Google boosts Android security with new development strategy

Google has announced several policy changes for Android app developers intended to improve the security of users, of Google Play, and of the apps distributed through it. The changes take effect on dates between May 11 and November 1, 2022, giving developers time to adapt.

According to BleepingComputer, the changes most relevant to security and fraud include:

  • New API level target requirements
  • Loan apps with an annual percentage rate (APR) of 36% or higher are prohibited.
  • Abuse of the Accessibility API is prohibited.
  • A new policy for the permission to install packages from external sources.

New API level targets

As of November 1, 2022, all newly released apps must target an Android API level released within one year of the latest major Android release.

API level targeting requirement for newly released applications

Apps that fail to meet this requirement will be rejected from the Play Store, Android's official app store. Existing apps that do not target an API level within two years of the latest major Android release will no longer be offered to new users on devices running an Android version newer than the app's target.

API level targeting requirement for existing applications

Targeting a newer API level opts an app into that release's behavior changes, so the requirement effectively forces developers to adopt the stricter platform rules of newer Android versions: tighter permission management and automatic revocation, protection against notification hijacking, data-privacy enhancements, phishing detection, and more.

The reasoning is simple, as Google explained in a blog post: "Users with the latest devices or those who are fully concerned about Android updates want to take full advantage of all the privacy and security protections Android offers. Extending our target level API requirements will protect users from installing older applications that may not have these protections." Developers who need more time to migrate can apply for a six-month extension.


The move should push some neglected apps toward safer practices, but it will also inevitably push projects that are no longer actively maintained out of the Play Store, leading users to sideload the APKs they want from unknown sources and increasing the risk of malware infection.

Accessibility API abuse

Android's Accessibility API lets developers build services that help people with disabilities by offering alternative ways to control the device and interact with apps: an accessibility service can read what is on screen and perform actions on the user's behalf. That same capability is routinely abused by malware, which uses it to act on the device without the user's consent or even knowledge.

Google's new policy therefore further limits how the API may be used. An accessibility service must not:

  • change user settings without the user's permission, or prevent the user from disabling or uninstalling any app or service, unless authorized by a parent or guardian through a parental-control app or by an authorized administrator through enterprise-management software;
  • bypass Android's built-in privacy controls and notifications;
  • change or exploit the user interface in a way that is deceptive or otherwise violates the Google Play Developer Policy.
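The abuse pattern described above (a sideloaded app that has talked the user into enabling its accessibility service, then drives the UI itself) is easy to triage on a device with two adb commands. The following is an added example, not code from the article or from Google: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` (both embedded here as constructed sample strings) and rates every enabled accessibility service by its install source. The `KNOWN_GOOD` allow-list and the "flashlight" package are assumptions made for the example.

```python
"""Triage enabled Android accessibility services against their install source."""
from __future__ import annotations

import re
from dataclasses import dataclass

PLAY_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are "package/ServiceClass" separated by ':'; the literal "null" means none enabled.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashlight/.CoreService"
)

# Constructed sample of `adb shell pm list packages -i`.
# installer=null means the package was sideloaded or its installer was not recorded.
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.android.chrome  installer=com.android.vending
"""

# Hypothetical allow-list of accessibility services you expect on the fleet (assumption).
KNOWN_GOOD = frozenset({"com.google.android.marvin.talkback"})


@dataclass
class Finding:
    package: str
    service: str
    installer: str
    risk: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the settings value into (package, fully qualified service class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):  # short form ".CoreService" is relative to the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_installers(raw: str) -> dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installers: dict[str, str] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def triage(enabled_raw: str, packages_raw: str, known_good=KNOWN_GOOD) -> list[Finding]:
    """Rate each enabled accessibility service: sideloaded and unknown is the high-risk case."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        installer = installers.get(pkg, "unknown")
        if pkg in known_good:
            risk = "low"
        elif installer != PLAY_INSTALLER:
            risk = "high"    # sideloaded app driving the UI: the classic banking-trojan profile
        else:
            risk = "medium"  # came from Play, but still review it against the accessibility policy
        findings.append(Finding(pkg, cls, installer, risk))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"{f.risk:6} {f.package} ({f.service}) installer={f.installer}")
```

The same parsers work on real output piped in from adb; the point of the rating is that an accessibility service is only as trustworthy as the channel its app arrived through, which is exactly why Google now polices the API on the Play side.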

Policy for package installation

Google has also tightened the "REQUEST_INSTALL_PACKAGES" permission, effective July 11, 2022, for all apps targeting API level 25 (Android 7.1) and above.

Many malicious publishers submit harmless code to the Play Store to get approved, then have the installed app fetch malicious modules afterwards, so users introduce them without knowing. Google wants to close that path with a stricter permission policy: to use this permission at all, an app's core functionality must include sending or receiving app packages and enabling user-initiated installation of them.

The permitted core functionality is now limited to web browsing or search, communication services that support attachments, file sharing, transfer or management, and enterprise device management.

Except for device-management purposes, the REQUEST_INSTALL_PACKAGES permission must not be used for self-updates, to modify other apps, or to install APKs bundled in the app's asset files. All package updates or installations must comply with Google Play's Device and Network Abuse policy and must be initiated and driven by the user.
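Both the target-API requirement and the REQUEST_INSTALL_PACKAGES rule can be checked before submission by reading the app's manifest. Below is an added example, not the article's or Google's code: it parses an AndroidManifest.xml (two constructed samples are embedded, a suspicious "flashlight" app and a clean file manager) and reports a targetSdkVersion below a caller-supplied minimum, a REQUEST_INSTALL_PACKAGES declaration without a justified core use case, and any declared accessibility service. The minimum level is an input because it changes with each deadline; the value 31 used in the usage is illustrative, and the `install_use_case_justified` flag is an assumption standing in for the human review of the allowed use cases.

```python
"""Static review of an Android manifest against the Play policies described above."""
from __future__ import annotations

import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace, as ElementTree keys it
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: a "flashlight" app that targets an old API level, requests the install
# permission with no plausible core need, and exposes an accessibility service.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="28"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight">
        <service android:name=".CoreService" android:exported="true"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a file manager that declares only what it needs and targets a recent level.
CLEAN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.files">
    <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="33"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Files"/>
</manifest>
"""


def target_sdk(root: ET.Element) -> int:
    """targetSdkVersion from <uses-sdk>; 1 if absent (Android's own default)."""
    sdk = root.find("uses-sdk")
    return int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1


def review_manifest(xml_text: str, min_target_sdk: int,
                    install_use_case_justified: bool = False) -> list[str]:
    """Return a list of policy findings (empty means nothing to flag)."""
    root = ET.fromstring(xml_text)
    findings: list[str] = []

    target = target_sdk(root)
    if target < min_target_sdk:
        findings.append(f"targetSdkVersion {target} is below the required minimum {min_target_sdk}")

    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    if INSTALL_PERM in perms and not install_use_case_justified:
        findings.append("REQUEST_INSTALL_PACKAGES declared without an allowed core use case "
                        "(browser/search, messaging with attachments, file management, "
                        "enterprise device management); self-update and bundled APKs are not allowed")

    for svc in root.iter("service"):
        if svc.get(A + "permission") == A11Y_BIND:
            findings.append(f"accessibility service {svc.get(A + 'name')} declared: "
                            "confirm it does not change settings, block uninstall, or bypass privacy controls")
    return findings


if __name__ == "__main__":
    for name, text in (("flashlight", SAMPLE_MANIFEST), ("files", CLEAN_MANIFEST)):
        print(name, review_manifest(text, min_target_sdk=31) or ["ok"])
```

Run it against a decoded manifest (for example the output of `aapt dump xmltree` rebuilt as XML, or the manifest from a decompiled build) as a pre-submission gate; the combination of an old target level, an unjustified install permission and an accessibility service in one package is precisely the profile these policy changes are aimed at.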


Source: www.oschina.net/news/190791/google-dev-policy-changes-android-security