when they attempt to install apps from any source that don’t target a recent API level.
“For example, a user with a device running Android 6.0 (Marshmallow) will be warned when installing any new [app] that targets API level 22 or lower,” Cunningham explained. “Users with devices running Android 8.0 (Oreo) or higher will be warned when installing any new APK that targets API level 25 or lower.”
The announcement comes after Google said it would continue to improve the automated systems that help root out unscrupulous developers in the Google Play Store — and after researchers with security firm Eset and Trend Micro discovered malicious Android apps hosted on the Play Store that were designed to steal cryptocurrency and trick users into downloading and installing a trojan. In a recent blog post, the company revealed that in 2018, the number of apps rejected and suspended from the Play Store increased by more than 55 percent and 66 percent, respectively, and that tens of thousands of apps not adherent to the Play Store’s user data and privacy policies were rejected or removed.
Google announced late last year that it’s paid out over $15 million since launching its bug bounty program in November 2010. And it said it’s regularly conducting both “static” and “dynamic” analyses of apps with inappropriate content, impersonators, and PHAs, and “intelligently” using user engagement and feedback data to help find bad apps with “higher accuracy and efficiency.”