Security Behavior Changes

Android P introduces a number of behavior changes that enhance the security of your app and the devices that run it. This page describes the platform changes that are most important for third-party app developers to keep in mind.

Behavior changes affecting all apps

Android P adds several capabilities that improve your app's security, regardless of which version your app targets.

TLS implementation changes

The system's TLS implementation has undergone several changes in Android P:

Stricter Seccomp filter

We've further restricted the system calls that are available to apps. Apps aren't affected, however, if they use the Bionic library and don't make system calls directly.

Support for ChaCha20 stream cipher

The Android platform now supplies implementations of the ChaCha20 cipher as described in RFC 7539, both in unadorned stream cipher form, ChaCha20/None/NoPadding, and in ChaCha20 + Poly1305 AEAD form, ChaCha20/Poly1305/NoPadding.

Legacy encryption support

Android P devices that ship with Keymaster 4 support the Triple Data Encryption Algorithm, or Triple DES. If your app interoperates with legacy systems that require Triple DES, use this type of cipher when encrypting sensitive credentials.

Wi-Fi permissions

A number of the Wi-Fi methods have been modified in Android P to enhance the user's privacy. The WifiManager and WifiP2pManager methods that may expose the user's location information or personally identifiable information are further restricted. These methods are:

This information is also removed from the NetworkStateChange broadcast. Apps should instead call WifiManager.getConnectionInfo().

When you access scan results and connection information, you must hold the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION location permission. This also applies to triggering Wi-Fi scans, which additionally requires ACCESS_WIFI_STATE or CHANGE_WIFI_STATE.

System broadcasts from Wi-Fi also have all SSIDs, BSSIDs, connection information, and scan results removed.

Telephony permissions

When device location is OFF, no results are returned. This applies to the following methods: getAllCellInfo(), listen(), getCellLocation(), and getNeighboringCellInfo().

Behavior changes affecting apps targeting Android P

Android P adds several capabilities that improve your app's security, but only if it targets Android P.

Network TLS enabled by default

If your app targets Android P, the isCleartextTrafficPermitted() method returns false by default. As a result, if your app needs to enable cleartext for specific domains, you need to explicitly set cleartextTrafficPermitted to true in your app's Network Security Configuration.

Web-based data directories separated by process

In order to improve app stability and data integrity in Android P, apps can no longer share a single WebView data directory among multiple processes. Typically, such data directories store cookies, HTTP caches, and other persistent and temporary storage related to web browsing.

In most cases, your app should use classes from the android.webkit package, such as WebView and CookieManager, in only one process. For example, you should move all Activity objects that use a WebView into the same process. You can more strictly enforce the "one process only" rule by calling disableWebView() in your app's other processes. This call prevents WebView from being initialized in those other processes by mistake, even if it's being called from a dependent library.

If your app must use instances of WebView in more than one process, you must assign a distinct data directory suffix for each process, using the WebView.setDataDirectorySuffix() method, before using a given instance of WebView in that process. This method places web data from each process in its own directory that's inside your app's data directory.
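One way to apply both rules at process start, as an added example that is not part of the original page: the class name `ExampleApplication`, the `:web` process name, and the `web` suffix are assumptions, and the app's manifest is assumed to declare a component with `android:process=":web"`.

```java
import android.app.Application;
import android.os.Build;
import android.webkit.WebView;

/** Hypothetical Application subclass; register it in the manifest. */
public class ExampleApplication extends Application {
    // Assumed name of the one secondary process that may host a WebView.
    private static final String WEB_PROCESS = ":web";

    @Override
    public void onCreate() {
        super.onCreate();
        // Both WebView calls below were added in Android P (API 28).
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) {
            return;
        }
        String process = Application.getProcessName();
        if (getPackageName().equals(process)) {
            // Main process: keeps the default WebView data directory.
            return;
        }
        if (process.endsWith(WEB_PROCESS)) {
            // Must run before any WebView is created in this process,
            // otherwise the call throws IllegalStateException.
            // The suffix must not contain a path separator.
            WebView.setDataDirectorySuffix("web");
        } else {
            // Every other process: fail fast if a dependent library
            // tries to initialize WebView here by mistake.
            WebView.disableWebView();
        }
    }
}
```

Content providers are created before `Application.onCreate()` runs, so a provider that touches WebView in a secondary process needs the same call made earlier.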

Per-app SELinux domains

Apps that target Android P can no longer share data with other apps using world-accessible Unix permissions. This change improves the integrity of the Android Application Sandbox, particularly the requirement that an app's private data is accessible only by that app.

To share files with another app, use a content provider or shared space in external storage.

Connectivity data counting and multipath

The system now counts network traffic on networks that aren't the current default (for example, cell traffic while the device is on Wi-Fi), and provides NetworkStatsManager APIs to query for that traffic.

ConnectivityManager.getMultipathPreference() now returns a value based on the aforementioned network traffic. New in Android P, it returns true on cell data, but when more than a certain amount of said traffic happens in a day, it starts returning false. Applications running on Android P are expected to call and honor this hint.

The callbacks (ConnectivityManager.NetworkCallback) that the system sends to apps now include VPNs, which makes it much easier for apps to listen for connectivity events without having to mix sync/async calls or use limited APIs. Additionally, it means that things work correctly on a device with two simultaneous Wi-Fi networks or two simultaneous cell networks.

DNS privacy

Android P apps should honor the private DNS APIs, and ensure that if the system resolver is doing DNS-over-TLS, any built-in DNS client either uses encrypted DNS (to the same hostname as the system) or is disabled in favor of the system resolver.
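A sketch of that decision for an app that ships its own DNS client, as an added example that is not part of the original page: the `DnsPolicy` and `Decision` names are assumptions, the app is assumed to hold ACCESS_NETWORK_STATE, and what the built-in client does when private DNS is off is left to the app.

```java
import android.content.Context;
import android.net.ConnectivityManager;
import android.net.LinkProperties;
import android.net.Network;

/** Hypothetical helper for illustration; not a platform class. */
public final class DnsPolicy {
    public static final class Decision {
        /** False means: disable the built-in client, use the system resolver. */
        public final boolean builtInClientAllowed;
        /** If non-null, the built-in client must use DNS-over-TLS to this host. */
        public final String requiredDotHostname;

        Decision(boolean allowed, String hostname) {
            this.builtInClientAllowed = allowed;
            this.requiredDotHostname = hostname;
        }
    }

    public static Decision forActiveNetwork(Context context) {
        ConnectivityManager cm =
                context.getSystemService(ConnectivityManager.class);
        Network network = cm.getActiveNetwork();
        LinkProperties lp =
                (network == null) ? null : cm.getLinkProperties(network);
        if (lp == null) {
            // No usable network information: defer to the system resolver.
            return new Decision(false, null);
        }
        if (!lp.isPrivateDnsActive()) {
            // The system resolver is not using DNS-over-TLS on this network.
            return new Decision(true, null);
        }
        String hostname = lp.getPrivateDnsServerName();
        if (hostname == null) {
            // Private DNS is active without a configured hostname, so there
            // is no "same hostname" to match: use the system resolver.
            return new Decision(false, null);
        }
        // Strict mode: only encrypted DNS to the system's hostname is acceptable.
        return new Decision(true, hostname);
    }
}
```

Link properties can change while the app runs, so re-evaluate the decision from `ConnectivityManager.NetworkCallback.onLinkPropertiesChanged()` instead of caching it.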