In this week’s newsletter:

  • Google Assistant can change compromised passwords for you
  • The May 2022 Android Security Bulletin
  • Big bonuses for security bugs found in Android 13
  • Android 13 fights back against malicious apps
  • The passwordless future is upon us
  • …and more nutritious info that’s part of a balanced breakfast ☕

In case you missed it

💁‍♂️ At I/O 2021, Google announced a feature for Assistant that would automatically change your compromised passwords. According to Max Weinbach on Twitter, that feature is rolling out now. Very cool. 

🔎 Third-party launchers may soon get access to the AppSearch API, which is currently only available to system apps. The preinstalled system intelligence app uses this API to index searchable data within apps, but it currently only shares that data with the system launcher. The Pixel’s new, much faster search experience on Android 12+ is built on this API.

🚨 The May 2022 Android Security Bulletin is out, and the accompanying update for Pixel devices finally includes a fix for the Dirty Pipe vulnerability. Pixel 6 users no longer need to install a beta release to be protected. 

⏫ Android 12 QPR3 Beta 3 started rolling out this week. There’s no official changelog, but there’s supposedly updated modem firmware and a new location for the battery widget

News for developers

  • Bug hunters will get a 50% bonus for reporting Android 13 bugs through May 26th. This applies to bugs found exclusively in Android 13 beta 1, though bugs found in older versions will still receive the standard reward. Get a-huntin’!
  • Curious about automating the building process for different flavors of your Android app? CI/CD pipelines with Fastlane and Github Actions may be just what you need. The guide from Kashif Mehmood on ProAndroidDev will show you how to get started. 
  • If you’re interested in Android development but don’t know where to start, the Android Developers blog is offering a free course on Android Basics with Jetpack Compose. It’s designed for beginners, with “no programming experience needed.” Looks like it’s time for one of you to build the next great Android app!
  • If you’re already familiar with Android app development, the Firebase blog is kicking off a new series on building apps with Jetpack Compose and Firebase. In fact, if you jump on Google’s Android Basics course, you should probably bookmark this one for later, too. 

Android Bytes: How to optimize Android for low RAM hardware

This episode features a spirited nerding out over how we’ve used and developed for devices with minuscule amounts of RAM. From the days of Project Svelte on Android KitKat all the way up to Android Go Edition with Oreo, we go far and wide while trying to patch up any potholes that could crash apps or the operating system itself. We’re joined by Nolen Johnson, part of the team at DirectDefense, and Sean Hoyt, LineageOS developer. Buckle in for a wild ride. 

Listen now

Android in the news

Android 13 drops the hammer on sideloaded apps with malicious intent: It’s no secret that malicious applications often leverage the power of Android’s Accessibility APIs to steal user data. These APIs are designed to aid users who may have trouble reading, hearing, or otherwise interacting with their device. The Accessibility APIs are incredibly powerful, and can give an app broad control of a device’s user interface and inputs. As a result, maliciously changing system settings and accessing sensitive data from are popular ways they’re abused..

And that’s exactly why malicious app developers use them. By taking advantage of these APIs, malicious apps can read everything on the screen, pull info from key presses, and more. I’m sure you can see why this is an issue. This double-edged sword isn’t lost on Google, mind you, as the company has routinely put more restrictions in place to prevent apps from using Accessibility APIs without a good reason

Up to this point, most of the restrictions were in place only for apps downloaded from the Google Play Store. If developers improperly or unjustifiably used Accessibility APIs, they risked being banned from the Play Store. And that has left the door wide open for sideloaded apps to do whatever they want, which is exactly how most Android malware spreads. 

In Android 13, the system now blocks accessibility services from apps that were sideloaded using the non-session-based package installation API — i.e. sideloaded apps that aren’t downloaded from an app store (including third-party stores like the Amazon Appstore or F-Droid). This means accessibility services will be restricted in Android 13 when you use Chrome to install an APK. But there’s a workaround for this, both on the user’s end and on the developer’s end, though.  

Mishaal has the full breakdown for this new feature and how it works over on the blog


Passkeys are official, starting with Android and Chrome: A couple of weeks ago, we talked about Google’s plans for a passwordless future by leveraging “passkeys.” This week, on national password day, the FIDO Alliance made passkeys official, and Google is bringing them to Android and Chrome. 

This year, Android and Chrome will implement FIDO sign-in standards for passwordless logins across devices, sites, and apps across all platforms. Your phone will store a cryptographically signed passkey that unlocks online accounts. The site, app, or device you’re logging in to will have the matching lock to this digital key, and the only thing that can open the lock is the key. You’ll never have to remember a password again. 

When an app requests a passkey on your phone, you’ll simply need to enter your authentication method. If you’re logging in on your computer, it will send a request to your phone and, again, you’ll enter the authentication method. Passkeys will sync across devices using cloud backups, so if you lose or replace your phone, you won’t lose access to your accounts. 

This is the first major step toward a truly passwordless future and an exciting advancement in account security.


Sharing content across devices just got easier: Nearby Share is a simple way to share files (or apps) with other nearby devices. It works really well when sharing from your device to someone else’s, but could be more streamlined when sharing across your own devices. That’s exactly what’s happening with the new Self Share feature, which allows you to easily share content across your own devices without having to authenticate or accept the file. 

Mishaal has a video demo of Self Share in action over on his Twitter.

Android Inside: LinkNYC

Back in 2016, New York City decided to replace its aging payphone system with a modern solution. The result was LinkNYC, a network of dedicated kiosks that offer free Wi-Fi, device charging, and access to city services, maps, and directions. These Android-based systems use large 55-inch touchscreens for users to interact with, but they double as advertising platforms throughout the city. There are currently 1,856 active Links across NYC.

The LinkNYC initiative was eventually expanded to the UK in partnership with UK carrier BT and dubbed as LinkUK. This is perhaps one of the more unique and powerful examples of Android as part of a versatile device solution. 

Android Dessert Bites 

Android Dessert Bites on eSIM.me and OpenEUICC

Contrary to popular belief, your phone doesn’t need a built-in eSIM to use an eSIM. It sounds weird, but removable eSIMs exist, which is how one company is able to bring eSIM support to any Android phone. Join me as I take a look at this ingenious product and fall down a rabbit hole of Android telephony APIs and GSMA standards.

Read More

What we’re reading

Computerworld’s JR Raphael explores Google’s Android Enterprise Recommended program, which aims to endorse Android devices for use in enterprise applications. It turns out that the program’s promises and results don’t directly align. Like, at all.

More From the Esper Blog