The Play Store created some controversy last month after announcing plans to remove apps that used Accessibility Services for any purpose that didn't directly relate to disabled users. While Google is reconsidering the best implementation for the Accessibility Services policy, a separate announcement introduces additional policies intended to help make apps distributed through the Play Store more secure and possibly improve performance. Over the next two years, developers will be required to target a recent SDK version in their app updates and provide 64-bit versions of native apps if they aren't already. The Play Store will also begin adding some new metadata to APKs for verification purposes, but most developers shouldn't need to worry about this.

New Requirements

Target API level

Starting in late 2018, all new and updated apps will be required to target an SDK that is no more than 1 year older than the current codename release.

For example, following the release of Android P, developers will only be able to publish apps targeting Android 8.0 Oreo (API 26) or above. With the release of Android Q in the following year, the new minimum target API level will become P (likely API 28), and so on. The phrasing of the policy appears to center on the major codename releases, which means mid-term updates like 8.1 (API 27) will probably not factor in.

As a reminder, target API level is different from minimum API level. As the name implies, minimum API level is used to declare the lowest version of Android an app supports. The target API level is technically defined as the version of the operating system an app was tested to work with; but in more practical terms, it's used to define a set of behaviors an app expects from the operating system. For example, an app can target API 26 (Android 8.1) while having a minimum API of 14 (Android 4.0). The reason this exists is to tell future versions of Android that certain assumptions were made in the development of an app so the OS can make the proper allowances. See Ian Lake's post for a more in-depth explanation.

This policy is meant to push apps into using recent versions of the SDK that include higher-performance code and rely on fewer exceptions to maintain backwards compatibility – e.g. Apps targeting Android 5.0 so they don't have to implement runtime permissions. It will also encourage developers to support many of the power-saving and security features added along the way.

The target API level requirement will go into effect for new apps in August 2018. Enforcement for updates to existing apps will not go into effect until November 2018.

Note: Future versions of Android

Buried in the text of Google's blog post was a throw-away statement that future versions of Android will also enforce API level restrictions. It's technically not specific as to whether older apps will only lose certain functions or if they will be blocked entirely. There are also no details about how flexible the limits will be.

Future Android versions will also restrict apps that don’t target a recent API level and adversely impact performance or security.

This makes some sense given that most apps built in the Android 1.x days are mostly inoperable on recent versions. Unfortunately, it may also mean some perfectly operational apps will be locked out. This will especially impact games since they are often left alone once the initial release and bug fixes are rolled out.

64-bit support

The other new requirement will be leveled at apps distributing native code. In preparation for hardware architectures that do not support 32-bit code, Google Play will begin requiring 64-bit support. Developers are free to either bundle 64-bit code alongside their 32-bit code in the same APK, or they can (and should) distribute a variant for each architecture using the Play Store's multiple APK system.

Enforcement of the 64-bit requirement won't go into effect until August 2019. Google is scheduling a long lead-up to give developers plenty of time to plan for a transition.

What happens to older apps?

Apps that aren't receiving updates will be left alone, at least for now. The new requirements only apply when updates are sent to the Play Store, so nothing will happen to existing APKs if a developer takes a very long time to release an update or abandons an app entirely.

Unfortunately, the target SDK requirement may also discourage some developers from updating older apps if it becomes too much work to support API changes with each passing year.

Play Store security metadata

Google's announcement included one last detail about a new practice going into effect in early 2018. The Play Store will begin inserting "a small amount of security metadata" into APKs. This will serve as verification that an APK passed through the Play Store and prove its authenticity.

The process will be completely transparent to developers and no additional steps are necessary. However, this is a detail worth noting if you run any comparisons between an original APK and one downloaded from the Play Store. The blog post also notes that the maximum APK size limits will be adjusted to allow for the extra data, though that should be a trivial adjustment.