Project: Mainline aka Google Play System
updates
● Updates/security patches faster
● Delivered via Google Play
● Components
○ Media Framework Components
○ Conscrypt
Image from android-developers.googleblog.com
@ScottyAB
Slide 9
Slide 9 text
Updatablity
Privacy
Platform hardening
@ScottyAB
Slide 10
Slide 10 text
Location
Storage
Connectivity
Device Ids
and more
@ScottyAB
Slide 11
Slide 11 text
Access to Location in Background
developer.android.com/training/location/receive-location-updates
● Tri state dialog
● System reminder about access to device
location in the background
● Graceful degradation i.e handle “deny and
don't ask again”
Slide 12
Slide 12 text
Background permission
android:name="android.permission.ACCESS_BACKGROUND_LOCATION"
Must declare if targeting Q
If targets P or lower system auto adds the permission during install
developer.android.com/training/location/receive-location-updates
@ScottyAB
Location: Foreground Service
developer.android.com/preview/privacy/device-location
Remember to declare FOREGROUND_SERVICE permission if targeting
P+
● New foreground Service Type
@ScottyAB
Slide 15
Slide 15 text
Location
External Storage
Connectivity
Device Ids
and more
@ScottyAB
Slide 16
Slide 16 text
What is the big change?
● You get a filtered view into external storage
● Use the MediaStore to access files from other apps
Slide 17
Slide 17 text
Scoped storage on Q
● With READ_EXTERNAL_STORAGE
● Accessing other apps files only if there are in media collections
○ Photos -> MediaStore.Images
○ Videos -> MediaStore.Video
○ Music -> MediaStore.Audio
@ScottyAB
Slide 18
Slide 18 text
Do you need external
storage permissions?
Slide 19
Slide 19 text
@ScottyAB
Slide 20
Slide 20 text
Fixed it
Warning: Scoped storage will be required in next year's major platform release for all apps, independent of target SDK
level.
@ScottyAB
Slide 21
Slide 21 text
Scoped storage will be required in
Android R for all apps!
Slide 22
Slide 22 text
Location
Storage
Connectivity restrictions
Device Ids
and more
@ScottyAB
Slide 23
Slide 23 text
● Cannot change the connection settings programmatically
○ WifiManager.setWifiEnabled()
○ manual configuration of the list of Wi-Fi networks is now
restricted to system apps*
● Suggest WiFi networks
○ WifiManager.addNetworkSuggestions(..)
○ Listen for broadcast
WifiManager.ACTION_WIFI_NETWORK_SUGGESTION_POST_CONNECTION
@ScottyAB
Location
Storage
Connectivity
Non resettable hardware IDs
And more
@ScottyAB
Slide 26
Slide 26 text
♀ Now require READ_PRIVILEGED_PHONE_STATE
If your app targets Android Q -> SecurityException
If your app targets API level 28 or below -> null or placeholder data (if
hold READ_PHONE_STATE permission) Otherwise, a
SecurityException occurs.
Restricted access to Device serial and IMEI
@ScottyAB
Slide 27
Slide 27 text
Location
Storage
Connectivity
Device Ids
And a whole lot more...
@ScottyAB
Slide 28
Slide 28 text
TLS 1.3 supported by default in Android Q
Enhanced security
40% faster with TLS 1.3 compared to TLS 1.2
Disable TLS 1.3 (only if you need to)
○ SSLContext.getInstance("TLSv1.2")
○ SSLSocket.setEnabledProtocols(..)
@ScottyAB
Slide 29
Slide 29 text
Oh, BTW
val url = URL("https://scottyab.com")
val httpsURLConnection = url.openConnection() as HttpsURLConnection
httpsURLConnection.sslSocketFactory = null
● HttpsURLConnection.setSSLSocketFactory(null) throws an
IllegalArgumentException
@ScottyAB
Slide 30
Slide 30 text
Run embedded DEX code directly from APK
● android:useEmbeddedDex=”true” in the
● Cannot use compressed DEX code
○ Reduced performance
○ Gradle: aaptOptions { noCompress 'dex' }
@ScottyAB
Slide 31
Slide 31 text
More non-SDK interface restrictions
Are you using reflection or JNI?
More restrictions in Q! (also some whitelisted)
StrictMode.VmPolicy.Builder().detectNonSdkApiUsage()
developer.android.com/preview/non-sdk-q
@ScottyAB
Slide 32
Slide 32 text
Misc Restrictions
Background activity starts blocked
Access to clipboard data
⚠ SYSTEM_ALERT_WINDOW on Android Q Go devices
@ScottyAB
Slide 33
Slide 33 text
Encryption libraries
@ScottyAB
Slide 34
Slide 34 text
Android X: Security
● minSdk: 23 (M)
● Safe and easy to use (based on Tink)
● AES256 GCM
● Implementations
○ EncryptedFile
○ EncryptedSharedPreferences
developer.android.com/topic/security/data
@ScottyAB
Slide 35
Slide 35 text
"androidx.security:security-crypto:1.0.0-alpha02"
https://gist.github.com/scottyab/5012ab75454a777a60ec433661aafa8b
@ScottyAB
Generate the Key/Alias
Adiantum: Encryption for the Next Billion Users
● For Devices without AES hardware support
○ Android Go Devices
○ Smartwatches
○ TVs
● File/Disk encryption
● Now part of the Android platform
@ScottyAB