Google has just announced app security and performance changes for developers on Google Play. The main motto is: Play Store requires new updated apps to target the most recent Android API level, compulsory 64-bit app versions by 2019. The primary highlight is the addition of security metadata to each APK.
Change #1: Targeting a Newer API Level
The current API level of 27 corresponds to the Android 8.1 release. Before that, API level 26 used to correspond Android 8.0 Oreo. From the coming August 2018, any new applications that are submitted to the Play Store must target at least API level 26.
However. In 2019, Google will increment the targetSdkVersion requirement following one year after each major Android release.
One may keep this in mind that these requirements are only for the target API level, and not for the minimum. That means users can still build applications that will work on older versions of Android (like Android Lollipop).
As for applications that will not be receiving any updates for the foreseeable future, nothing will change. Those applications will continue to exist, though of course, they will not be able to take advantage of any new features introduced in newer SDKs. If the developer of such an application wishes to update their app for any reason, then they will have to update their app to meet the requirements in the higher API level.
However, this is a boon for user security. Android 6.0 Marshmallow introduced runtime permissions, which guard certain sensitive permissions such as location or contacts access behind a dialogue that the user must accept. However, applications could get around runtime permissions by targeting an older API level. If an application targets this older API level, then permissions are granted during installation.
The new restrictions on background app execution implicit broadcast receivers in Android Oreo‘s. This API level will be a requirement in the future. Any user running Android Oreo will not have to worry that an app isn’t being optimized for Android Oreo’s new restrictions.
The previous requirements were affecting new applications or updated applications being submitted to the Play Store. But this sentence seems to suggest that a future version of Android will also place restrictions on applications that aren’t keeping up to date with recent API levels. Android 8.0 Oreo introduced runtime-only permissions (API 23), so Google could start gating new features behind such restrictions.
Change #2: 64-bit Support for Native Code
According to Google, over 40% of devices have 64-bit support. A huge number of flagship Android devices have chips built on a 64-bit architecture. The native libraries distributing apps are currently based on 32-bit code only, and 64-bit devices will still work due to backwards compatibility.
But as 64-bit code offers better performance, Google will require that developers whose apps utilize native libraries that uses 64-bit alternative to run on 64-bit only devices. Applications can include both a 32-bit and a 64-bit library. It can also distribute multiple versions of the APK with either library using the multiple APK feature in the Developer Console. This all modifications will take effect from August 2019, and does not affect applications that do not run any native code.
Change #3: Security Metadata to Ensure Authenticity
No actions are required on this part from developers. Instead, Google Play will control it automatically. Play Store may start adding a small amount of metadata to each APK. Google Play’s maximum APK size will be increased to account for this new metadata, but nothing would be altered in developers’ applications.