Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Android Google Operating Systems

Android 14 Preview 1 is Out, Will Officially Ban Installation of Old Apps (arstechnica.com) 48

Android 14 is here -- or the first preview is, at least. From a report: Google is kicking off the months-long developer preview process for Android's latest version, which will get a final release in the second half of the year. Even with multiple previews, Google likes to keep the final set of Android features under wraps at least until its I/O conference in May, so we can't look at the features here to determine the scope of Android 14. These are just some of the features Google wants developers to have a head start on. The biggest news is that Android 14 will block the installation of old Android apps. As Android changes over the years, new APIs and increased security, privacy, or background processing restrictions could break old apps, but Android's backward-compatibility system keeps these old apps running. Apps can declare the newest version of Android they support via a "Target SDK" flag.

To prevent old apps from breaking, new features and app restrictions in, say, Android 12 only apply to apps that target Android 12 or above. Older apps will continue to run with the older set of restrictions they're used to. (A different setting, called "Minimum SDK," determines if a new app can run on an old Android OS.) The system works great for honest developers, but if you're building a piece of malware, it's an easy decision to target a very old version of Android. While you'll get access to fewer features, you'll also be subject to fewer security and privacy restrictions. For the first time, Android 14 will close this malware loophole by simply refusing to install old apps. The cutoff point is generous enough that it shouldn't cause anyone problems; any app targeting the 8-year-old Android 6.0 or below will be blocked. Google says it picked Android 6 because it's the version that introduced runtime permissions, the allow/deny boxes that pop up asking for things like camera access. In addition, "some malware apps use a targetSdkVersion of [Android 5.1] to avoid being subjected to the runtime permission model introduced in 2015 by Android 6.0," Google said.

This discussion has been archived. No new comments can be posted.

Android 14 Preview 1 is Out, Will Officially Ban Installation of Old Apps

Comments Filter:
  • Why can't they just come up with some way to enforce new permissions anyway, and if the app can't handle it then it just crashes and that's that?

    • Why can't they just come up with some way to enforce new permissions anyway, and if the app can't handle it then it just crashes and that's that?

      Because lazy developers don't always get around to fixing the things your newer OS broke, and the user experience suffers. The average smartphone user isn't a techie, and when things are constantly crashing they'll just assume Android has become unreliable crap and will buy an iPhone instead.

    • Why can't they just come up with some way to enforce new permissions anyway, and if the app can't handle it then it just crashes and that's that?

      I believe what you're describing to millions of fans of browser plugins, is begrudgingly known as The Firefox Effect.

      Perhaps that's why others avoid that particular method of third party support.

    • One way to do it would simply be to return no data if the older app hasn't been granted permissions. Or "fake" data that tells you about the issue.

      Like with contacts, it could return one fake contact named "Enable Permissions" with the note explaining what the user has to do.

      With photos the "library" the app sees could just be a single JPG with text explaining how to enable permissions, and so on.

      This would allow older apps to keep working and permissions would be respected, without having to worry about br

      • Such a thing won't work for all permissions though. For example, if some game wants access to the user storage in order to download assets (some games used to download assets to the user storage to avoid wasting space on what once was the separate apps partition), it will try to write the data, and then the write will either fail or it will pretend-succeed but when the game tries to read the data back it will only find a single JPG and none of the data it's looking for. It's a similar thing with networking
    • Why can't they just come up with some way to enforce new permissions anyway, and if the app can't handle it then it just crashes and that's that?

      Because it's incredibly stupid to break userland apps on an OS level and because of the way permissions are designed you'd be breaking 100% of apps since basically no apps ever requested no permissions.

    • Because when the app crashes, users will blame (rightfully) on the OS, not on the app... "it worked before the upgrade, now it doesn't, upgrade was bad, never upgrade again"

      • by dbialac ( 320955 )
        There's some truth to that for sure. Sometimes it works out to your favor. When Launcher 10 started showing ads and forcing a monthly fee that I'd already bought a lifetime unlocking for. I picked up that something was up from the fatigue description and sure enough, I was right. I didn't update and haven't since. That "feature" has never disappeared.
    • by dbialac ( 320955 )
      I can't help but wonder if "improving security" is a smoke screen for "improving tracking".
  • by Insanity Defense ( 1232008 ) on Wednesday February 08, 2023 @03:59PM (#63276401)

    So if you have other hardware controlled by a phone app (Roomba, lights, heating etc) when you upgrade your phone you may no longer be able to control the hardware if the manufacturer doesn't keep the software of old hardware up to date. So TWO companies can make your other hardware obsolete while it is still fully functional. FAIL!

    • by Luckyo ( 1726890 )

      To be fair to google, this was always the case, and this is not limited to google either.

    • by AmiMoJo ( 196126 )

      From TFA:

      adb install --bypass-low-target-sdk-block FILENAME.apk

      Not ideal for most consumers who don't know what ADB is, but the option is there. Given these apps would have to have been abandoned 8 years ago to not have got an update to the minimum API version, the balance between protecting everyone from malware and screwing a few users whose 8+ year old hardware and a relatively new phone combination result in reduced functionality (their Roomba will still work, just no app for it) seems about right to me

  • Is it oooh, ... Dark Mode for the Sound control widget, and a new way to select a calendar date ?

    This and Windows 11 with the Taskbar in a different place !

