和先前版本一樣,Android 17 也包含可能會影響應用程式的行為變更。以下行為變更僅適用於指定 Android 17 以上版本的應用程式。如果您的應用程式指定 Android 17 以上版本,建議您視情況修改應用程式,以支援這些行為。
此外,無論應用程式的 targetSdkVersion 為何,請務必查看對所有 Android 17 應用程式有影響的行為變更清單。
核心功能
Android 17 包含下列異動項目,這類變更會修改或擴充 Android 系統的各種核心功能。
MessageQueue 的新無鎖實作
Beginning with Android 17, apps targeting Android 17 (API level 37)
or higher receive a new lock-free implementation of
android.os.MessageQueue. The new implementation improves performance and
reduces missed frames, but may break clients that reflect on MessageQueue
private fields and methods.
For more information, including mitigation strategies, see MessageQueue behavior change guidance.
靜態最終欄位現在無法修改
Apps running on Android 17 or higher that target
Android 17 (API level 37) or higher cannot change static final fields. If
an app attempts to change a static final field by using reflection, it will
cause an IllegalAccessException. Attempting to modify one of these fields
through JNI APIs (such as SetStaticLongField()) will cause the app to crash.
無障礙設定
Android 17 進行下列變更,提升無障礙功能。
支援複雜 IME 實體鍵盤輸入的無障礙功能
This feature introduces new AccessibilityEvent and TextAttribute
APIs to enhance screen reader spoken feedback for CJKV language input. CJKV IME
apps can now signal whether a text conversion candidate has been selected during
text composition. Apps with edit fields can specify text change types when
sending text changed accessibility events.
For example, apps can specify that a text change occurred during text
composition, or that a text change resulted from a commit.
Doing this enables accessibility
services such as screen readers to deliver more precise feedback based on the
nature of the text modification.
App adoption
IME Apps: When setting composing text in edit fields, IMEs can use
TextAttribute.Builder.setTextSuggestionSelected()to indicate whether a specific conversion candidate was selected.Apps with Edit Fields: Apps that maintain a custom
InputConnectioncan retrieve candidate selection data by callingTextAttribute.isTextSuggestionSelected(). These apps should then callAccessibilityEvent.setTextChangeTypes()when dispatchingTYPE_VIEW_TEXT_CHANGEDevents. Apps targeting Android 17 (API level 37) that use the standardTextViewwill have this feature enabled by default. (That is,TextViewwill handle retrieving data from the IME and setting text change types when sending events to accessibility services).Accessibility Services: Accessibility services that process
TYPE_VIEW_TEXT_CHANGEDevents can callAccessibilityEvent.getTextChangeTypes()to identify the nature of the modification and adjust their feedback strategies accordingly.
隱私權
Android 17 包含下列異動項目,可提升使用者隱私權。
視情況啟用 ECH (Encrypted Client Hello)
Android 17 introduces platform support for Encrypted Client Hello (ECH), a TLS extension that enhances user privacy by encrypting the Server Name Indication (SNI) in the TLS handshake. This encryption helps prevent network observers from easily identifying the specific domain your app is connecting to.
For apps targeting Android 17 (API level 37) or higher, ECH is opportunistically used for TLS connections. ECH is active only if the networking library used by the app (for example, HttpEngine, WebView, or OkHttp) has integrated ECH support and the remote server also supports the ECH protocol. If ECH cannot be negotiated, the connection automatically falls back to a standard TLS handshake without SNI encryption.
To allow apps to customize this behavior, Android 17 adds a new
<domainEncryption> element to the Network Security Configuration file.
Developers can use <domainEncryption> within <base-config> or
<domain-config> tags to select an ECH mode (for example,
"opportunistic", "enabled", or "disabled") on a global or per-domain
basis.
For more information, see the Encrypted Client Hello documentation.
以 Android 17 為目標的應用程式必須取得區域網路權限
Android 17 導入 ACCESS_LOCAL_NETWORK 執行階段權限,可防止使用者在未經授權的情況下存取本機網路。由於這項權限屬於現有的「NEARBY_DEVICES」權限群組,因此如果使用者已授予其他「NEARBY_DEVICES」權限,系統就不會再次提示。這項新規定可防止惡意應用程式利用不受限制的區域網路存取權,暗中追蹤使用者及建立數位指紋。只要宣告並要求這項權限,應用程式就能探索區域網路 (LAN) 上的裝置並與之連線,例如智慧住宅裝置或投放接收器。
以 Android 17 (API 級別 37) 以上版本為目標的應用程式,現在有兩種方式可與區域網路裝置保持通訊:採用系統中介的隱私權保護裝置挑選器來略過權限提示,或在執行階段明確要求這項新權限,以維持區域網路通訊。
詳情請參閱「區域網路權限」說明文件。
在實體裝置上隱藏密碼
如果應用程式指定 Android 17 (API 級別 37) 以上版本,且使用者使用實體輸入裝置 (例如外接鍵盤),Android 作業系統會將新的 show_passwords_physical 設定套用至密碼欄位中的所有字元。根據預設,這項設定會隱藏所有密碼字元。
Android 系統會顯示最後輸入的密碼字元,協助使用者確認密碼是否輸入錯誤。不過,使用較大的外接鍵盤時,這項功能就沒那麼必要。此外,配備外接鍵盤的裝置通常螢幕較大,因此他人看到您輸入密碼的風險也較高。
如果使用者透過觸控螢幕操作裝置,系統會套用新的 show_passwords_touch 設定。
安全性
Android 17 在裝置和應用程式安全性方面有以下改進。
活動安全性
In Android 17, the platform continues its shift toward a "secure-by-default" architecture, introducing a suite of enhancements designed to mitigate high-severity exploits such as phishing, interaction hijacking, and confused deputy attacks. This update requires developers to explicitly opt in to new security standards to maintain app compatibility and user protection.
