Save the date! Android Dev Summit is coming to Sunnyvale, CA on Oct 23-24, 2019.

Behavior changes: all apps

The Android Q platform includes behavior changes that may affect your app. The following behavior changes apply to all apps when they run on Android Q, regardless of 'targetSdkVersion'. You should test your app and then modify it as needed to support these properly, where applicable.

Make sure to also review the list of behavior changes that only affect apps targeting Android Q.

Non-SDK interface restrictions

To help ensure app stability and compatibility, the platform started restricting which non-SDK interfaces your app can use in Android 9 (API level 28). Android Q includes updated lists of restricted non-SDK interfaces based on collaboration with Android developers and the latest internal testing. Our goal is to make sure that public alternatives are available before we restrict non-SDK interfaces.

If you will not be targeting Android Q, some of these changes might not immediately affect you. However, while you can currently use non-SDK interfaces that are part of the greylist (depending on your app's target API level), using any non-SDK method or field always carries a high risk of breaking your app.

If you are unsure if your app uses non-SDK interfaces, you can test your app to find out. If your app relies on non-SDK interfaces, you should begin planning a migration to SDK alternatives. Nevertheless, we understand that some apps have valid use cases for using non-SDK interfaces. If you cannot find an alternative to using a non-SDK interface for a feature in your app, you should request a new public API.

To learn more, see Updates to non-SDK interface restrictions in Android Q and see Restrictions on non-SDK interfaces.

NDK

Android Q includes the following NDK changes.

Shared objects cannot contain text relocations

Android 6.0 (API level 23) disallowed use of the use of text relocations in shared objects. Code must be loaded as-is, and must not be modified. This change improves app load times and security.

In Android Q Beta 1 and 2, SELinux enforces this restriction on apps targeting Android 8.0 (API level 26) and higher. If such apps continue to use shared objects that contain text relocations, they are at high risk of breaking.

System binaries/libraries mapped to execute-only memory

Starting in Android Q, executable segments of system binaries and libraries are mapped into memory execute-only (non-readable) as a hardening technique against code-reuse attacks. Intentional and unintentional reads into memory segments marked as execute-only will throw a SIGSEGV -- whether from bug, vulnerability, or intentional memory introspection.

You can identify whether a crash was caused by this change by examining the related tombstone file in /data/tombstones/. An execute-only related crash will contain the following abort message:

Cause: execute-only (no-read) memory access error; likely due to data in .text.

To work around this issue, developers may mark execute-only segments as read+execute by calling mprotect(), for example to perform memory inspection. However, we strongly recommend setting it back to execute-only afterwards as this provides better protection for your app and users.

Calls to ptrace are unaffected, so ptrace debugging is not impacted.

Security

Android Q includes the following security change.

Removed execute permission for app home directory

Untrusted apps that target Android Q can no longer invoke exec() on files within the app's home directory. This execution of files from the writable app home directory is a W^X violation. Apps should load only the binary code that's embedded within an app's APK file.

In addition, apps that target Android Q cannot in-memory modify executable code from files which have been dlopen()ed. This includes any shared object (.so) files with text relocations.

Wi-Fi Direct broadcasts

On Android Q, the following broadcasts related to Wi-Fi Direct are no longer sticky:

If your app has relied on receiving these broadcasts at registration because they had been sticky, use the appropriate get() method at initialization to obtain the information instead.

SYSTEM_ALERT_WINDOW on Go devices

Apps running on Android Q (Go edition) devices cannot receive the SYSTEM_ALERT_WINDOW permission. This is because drawing overlay windows uses excessive memory, which is particularly harmful to the performance of low-memory Android devices.

If an app running on a Go edition device running Android 9 or lower receives the SYSTEM_ALERT_WINDOW permission, the app retains the permission even if the device is upgraded to Android Q. However, apps which do not already have that permission cannot be granted it after the device is upgraded.

If an app on a Go device sends an intent with the action ACTION_MANAGE_OVERLAY_PERMISSION, the system automatically denies the request, and takes the user to a Settings screen which says that the permission isn't allowed because it slows the device. If an app on a Go device calls Settings.canDrawOverlays(), the method always returns false. Again, these restrictions do not apply to apps which received the SYSTEM_ALERT_WINDOW permission before the device was upgraded to Q.

Warnings for apps targeting older Android versions

In Android Q, the platform will warn users the first time they run any app that targets a platform version lower than Android 6.0 (API level 23). If the app requires the user to grant permissions, the user is also given an opportunity to adjust the app's permissions before the app is allowed to run for the first time.

Due to Google Play's target API requirements, a user would only see these warnings if they run an app that has not been updated recently. For apps that are distributed through other stores, similar target API requirements are also being introduced in 2019. For more information about these requirements, see Expanding target API level requirements in 2019.

SHA-2 CBC cipher suites removed

The following SHA-2 CBC cipher suites have been removed from the platform:

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

These cipher suites are less secure than the similar cipher suites that use GCM, and most servers either support both the GCM and CBC variants of these cipher suites or support neither of them.

App usage

Android Q introduces the following behavior changes related to app usage:

  • UsageStats app usage improvements -- Android Q now accurately tracks app usage with UsageStats when apps are used in split-screen or picture-in-picture mode. Additionally, Android Q can now track instant app usage.

  • Per-app grayscale -- Android Q can now set apps to a grayscale display mode.

  • Per-app distraction state -- Android Q can now selectively set apps to a "distraction state" where their notifications are suppressed and they will not appear as suggested apps.

  • Suspension and playback -- In Android Q, suspended apps are no longer able to play audio.

android.preference library is now deprecated

The android.preference library is now deprecated. Developers should instead use the AndroidX preference library, part of Android Jetpack. For additional resources to aid in migration and development, check out the updated Settings Guide along with our public sample app and reference documentation.