In a blog post today, Google announced major upcoming changes to applications submitted to the Play Store. These changes are designed to improve security for the end user by requiring that developers target newer API levels. Furthermore, Google will also start requiring that applications that distribute native libraries also provide 64-bit versions of those libraries. These changes won't take effect until mid-2018 and mid-2019 respectively, though, so developers will have plenty of time to work on updates to address these new requirements. Let's dive a little deeper into what these changes mean for developers and end users alike.


Change #1: Targeting a Newer API Level

The most current API level is 27, which corresponds with the Android 8.1 release. Before that is API level 26 which corresponds to Android 8.0 Oreo. Starting August 2018, any new applications that are submitted to the Play Store must target at least API level 26. Furthermore, starting November 2018, updates to existing applications must also target API level 26 or higher.

These requirements aren't static, however. In 2019, Google will increment the targetSdkVersion requirement one year after each major Android release. For instance, one year after the release of Android P, applications must target API level 28 or higher.

Keep in mind that these requirements are only for the target API level, and not for the minimum. That means you can still build applications that will work on older versions of Android such as Android Lollipop. This is important because there are still millions of users who are running older Android versions on their devices. What minimum API level should you implement? Follow @minSdkVersion on Twitter to keep up to date on when you should be changing that.

As for applications that will not be receiving any updates for the foreseeable future, nothing will change. Those applications will continue to exist, though of course they will not be able to take advantage of any new features introduced in newer SDKs. If the developer of such an application wishes to update their app for any reason, then they will have to update their app to meet the requirements in the higher API level.

This is a boon for user security. Android 6.0 Marshmallow introduced runtime permissions, which guard certain sensitive permissions such as location or contacts access behind a dialog that the user must accept. However, applications could get around runtime permissions by targeting an older API level. If an application targets an API level older than the one that introduced runtime permissions, its permissions are granted during installation instead.

In addition, Android Oreo's new restrictions on background app execution, implicit broadcast receivers, and background location only apply to applications that target API level 26. Since this API level will be a requirement in the future, users running Android Oreo will not have to worry that an app is escaping Oreo's new restrictions by targeting an older API level.

A Note on Future Android Versions

There is one clause in this new requirement that is interesting. To quote the blog post:

Future Android versions will also restrict apps that don't target a recent API level and adversely impact performance or security.

Whereas the previous requirement only affects new applications or updated applications being submitted to the Play Store, this sentence seems to suggest that a future version of Android will also place restrictions on applications that aren't keeping up to date with recent API levels. Android 8.0 Oreo introduced runtime-only permissions which require that an application target API level 23, so Google could start gating new features behind such restrictions.

Change #2: 64-bit Support for Native Code

The majority of flagship Android devices have chips built on a 64-bit architecture. According to Google, over 40% of devices have 64-bit support. Apps that distribute native libraries can currently be based on 32-bit code only, and 64-bit devices will still work due to backwards compatibility.

However, since 64-bit code can offer better performance, Google will require that developers whose apps utilize native libraries must have a 64-bit alternative to run on 64-bit only devices. Applications can include both a 32-bit and a 64-bit library, or distribute multiple versions of the APK with either library using the multiple APK feature in the Developer Console. This requirement will take effect starting August 2019, and does not affect applications that do not run any native code.
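A pre-submission check for both requirements above (target API level and 64-bit native code), as an added example that is not from Google or the original article. It assumes the line format printed by `aapt dump badging`; the sample inputs are constructed, and the permission list is a small illustrative subset.

```python
import re

# Thresholds from the article; the 32-bit to 64-bit ABI pairing is standard Android.
PLAY_MIN_TARGET = 26      # required targetSdkVersion for new apps from August 2018
RUNTIME_PERMS_API = 23    # Android 6.0 Marshmallow introduced runtime permissions
ABI_PAIRS = {"armeabi": "arm64-v8a", "armeabi-v7a": "arm64-v8a", "x86": "x86_64"}
# Subset of runtime-guarded permissions (location and contacts, as in the article).
DANGEROUS = {"android.permission.ACCESS_FINE_LOCATION",
             "android.permission.READ_CONTACTS"}

def parse_badging(text):
    """Return (target API level, permission set, native ABI set)."""
    m = re.search(r"^targetSdkVersion:'(\d+)'", text, re.M)
    if m is None:  # no explicit target: Android falls back to the minimum
        m = re.search(r"^sdkVersion:'(\d+)'", text, re.M)
    perms = set(re.findall(r"^uses-permission: name='([^']+)'", text, re.M))
    native = re.search(r"^native-code:(.*)$", text, re.M)
    abis = set(re.findall(r"'([^']+)'", native.group(1))) if native else set()
    return (int(m.group(1)) if m else 1), perms, abis

def audit(text):
    """List findings for one APK; with multiple APKs, audit the set together."""
    target, perms, abis = parse_badging(text)
    findings = []
    if target < PLAY_MIN_TARGET:
        findings.append(f"target-too-old: API {target} < {PLAY_MIN_TARGET}")
    if target < RUNTIME_PERMS_API:  # permissions granted at install, no dialog
        findings += [f"install-time-grant: {p}" for p in sorted(perms & DANGEROUS)]
    for abi32 in sorted(abis & set(ABI_PAIRS)):
        if ABI_PAIRS[abi32] not in abis:
            findings.append(f"missing-64bit: {abi32} without {ABI_PAIRS[abi32]}")
    return findings

# Constructed sample inputs, not output captured from real apps.
SAMPLE_LEGACY = """package: name='com.example.legacy' versionCode='7'
sdkVersion:'16'
targetSdkVersion:'22'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_CONTACTS'
native-code: 'armeabi-v7a' 'x86'
"""
SAMPLE_CURRENT = """package: name='com.example.current' versionCode='3'
sdkVersion:'21'
targetSdkVersion:'26'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
native-code: 'arm64-v8a' 'armeabi-v7a'
"""
```

Calling `audit(SAMPLE_LEGACY)` reports the stale target, the two permissions that would be granted without a dialog, and both 32-bit ABIs lacking a 64-bit counterpart; `audit(SAMPLE_CURRENT)` returns an empty list.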

Change #3: Security Metadata to Ensure Authenticity

This last change requires no action on the part of developers. Instead, this will be handled by Google Play automatically. The Play Store will start adding a small amount of metadata to each APK which will verify that an application was officially distributed by the Google Play Store. Google Play's maximum APK size will be increased to account for this new metadata, but nothing should be altered in developers' applications.


Source: Google