    What a time to be alive.
  • by xack ( 5304745 ) on Wednesday February 08, 2023 @04:08PM (#63276427)
    Anything that is not constantly updated gets thrown in the trash. Meanwhile I can fire up an Atari emulator and play 50 year old roms.
  • You remember 8 years ago when we told you that our OS and platform was the most secure in the industry? Now, we really are. You can trust us. And if not, in another 8 years, we'll have things squared away, we promise.
  • Comment removed based on user account deletion
    • I initially hated this idea when I first started reading it, but as I started to think about the ramifications, it made me angry... that this hasn't ALREADY BEEN done. Imagine if real life worked like Android apparently does: if you're older than a law, you're not bound by it...

      Others in the thread have given a much better solution to this problem: If an old compatibility level is requested, provide a simple "all/nothing" option to either give it the data that's been requested, or give it false information. This was done with XPrivacy and PMP in that era; there's no reason Google couldn't do the same thing. It'd be an all/nothing in this case. Now, one could argue that it's not worth the development time to do this, or add some sort of sandboxing solution or such, but the point is

    • by Luckyo ( 1726890 )

      A better option would obviously be to just make this a setting you have to toggle in the OS. Just like the proper installation of apps from sources other than Play store needs to be enabled in settings now.

      Frankly, the fact that normal local installation of software is something you need to separately enable, while installation from Officially Certified And Properly Monetized Source is automatic tells you that this has nothing to do with security. It has everything to do with wanting a bigger piece of the p

  • by crow ( 16139 ) on Wednesday February 08, 2023 @04:19PM (#63276449) Homepage Journal

    What if they let older apps run, but blocked network access? How much in the way of malware would still do anything harmful without network access? Lots of legitimately older programs would then continue to run just fine, and in some cases better, as that would block ads (giving the creators an incentive to update them for once).

    Along these lines, what I really miss is having network access be a user-controllable permission. Yes, you can install a local VPN app like NetGuard that lets you do that, but it's a clunky hack solution for something that the OS should just do for you.

    • How much in the way of malware would still do anything harmful without network access?

      Absolute shitloads. Here's one example that took me a whole of 1.75seconds to come up with: malware pair, one using some old nasty security issue to exfiltrate data from sensitive apps and save it to the local device, and another that does something as innocuous as read a file from disk and upload it somewhere and would have no problem meeting the latest fancy security requirements.

  • by thegarbz ( 1787294 ) on Wednesday February 08, 2023 @04:44PM (#63276519)

    The Play Store has already made all apps that don't target API level 31 (Android 12) or newer undiscoverable. This means that if you want to install something from the Play Store the requirements are already far more restrictive than this (or API level 30 / Android 11 for wearable devices).

    A lot has changed in the security of mobile devices on a API level over the years so I'm honestly surprised it took them this long to plug the hole.

    • by AmiMoJo ( 196126 )

      Apple has been doing this for years too. Old apps get purged from the App Store, and because there is no side-loading it is impossible to back them up or re-install them any other way.

  • by Anonymous Coward

    Google is well aware that Android has two types of users:
    1. The ones who make conscious choices about what they install and run.
    2. The ones who Google (and the sellers of apps) can make money from.

    This change could protect a few more of those precious Type 2 users.
    And they don't give a shit about screwing Type 1.

  • Those cheap (Chinese) gadgets that you "control with your phone" will need to be tossed(again) You know, those, multicolor RGB light bulbs and LED strip lights. The phone conrtolled bird bath. The Smart Pet door. All the things that an app was written for ages ago and then forgotten. But good news, the manufacturer is happy to sell you a new load of gadgets that now work with Android 14.
  • put the old apps in a parallel environment with very limited capabilities. Google already has plenty of container technology in their company they could leverage. And something lightweight like nsjail [github.com], podman [github.com], or enroot [github.com] could be adapted to work if there was better integration of Binder and kernel namespaces, or at least a slow-path emulation of Binder for the legacy apps.

  • I have a bad feeling that my trusty HP 11C emulator - last updated in 2011 is going to be toast - works just fine though...
  • A sampling of 13 Android applets I like, revealed 2 needed Android 6 and 1 needed Android 9 (Microsoft Office). Everything else will run on Android 4 or Android 5.

    Most developers won't alienate their customers, so they will need to create a new product that supports Android 12-14: Expect Android software to become more expensive.

    As most slashdotters have realized, the problem isn't the software, it's Android OS automatically approving the "full internet access" permission: Which this policy, won't so

  • I have an app (Google Gesture Search) which allows you to write on the screen with your fingers (either cursive(!) or block.) It works great. It needs access to your contacts, and then maybe apps and files if you want it to also search over your installed apps or music. I've literally had it for years (a decade?), and it's the absolute FIRST app I sideload on any new Android phone. (v2.15, size: 5,347,191, SHA256: b96cf537f4a906f0eb44d16121f35ec8159218c1, target OS: Lollipop 5.0)

    any app targeting the 8-year-old Android 6.0 or below will be blocked.

    If Google doesn't want

    • Ahh, just read the article. (After the fact, but this IS slashdot, so whatever.) There *IS* a workaround, for now, according to the article:

      If you really still want to install an app that old, an ADB command line flag - "adb install --bypass-low-target-sdk-block FILENAME.apk" - will bypass the block.

"A mind is a terrible thing to have leaking out your ears." -- The League of Sadistic Telepaths

Working...