As of August 1, 2018, Google will be much tougher with Android app developers. New apps uploaded to the Play Store must target Android 8.0 Oreo or higher. A few months later, every update for existing apps must do the same. It may seem like a simple rule, but it will have some serious implications.
In layman terms, when an app targets a specific version of Android, it hopes that it will have this version of Android installed on your smartphone. Note that I requested in the hope and not . While the app can still run on older or newer versions of Android, some features may be missing if your phone is running an older version than expected.
On November 1, 2018, the Google Play Store will no longer allow developers to upload an app, unless the update is designed specifically for Android 8.0 or later. This is true for any app that is currently in the Play Store, and the above-mentioned deadline of August 1 is for new apps being uploaded for the first time.
The same deadlines apply to this year's Android version 9.0 next year. Each year, developers will be forced to tailor their apps to an Android version that's not older than a year. If they are not, they will not be able to upload new apps or updates to their existing apps.
Why Developers Target Older Android Versions
Backward compatibility would make you think that app developers would always do this You want to target the latest version of Android to gain access to new features, but many do not , In addition to adding features and functionality, new versions of Android also define new rules – and some of these rules may be restrictive for app developers.
To get around this, many developers have older versions of Android from a time when current rules and restrictions did not exist. Things like Oreo's new background limitations make apps more battery-friendly, while potentially reducing functionality.
An important rule introduced in 2015 was the granular authorization system of Android Marshmallow. Apps targeting this version or higher must explicitly ask the user for permission to access specific sensors and data. For example, if an app wants to use your microphone, you'll need to see a message asking if this is possible.
What this means for malware apps
There are legitimate reasons to circumvent the new rules for background restrictions and permissions prompts, but not every developer targets old Android versions with good intentions. Here, the changes affect the most on malware.
Many apps are considered malware due to abuse of permissions. For example, a flashlight app really only requires permission to access your flashlight, but some of the offers in the Play Store use the pre-marshmallow entitlement model to request access to your microphone, your location, your contact list, and more in batches. The developers of the app could monetize their software by selling this information to marketers or researchers.
These old permission requests are grouped in a popup when the app is first installed, and many users simply tap OK without reading them. Malicious developers can take advantage of people's laxity by simply targeting an old Android version before Marshmallow.
Now this is coming to an end. All new apps and updates must be targeted to Android Oreo. This means that you must manually approve all permissions requested by an app. You can simply tap Deny to prevent a suspicious app from accessing this permission. Therefore, it is much harder for malicious apps to search for irrelevant data.
The second way these changes affect malware is through the new background execution restrictions implemented in Android Oreo. In short, if an app targets Oreo and your phone runs Android 8.0 or later, it can not be run silently in the background.
When you actively use an app, it is assumed to be running in the app foreground. In this situation and in some other rare cases, the app can perform arbitrary operations – after all, use the app so that the services it performs are inherently tasks that the user has authorized.
If you use not an app that targets Oreo, Android 8.0 and later builds will assume that it is running in the background. Once it has taken a back seat, the system gives the app a few minutes to stop all running processes, but then Android stops all app processes.
For malware apps, this means they can not keep the active data connections in the background longer to "call home", nor can they run services indefinitely to monitor your activity and information about you to collect. This severely limits the behavior of Android malware applications.
Developers of malware apps simply could not update their apps to avoid compliance with these new rules. However, outdated apps typically have a lower value in Play Store search results than their updated counterparts, so fewer users see them. At least there are some new hurdles for any dodgy developer who wants to upload a new malware app.
Overall, these new rules mark a major change in the Android ecosystem. Its effects extend well beyond malware – users using newer versions of Android should see many other benefits, including better battery life, split-screen support, more apps for higher-end screens, and even improved camera quality.