If you targeted APIs before Android 6.0 (e.g. you targeted API Level 21 - Lollipop), you didn't have to ask users for permissions to access contacts, SMS, SD card and other data. Which made all the new security improvements in Android rather moot - scummy apps (like Snapchat :P) just didn't update their API levels, kept collecting personal data without asking for permission... AND didn't implement improvements of new OSes because they wanted to keep collecting data without restriction.
This is finally great news for Android security.
This isn't true. Android 6.0 introduced runtime permissions, where permissions could be granted in the context of the application. Previously, the permissions still had to be granted, but they were granted before the application was installed.
Apart from the security implications it will also decrease fragmentation of Android versions and encourage manufacturers to update their OS versions.
Not even the August 2019 deadline prevents that.
So really, there's nothing in here that stops personal data collection.
Yea, now only Google is collecting an absurd amount of information on you. They don't like competition, so I'm surprised it took this long for them to implement this.
Developers who don't prioritise their users' privacy even after being given a quarter's notice can have their apps break.
What about others in this situation where stupid manufacturers refuse to upgrade their Android software?
But, the sad reality is that no manufacturers anywhere will provide OS updates for more than 2 years, and many are MUCH less than that. They expect you to throw them away and buy new ones. Or, they expect you to not notice since they don't want to 'burn cash' on porting new updates.
Never mind that the 'android device support model' is a dumpster fire. Android (specifically AOSP, but Google's spin too) needs to be a rolling distro to make it easier for manufacturers to support older devices (but no guarantee they will care..). Shitting a monolithic update on them once a year doesn't work.
The 'smartphone industry' is an incredibly wasteful industry.
So with this change, a developer can still release a brand new app that runs on Android phones which are 5 years old if they want. They just have to make sure that app is aware of how the newer releases work too.
I have been hoping to see this happen for a while.
No point in adding new optimizations and security requirements in the new Android releases if devs can opt out of them by targeting a very old Android version.
As a dev, I feel vindicated for having pushed the organizations I worked at to closely follow the new releases.
As a user, I am happy I soon won't have to check the manifest of the apps I install.
> ... adding a small amount of security metadata on top of each APK to verify that it was officially distributed by Google Play. ... The metadata we're adding to APKs is like a Play badge of authenticity for your Android app.
> ... the small metadata addition, which is inserted into the APK Signing Block ...
Yes it looks like an additional signature.
> ... this metadata will enable new distribution opportunities for developers in the future and help more people keep their apps up to date.
This suggests that you may be able to distribute signed APKs outside the Play store (e.g. host the APK yourself and email a link to beta testers?).
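Added example, not part of the thread and not Google's tooling: a Python sketch that lists the ID-value pairs stored in an APK Signing Block, which is where the quoted announcement says the Play metadata is inserted. The layout and the v2/v3 IDs follow the public APK Signature Scheme documentation; the function names and the ID `0x12345678` (a stand-in for an extra metadata entry) are assumptions made for this example.

```python
import struct

MAGIC = b"APK Sig Block 42"      # trailer of the APK Signing Block
EOCD_SIG = b"PK\x05\x06"         # ZIP End of Central Directory signature
KNOWN_IDS = {0x7109871A: "APK Signature Scheme v2",
             0xF05368C0: "APK Signature Scheme v3"}

def signing_block_entries(apk: bytes):
    """Return [(id, value_length)] for each pair in the APK Signing Block."""
    eocd = apk.rfind(EOCD_SIG)   # last match; a ZIP comment could still confuse this
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no ZIP End of Central Directory record")
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)
    # The block, if present, ends immediately before the Central Directory.
    if cd_off < 32 or apk[cd_off - 16:cd_off] != MAGIC:
        return []                # JAR-signed only, or unsigned
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)
    start = cd_off - size - 8    # size excludes the leading 8-byte size field
    if size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    entries, pos, end = [], start + 8, cd_off - 24
    while pos < end:
        length = struct.unpack_from("<Q", apk, pos)[0] if pos + 12 <= end else 0
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        (entry_id,) = struct.unpack_from("<I", apk, pos + 8)
        entries.append((entry_id, length - 4))
        pos += 8 + length
    return entries

def build_sample_apk(pairs):
    """Constructed input: signing block + empty Central Directory + EOCD."""
    body = b"".join(struct.pack("<QI", len(v) + 4, i) + v for i, v in pairs)
    size = len(body) + 24        # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(block), 0)
    return block + eocd

if __name__ == "__main__":
    # 0x12345678 is a constructed ID, not a real Play metadata identifier.
    sample = build_sample_apk([(0x7109871A, bytes(10)), (0x12345678, b"meta")])
    for entry_id, n in signing_block_entries(sample):
        print(f"0x{entry_id:08x} {KNOWN_IDS.get(entry_id, 'unrecognised')} ({n} bytes)")
```

Entries with unrecognised IDs are ignored by verifiers that do not know them, which is how extra metadata can sit beside the v2/v3 signature blocks.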
Their point is that you should target the latest major release.
Ideally you should target the latest release, period.
I don't really care if an app targets 26 instead of 27 though. If an app targets 20 though, I definitely resent that a lot.
Different settings in your build.gradle ;) You can target 27 while still supporting 15.
You can target the very latest API version, while still being compatible with whatever API version you want.