Android 14 Set To Block Certain Outdated Apps From Being Installed

To help reduce the potential for malware, Android 14 will begin fully blocking the installation of apps that target outdated versions of Android. 9to5Google reports: For years now, the guidelines for the Google Play Store have ensured that Android developers keep their apps updated to use the latest features and safety measures of the Android platform. Just this month, the guidelines were updated, requiring newly listed Play Store apps to target Android 12 at a minimum. Up to this point, these minimum API level requirements have only applied to apps that are intended for the Google Play Store. Should a developer wish to create an app for an older version, they can do so and simply ask their users to sideload the APK file manually. Similarly, if an Android app hasn’t been updated since the guidelines changed, the Play Store will continue serving the app to those who have installed it once before.

According to a newly posted code change, Android 14 is set to make API requirements stricter, entirely blocking the installation of outdated apps. This change would block users from sideloading specific APK files and also block app stores from installing those same apps. Initially, Android 14 devices will only block apps that target especially old Android versions. Over time though, the plan is to increase the threshold to Android 6.0 (Marshmallow), with Google having a mechanism to “progressively ramp [it] up.” That said, it will likely still be up to each device maker to decide the threshold for outdated apps or whether to enable it at all. The report notes that it’ll still be possible to install an outdated version of an app “through a command shell, by using a new flag.”

Read more of this story at Slashdot.

Android 13 Is Running On 5.2% of All Devices Five Months After Launch

According to the latest official Android distribution numbers from Google, Android 13 is running on 5.2% of all devices less than six months after launch. 9to5Google reports: According to Android Studio, devices running Android 13 now account for 5.2% of all devices. Meanwhile Android 12 and 12L now account for 18.9% of the total, a significant increase from August’s 13.5% figure. Notably, while Google’s chart does include details about Android 13, it doesn’t make a distinction between Android 12 and 12L. Looking at the older versions, we see that usage of Android Oreo has finally dropped below 10%, with similar drops in percentage down the line. Android Jelly Bean, which previously weighed in at 0.3%, is no longer listed, while KitKat has dropped from 0.9% to 0.7%. Android 13’s 5.2% distribution number “is better than it sounds,” writes Ryan Whitwam via ExtremeTech: These numbers show an accelerating pickup for Google’s new platform versions. If you look back at stats from the era of Android KitKat and Lollipop, the latest version would only have a fraction of this usage share after half a year. That’s because the only phones running the new software would be Google’s Nexus phones, plus maybe one or two new devices from OEMs that worked with Google to deploy the latest software as a marketing gimmick.

The improvements are thanks largely to structural changes in how Android is developed and deployed. For example, Project Treble was launched in 2017 to re-architect the platform, separating the OS framework from the low-level vendor code. This made it easier to update devices without waiting on vendors to provide updated drivers. We saw evidence of improvement that very year, and it’s gotten better ever since.

Read more of this story at Slashdot.

Google Reports Decline In Android Memory Safety Vulnerabilities As Rust Usage Grows

Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company provided an update, while highlighting the decline in memory safety vulnerabilities. 9to5Google reports: Google says the “number of memory safety vulnerabilities have dropped considerably over the past few years/releases.”; Specifically, the number of annual memory safety vulnerabilities fell from 223 to 85 between 2019 and 2022. They are now 35% of Android’s total vulnerabilities versus 76% four years ago. In fact, “2022 is the first year where memory safety vulnerabilities do not represent a majority of Android’s vulnerabilities.”

That count is for “vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through our vulnerability rewards program (VRP) and vulnerabilities reported internally.” During that period, the amount of new memory-unsafe code entering Android has decreased: “Android 13 is the first Android release where a majority of new code added to the release is in a memory safe language. ”

Rust makes up 21% of all new native code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android’s Virtualization framework (AVF), and “various other components and their open source dependencies.” Google considers it significant that there have been “zero memory safety vulnerabilities discovered in Android’s Rust code” so far across Android 12 and 13. Google’s blog post today also talks about non-memory-safety vulnerabilities, and its future plans: “… We’re implementing userspace HALs in Rust. We’re adding support for Rust in Trusted Applications. We’ve migrated VM firmware in the Android Virtualization Framework to Rust. With support for Rust landing in Linux 6.1 we’re excited to bring memory-safety to the kernel, starting with kernel drivers.

Read more of this story at Slashdot.

Android’s App Store Privacy Section Starts Rolling Out Today

An anonymous reader quotes a report from Ars Technica: Following in the footsteps of iOS 14, Google is rolling out an app privacy section to the Play Store on Tuesday. When you look up an app on the Play Store, alongside sections like “About this app” and “ratings and reviews,” there will be a new section called “Data privacy & security,” where developers can explain what data they collect. Note that while the section will be appearing for users starting today, it might not be filled out by developers. Google’s deadline for developers to provide privacy information is July 20. Even then, all of this privacy information is provided by the developer and is essentially working on the honor system.

Here’s how Google describes the process to developers: “You alone are responsible for making complete and accurate declarations in your app’s store listing on Google Play. Google Play reviews apps across all policy requirements; however, we cannot make determinations on behalf of the developers of how they handle user data. Only you possess all the information required to complete the Data safety form. When Google becomes aware of a discrepancy between your app behavior and your declaration, we may take appropriate action, including enforcement action.”

