Google’s campaign to narrow the security gap between Android and iPhone has taken another twist this week, with a major new change to the way in which apps work on your phone. Such security improvements are always welcome. But surprisingly this will severely restrict older phones, pushing all users to newer models—if your device is not one of those newer ones, you’ll need to upgrade.
Google says it is now “actively combating bad actors who try to deceive users or spread malware, and giving you tools to combat abuse.” As I’ve reported before, Google’s Play Integrity API enables app developers to prevent users from installing or updating apps from unofficial sources—direct installs and third-party stores included—which obviously cuts down the risk of malicious copycat or manipulated apps finding their way onto phones. While Play Protect now monitors apps regardless of their source, Google wants the Play Store to be used as the default for installs and updates.
Google says “apps that use Play Integrity features have seen 80% less unauthorized usage on average compared to other apps.” And now it is going further—much further. “Starting today, we’re changing the technology that powers the Play Integrity API on all devices running Android 13 and above to make it faster, more reliable, and more private for users.” But beyond performance improvements, these changes will “make greater use of hardware-backed security signals… making it significantly harder and more costly for attackers to bypass.”
Those signals include the strength of a device’s security before an app’s use is approved. That means how recently a device installed a security update, and whether there has been “a security update within the last year on devices running Android 13 and above. This update gives apps with higher security needs, like banking and finance apps, governments, and enterprise apps, more ways to tailor their level of protection for sensitive features, like transferring money.”
Google’s confirmed change introduces a clear dividing line between older and newer phones, and between those still receiving support and those that are not. “Your app could respond differently to the legacy ‘meets-strong-integrity’ definition on devices running Android 12 and lower than to the enhanced definition on devices running Android 13 and higher.”
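To show what “responding differently” looks like on the server side, here is an added example (not code from Google or from the article) of a policy check over a decoded Play Integrity verdict. The field names follow Google’s published verdict layout, the sample values are constructed, and the Android API level is assumed to be reported by the app alongside the token.

```python
import json
from enum import Enum

# Constructed sample payloads shaped like a decrypted Play Integrity verdict.
# Field names are Google's; package, nonce and verdict values are made up.
VERDICT_STRONG = json.dumps({
    "requestDetails": {"requestPackageName": "com.example.bank",
                       "nonce": "c29tZS1ub25jZQ=="},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict":
                        ["MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
})
VERDICT_BASIC = json.dumps({
    "requestDetails": {"requestPackageName": "com.example.bank",
                       "nonce": "c29tZS1ub25jZQ=="},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
})

ANDROID_13_API_LEVEL = 33  # enhanced strong-integrity definition applies from here


class Access(Enum):
    DENY = "deny"                  # token is not for us, or app/device not recognized
    READ_ONLY = "read_only"        # device integrity only: balances, no transfers
    STEP_UP = "sensitive_step_up"  # legacy strong integrity: transfers need extra auth
    FULL = "sensitive_allowed"     # enhanced strong integrity: transfers allowed


def decide(verdict_json: str, expected_package: str, expected_nonce: str,
           android_api_level: int) -> Access:
    """Map a verdict plus the caller's Android API level to an access tier.
    android_api_level is a hypothetical value the app reports; it is not part
    of the verdict itself."""
    v = json.loads(verdict_json)
    req = v.get("requestDetails", {})
    # Bind the token to this app and this request to reject replays.
    if req.get("requestPackageName") != expected_package:
        return Access.DENY
    if req.get("nonce") != expected_nonce:
        return Access.DENY
    if v.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return Access.DENY
    labels = set(v.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        return Access.DENY
    if "MEETS_STRONG_INTEGRITY" not in labels:
        return Access.READ_ONLY
    # On Android 13+ strong integrity now implies hardware-backed signals and a
    # security update within the last year; on Android 12 and lower it does not.
    if android_api_level >= ANDROID_13_API_LEVEL:
        return Access.FULL
    return Access.STEP_UP
```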
Only around 55% of Android devices currently run Android 13, 14 or 15, with somewhere between 500 million and 1 billion of the remaining 1.5 to 2 billion active Android devices running obsolete versions of the OS. This is a huge issue for the Android ecosystem and helps fuel its reputation for being a much riskier option than iPhone, where Apple exercises far more universal control over its install base.
Zimperium’s Global Mobile Threat Report warns that 14% of all Android phones used within enterprises “cannot be upgraded, leaving them susceptible to exploitation.” The equivalent number of risky iPhones is just 1%.
According to ESET’s Jake Moore, these phones “can be left vulnerable to attack as criminals look for any vulnerabilities that aren’t patched and target people’s data. When phones and tablets are left without patch management, they miss out on all the latest security updates. They may be safe for the first few weeks or even months after their support has come to an end, but over time, even if the devices seem healthy, they could still easily be targeted by newly located vulnerabilities.”
Nico Chiaraviglio, Chief Scientist at Zimperium, told me that “Android faces higher malware risks, primarily due to its open ecosystem, which allows third-party app stores and application sideloading. While Apple’s App Store review process creates an illusion of perfect security, malware and apps that violate Apple’s terms of service can and do still slip through or exploit zero-days. iOS’s strict app isolation is a double-edged sword – it prevents malicious apps from analyzing system behavior, but also hinders mobile threat detection apps from detecting malware.”
It’s this issue that Google is tackling with update after update, including its Play Store cull, its low-quality app threshold and its warnings. It’s also why Samsung has gone further and defaulted to maximum restrictions on new devices.
While Android 15 is notable for its security updates, Chiaraviglio also warns that “the fragmented nature of Android updates across vendors and carriers may impact these security enhancements’ effectiveness by increasing the number of bugs that can be exploited.” This is the per-model, per-region, per-carrier scheduling that drip-feeds updates out over a month, compared to Apple’s everyone, everywhere, all at once approach.
The new API is available now for existing Play Integrity API users wanting to deploy it for their apps right away; for all other developers it will become mandatory from May 2025. You can expect banking and other security apps to get on board with this quickly, to close down some of the current Android attack surface. I would expect many other apps to follow, making it much harder to use a phone with no recent updates. That means millions of users needing a 2025 upgrade.