
Improving app security and performance on Google Play for years to come - ingve
http://android-developers.googleblog.com/2017/12/improving-app-security-and-performance.html
======
izacus
The important part of context here:

If you targeted APIs before Android 6.0 (e.g. you targeted API Level 21 -
Lollipop), you didn't have to ask users for permissions to access contacts,
sms, SD card and other data. Which made all the new security improvements in
Android rather moot - scummy apps (like Snapchat :P) just didn't update their
API levels, kept collecting personal data without asking for permission... AND
didn't implement improvements of new OSes because they wanted to keep
collecting data without restriction.

This is finally great news for Android security.

~~~
orb_yt
> you didn't have to ask users for permissions to access contacts, sms, SD
> card and other data

This isn't true. Android 6.0 introduced runtime permissions, where permissions
could be granted in the context of the application. Previously, the
permissions still had to be granted, but they were granted before the
application was installed.

~~~
fatwa
You get asked when you install the app but nobody looks at that huge list of
permissions, especially if not accepting means you don't get to use the app

~~~
adrianmonk
There's a huge difference between apps being able to do stuff without ever
asking permission and apps asking permission but users choosing to ignore it
and just say yes to everything.

~~~
arbie
While I agree with permission overload at install time, users pay more
attention when permission prompts come up one at a time at first-use. It also
gives the app a reason to stagger in permissions only when the feature is
used, lest the user loses interest and drops off.

------
kartickv
Google shouldn't wait till Nov to fix the loophole of apps bypassing some
permissions by declaring an older target SDK version. Give developers a
quarter's notice, and update Android and Google Play services to enforce these
permissions starting March 2018.

Developers who don't prioritise their users' privacy even after being given a
quarter's notice can have their apps break.

------
Mayzie
But what if my phone manufacturer refuses to provide Android Oreo? My phone
(LG v20) was released in late 2016 and was the first to support Nougat (7.0).

What about others in this situation where stupid manufacturers refuse to
upgrade their Android software?

~~~
craftyguy
Pick a phone next time that is from a manufacturer who has a reputation for
staying up to date with Android.

But, the sad reality is that no manufacturers anywhere will provide OS updates
for more than 2 years, and many are MUCH less than that. They expect you to
throw them away and buy new ones. Or, they expect you to not notice since they
don't want to 'burn cash' on porting new updates.

Nevermind that the 'android device support model' is a dumpster fire. Android
(specifically AOSP, but google's spin too) _needs_ to be a rolling distro to
make it easier for manufacturers to support older devices (but no guarrantee
they will care..). Shitting a monolithic update on them once a year doesn't
work.

The 'smartphone industry' is an incredibly wasteful industry.

~~~
mastax
Project Treble[0] is a good 80% solution which makes it much easier to run
mainline AOSP on new devices [1]. Ports still need to fix device-specific
bugs, and camera image processing optimizations won't work unless they're
implemented beneath the HAL (or hacked into a custom ROM). You'll also need a
modern (8.0) unlocked device. Besides those caveats, it's a big improvement.

[0]:
[https://source.android.com/devices/architecture/treble](https://source.android.com/devices/architecture/treble)
[1]: [https://forum.xda-developers.com/project-
treble/trebleenable...](https://forum.xda-developers.com/project-
treble/trebleenabled-device-development/experimental-phh-treble-t3709659)

------
on_and_off
Awesome news !

I have been hoping to see this happen for a while.

No point in adding new optimizations and security requirements in the new
Android releases if devs can opt out of them by targeting a very old Android
version.

As a dev, I feel vindicated for having pushed the organizations I worked at to
closely follow the new releases.

As a user, I am happy I soon won't have to check the manifest of the apps I
install

------
yjftsjthsd-h
Anyone know what the "security metadata" is? Just Google signing the APK in
addition to the developer signing it? Not sure how that helps, but not sure
what else it would be.

~~~
richdougherty
More info further down the article:

> ... adding a small amount of security metadata on top of each APK to verify
> that it was officially distributed by Google Play. ... The metadata we're
> adding to APKs is like a Play badge of authenticity for your Android app. >
> > ... the small metadata addition, which is inserted into the APK Signing
> Block ...

Yes it looks like an additional signature.

> ... this metadata will enable new distribution opportunities for developers
> in the future and help more people keep their apps up to date.

This suggests that you may be able to distribute signed APKs outside the Play
store (e.g. host the APK yourself and email a link to beta testers?).

~~~
puzzle
Torrent-style P2P updates? Installation over Bluetooth for users without
connectivity or with expensive plans? I might be in the same room and already
have this app I just recommended to you...

~~~
yjftsjthsd-h
It could also just be HTTP/S from the developer's site, which already happens.

~~~
puzzle
And that could be a way to circumvent the GFW.

------
yegle
I'm curious why the first required version is Android 8.0 (API version 26),
instead of Android 8.1 (API version 27)...

~~~
on_and_off
From what I remember, 27 does not change the security model in any way, it
just adds a couple of small features.

Their point is that you should target the latest major release. Ideally you
should target the latest release, period.

I don't really care if an app targets 26 instead of 27 though. if an app
targets 20 though, I definitely resent that a lot.

~~~
stevenwoo
Android Studio tells me API 20 targets about 70 percent of android devices.
API 26 targets less than one percent of android devices. What apps are you
using that target API 26? I had to develop an app for a customer in Mexico two
years ago and the customer made us target API 15 because they wanted to
maximize app compatibility.

~~~
izacus
Do look up the difference between TARGETING (compiling against) an API and
supportning MINIMUM API.

Different settings in your build.gradle ;) You can target 27 while still
supporting 15.

~~~
stevenwoo
Thanks for your patience!

------
paule89
From a users perspective: This is great.

