This week, Google announced the launch of the first Android 14 developer preview and shared information about the security and privacy improvements that will come with the platform update. It is expected to be available on devices in the fall and will include new features, APIs, and changes in behavior that could affect applications. The preview is designed to help developers become aware of these changes and test their apps for compatibility. One of the security enhancements is related to runtime receivers and builds on the changes made in Android 13, when developers were asked to specify if their broadcast receivers should be visible to other apps on the device. To protect apps from security risks, apps and services that use context-registered receivers and target Android 14 must specify a flag to indicate if the receiver should be exported to all other apps on the device. Android 14 also attempts to protect apps from malicious software that might intercept intents by restricting apps from sending intents internally that do not specify a package. Apps can now only send implicit intents to exported components and must either use an explicit intent to deliver to unexported components or mark the component as exported. To prevent malicious use of dynamic code loading, applications built for Android 14 must mark dynamically loaded files as read-only. Google advises developers to avoid dynamically loading code as this can lead to code injection or code tampering. To protect against malware versions that use an API level of 22, Android 14 will prevent the installation of applications that target an API level lower than 23. Applications with a targetSdkVersion lower than 23 will remain installed. Android 14 also comes with Credential Manager, a new Jetpack API that supports multiple sign-in methods, including federated sign-in solutions and passkeys, as well as the classic username and password pair. Currently in alpha, Credential Manager allows users to create passkeys and save them in Google Password Manager for passwordless authentication across devices, both on Android and Chrome.
This Cyber News was published on www.securityweek.com. Publication date: Thu, 09 Feb 2023 16:37:03 +0000