Register now for Android Dev Summit 2019!

Behavior changes: all apps

The Android Q platform includes behavior changes that may affect your app. The following behavior changes apply to all apps when they run on Android Q, regardless of targetSdkVersion. You should test your app and then modify it as needed to support these properly, where applicable.

Make sure to also review the list of behavior changes that only affect apps targeting Android Q.

Non-SDK interface restrictions

To help ensure app stability and compatibility, the platform started restricting which non-SDK interfaces your app can use in Android 9 (API level 28). Android Q includes updated lists of restricted non-SDK interfaces based on collaboration with Android developers and the latest internal testing. Our goal is to make sure that public alternatives are available before we restrict non-SDK interfaces.

If you will not be targeting Android Q, some of these changes might not immediately affect you. However, while you can currently use non-SDK interfaces that are part of the greylist (depending on your app's target API level), using any non-SDK method or field always carries a high risk of breaking your app.

If you are unsure if your app uses non-SDK interfaces, you can test your app to find out. If your app relies on non-SDK interfaces, you should begin planning a migration to SDK alternatives. Nevertheless, we understand that some apps have valid use cases for using non-SDK interfaces. If you cannot find an alternative to using a non-SDK interface for a feature in your app, you should request a new public API.

To learn more, see Updates to non-SDK interface restrictions in Android Q and see Restrictions on non-SDK interfaces.

Gestural Navigation

Beginning with Android Q, users can enable gestural navigation across the device. If a user enables gestural navigation, this affects all apps on the device, whether or not the app targets Q. For example, if the user swipes in from the edge of the screen, the system interprets that gesture as a Back navigation, unless an app specifically overrides that gesture for portions of the screen.

To make your app compatible with gestural navigation, you'll want to extend the app content from edge to edge, and handle conflicting gestures appropriately. For information, see the Gestural navigation documentation.

NDK

Android Q includes the following NDK changes.

Shared objects cannot contain text relocations

Android 6.0 (API level 23) disallowed use of text relocations in shared objects. Code must be loaded as-is, and must not be modified. This change improves app load times and security.

In Android Q Beta 1 and 2, SELinux enforces this restriction on apps targeting Android 8.0 (API level 26) and higher. Starting in Android Q Beta 3, the restriction is enforced on apps targeting Android Q (API level 29) and higher. If these apps continue to use shared objects that contain text relocations, they are at high risk of breaking.

Changes to Bionic libraries and dynamic linker paths

Starting in Android Q, several paths are no longer regular files but symbolic links. Apps that have been relying on the paths being regular files might break:

  • /system/lib/libc.so -> /apex/com.android.runtime/lib/bionic/libc.so
  • /system/lib/libm.so -> /apex/com.android.runtime/lib/bionic/libm.so
  • /system/lib/libdl.so -> /apex/com.android.runtime/lib/bionic/libdl.so
  • /system/bin/linker -> /apex/com.android.runtime/bin/linker

These changes apply to the 64-bit variants of the file as well, with lib/ replaced with lib64/.

For compatibility, new symlinks are provided at the old paths, for example /system/lib/libc.so is now a symlink to /apex/com.android.runtime/lib/bionic/libc.so, and so on. So dlopen(“/system/lib/libc.so”) continues to work, but apps will find the difference when they actually try to examine the loaded libraries by reading /proc/self/maps or similar, which is not usual but we’ve found that some apps do that as part of their anti-hacking process. If so, the new /apex/… paths should be added as valid paths for the Bionic files.

System binaries/libraries mapped to execute-only memory

Starting in Android Q, executable segments of system binaries and libraries are mapped into memory execute-only (non-readable) as a hardening technique against code-reuse attacks. Intentional and unintentional reads into memory segments marked as execute-only will throw a SIGSEGV -- whether from bug, vulnerability, or intentional memory introspection.

You can identify whether a crash was caused by this change by examining the related tombstone file in /data/tombstones/. An execute-only related crash will contain the following abort message:

Cause: execute-only (no-read) memory access error; likely due to data in .text.

To work around this issue, developers may mark execute-only segments as read+execute by calling mprotect(), for example to perform memory inspection. However, we strongly recommend setting it back to execute-only afterwards as this provides better protection for your app and users.

