Posted by Edward Cunningham, Android Security & Privacy Team
In a previous blog we described how API behavior changes advance the security and privacy protections of Android, and include user experience improvements that prevent apps from accidentally overusing resources like battery and memory.
Since November 2018, all app updates on Google Play have been required to target API level 26 (Android 8.0) or higher. Thanks to the efforts of thousands of app developers, Android users now enjoy more apps using modern APIs than ever before, bringing significant security and privacy benefits. For example, during 2018 over 150,000 apps added support for runtime permissions, giving users granular control over the data they share.
Today we're providing more information about the Google Play requirements for 2019, and announcing some changes that affect apps distributed via other stores.
Google Play requirements for 2019
In order to provide users with the best Android experience possible, the Google Play Console will continue to require that apps target a recent API level:
- August 2019: New apps are required to target API level 28 (Android 9) or higher.
- November 2019: Updates to existing apps are required to target API level 28 or higher.
Existing apps that are not receiving updates are unaffected and can continue to be downloaded from the Play Store. Apps can still use any
minSdkVersion, so there is no change to your ability to build apps for older Android versions.
For a list of changes introduced in Android 9 Pie, check out our page on behavior changes for apps targeting API level 28+.
Apps distributed via other stores
Targeting a recent API level is valuable regardless of how an app is distributed. In China, major app stores from Huawei, OPPO, Vivo, Xiaomi, Baidu, Alibaba, and Tencent will be requiring that apps target API level 26 (Android 8.0) or higher in 2019. We expect many others to introduce similar requirements – an important step to improve the security of the app ecosystem.
Over 95% of spyware we detect outside of the Play Store intentionally targets API level 22 or lower, avoiding runtime permissions even when installed on recent Android versions. To protect users from malware, and support this ecosystem initiative, Google Play Protect will warn users when they attempt to install APKs from any source that do not target a recent API level:
- August 2019: New apps will receive warnings during installation if they do not target API level 26 or higher.
- November 2019: New versions of existing apps will receive warnings during installation if they do not target API level 26 or higher.
- 2020 onwards: The target API level requirement will advance annually.
These Play Protect warnings will show only if the app's
targetSdkVersion is lower than the device API level. For example, a user with a device running Android 6.0 (Marshmallow) will be warned when installing any new APK that targets API level 22 or lower. Users with devices running Android 8.0 (Oreo) or higher will be warned when installing any new APK that targets API level 25 or lower.
Prior to August, Play Protect will start showing these warnings on devices with Developer options enabled to give advance notice to developers of apps outside of the Play Store. To ensure compatibility across all Android versions, developers should make sure that new versions of any apps target API level 26+.
Existing apps that have been released (via any distribution channel) and are not receiving updates will be unaffected – users will not be warned when installing them.
For advice on how to change your app’s target API level, take a look at the migration guide and this talk from I/O 2018: Migrate your existing app to target Android Oreo and above.
We're extremely grateful to the Android developers worldwide who have already updated their apps to deliver security improvements for their users. We look forward to making great progress together in 2019.