On April 6, 2022, Google announced several policy updates for Android app developers intended to improve the security of users, of Google Play, and of the apps distributed through it.
The new policies take effect on a staggered schedule between May 11 and November 2022, giving developers time to adapt. Among them, the updates related to security and fraud are the focus here:
1. New target API level requirements
2. Loan apps with an annual percentage rate (APR) of 36% or higher are prohibited
3. Abuse of the accessibility API is prohibited
4. Updated policy for the permission to install packages from outside Google Play (REQUEST_INSTALL_PACKAGES)
New API level requirements
The new policy requires that, as of November 1, 2022, all newly released apps target an API level within one year of the latest major Android release, otherwise they will not be accepted on Google Play. Existing apps that do not target an API level within two years of the latest major Android release will no longer be discoverable or installable on Google Play for new users whose devices run a newer Android version than the app targets.
API-level targeting requirements for newly released apps
API-level targeting requirements for existing apps
The change is meant to push developers onto newer Android platform versions, and with them the platform's newer protections against current threats: finer-grained permission management and automatic permission revocation, protection against notification hijacking, stronger data privacy controls, phishing detection, restrictions on background activity launches, and more.
The policy is not a complete answer, however. For developers it is a reactive measure, and for apps that need more time to migrate Google will grant an extension of up to six months. Nothing prevents some developers from abandoning Google Play for other distribution channels, and users who install apps from such unofficial channels typically face greater security risks.
Restrict accessibility API abuse
Android's Accessibility API lets developers build apps that are usable by people with disabilities by offering alternative ways to control the device and interact with apps. Malware, however, frequently abuses this capability to perform actions on the device without the user's permission or even knowledge. Google's new policy therefore explicitly prohibits using the accessibility API to:
1. Change user settings without the user's permission, or prevent the user from disabling or uninstalling any app or service, unless authorized by a parent or guardian through a parental control app, or by an authorized administrator through enterprise management software.
2. Bypass Android's built-in privacy controls and notifications.
3. Alter or exploit the user interface in a way that is deceptive or otherwise violates the Google Play Developer Policies.
Tighten the package installation policy
Another key change tightens the rules for the REQUEST_INSTALL_PACKAGES permission. Some malicious apps submit seemingly benign code to pass review on Google Play, then download malicious module packages after installation; the user either approves the install because it is presented as a software update, or the download happens invisibly in the background. Google wants to close this loophole.
The new REQUEST_INSTALL_PACKAGES policy takes effect on July 11, 2022, for all apps using API level 25 (Android 7.1) and above. From then on, an app holding this permission may only install or update packages that are digitally signed, and may not use the permission to self-update, modify itself, or bundle other APKs in its asset files.
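A reviewer triaging an APK against the three policy areas above (target API level, accessibility services, and REQUEST_INSTALL_PACKAGES) would start from its manifest. The script below is an added example, not Google's tooling, and it assumes the manifest has already been decoded to text (for instance with `apktool d app.apk`, which writes AndroidManifest.xml in plain XML). The sample manifest is constructed for the example, and the release-year table turns the "within one or two years of the latest major release" rule into a concrete minimum targetSdkVersion; for 2022 it yields API 31 for new apps and API 30 for existing apps, which agrees with the levels Google published for November 2022.

```python
"""Static triage of a decoded AndroidManifest.xml against the Play policy
areas discussed above.  Added example, not Google's tooling; it assumes the
manifest is already plain XML (e.g. output of `apktool d app.apk`)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Major Android releases by API level and release year (Android 12L, API 32,
# is omitted as a minor release).  Used to turn the "within N years of the
# latest major release" rule into a concrete minimum targetSdkVersion.
RELEASE_YEAR = {26: 2017, 27: 2017, 28: 2018, 29: 2019, 30: 2020, 31: 2021, 33: 2022}

# Constructed sample manifest (not from a real app) that trips every check.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.loanhelper">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Loan Helper">
    <service android:name=".OverlayService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def android_attr(name):
    """Fully qualified form of an android:NAME attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


def required_target_level(latest_year, years_window):
    """Lowest API level released no more than `years_window` years before the
    latest major release year.  For 2022: window 1 -> 31, window 2 -> 30."""
    eligible = [api for api, year in RELEASE_YEAR.items()
                if year >= latest_year - years_window]
    return min(eligible)


def parse_manifest(xml_text):
    """Extract package name, targetSdkVersion, requested permissions and any
    declared accessibility services from a decoded manifest."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target = None
    if uses_sdk is not None and uses_sdk.get(android_attr("targetSdkVersion")):
        target = int(uses_sdk.get(android_attr("targetSdkVersion")))
    perms = {p.get(android_attr("name")) for p in root.findall("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {act.get(android_attr("name")) for act in svc.iter("action")}
        if A11Y_ACTION in actions:
            services.append({
                "name": svc.get(android_attr("name")),
                # The system only binds accessibility services guarded by this permission.
                "guarded": svc.get(android_attr("permission")) == A11Y_BIND_PERM,
            })
    return {"package": root.get("package"), "target_sdk": target,
            "permissions": perms, "accessibility_services": services}


def triage(info, latest_release_year, is_new_app):
    """Return (code, detail) findings for a reviewer to follow up on."""
    findings = []
    window = 1 if is_new_app else 2          # policy windows from the article
    required = required_target_level(latest_release_year, window)
    if info["target_sdk"] is None:
        findings.append(("TARGET_SDK_MISSING", "no android:targetSdkVersion in <uses-sdk>"))
    elif info["target_sdk"] < required:
        findings.append(("TARGET_SDK_TOO_LOW",
                         f"targets API {info['target_sdk']}, policy requires >= {required}"))
    if INSTALL_PERM in info["permissions"]:
        findings.append(("REQUEST_INSTALL_PACKAGES",
                         "app can install APKs; verify it does not self-update or sideload modules"))
    for svc in info["accessibility_services"]:
        findings.append(("ACCESSIBILITY_SERVICE",
                         f"{svc['name']} declares an accessibility service "
                         f"(guarded={svc['guarded']}); review what it automates"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(parse_manifest(SAMPLE_MANIFEST), 2022, True):
        print(f"{code}: {detail}")
```

The findings are deliberately prompts for a human reviewer rather than verdicts: a declared accessibility service or the install permission is legitimate for some apps, and the manifest alone cannot show whether the app later fetches and installs modules, so a flagged app should go on to dynamic analysis of its update path.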