Calls to ptrace are unaffected, so ptrace debugging is not impacted.

Security

Android Q includes the following security change.

Removed execute permission for app home directory

Untrusted apps that target Android Q can no longer invoke exec() on files within the app's home directory. This execution of files from the writable app home directory is a W^X violation. Apps should load only the binary code that's embedded within an app's APK file.

In addition, apps that target Android Q cannot in-memory modify executable code from files which have been dlopen()ed. This includes any shared object (.so) files with text relocations.

Wi-Fi Direct broadcasts

On Android Q, the following broadcasts related to Wi-Fi Direct are no longer sticky:

If your app has relied on receiving these broadcasts at registration because they had been sticky, use the appropriate get() method at initialization to obtain the information instead.

Wi-Fi Aware capabilities

Android Q adds support to ease TCP/UDP Socket creation using Wi-Fi Aware datapaths. To create a TCP/UDP socket connecting to a ServerSocket, the client device needs to know the IPv6 address and port of the server. This previously needed to be communicated out-of-band, such as by using BT or Wi-Fi Aware layer 2 messaging, or discovered in-band using other protocols, such as mDNS. With Android Q, the information can be communicated as part of the network setup.

The server can do either of the following:

  • Initialize a ServerSocket and either set or obtain the port to be used.
  • Specify the port information as part of the Wi-Fi Aware network request.

The following code sample shows how to specify port information as part of the network request:

Kotlin

val ss = ServerSocket()
val ns = WifiAwareNetworkSpecifier.Builder(discoverySession, peerHandle)
  .setPskPassphrase("some-password")
  .setPort(ss.localPort)
  .build()

val myNetworkRequest = NetworkRequest.Builder()
  .addTransportType(NetworkCapabilities.TRANSPORT_WIFI_AWARE)
  .setNetworkSpecifier(ns)
  .build()

Java

ServerSocket ss = new ServerSocket();
WifiAwareNetworkSpecifier ns = new WifiAwareNetworkSpecifier
  .Builder(discoverySession, peerHandle)
  .setPskPassphrase(“some-password”)
  .setPort(ss.getLocalPort())
  .build();

NetworkRequest myNetworkRequest = new NetworkRequest.Builder()
  .addTransportType(NetworkCapabilities.TRANSPORT_WIFI_AWARE)
  .setNetworkSpecifier(ns)
  .build();

The client then performs a Wi-Fi Aware network request to obtain the IPv6 and the port supplied by the server:

Kotlin


val callback = object : ConnectivityManager.NetworkCallback() {
  override fun onAvailable(network: Network) {
    ...
  }
  
  override fun onLinkPropertiesChanged(network: Network,
      linkProperties: LinkProperties) {
    ...
  }
  
  override fun onCapabilitiesChanged(network: Network,
      networkCapabilities: NetworkCapabilities) {
    ...
    val ti = networkCapabilities.transportInfo
    if (ti is WifiAwareNetworkInfo) {
       val peerAddress = ti.peerIpv6Addr
       val peerPort = ti.port
    }
  }
  override fun onLost(network: Network) {
    ...
  }
};

connMgr.requestNetwork(networkRequest, callback)

Java

callback = new ConnectivityManager.NetworkCallback() {
  @Override
  public void onAvailable(Network network) {
    ...
  }
  @Override
  public void onLinkPropertiesChanged(Network network,
      LinkProperties linkProperties) {
    ...
  }
  @Override
  Public void onCapabilitiesChanged(Network network,
      NetworkCapabilities networkCapabilities) {
    ...
    TransportInfo ti = networkCapabilities.getTransportInfo();
    if (ti instanceof WifiAwareNetworkInfo) {
       WifiAwareNetworkInfo info = (WifiAwareNetworkInfo) ti;
       Inet6Address peerAddress = info.getPeerIpv6Addr();
       int peerPort = info.getPort();
    }
  }
  @Override
  public void onLost(Network network) {
    ...
  }
};

connMgr.requestNetwork(networkRequest, callback);

SYSTEM_ALERT_WINDOW on Go devices

Apps running on Android Q (Go edition) devices cannot receive the SYSTEM_ALERT_WINDOW permission. This is because drawing overlay windows uses excessive memory, which is particularly harmful to the performance of low-memory Android devices.

