After 5 releases, Google is preparing to update the Dalvik Executable Format (DEX) in Android 15 "Vanilla Ice Cream".
DEX v41 is in the works for Android 15. The last version, DEX v40, was released with Android 10.
DEX files contain the compiled code of Android applications. If you've ever opened up an APK file, I'm sure you've seen those classes.dex files before.
With version 41 of the DEX format, Google plans to "allow multiple dex files within [a] single 'container' (either a zip entry or a plain on-disk dex file). This allows sharing of string (and other) dex data, since the offsets can point to shared data payload."
It's a little confusing how the patch talks about multiple dex when "multidex" is already a thing, but what seems to be happening is that currently, "multidex" refers to splitting compiled code into multiple different individual DEX files (classesN.dex) whereas the new "multidex" refers to putting multiple DEX files in a single container.
How DEX files work under-the-hood is not my forte, so I asked
Anestis Bechtsoudis, a security researcher and creator of multiple open source DEX-related tools, what they thought of this change and whether the 64K method reference limit will be addressed by this. Here's what they had to say:
"
DEX v41 is in the works for Android 15. The last version, DEX v40, was released with Android 10.
DEX files contain the compiled code of Android applications. If you've ever opened up an APK file, I'm sure you've seen those classes.dex files before.
With version 41 of the DEX format, Google plans to "allow multiple dex files within [a] single 'container' (either a zip entry or a plain on-disk dex file). This allows sharing of string (and other) dex data, since the offsets can point to shared data payload."
It's a little confusing how the patch talks about multiple dex when "multidex" is already a thing, but what seems to be happening is that currently, "multidex" refers to splitting compiled code into multiple different individual DEX files (classesN.dex) whereas the new "multidex" refers to putting multiple DEX files in a single container.
How DEX files work under-the-hood is not my forte, so I asked
Anestis Bechtsoudis, a security researcher and creator of multiple open source DEX-related tools, what they thought of this change and whether the 64K method reference limit will be addressed by this. Here's what they had to say:
"
From what is [sic] looks like they introduce the concept of container that can host one or more dex files. The shared data section(s) of the container become sharable and this will allow external DEX files to reference them*. This is because their offsets are no longer relative but directly accessible from header.
From what is [sic] looks like they want to make some concept of dynamic loadable shared data to deduplicate event more (across different Apps / Services) common resources (to save disk space and memory when all frameworks are loaded).
Of course compact dex is no longer possible because you need relative offsets, thus they disabled it. But at any case it shouldn't be needed any more.
(1/2)๐23
Mishaal's Android News Feed
After 5 releases, Google is preparing to update the Dalvik Executable Format (DEX) in Android 15 "Vanilla Ice Cream". DEX v41 is in the works for Android 15. The last version, DEX v40, was released with Android 10. DEX files contain the compiled code ofโฆ
This patchset does not solve the 65535 max method limitation because on the DEX v41 spec the method ID remains a u2 (uint16_t). So the DEX compiler will still see a u2 space for methods and impose this limitation.
It's been a while I spent time with ART (thanks for the opportunity). Seems that Google is looking for more ways to improve performance. The way they reference the container shared data to external DEX at the loader level will be also interesting*. I think more patches are to be expected there."*Anestis cautions that this is just a theory and that allowing external DEX file references may not be Google's goal right now. Instead, they may simply "
want to improve how shared data are accessed from the runtime for the DEX files of the same bundle (considering the multiple passes of the ART compiler engines). This will enable them to make bigger service libraries and achieve smaller footprints by increasing the sizer of service jars without compromising performance."Here's the patchset for DEX v41. If you're an expert at ART and DEX and if you know more about this change, feel free to send me a DM or reply!
๐26โค1
Google Play has shared an article about the new features, tools, and updates they've been working on to keep the platform "safe and trustworthy". Here's a summary:
* The Google Play Console's App content page is adding more information to help you spot policy declaration deadlines through a new timeline view, help you understand why an app is in-scope for a particular declaration, and help find relevant policy issues alongside each declaration. Later this year, this page will not only show existing declarations but also upcoming declaration requirements and deadlines.