Key impacts for developers include:
- BAL hardening & improved opt-in: We are refining Background Activity
Launch (BAL) restrictions by extending protections to
IntentSender. Developers must migrate away from the legacyMODE_BACKGROUND_ACTIVITY_START_ALLOWEDconstant. Instead, you should adopt granular controls likeMODE_BACKGROUND_ACTIVITY_START_ALLOW_IF_VISIBLE, which restricts activity starts to scenarios where the calling app is visible, significantly reducing the attack surface. - Adoption tools: Developers should utilize strict mode and updated lint checks to identify legacy patterns and ensure readiness for future target SDK requirements.
預設啟用 CT
If an app targets Android 17 (API level 37) or higher, certificate transparency (CT) is enabled by default. (On Android 16, CT is available but apps had to opt in.)
更安全的 Native DCL - C
If your app targets Android 17 (API level 37) or higher, the Safer Dynamic Code Loading (DCL) protection introduced in Android 14 for DEX and JAR files now extends to native libraries.
All native files loaded using System.load() must be marked as read-only.
Otherwise, the system throws UnsatisfiedLinkError.
We recommend that apps avoid dynamically loading code whenever possible, as doing so greatly increases the risk that an app can be compromised by code injection or code tampering.
限制 CP2 資料檢視中的 PII 欄位
如果應用程式的目標是 Android 17 (API 級別 37) 以上版本,則聯絡人供應程式 2 (CP2) 會限制資料檢視畫面中的特定欄位,避免顯示個人識別資訊 (PII)。啟用這項變更後,系統會從資料檢視畫面中移除這些資料欄,以提升使用者隱私權。受限的資料欄包括:
如果應用程式使用 ContactsContract.Data 中的這些資料欄,可以改為透過與 RAW_CONTACT_ID 聯結,從 ContactsContract.RawContacts 中擷取資料。
在 CP2 中強制執行嚴格的 SQL 檢查
如果應用程式指定 Android 17 (API 級別 37) 以上版本,當您在沒有 READ_CONTACTS 權限的情況下存取 ContactsContract.Data 資料表時,聯絡人供應程式 2 (CP2) 會強制執行嚴格的 SQL 查詢驗證。
這項異動生效後,如果應用程式沒有 READ_CONTACTS 權限,查詢 ContactsContract.Data 資料表時,系統會設定 StrictColumns 和 StrictGrammar 選項。如果查詢使用的模式與這些模式不相容,系統會拒絕查詢並擲回例外狀況。
媒體
Android 17 包含下列媒體行為變更。
背景音訊強化
從 Android 17 開始,音訊架構會強制限制背景音訊互動,包括音訊播放、音訊焦點要求和音量變更 API,確保這些變更是由使用者刻意啟動。
所有應用程式都必須遵守部分音訊限制。不過,如果應用程式指定 Android 17 (API 級別 37),限制會更加嚴格。如果這些應用程式在背景與音訊互動,就必須執行前景服務。此外,應用程式也必須符合下列一或多項規定:
- 前景服務必須具備「僅限使用期間」權限。
- 應用程式必須具備精確鬧鐘權限,並與
USAGE_ALARM音訊串流互動。
如需更多資訊 (包括緩解策略),請參閱「背景音訊強化」。
裝置板型規格
Android 17 包含下列異動項目,可改善各種尺寸和板型規格裝置的使用者體驗。
平台 API 異動,可忽略大螢幕 (sw>=600dp) 的螢幕方向、大小調整和長寬比限制
We introduced Platform API changes in Android 16 to ignore orientation, aspect ratio, and resizability restrictions on large screens (sw >= 600dp) for apps targeting API level 36 or higher. Developers have the option to opt out of these changes with SDK 36, but this opt-out will no longer be available for apps that target Android 17 (API level 37) or higher.
For more information, see Restrictions on orientation and resizability are ignored.
連線能力
Android 17 導入下列變更,可提升藍牙 RFCOMM Socket 的一致性,並與標準 Java InputStream 行為保持一致。
RFCOMM 的 BluetoothSocket read() 行為一致
如果應用程式指定 Android 17 (API 級別 37) 為目標版本,從以 RFCOMM 為基礎的 BluetoothSocket 取得的 InputStream read() 方法,現在會在通訊端關閉或連線中斷時傳回 -1。
這項變更可讓 RFCOMM Socket 行為與 LE CoC Socket 一致,並符合標準InputStream.read()文件,該文件指出到達串流結尾時會傳回 -1。
如果應用程式只會擷取 IOException 來中斷讀取迴圈,就可能會受到這項變更影響,因此應更新 BluetoothSocket 讀取迴圈,明確檢查 -1 的傳回值。這樣可確保遠端裝置中斷連線或插座關閉時,迴圈會正確終止。如要查看建議的實作方式範例,請參閱「傳輸藍牙資料」指南中的程式碼片段。