Tag Archives: Android

Trust but verify attestation with revocation

Posted by Rob Barnes & Shawn Willden, Android Security & Privacy Team

Billions of people rely on their Android-powered devices to securely store their sensitive information. A vital component of the Android security stack is the key attestation system. Android devices since Android 7.0 are able to generate an attestation certificate that attests to the security properties of the device’s hardware and software. OEMs producing devices with Android 8.0 or higher must install a batch attestation key provided by Google on each device at the time of manufacturing.

These keys might need to be revoked for a number of reasons including accidental disclosure, mishandling, or suspected extraction by an attacker. When this occurs, the affected keys must be immediately revoked to protect users. The security of any Public-Key Infrastructure system depends on the robustness of the key revocation process.

All of the attestation keys issued so far include an extension that embeds a certificate revocation list (CRL) URL in the certificate. We found that the CRL (and online certificate status protocol) system was not flexible enough for our needs. So we set out to replace the revocation system for Android attestation keys with something that is flexible and simple to maintain and use.

Our solution is a single TLS-secured URL (https://android.googleapis.com/attestation/status) that returns a list containing all revoked Android attestation keys. This list is encoded in JSON and follows a strict format defined by JSON schema. Only keys that have non-valid status appear in the list, so it is not an exhaustive list of all issued keys.

This system allows us to express more nuance about the status of a key and the reason for the status. A key can have a status of REVOKED or SUSPENDED, where revoked is permanent and suspended is temporary. The reason for the status is described as either KEY_COMPROMISE, CA_COMPROMISE, SUPERSEDED, or SOFTWARE_FLAW. A complete, up-to-date list of statuses and reasons can be found in the developer documentation.

The CRL URLs embedded in existing batch certificates will continue to operate. Going forward, attestation batch certificates will no longer contain a CRL extension. The status of these legacy certificates will also be included in the attestation status list, so developers can safely switch to using the attestation status list for both current and legacy certificates. An example of how to correctly verify Android attestation keys is included in the Key Attestation sample.
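The check a relying server would run against the status list, as an added example (not code from the post or from the Key Attestation sample). The post does not show the JSON layout, so the top-level `entries` object keyed by certificate serial number in hex is an assumption, the function names are hypothetical, and the sample list is constructed.

```python
import json
import urllib.request

STATUS_URL = "https://android.googleapis.com/attestation/status"  # URL given in the post
KNOWN_STATUSES = {"REVOKED", "SUSPENDED"}
KNOWN_REASONS = {"KEY_COMPROMISE", "CA_COMPROMISE", "SUPERSEDED", "SOFTWARE_FLAW"}

# Constructed sample, not real revocation data. Assumed layout: an "entries"
# object keyed by certificate serial number in hex.
SAMPLE_STATUS_LIST = json.loads("""
{
  "entries": {
    "1a2b3c4d5e6f7081": {"status": "REVOKED", "reason": "KEY_COMPROMISE"},
    "0badc0ffee123456": {"status": "SUSPENDED", "reason": "SOFTWARE_FLAW"},
    "feedface00000001": {"status": "QUARANTINED", "reason": "UNSPECIFIED"}
  }
}
""")


def fetch_status_list(url=STATUS_URL, timeout=10):
    """Download the current list over TLS (not called by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def normalize_serial(serial):
    """Map an int or a hex string (any case, optional 0x or colons) to one form."""
    if isinstance(serial, int):
        return format(serial, "x")
    text = serial.strip().lower().replace(":", "")
    if text.startswith("0x"):
        text = text[2:]
    return text.lstrip("0") or "0"


def check_chain(chain_serials, status_list):
    """Return one finding per certificate in the chain that appears in the list.

    Every certificate in the attestation chain is checked, not only the leaf,
    because a revoked batch or intermediate key taints everything below it.
    Signature and validity checks on the chain itself are out of scope here.
    """
    entries = status_list.get("entries") if isinstance(status_list, dict) else None
    if not isinstance(entries, dict):
        # Fail closed: a list we cannot parse must not read as "nothing revoked".
        raise ValueError("status list is missing the 'entries' object")

    index = {normalize_serial(key): value for key, value in entries.items()}
    findings = []
    for position, serial in enumerate(chain_serials):
        key = normalize_serial(serial)
        if key not in index:
            continue  # only keys with a non-valid status are listed
        entry = index[key] if isinstance(index[key], dict) else {}
        status = entry.get("status")
        reason = entry.get("reason")
        findings.append({
            "position": position,
            "serial": key,
            "status": status,
            "reason": reason,
            # REVOKED is permanent; SUSPENDED is temporary and may clear later.
            "permanent": status == "REVOKED",
            # Values outside the documented sets still count as a listing.
            "recognized": status in KNOWN_STATUSES
                          and (reason is None or reason in KNOWN_REASONS),
        })
    return findings


def chain_is_trusted(chain_serials, status_list):
    """A chain passes only when none of its certificates is listed at all."""
    return not check_chain(chain_serials, status_list)


if __name__ == "__main__":
    # Constructed chain: leaf, batch certificate, root (serials are made up).
    chain = [0x1111, "1A:2B:3C:4D:5E:6F:70:81", 0x2222]
    for finding in check_chain(chain, SAMPLE_STATUS_LIST):
        print(finding)
    print("trusted:", chain_is_trusted(chain, SAMPLE_STATUS_LIST))
```

Any listed serial rejects the chain, including entries whose status or reason is not one of the values named in the post, since the list of values can grow.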

Expand your app beyond mobile to reach Android users at large

Posted by Sameer Samat, Vice President, Platforms & Ecosystems


From day one, we designed Android to be a flexible, adaptive platform.

Most people picture a smartphone when they think of Android, but Android also powers an amazing number of large-screen devices. In fact, there are more than 175 million Android tablets with the Google Play store [1], making Android tablets a vital form factor for Google and our OEM partners today. Android apps also run on Chrome OS laptops, and the number of monthly active users who enabled Android apps grew 250% in just the last year [2].

Here at Google, we’re excited to see how you can take advantage of large-screen formats - including Samsung’s new Galaxy Tab S6, the upcoming Lenovo™ Smart Tab M8 with Google Assistant, the upcoming Samsung Fold, and other devices launching this week at IFA. Our OEM partners are building experiences that help users every day:


From the start, Android was designed as a platform that could handle multiple screen sizes. Over the years, we’ve continued to add functionality for developers to accommodate new devices and form factors.

  • We started with a phone. Developers could write Android apps that would work on phones of all sizes, all over the world. Part of what made this work was Android’s resource and layout system, which enabled applications to smoothly adapt to different screen sizes.
  • In Android 3.0 Honeycomb, we added support for tablets. In particular, capabilities like Fragments allow you to create applications that work across vastly different form factors.
  • Android 7 Nougat brought multi-window and multi-display capabilities, including the ability to drag-and-drop across apps. Meanwhile, Chrome OS added the capability to run Android applications on laptops. With some adjustments to handle different inputs and windowing dynamics, you could now reach app users in a desktop-style environment.
Android’s layout system helps applications smoothly resize and adjust their layout interactively.


  • Now, in Android 10, we’ve made even more enhancements for development on large screens. We’ve improved multi-window capabilities, making it easier to use multiple apps in parallel. We also continued improving multi-display support, enabling more multi-monitor use cases. And we made it easy for you to experiment and test new form factors by adding a dedicated emulator for foldables as well as publishing a foldables guide.

By optimizing your app to take advantage of different form factors, developers have an opportunity to deliver richer, more engaging experiences to millions of users on larger screens. And if you don’t have access to physical devices, the Android Emulator supports all of the form factors mentioned above, from Chrome OS to phones and tablets.


Developers of apps like Mint, Evernote, and Asphalt are just a few who have seen success from taking their existing APK to larger screens.


To learn more about optimizing your Android apps for richer experiences on tablets, Chrome OS laptops, foldables, and more, join us at the Android Developer Summit on October 23-24 — either in person or via the livestream — or check out our recap videos on YouTube.

Sources:

[1] The number of tablets only accounts for devices that have the Google Play Store installed (for example, this excludes tablets in China); the actual number of tablets capable of running Android applications is much larger.

[2] Google Internal Data, March 2018 to March 2019.

A new way to pay on Google Play Store — via UPI

The Google Play Store helps people find their favorite apps, games, movies, TV shows, music, books and more, on the device of their choice. With more than 2 billion active users in 190+ countries around the world, Play is also an important distribution platform for developers to build a global audience.


Indian app developers are already building successful businesses on the Google Play Store, offering a range of great apps across categories, and we are committed to helping them grow. One way to make this happen is to make it even easier for people to pay for apps and in-app content, which is why we are pleased to add Unified Payment Interface (UPI) as a new payment method to the existing roster of credit or debit card, net banking, direct carrier billing, and gift cards options.
UPI has grown over 50 times since its launch in August 2017, clocking 918 million transactions in August 2019 alone. As a payment system that enables transfers directly from one bank account to another, its ease and convenience have helped it outpace all other forms of digital payment in India. Users across the country are now choosing UPI for everything from utility bill payments and mobile recharges to in-store transactions and much more, and we’re pleased to bring its convenience to millions of users on Google Play.


Over the next few weeks on the Play Store in India, UPI will show up as a new payment option for purchasing apps, games, and in-app content using your preferred UPI app including BHIM, Google Pay, Paytm and PhonePe. Simply link your UPI ID (VPA or Virtual Payment Address) in Google Play Store Billing, and use your bank account to conveniently make app and in-app purchases.


The addition of UPI as a payment option on the Google Play Store allows even more people to enjoy premium apps, games, and in-app content, while helping developers and creators reach a wider audience for their apps and content.

Posted by Saurabh Agarwal, Head of Google Play Retail & Payments Activation - India, Vietnam & New Zealand

10 things to know about Android 10



Android 10 is here! With this release, we focused on making your everyday life easier with features powered by on-device machine learning, as well as supporting new technologies like Foldables and 5G. At the same time, with almost 50 changes related to privacy and security, Android 10 gives you greater protection, transparency, and control over your data. This builds on top of our ongoing commitment to provide industry-leading security and privacy protections on Android. We also built new tools that empower people of all abilities, and help you find the right balance with technology.

Here are the 10 things you should know, centered on innovation, security and privacy and digital wellbeing: 

Simpler, smarter, and more helpful



1. Smart Reply now suggests actions. So when someone sends you a message with an address or a YouTube video, you can open and navigate in Google Maps or open up the video in YouTube—no copying and pasting required. And Smart Reply now works across all your favorite messaging apps.
2. Come to the dark side… with Dark Theme. You can enable Dark Theme for your entire phone or for specific apps like Photos and Calendar. It’s easier on your eyes, and your phone battery too. 
3. Take advantage of larger, edge-to-edge screens with the new gesture navigation. With simple swipes, you can go backwards, pull up the homescreen, and fluidly move between tasks. After switching, you won’t want to go back to visible buttons. 
4. With a single tap, Live Caption will automatically caption videos, podcasts and audio messages across any app—even stuff you record yourself. Live Caption will become available this fall, starting with Pixel.

New privacy and security features put you in control

5. You can choose to only share location data with apps while you’re using them. You’ll also receive reminders when an app that you are not actively using is accessing your location, so you can decide whether or not to continue sharing. 
6. In a new Privacy section under Settings, you’ll find important controls like Web & App Activity and Ad Settings in one place. 
7. With Google Play system updates, important security and privacy fixes can now be sent to your phone from Google Play, in the same way your apps update. So you get these fixes as soon as they’re available, without having to wait for a full OS update. 

Find the right balance with technology for you and your family

8. You have greater control over where and when notifications will alert you. Mark notifications as “Silent” and they won’t make noise or appear on your lockscreen, so you're only alerted by notifications when you want to be.
9. Now Family Link is part of every device running Android 9 or 10, right in settings under Digital Wellbeing. Parents can use these tools to set digital ground rules like daily screen time limits, device bedtime, time limits on specific apps, and more. They can also review the apps children install on their devices, as well as their usage.
10. Want to be in the zone but not off the grid? Digital Wellbeing now brings you Focus mode. Select the apps you find distracting—such as email or the news—and silence them until you come out of Focus mode. Sign up for the Beta to try it.
There’s lots more in Android 10, including a new enterprise feature that lets you use different keyboards for your personal and work profiles, app timers for specific websites so you can balance your time on the web, new gender-inclusive emoji, and support for direct audio streaming to hearing aid devices. 
Android 10 begins rolling out to Pixel phones today, and we’re working with our partners to launch and upgrade devices to Android 10 this year. Learn more at android.com/10.


Posted by Dave Burke, VP of Engineering

See encryption status and security patch level for devices with basic mobile management

What’s changing 

We will now show more information about devices with basic mobile management in the G Suite Admin console. Specifically, admins will now be able to see the encryption state and the security patch level for Android devices. Previously, this information was only available for devices with advanced mobile management.

Who’s impacted 

Admins only

Why you’d use it 

Encryption state and security patch level are important pieces of information for assessing device security. There is less risk of a data leak from a lost or stolen mobile device if that device is encrypted and password protected. Devices with more recent security patch levels are typically less susceptible to attacks than devices with older patch levels.

By making this information available for more devices, we hope you can better understand potential security vulnerabilities, better track the progress of security improvement initiatives, and make access-level decisions and rules to help ensure data is secure in your organization.

How to get started 




Additional details 

Encryption status is available for Android devices with API level 11 (Android 3.0) and up, and security patch level is available for Android devices with API level 23 (Android M) and up.

  • You can see both encryption status and security patch level on the device detail page for each device in the Admin console. This is available to all G Suite customers. 
  • You can also see the security patch level in the devices audit logs at Admin console > Reports > Devices. Note that the devices audit log is only available to G Suite Business, G Suite Enterprise, and G Suite Enterprise for Education domains. 
  • You can set up rules based on this information to automate mobile management tasks




Helpful links 



Availability 

Rollout details 

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on September 3, 2019 
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on September 3, 2019 


G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default.



Welcoming Android 10!

Posted by Stephanie Cuthbertson, Senior Director of Product Management, Android

After more than a year of development and months of testing by early adopters, we’re ready to introduce Android 10 to the world!


Android 10 is built around three important themes. First, Android 10 is shaping the leading edge of mobile innovation with advanced machine-learning and support for emerging devices like foldables and 5G enabled phones. Next, Android 10 has a central focus on privacy and security, with almost 50 features that give users greater protection, transparency, and control. Finally, Android 10 expands users' digital wellbeing controls so individuals and families can find a better balance with technology.

Today we're releasing the Android 10 source code to Android Open Source Project (AOSP) and making it available to the broader ecosystem. We’re also starting the official Android 10 rollout to all three generations of Pixel devices worldwide. Many partner devices, including those in the Beta program, will receive the update by the end of the year.

Thank you for your support during this year’s Beta -- more than 200,000 of you tested early releases on 26 different Beta devices, reporting 20,000 unique issues. That’s on top of the many articles, discussions, surveys, and in-person meetings where you voiced your thoughts, and the work you did to make your apps compatible by today’s release. Your support and engagement are what make Android such an amazing platform. Together with our OEM partners you’ve created more excitement for this Android release than we’ve ever had. In fact, Android 10 will be available on more devices than any other previous release. Android is fortunate to have such a passionate community!

To get started developing for Android 10, visit developer.android.com/10.

What’s in Android 10?

Here’s a look at what’s in Android 10 and how you can use it today. Make sure to check out our Keyword blog for more too!

Innovation and new experiences

With Android 10 you can take advantage of the latest hardware and software innovations to build amazing app experiences for users.

Foldables - Building on robust multi-window support, Android 10 extends multitasking across app windows and provides screen continuity to maintain your app state as the device folds or unfolds. For details on how to optimize your apps for foldables, see the developer guide.

5G networks promise to deliver consistently faster speeds and lower latency, and Android 10 adds platform support for 5G and extends existing APIs to help you take advantage of these enhancements. You can use connectivity APIs to detect if the device has a high bandwidth connection and check whether the connection is metered. With these, your apps and games can tailor rich, immersive experiences to users over 5G.

Live Caption automatically captions media playing on users’ devices, from videos to podcasts and audio messages, across any app. The ML speech models run right on the phone, and no audio stream ever leaves the device. For developers, Live Caption is optional, but expands the audience for your apps and games by making your content more accessible with a single tap. Live Caption is coming to Pixel devices this fall, and we’re working closely with our partners to launch it broadly on devices running Android 10.

Smart Reply in notifications - Android 10 uses on-device ML to suggest contextual actions in notifications, such as smart replies for messages or opening a map for an address in the notification. We’ve built this feature with user privacy in mind, keeping the ML processing completely on the device. Your apps can take advantage of this feature right away, or you can opt-out if you’d rather generate your own suggestions.


Smart Reply can suggest actions based on notification content.

Dark theme - Android 10 adds a system-wide dark theme that’s ideal for low light and helps save battery. You can build a custom dark theme for your app or let the system create one dynamically from your current theme. See the developer guide for details.


Dark theme in Google Keep

Gesture navigation - Android 10 introduces a fully gestural navigation mode that eliminates the navigation bar area and allows apps to use the full screen to deliver richer, more immersive experiences. Get started optimizing your app today.


Gesture navigation gives apps the full screen for content

Privacy for users

Privacy is a central focus in Android 10, from stronger protections in the platform to new features designed with privacy in mind. Building on previous releases, Android 10 includes extensive changes to protect privacy and give users control, with improved system UI, stricter permissions, and restrictions on what data apps can use. See the Android 10 developer site for details on how to support these in your apps.

Giving users more control over location data - Users have more control over their location data through a new permission option -- they can now allow an app to access location only while the app is actually in use (running in the foreground). For most apps this provides a sufficient level of access, while for users it’s a big improvement in transparency and control. To learn more about location changes, see the developer guide or our blog post.


Protecting location data in network scans - Most of the APIs for scanning networks already required the coarse location permission. Android 10 increases the protection around those APIs by requiring the fine location permission instead.

Preventing device tracking - Apps can no longer access non-resettable device identifiers that could be used for tracking, including device IMEI, serial number, and similar identifiers. The device's MAC address is also randomized when connected to Wi-Fi networks by default. Read the best practices to help you choose the right identifiers for your use case, and see the details here.

Securing user data in external storage - Android 10 introduces a number of changes to give users more control over files in external storage and the app data within them. Apps can store their own files in their private sandboxes, but must use MediaStore to access shared media files and use the system file picker to access shared files in the new Downloads collection. Learn more here.

Blocking unwanted interruptions - Android 10 prevents app launches from the background that unexpectedly jump into the foreground and take over focus from another app. Learn more here.

Security

On Android we’re always working to assess our ongoing security investments; we refer to this as measurable security. One way we measure our ongoing investments is through third party analyst research such as Gartner’s May 2019 Mobile OSs and Device Security: A Comparison of Platforms report (subscription required) which scored Android the highest possible rating in 26 out of 30 categories, ahead on multiple points from authentication to network security and malware protection. Read more about our long-term work on Security in Quantifying Measurable Security. But there is no finish line when it comes to Security. In Android 10, we’ve introduced even more features to keep users secure through advances in encryption, platform hardening, and authentication.

Storage encryption - All compatible devices launching with Android 10 are required to encrypt user data, and to make this more efficient, Android 10 includes Adiantum, our new encryption mode.

TLS 1.3 by default - Android 10 also enables TLS 1.3 by default, a major revision to the TLS standard with performance benefits and enhanced security.

Platform hardening - Android 10 also includes hardening for several security-critical areas of the platform, and updates to the BiometricPrompt framework with robust support for face and fingerprint in both implicit and explicit authentication. Read more about Android 10 security updates here.

Camera and media

Dynamic depth for photos - Apps can now request a Dynamic Depth image, which consists of a JPEG, XMP metadata for depth-related elements, and a depth and confidence map embedded in the same file. These let you offer specialized blurs and bokeh options in your app. Dynamic Depth is an open format for the ecosystem and we're working with our partners to bring it to devices running Android 10 and later.


With Dynamic Depth image you can offer specialized blurs and bokeh options in your app

Audio playback capture - Now any app that plays audio can let other apps capture its audio stream using a new audio playback capture API. In addition to enabling captioning and subtitles, the API lets you support popular use-cases like live-streaming games. We’ve built this new capability with privacy and copyright protection in mind, so the ability for an app to capture another app's audio is constrained. Read more in our blog post.

New audio and video codecs - Android 10 adds support for the open source video codec AV1, which allows media providers to stream high quality video content to Android devices using less bandwidth. In addition, Android 10 supports audio encoding using Opus - an open, royalty-free codec optimized for speech and music streaming, and HDR10+ for high dynamic range video on devices that support it.

Native MIDI API - For apps that perform their audio processing in C++, Android 10 introduces a native MIDI API to communicate with MIDI devices through the NDK. This API allows MIDI data to be retrieved inside an audio callback using a non-blocking read, enabling low latency processing of MIDI messages. Give it a try with the sample app and source code here.

Vulkan everywhere - Vulkan 1.1 is now a requirement on all 64-bit devices running Android 10 and higher, and a recommendation for all 32-bit devices. We already see significant momentum on Vulkan support in the ecosystem - among devices running Android N or above, over half support Vulkan 1.0.3 or better. With the new requirement in Android 10, we expect to see adoption rise even further in the coming year.

Connectivity

Improved peer-to-peer and internet connectivity - We’ve refactored the Wi-Fi stack to improve privacy and performance, and also to improve common use-cases like managing IoT devices and suggesting internet connections -- without requiring the location permission. The network connection APIs make it easier to manage IoT devices over local Wi-Fi, for peer-to-peer functions like configuring, downloading, or printing. The network suggestion APIs let apps surface preferred Wi-Fi networks to the user for internet connectivity.

Wi-Fi performance modes - Apps can now request adaptive Wi-Fi by enabling high performance and low latency modes. These can be a great benefit where low latency is important to the user experience, such as real-time gaming, active voice calls, and similar use-cases. The platform works with the device firmware to meet the requirement with the lowest power consumption.

Android foundations

ART optimizations - Improvements in the ART runtime help your apps start faster, consume less memory, and run smoother -- without requiring any work from you. ART profiles delivered by Google Play let ART pre-compile parts of your app even before it's run. At runtime, Generational Garbage Collection makes garbage collection more efficient in terms of time and CPU, reduces jank, and helps apps run better on lower-end devices.


This chart shows the percentage improvement in startup time for specific apps when tested using Play profiles.

Neural Networks API 1.2 - We’ve added 60 new operations including ARGMAX, ARGMIN, quantized LSTM, alongside a range of performance optimizations. This lays the foundation for accelerating a much greater range of models -- such as those for object detection and image segmentation. We’re working with hardware vendors and popular machine learning frameworks such as TensorFlow to optimize and roll out support for NNAPI 1.2.

Faster updates, fresher code

With Android 10 we’re continuing our focus on bringing the new platform to devices more rapidly, working closely with our device-makers and silicon partners like Qualcomm. Project Treble has played a key role, helping us bring 18 partner devices into this year’s Beta program along with 8 Pixel devices -- more than double the number from last year. Even better, we expect those devices to get the official Android 10 update by the end of this year, and we’re working with several partners on other new flagship launches and updates. We’re seeing great momentum with Android 10 already, and more devices than any other previous Android release will be getting this new version in the months ahead.

Android 10 is also the first release to support Project Mainline (officially called Google Play system updates), our new technology for securing Android users and keeping their devices fresh with important code changes - direct from Google Play. With Google Play system updates, we’re able to update specific internal components across all devices running Android 10 and higher, without requiring a full system update from the device manufacturer. We’re expecting to bring the first updates to consumer devices over the next several months.

For developers, we expect these updates in Android 10 to help drive consistency of platform implementation broadly across devices, and over time bring greater uniformity that will reduce your development and testing costs.

Get your apps ready for Android 10!

Now with today’s public release of Android 10 and updates coming soon to devices, we’re asking all Android developers to update your current apps for compatibility as soon as possible to give your users a smooth transition to Android 10.

Here’s how to do it:

  • Install your app on Android 10: Install your current app from Google Play onto a Pixel or other device running Android 10 or an emulator, then test. Your app should look great and run well, with full functionality, and handle all of the Android 10 behavior changes properly. Watch for impacts from privacy changes, gesture navigation, changes to dynamic linker paths for Bionic libraries, and others.
  • Test with the Android 10 privacy features, such as the new location permissions, scoped storage, restrictions on background activity starts, changes to data and identifiers, and others. See the checklist of top privacy changes to get started, and review the privacy changes doc for more areas to test.
  • Test for uses of restricted non-SDK interfaces and move to public SDK or NDK equivalents instead. Details here.
  • Test the libraries and SDKs in your app: If you find an issue, try updating to the latest version of the SDK, or reach out to the SDK developer for help.
  • Update and publish your compatible app: When you’ve finished your testing and made any updates, we recommend publishing your compatible app right away. This helps you deliver a smooth transition to users as they update to Android 10.

Getting apps tested and ready for the new version of Android is crucial to faster platform updates throughout the ecosystem, so please prioritize this work if possible.

Enhance your app with Android 10 features and APIs

Next, when you're ready, dive into Android 10 and learn about the new features and APIs that you can use. Here are some of the top features to get started with.

We recommend these for every app:

  • Dark Theme: Ensure a consistent experience for users who enable system-wide dark theme by adding a Dark Theme or enabling Force Dark.
  • Gesture navigation: Support gesture navigation in your app by going edge-to-edge and making sure your custom gestures are complementary to the system navigation gestures.
  • Optimize for foldables: Deliver seamless experiences on today’s innovative devices by optimizing for foldables.

We recommend these if relevant for your app:

  • More interactive notifications: If your notifications include messages, enable Smart Reply in notifications to engage users and let them take action instantly.
  • Better biometrics: If you use biometric auth, move to BiometricPrompt, the preferred way to support fingerprint auth on modern devices.
  • Audio playback capture: To support captioning or gameplay recording, enable audio playback capture in your app -- it’s a great way to reach more users and make your app more accessible.
  • Better codecs: For media apps, try AV1 for video streaming and HDR10+ for high dynamic range video. For speech and music streaming, you can use Opus encoding, and for musicians, a native MIDI API is available.
  • Better networking APIs: If your app manages IoT devices over Wi-Fi, try the new network connection APIs for functions like configuring, downloading, or printing.

To read about all of the new features and changes, visit the Android 10 developer site.

To get started developing, download the official API 29 SDK and tools into Android Studio 3.5 or higher. Then follow these instructions to configure your environment.

Coming to a device near you!

Android 10 will begin rolling out today to the three generations of Pixel phones -- Pixel 3 (and 3a), Pixel 2, and even the original Pixel! All Pixel devices will get the update over the next week, including those enrolled in this year’s Beta program. If you own a Pixel device, watch for your official over-the-air update coming soon!

As always, the system images for Pixel devices are available here for manual download and flash, and you can get the latest Android Emulator system images via the SDK Manager in Android Studio. For broader testing on other Treble-compliant devices, Generic System Images (GSI) are available here.

If you're looking for the Android 10 source, you'll find it here in the Android Open Source Project repository under the Android 10 branches.

What’s next?

We'll soon be closing the Android Beta issue tracker and Feedback app, but please keep the feedback coming! You can file a new issue against Android 10 in the AOSP issue tracker.

Thanks again to the many developers and early adopters who participated in the Android Beta program this year! You gave us great feedback, and filed thousands of issues that helped us to make the Android 10 platform great for consumers and developers.

We're looking forward to seeing your apps on Android 10!

10 things to know about Android 10

Android 10 is here! With this release, we focused on making your everyday life easier with features powered by on-device machine learning, as well as supporting new technologies like Foldables and 5G. At the same time, with almost 50 changes related to privacy and security, Android 10 gives you greater protection, transparency, and control over your data. This builds on top of our ongoing commitment to provide industry-leading security and privacy protections on Android. We also built new tools that empower people of all abilities, and help you find the right balance with technology.

Here are the 10 things you should know, centered on innovation, security and privacy and digital wellbeing: 

Simpler, smarter, and more helpful

1. Smart Reply now suggests actions. So when someone sends you a message with an address or a YouTube video, you can open and navigate in Google Maps or open up the video in YouTube—no copying and pasting required. And Smart Reply now works across all your favorite messaging apps.

2. Come to the dark side… with Dark Theme. You can enable Dark Theme for your entire phone or for specific apps like Photos and Calendar. It’s easier on your eyes, and your phone battery too.

3. Take advantage of larger, edge-to-edge screens with the new gesture navigation. With simple swipes, you can go backwards, pull up the homescreen, and fluidly move between tasks. After switching, you won’t want to go back to visible buttons.

4. With a single tap, Live Caption will automatically caption videos, podcasts and audio messages across any app—even stuff you record yourself. Live Caption will become available this fall, starting with Pixel.

New privacy and security features put you in control

5. You can choose to only share location data with apps while you’re using them. You’ll also receive reminders when an app that you are not actively using is accessing your location, so you can decide whether or not to continue sharing.

6. In a new Privacy section under Settings, you’ll find important controls like Web & App Activity and Ad Settings in one place.

7. With Google Play system updates, important security and privacy fixes can now be sent to your phone from Google Play, in the same way your apps update. So you get these fixes as soon as they’re available, without having to wait for a full OS update.

Find the right balance with technology for you and your family

8. You have greater control over where and when notifications will alert you. Mark notifications as “Silent” and they won’t make noise or appear on your lockscreen, so you're only alerted by notifications when you want to be.

9. Now Family Link is part of every device running Android 9 or 10, right in settings under Digital Wellbeing. Parents can use these tools to set digital ground rules like daily screen time limits, device bedtime, time limits on specific apps, and more. They can also review the apps children install on their devices, as well as their usage.

10. Want to be in the zone but not off the grid? Digital Wellbeing now brings you Focus mode. Select the apps you find distracting—such as email or the news—and silence them until you come out of Focus mode. Sign up for the Beta to try it.

There’s lots more in Android 10, including a new enterprise feature that lets you use different keyboards for your personal and work profiles, app timers for specific websites so you can balance your time on the web, new gender-inclusive emoji, and support for direct audio streaming to hearing aid devices. 

Android 10 begins rolling out to Pixel phones today, and we’re working with our partners to launch and upgrade devices to Android 10 this year. Learn more at android.com/10.

Source: Android


Committed to a safer Google Play for Families

Posted by Kanika Sachdeva, Product Manager, Google Play

In May, we launched new Families policies to provide additional protections for children and families on Google Play. As part of this policy change, we’re requiring all developers to provide information on their app’s target audience and content via the Google Play Console by September 1st. Thanks to everyone who has completed it already. If you haven’t done so, please fill it out as soon as possible and consult our developer guide and training course for additional information.

Apps that include children in their target audience need to adhere to our new policy requirements including appropriate content, showing suitable ads (learn more), and disclosing personally identifiable information correctly. We’ve found that checking for these requirements takes longer than the normal review process, and can result in review times of up to 7 days (or longer in certain exceptional circumstances). Apps that submit inaccurate responses in the target audience and content section will also be subject to these reviews. You can find more details on Google Play’s app submission process in this Help Center article.

We respect that you are running a business and longer review times can impact how you work. Our goal is to prepare you for this change and minimize disruptions for you. These apps will be subject to extended reviews for every update, and you may need to update your processes to accommodate additional review time. Suggestions for how to best adapt to this change include submitting your app at least a week before any important launch dates and (unless urgent) avoiding resubmitting your app while it is under review.

These changes help make the Play Store safer through deeper and longer reviews, which is a tradeoff we think everyone is willing to make. Thanks for your continued support in building a positive and safe experience for all users on Google Play.


Expanding bug bounties on Google Play

Posted by Adam Bacchus, Sebastian Porst, and Patrick Mutchler — Android Security & Privacy

[Cross-posted from the Android Developers Blog]

We’re constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support. At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don’t always come from within. It is for this reason that we offer a broad range of vulnerability reward programs, encouraging the community to help us improve security for everyone. Today, we’re expanding on those efforts with some big changes to Google Play Security Reward Program (GPSRP), as well as the launch of the new Developer Data Protection Reward Program (DDPRP).

Google Play Security Reward Program Scope Increases

We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.

Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it. Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed.

To date, GPSRP has paid out over $265,000 in bounties. Recent scope and reward increases have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program.

Introducing the Developer Data Protection Reward Program

Today, we are also launching the Developer Data Protection Reward Program. DDPRP is a bounty program, in collaboration with HackerOne, meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. It recognizes the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.

The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, in a model similar to Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact, a single report could net a bounty as large as $50,000.

As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe. Happy bug hunting!
