Google has announced several important policy changes for Android app developers that will improve the security of users, Google Play, and the apps available through the service.
These new developer requirements come into effect in stages between May 11th and November 1st, 2022, giving developers ample time to adjust.
The following are the most important policy changes related to cybersecurity and fraud that will be implemented:
- New API level target requirements.
- Banning of loan apps whose Annual Percentage Rate (APR) is 36% or higher.
- Prohibiting the abuse of the Accessibility API.
- New policy changes for the permission to install packages from external sources.
Starting November 1, 2022, all newly released or published apps must target an Android API level released within one year of the most recent major Android version release.
Apps that do not meet this criterion will be blocked from the Play Store, Android's official app store.
Existing apps that do not target an API level within two years of the most recent major Android version will be removed from the Play Store and become undiscoverable.
This change is intended to compel app developers to adopt the stricter API rules that underpin newer Android releases, such as better permission management and revocation, notification anti-hijacking, data privacy enhancements, phishing detection, splash screen limits, and other features.
According to Google's blog article on the new policy: "users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer."
App developers who require extra time to migrate to more recent API levels can request a six-month extension, although approval is not guaranteed. Many outdated apps will be forced to adopt more secure practices as a result of this policy change.
Accessibility API abuse
The Accessibility API for Android enables developers to design apps that are accessible to people with disabilities, and to create new ways of operating the device through its applications.
However, malware frequently abuses this capability to perform actions on an Android smartphone without the user's permission or knowledge.
As listed below, Google's new policy further restricts how the API may be used; apps must not:
- Change user settings without their permission or prevent users from disabling or uninstalling any app or service, unless authorized by a parent or guardian through a parental control app or by authorized administrators through enterprise management software;
- Work around Android's built-in privacy controls and notifications; or
- Change or leverage the user interface deceptively, or in a way that otherwise violates Google Play Developer Policies.
Google has also released a policy change that tightens the "REQUEST_INSTALL_PACKAGES" permission.
Many malware publishers get their submissions accepted on the Play Store by hiding package-fetching code that downloads malicious modules only after installation.
Users interpret these activities as a "request to update" or "download new content," and they either authorise the action when presented with the corresponding prompt or don't notice because it occurs in the background.
Google aims to narrow this loophole by imposing new permission requirements, bringing oversight to an area that was previously unregulated.
Apps that use this permission must now fetch only digitally signed packages, and self-updates, code modifications, or bundling of APKs in the asset file will still require the user's authorization. For all apps using API level 25 (Android 7.1) or higher, the new REQUEST_INSTALL_PACKAGES policies will enter into force on July 11th, 2022.
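As an added example (not part of the original article and not Google's own tooling), the following Python check reviews a decoded AndroidManifest.xml for the three points covered above: the targetSdkVersion against a minimum API level the reviewer supplies (the policy is stated in years, so mapping the current date to an API level is left to the caller), the REQUEST_INSTALL_PACKAGES permission, and any accessibility service the app declares. The manifest is a constructed sample, not a real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Platform permission names that the policy changes above concern.
REQUEST_INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (hypothetical app) that trips all three checks.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application>
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def review_manifest(xml_text, min_target_api):
    """Return the target SDK and a list of policy findings for one manifest.

    min_target_api is the lowest API level the reviewer considers compliant
    with the one-year / two-year target rule at the time of review.
    """
    root = ET.fromstring(xml_text)
    findings = []

    sdk = root.find("uses-sdk")
    raw_target = _attr(sdk, "targetSdkVersion") if sdk is not None else None
    target = int(raw_target) if raw_target else None
    if target is None or target < min_target_api:
        findings.append(f"targetSdkVersion {target} is below required {min_target_api}")

    permissions = {_attr(p, "name") for p in root.iter("uses-permission")}
    if REQUEST_INSTALL in permissions:
        findings.append("declares REQUEST_INSTALL_PACKAGES: confirm only signed packages are fetched")

    for service in root.iter("service"):
        if _attr(service, "permission") == BIND_ACCESSIBILITY:
            findings.append(f"accessibility service {_attr(service, 'name')}: review against the abuse policy")

    return {"target_sdk": target, "findings": findings}
```

Run review_manifest(SAMPLE_MANIFEST, 31) to see all three findings for the sample; a manifest targeting a current API level with neither declaration returns an empty findings list.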