Android security depends on secure apps and Google has some big plans.
Google has made some significant announcements on its Android Developers Blog centering around some new policies developers will need to follow to continue publishing to the Play Store. Google says that starting in August 2018 all new apps submitted will need to target Android Oreo, and in November 2018 updates to existing apps will need to do the same. In addition, starting early in 2018 there will be some extra metadata added to the app file (the .apk file) to verify it’s authenticity and in August 2019 all apps will be required to provide a 64-bit version even if they target any native Android libraries.
In the second half of 2018, Play will require that new apps and app updates target a recent Android API level. This will be required for new apps in August 2018, and for updates to existing apps in November 2018. This is to ensure apps are built on the latest APIs optimized for security and performance.
In August 2019, Play will require that new apps and app updates with native libraries provide 64-bit versions in addition to their 32-bit versions.
Additionally, in early 2018, Play will start adding a small amount of security metadata on top of each APK to further verify app authenticity. You do not need to take any action for this change.
Google says these changes are to help make the apps we use as secure as Android itself. They’ve given some simple examples that explain just how these changes will help here.
Right now, a developer can upload an app targeted towards an old version of Android and not ask for permission to see things like camera data or location when you first run it because those became official with Android Marshmallow (API 23). Adding