Mobile app developers must stay ahead of the curve with the latest operating system updates to deliver an excellent user experience. As the Android 15 release updates near the finish line this summer, Google is expected to release Android 15 in mid-August to coincide with the Pixel 9 series launch at the Made by Google event. Code named “Vanilla Ice Cream,” the forthcoming mobile operating system offers a suite of groundbreaking Android 15 security features and privacy enhancements to know about. These include Android 15 threat detection, improved fraud prevention measures, enhanced app permissions, app information handling and the innovative Android 15 Private Space feature designed to safeguard sensitive data.
Read this blog to get the scoop on key Android 15 security features and privacy enhancements to take advantage of in your mobile apps and their significance to mobile application security.
One of the most sought-after privacy features in Android 15 is Private Space.
Android 15 Sensitive App Permissions
Some important changes coming revolve around the declaration of Android 15 sensitive app permissions. Google Play Protect live threat detection actively scans apps and will automatically flag any permissions that might be deemed suspicious within the context of the application — for example, a calculator app declaring permissions to access the user’s SMS storage — and potentially result in the app being flagged and subsequently removed from the Google Play Store. This means that now more than ever, developers should only include permissions that are required by the Android app as part of its app’s manifest in order to avoid any issues or delays in releases.
Android 15 Screen Sharing Security
Updates to Android’s screen sharing and recording capabilities are also being made. Android 15 will grant mobile apps the ability to detect whenever a different app or service is recording it. This is done by detecting if activities owned by the registering process’s UID of the application are being recorded by invoking the addScreenRecordingCallback callback function, which requires the Manifest.permission.DETECT_SCREEN_RECORDING permission to be declared.
Additionally, Android 15 introduces partial screen sharing, which allows users to share or record just an app window rather than the entire device screen by leveraging callbacks to the MediaProjection class.
Android 15 Intent Filtering Capabilities
The Android Intent filtering mechanism allows mobile apps to handle specific types of intents, or messaging objects that can be used to request an action from another app component. Intent filters are declared in the app’s manifest file and specify the types of intents that the app can respond to.
New Android 15 Intent filtering capabilities will allow for more precise Intent resolution by leveraging the UriRelativeFilterGroup class, which includes a series of filtering objects that form a set of Intent matching rules that must each be satisfied, including URL query parameters, URL fragments, and blocking or exclusion rules which can be defined in the Android Manifest by using the new <uri-relative-filter-group> tag.
Additionally, apps that target Android 15 will now have better Intent filtering because intents that target specific components must accurately match the target’s intent filter specifications, meaning that the target Intent component needs to align with the receiving activity’s declared intent-filters. Also, intents that are used to start activities or services within the device must now have an action that’s clearly associated with them.
Google is updating Activities once again to be more secure and prevent malicious background apps from bringing other apps to the foreground, elevating their privileges, and abusing user interaction. This is done by leveraging the allowCrossUidActivitySwitchFromBelow attribute, which blocks apps that don’t match the top UID on the stack from launching activities.
Please note that these changes will apply to apps that meet all the following conditions:
- The app performing the launch targets Android 15
- The app on top of the task stack targets Android 15
- Any visible activity has opted into the new protections
Last but not least, changes to PendingIntent creators are being made in order to block background activity launches by default, which helps prevent apps from accidentally creating a PendingIntent that could be abused by an attacker. Additionally, apps won’t be brought to the foreground unless the PendingIntent sender explicitly allows it, which aims to prevent malicious apps from abusing the ability to start activities in the background.
Android 15 will also be able to prevent launching arbitrary activities from other apps into the app’s own task and better control how the top activity of a task stack can finish its task. These changes aim to reduce opportunities for malicious apps to phish users by creating activities that appear to be from other apps.
Android 15 Private Space
One of the most sought-after privacy features included in this release of the mobile OS is the Android 15 Private Space. In short, it allows the user to create a separate space within their device in which they can keep sensitive apps locked behind authentication. Mobile apps in the private space will show up in a separate container in the launcher, and will be hidden from the recents view, notifications, settings and from other apps when the private space is locked.
User-generated and downloaded content (such as media or files) and accounts are separated between the private space and the main space. Users can’t move existing apps and their data into the private space. Instead, users select an install option in the private space to install an app using whichever app store they prefer. Apps in the private space are installed as separate copies from any apps in the main space — that is, new copies of the same app.
Android 15 Selected Photos Access
Android 14 introduced the Selected Photos Access feature, which allows users to grant apps access to specific images and videos in their library rather than granting access to all media of a given type. Android 15 takes this feature to the next level by allowing apps to only highlight the most recently selected photos and videos when partial access to media permissions is granted by enabling the QUERY_ARG_LATEST_SELECTION_ONLY argument when querying the MediaStore class.
Android 15 End-to-End Encryption
The introduction of the E2eeContactKeysManager class facilitates Android 15 end-to-end encryption by providing an OS-level API for the storage of cryptographic public keys. It effectively integrates with the Contacts app within the platform in a centralized manner to provide more secure interactions between apps and services that use SMS, calls, contacts and similar components as a part of their functionality.
NowSecure Solutions Safeguard Android 15 Apps
The new Android enhancements demonstrate that users have growing expectations for mobile app security and privacy. Mobile app developers can build innovative mobile apps that delight users while delivering a safe experience with help from NowSecure software and services.
Integrating NowSecure Platform automated mobile application security testing directly into the dev toolchain enables developers to quickly find and fix security, privacy and compliance issues prior to release. NowSecure Academy training upskills developers in secure coding practices so they can avoid those mistakes and boost efficiency. NowSecure Services SDK pen testing helps devs ensure they choose secure components when building apps and NowSecure ADA MASA validation lends third-party validation to help Android apps stand apart in Google Play.