If an app running on a Go edition device running Android 9 or lower receives the SYSTEM_ALERT_WINDOW permission, the app retains the permission even if the device is upgraded to Android Q. However, apps which do not already have that permission cannot be granted it after the device is upgraded.

If an app on a Go device sends an intent with the action ACTION_MANAGE_OVERLAY_PERMISSION, the system automatically denies the request, and takes the user to a Settings screen which says that the permission isn't allowed because it slows the device. If an app on a Go device calls Settings.canDrawOverlays(), the method always returns false. Again, these restrictions do not apply to apps which received the SYSTEM_ALERT_WINDOW permission before the device was upgraded to Q.

Warnings for apps targeting older Android versions

In Android Q, the platform will warn users the first time they run any app that targets a platform version lower than Android 6.0 (API level 23). If the app requires the user to grant permissions, the user is also given an opportunity to adjust the app's permissions before the app is allowed to run for the first time.

Due to Google Play's target API requirements, a user would only see these warnings if they run an app that has not been updated recently. For apps that are distributed through other stores, similar target API requirements are also being introduced in 2019. For more information about these requirements, see Expanding target API level requirements in 2019.

SHA-2 CBC cipher suites removed

The following SHA-2 CBC cipher suites have been removed from the platform:

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

These cipher suites are less secure than the similar cipher suites that use GCM, and most servers either support both the GCM and CBC variants of these cipher suites or support neither of them.

App usage

Android Q introduces the following behavior changes related to app usage:

  • UsageStats app usage improvements -- Android Q now accurately tracks app usage with UsageStats when apps are used in split-screen or picture-in-picture mode. Additionally, Android Q can now track instant app usage.

  • Per-app grayscale -- Android Q can now set apps to a grayscale display mode.

  • Per-app distraction state -- Android Q can now selectively set apps to a "distraction state" where their notifications are suppressed and they will not appear as suggested apps.

  • Suspension and playback -- In Android Q, suspended apps are no longer able to play audio.

HTTPS connection changes

If an app running Android Q passes null into setSSLSocketFactory(), an IllegalArgumentException now occurs. In previous versions, passing null into setSSLSocketFactory() had the same effect as passing in the current default factory.

android.preference library is now deprecated

The android.preference library is now deprecated. Developers should instead use the AndroidX preference library, part of Android Jetpack. For additional resources to aid in migration and development, check out the updated Settings Guide along with our public sample app and reference documentation.

ZIP file utility library changes

Android Q introduces the following changes to classes in the java.util.zip package, which handles ZIP files. These changes make the library's behavior more consistent between Android and other platforms that use java.util.zip.

Inflater

In previous versions, some methods in the Inflater class threw an IllegalStateException if they were invoked after a call to end(). In Android Q, these methods throw a NullPointerException instead.

ZipFile

The constructor for ZipFile that takes arguments of type File, int, and Charset no longer throws a ZipException if the supplied ZIP file doesn't contain any files.

ZipOutputStream

The finish() method in ZipOutputStream no longer throws a ZipException if it tries to write an output stream for a ZIP file that doesn't contain any files.

Camera changes

Many camera-using apps assume that if the device is in a portrait configuration, then the physical device is also in the portrait orientation, as described in Camera orientation. This was a safe assumption in the past, but that has changed with the introduction of new form factors, such as foldables. That assumption on these devices can lead to either incorrectly rotated or scaled (or both) display of the camera viewfinder.

Applications that target API level 24 or above should explicitly set android:resizeableActivity and provide necessary functionality to handle multi-window operation.

Battery usage tracking

Beginning with Android Q, SystemHealthManager resets its battery usage statistics whenever the device is unplugged after a major charging event. Broadly speaking, a major charging event is either: The device has been fully charged, or the device has gone from mostly depleted to mostly charged.

Before Android Q, the battery usage statistics reset whenever the device was unplugged, no matter how little change there had been to the battery level.