Google has announced several key policy changes for Android application developers that will increase the security of users, Google Play, and the apps offered by the service.
These new developer requirements will take effect between May 11th through November 1st, 2022, giving developers enough time to adjust to the new changes.
Among the list of policy changes that will be introduced, the most important ones related to cybersecurity and fraud include:
New API level target requirements.
Banning of loan apps whose Annual Percentage Rate (APR) is 36% or higher.
Prohibiting the abuse of the Accessibility API.
New policy changes for the permission to install packages from external sources.
New API level targets
Starting from November 1, 2022, all newly released/published apps must target an Android API level released within one year from the latest major Android version release.
Those that fail to abide by this requirement will be rejected from inclusion in the Play Store, Android’s official app store.
Existing apps that do not target an API level within two years of the latest major Android version will be removed from the Play Store and will no longer be discoverable.
This change aims to force app developers to adopt the stricter API policies that underpin newer Android releases, typically better permission management and revoking, notification anti-hijacking, data privacy enhancements, phishing detection, splash screen restrictions, and more.
As Google explains in the blog post about the new policy: “users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer.”
App developers that need more time to migrate to more current API levels may request a six-month extension, although this is not guaranteed for everyone.
This policy change is expected to force many outdated apps to adopt more secure practices but will also inevitably push several projects that are no longer actively developed outside the Play Store.
One side effect of the latter could be people turning to obscure sources to get an APK of their favorite app, only to get scammed and infect themselves with malware.
Accessibility API abuse
Android’s Accessibility API allows developers to create apps that can be used by those with disabilities, allowing the creation of different ways to control the device and use its applications.
However, this feature is commonly abused by malware [1, 2] to perform actions on an Android device without the user’s permission or even knowledge.
Google’s new policies further restrict how this policy can be used, as listed below.
Change user settings without their permission or prevent the ability for users to disable or uninstall any app or service unless authorized by a parent or guardian through a parental control app or by authorized administrators through enterprise management software;
Work around Android built-in privacy controls and notifications; or
Change or leverage the user interface in a way that is deceptive or otherwise violates Google Play Developer Policies.
Policy for package fetching
Another key policy change announced by Google tightens the “REQUEST_INSTALL_PACKAGES” permission.
Many malicious app publishers submit innocuous code onto the Play Store to have their submission approved but hide package-fetching functionality that downloads malicious modules after installation.
Users see these actions as “request to update” or “download additional content,” so they approve of the action when served the associated prompt or don’t see anything because it happens in the background.
Google wants to close this loophole by enforcing new policies for the permission, shedding light on a previously poorly regulated space.
The functions allowed now will be limited to web browser, search, communication, file sharing, file transfer, file management, and enterprise device management.
Apps using this permission must now fetch only digitally signed packages, while the user’s consent will still not allow self-updates, code modifications, or bundling of APKs in the asset file.
The new REQUEST_INSTALL_PACKAGES policies will go into effect on July 11th, 2022, for all apps using API level 25 (Android 7.1) and above.