With 2.5 billion users worldwide, Google has a responsibility to make its Android operating system as secure as possible. But the company has at times struggled to adequately vet apps in the Google Play Store, allowing malicious programs through that thousands or millions of users go on to download. With Google’s release of the Android 11 Beta on Wednesday, though, the company is taking steps to make it more difficult for rogue apps to grab your data, even when they do slip by.
Google has worked for years to incrementally tighten Android security under the hood. And the release of Android 11 is particularly focused on expanding privacy improvements, to give you more control over what your apps can access, and providing more ways to distribute software updates across Android’s fragmented and disjointed device population.
Android 10 addressed some of this as well, requiring that app developers request permissions and then reaffirm user choices more often. Android 11 adds a feature that allows developer to request one-time permissions for things like the microphone, camera, or location as an alternative to all or nothing. You can share your location with a friend through a chat app once, for example, without granting indefinite location access or having to remember to wade back into settings to revoke the permission later.
“We can see that people are actually leveraging these features from Android 10 and thinking about their choices when they’re giving apps access to permissions,” says Charmaine D’Silva, an Android product manager who works on privacy. “So building on that this time, we’ve added even more controls.”
Android 11 will also rein in apps that you don’t use very often, automatically revoking permissions if you don’t open it for a still undetermined period of time. If you start using the app again, you can always reinstate its access, but the permission won’t be lurking forgotten. Google plans to experiment with different cutoffs after 60 to 90 days, with the goal of eliminating stray permissions without breaking functionality.
“We’ve seen in our data that people have a lot of apps on their devices that they may have used a couple of times and then forgot about,” D’Silva says. “They don’t uninstall it because they don’t have a need to, but the app still has permissions associated with it. So this new feature is a permissions auto-reset—sort of a hygiene check.”
Beginning with apps that debut after Android 11, the permission auto-reset feature will be on by default and something for developers to factor into their plans. Existing apps for Android 10 and below won’t have the feature on by default, but users will still be able to toggle a control to turn it on. Google says that eventually it wants to turn permission auto-reset on by default for almost every app, but the company wants to ease it in so the change doesn’t inadvertently break functionality for older apps.
Android 11 will also see an expansion of Google’s Project Mainline program, which uses Google Play Services to “mainline” software updates like critical security patches directly to users’ devices rather than having to wait for each individual manufacturer to tailor an update for their devices. Android’s decentralized, adaptable nature is one of its core and beloved attributes. But it has limited Google’s ability to centrally distribute important updates.
Project Mainline works by conceptually breaking the Android operating system into chunks and creating the infrastructure for each of those chunks to be updated through the Google Play Store. In Android 10, Google debuted 10 of these modules that could receive updates. Android 11 will add 12 more, including a permissions module, and one for Android’s Scoped Storage feature, which is becoming mandatory in Android 11 and limits the “scope” or extent of what data apps can access on a user’s device. In response to the Covid-19 pandemic, Google also used Mainline to distribute its new contact-tracing framework.