
"The first, which aims to reduce risks associated with unencrypted traffic, is related to the usesCleartextTraffic attribute. On apps targeting Android 17, if the attribute is set to 'true' but lacks a corresponding network security configuration, cleartext traffic will be blocked by default. Developers are advised to migrate to network security configuration files for more granular control."
"The introduction of support for HPKE via a new SPI enables developers to implement secure hybrid encryption combining public-key and symmetric (AEAD) mechanisms. The goal is to facilitate stronger, more efficient encrypted communication in apps."
"In Android 17, the platform continues its shift toward a 'secure-by-default' architecture, introducing a suite of enhancements designed to mitigate high-severity exploits such as phishing, interaction hijacking, and confused deputy attacks. This update requires developers to explicitly opt in to new security standards to maintain app compatibility and user protection."
The Android 17 beta introduces privacy and security enhancements alongside performance, media, connectivity, and developer productivity improvements. A change to usesCleartextTraffic behavior will block cleartext traffic by default in apps targeting Android 17 when no network security configuration is provided, and developers are advised to migrate to network security configuration files. A public SPI adds support for HPKE hybrid encryption, enabling combined public-key and symmetric (AEAD) mechanisms for stronger, more efficient encrypted communication. The platform shifts toward a secure-by-default architecture, requires explicit developer opt-in for new standards, enables certificate transparency by default, adds an install-time localhost protection permission, and targets platform stability by March.
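To find apps that the cleartext change would affect, the following added example (not code from the article or from Android) checks a manifest for `usesCleartextTraffic="true"` without a network security configuration. It assumes a text-form AndroidManifest.xml; the status labels, helper names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(manifest_xml):
    """Classify a text-form AndroidManifest.xml (assumption: source tree or
    decoded manifest, not the binary XML packed inside an APK)."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return "no-application"
    cleartext = _android_attr(app, "usesCleartextTraffic")
    nsc = _android_attr(app, "networkSecurityConfig")
    if cleartext is not None and cleartext.startswith("@"):
        return "unresolved"   # value lives in a resource; check it by hand
    if cleartext == "true" and nsc is None:
        return "affected"     # attribute set to true with no config file
    if cleartext == "true":
        return "has-config"   # attribute set, config file present: review the file
    return "ok"

def _manifest(app_attrs):
    # Constructed sample manifests, not taken from any real app.
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.demo">'
            f'<application {app_attrs}/></manifest>')

SAMPLES = {
    "legacy": _manifest('android:usesCleartextTraffic="true"'),
    "migrated": _manifest('android:usesCleartextTraffic="true" '
                          'android:networkSecurityConfig="@xml/network_security_config"'),
    "default": _manifest('android:label="demo"'),
    "indirect": _manifest('android:usesCleartextTraffic="@bool/allow_http"'),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(f"{name}: {audit_manifest(xml_text)}")
```

A manifest reported as `affected` matters only once the app targets Android 17, which this check does not inspect.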
Read at SecurityWeek