Banking apps can now require you to install Android security updates

by · Android Police

Key Takeaways

  • Google's Play Integrity API can now flag devices that haven't installed security updates in over a year.
  • Developers can choose to restrict app features to actively updated devices, potentially enhancing overall security.
  • The change could negatively impact users of niche phones with few or no security patches, or those wishing to unlock bootloaders and root devices.

Google works constantly to ensure Android is as secure as possible for the average user, which includes giving developers the tools they need to minimize the risk of fraud. A recent change to the Play Integrity API, which verifies the authenticity of software and devices to protect sensitive operations, now allows tools like banking apps to recognize devices that haven't received an Android security patch in over a year, and lower their trust level, potentially restricting features related to important personal data.

Android developer-speak, simplified

The relatively straightforward update could impact a lot of users

Source: Android Police

The official release from the Android Developers Blog uses slightly esoteric jargon, but the update's not actually very complicated. The Play Integrity API, which allows apps to communicate with the operating system, now lets the OS return updated verdicts when the program essentially asks, "Is this phone secure enough to run this function on?"

The key verdict update allows an app to respond with an answer of "meets strong integrity", although similar responses exist to indicate a phone or tablet meets "device" or "basic" integrity. The strong integrity label now verifies if a device has received an Android security update within the last year — not an app or Play Store update, but one of the OS-wide system updates that comes directly from a device's manufacturer. It remains to be seen how widely the enhanced protocol's strictest requirements will be implemented, but they'll likely be confined mostly to finance, government, and business software.

This gives developers the option to require their app's users to use actively updated phones and tablets. In theory, this change could enhance security across the board. In practice, there are quite a few people using software like bank-adjacent fintech services on phones that no longer receive Android updates. While that likely includes minimal Android Police readers (who tend to be savvy enthusiasts on or near the cutting edge), those people do exist. In fact, some unique and excellent phones, such as the impressively tiny Unihertz Jelly Star, rarely or never receive full system security updates.

Related

Android security patches don't matter as much as you think

You're not that screwed when they stop

Posts 1

Despite common outcry from various tech-loving online communities, a lack of patches isn't nearly the security death sentence it may have been when Android was still a fledgling OS. In its 15-plus years, Android has seen considerable refinement, and is remarkably secure at this point. Furthermore, Google Play Services and individual app updates cover a significant portion of potential exploits on their own (although, of course, not every obscure potential means of ingress). Additionally, most exploits require specifically targeted attacks, physical access to a device, a personal failure to avoid phishing or other scams, or some combination of the three.

Nonetheless, Android now allows developers to opt into this enhanced security label, with automatic platform-wide adoption coming in May 2025. At any rate, Google isn't requiring devs to apply these to every app function, but merely giving them the choice. Included in that choice is a potential tiered response interpretation: In the Android Developers' example, an app could treat Android 12 phones differently than Android 13 phones when responding with the strong, device, or basic integrity labels.

Related

5 ways Google nerfed custom ROMs and rooting

Rooting is rarely worth it nowadays, and there are some major drawbacks

Posts

Naturally, that's one specific change out of a few related ones. Play Integrity now also makes it easier for apps to gather relevant device information such as APK authenticity, Google Play Protect on-off status, and whether other apps or services or running that could compromise security by, for example, surreptitiously recording the screen.

The developer-focused update explainer also strongly implies Play Integrity's increased reliance on an intact, verifiable bootloader. This is where Android Police's faithful power-users could, and probably should, raise an eyebrow or two. For all the work device manufacturers have done to lock consumers' paid-for hardware behind proprietary Android skins, this security enhancement could be yet another nail in the increasingly well-sealed coffin of custom ROMs — and it's not Google's first time hamstringing rooting, ROMs, and in-depth customization.

Related

How to use Shizuku for ADB rootless mods on any Android device

Modding your device without root access just got a lot better

Posts 6