Once the section is up and running, developers will be expected to list what data they’re collecting, why they’re collecting it, and who they’re sharing it with. The support page features a big list of data types for elements like “location,” “personal info,” “financial info,” “web history,” “contacts,” and various file types. Developers are expected to list their data security practices, including explaining if data is encrypted in transit and if users can ask for data to be deleted. There’s also a spot for “Google Play’s Families Policy” compliance, which is mostly just a bunch of US COPPA and EU GDPR requirements. Google says developers can also indicate if their app has “been independently validated against a global security standard.”

Read more of this story at Slashdot.

Volla Phone 22 Runs Ubuntu Touch Or a Privacy-Focused Android Fork Or Both

The Volla Phone 22, a new smartphone available for preorder via a Kickstarter campaign, is unlike any other smartphone on the market today in that it ships with a choice of the Android-based Volla OS or the Ubuntu Touch mobile Linux distribution. “It also supports multi-boot functionality, allowing you to install more than one operating system and choose which to run at startup,” writes Liliputing’s Brad Linder. Some of the hardware specs include a 6.3-inch FHD+ display, a MediaTek Helio G85 processor, 4GB of RAM, 128GB storage, 3.5mm audio jack and a microSD card reader. There’s also a 48-megapixel main camera sensor and replaceable 4,500mAh battery. From the report: While Volla works with the folks at UBPorts to ensure its phones are compatible with Ubuntu Touch, the company develops the Android-based Volla OS in-house. It’s based on Google’s Android Open Source Project code, but includes a custom launcher, user interface, and set of apps with an emphasis on privacy. The Google Play Store is not included, as this is a phone aimed at folks who want to minimize tracking from big tech companies. Other Google apps and services like the Chrome web browser, Google Maps, Google Drive, and Gmail are also omitted. The upshot is that no user data is collected or stored by Volla, Google, or other companies unless you decide to install apps that track your data. Of course, that could make using the phone a little less convenient if you’ve come to rely on those apps, so the Volla Phone might not be the best choice for everyone.

Volla OS also has a built-in user-customizable firewall, an App Locker feature for disabling and hiding apps, and optional support for using the Hide.me VPN for anonymous internet usage. The source code for Volla OS is also available for anyone that wants to inspect the code. The operating system also has a custom user interface including a Springboard that allows you to quickly launch frequently-used apps by pressing a red dot for a list, or by starting to type in a search box for automatic suggestions such as placing a phone call, sending a text message, or opening a web page. You can also create notes or calendar events from the Springboard or send an encrypted message with Signal. The phone is expected to ship in June at an early bird price of about $408.

Read more of this story at Slashdot.

Android’s Messages, Dialer Apps Quietly Sent Text, Call Info To Google

Google’s Messages and Dialer apps for Android devices have been collecting and sending data to Google without specific notice and consent, and without offering the opportunity to opt-out, potentially in violation of Europe’s data protection law. From a report: According to a research paper, “What Data Do The Google Dialer and Messages Apps On Android Send to Google?” [PDF], by Trinity College Dublin computer science professor Douglas Leith, Google Messages (for text messaging) and Google Dialer (for phone calls) have been sending data about user communications to the Google Play Services Clearcut logger service and to Google’s Firebase Analytics service.

“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” the paper says. “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.” The timing and duration of other user interactions with these apps has also been transmitted to Google. And Google offers no way to opt-out of this data collection. […] Both pre-installed versions of these apps, the paper observes, lack app-specific privacy policies that explain what data gets collected — something Google requires from third-party developers. And when a request was made through Google Takeout for the Google Account data associated with the apps used for testing, the data Google provided did not include the telemetry data observed.

Read more of this story at Slashdot.

Google’s Messages App Can Now Handle iMessage Reactions

Google is updating the default “Messages” app to include a number of new features, such as the ability to handle iMessage “Tapbacks.” TechCrunch reports: Other coming updates include nudges to remind you to reply to messages you missed, separate tabs for business and personal messages, reminders about birthdays you may want to celebrate, support for sharper videos via a Google Photos integration and an expanded set of emoji mashups, among other things. After the update, reactions from iPhone users will be sent as an emoji on text messages on Android. As on iMessage, the emoji reaction — like love, laughter, confusion or excitement — will appear on the right side of the message. (On Android, it’s the bottom right.) This feature is first rolling out to Android devices set to English, but additional languages will follow. […] Android’s interpretation of which emoji to use varies slightly from iPhone, however. For instance, the “heart” reaction on Android becomes the “face with the heart eyes” emoji. And the iMessage’s exclamation mark reaction becomes the “face with the open mouth” emoji.

Google is also integrating Google Photos into the Message app to improve the video sharing experience. While the modern RCS standard allows people with Android devices to share high-quality videos with each other, those same videos appear blurry when shared with those on iPhone, as iMessage doesn’t support RCS. By sending the link to the video through Google Photos, iPhone users will be able to watch the video in the same high resolution. This feature will later include support for photos, too. This addition aims to push Apple to adopt the industry standard by shaming the company over video quality.

Read more of this story at Slashdot.