Google to Require Seamless Update System Beginning With Android 11

In non-COVID-19 news, Google is apparently going to start requiring manufacturers to implement its “seamless update” system beginning with Android 11.

Essentially, Android 11 will require devices to have a separate system partition that is an identical copy of the main partition. When an update to Android is available, the update installs itself on the second partition. When that installation is finished, the phone is rebooted, and the secondary partition becomes the primary partition.

The intent here is to reduce the downtime that can come with some Android updates, and to ensure there is always a good partition that can be booted to if an update goes awry.

The system partition, by the way, is apparently relatively small on a typical Android device–it clocked in at about 320 megabytes on the 2016 Pixel 1.

80% of Android Apps Use TLS to Encrypt Traffic

Back in 2018, Google announced that beginning with Android 9, it would prevent apps from using unencrypted connections by default. As of December 2019, Google notes that 80 percent of all apps in the Google Play store use TLS, and that rises to 90 percent of all apps targeting Android 9 and higher.

Android 7 (API level 24) introduced the Network Security Configuration in 2016, allowing app developers to configure the network security policy for their app through a declarative configuration file. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain.

Today, we’re happy to announce that 80% of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90% of them encrypting traffic by default.

Since November 1 2019, all apps (updates as well as all new apps on Google Play) must target at least Android 9. As a result, we expect these numbers to continue improving. Network traffic from these apps is secure by default and any use of unencrypted connections is the result of an explicit choice by the developer.

That last sentence is a bit concerning. If app developers want to explicitly make their apps communicate through unencrypted connections, that’s fine, but as far as I can tell there is no way that consumers are made aware of this.

Just as modern browsers warn me that the website I’m visiting doesn’t use encryption, Google should inform users when they are using apps that do so as well. I’d be happy with a notification on the Google Play store page for such apps that “This app sends network traffic over unencrypted channels” or something like that.

(Yes, users could set up a packet analysis tool to look at the data their phone is sending, but they shouldn’t have to do so).

HTTrack Website Copier for Android

HTTrack Website Copier is a free, open source solution for making local mirrors of websites. What I didn’t realize until recently is that there is an Android version of the utility available on the Google Play Store.

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure. Simply open a page of the “mirrored” website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.

Android’s SMS & Call Log Restrictions

For several years now, I and a lot of other Android users have used the free, open source app SMS Backup+ to back up call logs and text messages. What made SMS Backup+ such a great app is that not only did it do traditional backups, but it also allowed users to push the call log to Google Calendar and send every SMS to a Gmail account, with custom tagging.

But SMS Backup+ is about to become a casualty of Google’s efforts to better protect its users’ privacy–efforts which often seem to also be aimed at further closing what was once a much more open ecosystem than its competitors (and one of the things that attracted many users to Android rather than iOS).

Google has been burned repeatedly by Android malware that is able to access SMS and call logs, and use that to spy on users or exploit that ability to defraud users.

In an effort to better protect users, Google decided to limit which apps can access SMS and Call Log permissions.

Google Play restricts the use of high risk or sensitive permissions, including the SMS or Call Log permission groups.

If your app does not require access to Call Log or SMS permissions, you must remove these permissions from your app’s manifest. Details on policy compliant alternative implementation are also detailed below.

If you believe your app meets the policy requirements for acceptable use or is eligible for an exception, you should declare any Call Log or SMS permissions directly through the Play Console.

Apps that fail to meet policy requirements or submit a Declaration Form may be removed from Google Play.

. . .

For apps requesting access to the SMS or Call Log permissions, the intended and permitted uses include default SMS handling, default phone handling, or Assistant handling capability.

Apps must be actively registered as the default SMS, Phone, or Assistant handler before prompting users to accept any of the above permissions and must immediately stop the use of the permission when they no longer are the default handler.

Notice that backing up SMS or Call Logs, much less pushing SMS messages into something like Gmail, is not on the list of “intended and permitted uses.” I assume Google wants users who wish to maintain backups of SMS messages to use its own Android backup services rather than rely on third party tools. That’s one less security headache for Google, presumably.

The developer of SMS Backup+, Jan Berkel, says he did apply for an exception to the new policy, but was denied:

Hello everyone. I’m sorry about this situation, SMS Backup+ will no longer have access to Gmail, mainly because it’s not an email reading app.

I applied for an exception but it was declined, as expected. Vanilla IMAP might work, but for how long I wonder. And it’s very tricky to set up for a casual user. Unfortunately the Android platform is getting more and more closed.

I’m not sure what to do at this point, either remove the app from the store or release a new version which removes the automatic account setup, since that is broken / will be broken soon.

There are still ways to get backups of SMS and Call Logs and push them to Google Calendar or Gmail, but these will require a lot more technical savvy and effort on the part of users. And even those workarounds may soon be on the Google chopping block.

And with that, a highly useful app that likely had hundreds of thousands of users will disappear and, with it, the functionality that those users found helpful.