* A new notice on the Google Play SDK Index will help you "make more informed decisions about which version of an SDK may cause your app to violate Google Play policies." Also later this year, Google will inform you about SDK-related policy issues right on the Policy status page, in addition to Inbox messages and emails.
* You can go to the new Developer Help Community to ask about everything from Play Console changes to target API level requirements.
* The Google Play Strike Removal program is now available to all developers. This program "helps eligible developers get certain enforcement strikes removed after passing a related Play Academy training course."
* Google reiterates that the updated data safety form needs to be completed by Dec. 7, 2023. If your app allows users to create accounts, you'll need to provide a way for users to delete their account and/or data. Links to these forms should be submitted to Google Play so they can appear for users in the data safety section starting in early 2024.
* Lastly, Google Play is adding a new banner for the VPN app category that "emphasize[s] the importance of reviewing an appโs Data safety section before installing. When users search for 'VPN' apps in Google Play, theyโll see a banner that encourages them to look for a shield icon in the appโs Data safety section, which indicates that the app has completed an independent security review."
* The Google Play Console's App content page is adding more information to help you spot policy declaration deadlines through a new timeline view, help you understand why an app is in-scope for a particular declaration, and help find relevant policy issues alongside each declaration. Later this year, this page will not only show existing declarations but also upcoming declaration requirements and deadlines.
* A new notice on the Google Play SDK Index will help you "make more informed decisions about which version of an SDK may cause your app to violate Google Play policies." Also later this year, Google will inform you about SDK-related policy issues right on the Policy status page, in addition to Inbox messages and emails.
* You can go to the new Developer Help Community to ask about everything from Play Console changes to target API level requirements.
* The Google Play Strike Removal program is now available to all developers. This program "helps eligible developers get certain enforcement strikes removed after passing a related Play Academy training course."
* Google reiterates that the updated data safety form needs to be completed by Dec. 7, 2023. If your app allows users to create accounts, you'll need to provide a way for users to delete their account and/or data. Links to these forms should be submitted to Google Play so they can appear for users in the data safety section starting in early 2024.
* Lastly, Google Play is adding a new banner for the VPN app category that "emphasize[s] the importance of reviewing an appโs Data safety section before installing. When users search for 'VPN' apps in Google Play, theyโll see a banner that encourages them to look for a shield icon in the appโs Data safety section, which indicates that the app has completed an independent security review."
๐27๐ฅ4
Really impressed by how Microsoft has taken tools that were super basic and often mocked - Paint, Snipping Tool, Photos - and improved upon them with useful AI features.
* Microsoft announced last week that Paint is rolling out background removal support to Windows Insiders in the Canary and Dev channels.
* Today, Microsoft announced the Photos app will get background blur, content search for OneDrive-backed photos, location search, support for viewing motion photos captured by Samsung Galaxy and Google Pixel phones, and other improvements.
* Also today, Microsoft announced that Snipping Tool can now detect text in captured screenshots (OCR, finally!) I've been using Google Lens on my phone for this for so long. You can also use Quick Redact to automatically hide emails and phone numbers.
* Phone Link is getting updated with a new remote capture feature. Whenever a new photo is captured on your linked Android device, that photo can immediately be accessed and edited on your PC through Snipping Tool.
* Microsoft announced last week that Paint is rolling out background removal support to Windows Insiders in the Canary and Dev channels.
* Today, Microsoft announced the Photos app will get background blur, content search for OneDrive-backed photos, location search, support for viewing motion photos captured by Samsung Galaxy and Google Pixel phones, and other improvements.
* Also today, Microsoft announced that Snipping Tool can now detect text in captured screenshots (OCR, finally!) I've been using Google Lens on my phone for this for so long. You can also use Quick Redact to automatically hide emails and phone numbers.
* Phone Link is getting updated with a new remote capture feature. Whenever a new photo is captured on your linked Android device, that photo can immediately be accessed and edited on your PC through Snipping Tool.
๐36๐ฑ22โค8๐ค5๐ฅ4๐คฏ2
Through the new FlaggedApi annotation, Android 15 will make certain APIs public or hidden based on the value of an "aconfig" flag at build time.
Google will use this annotation to hide APIs under development while preparing the release of Android 15.
For example, the battery state of health API that I said would become public in Android 15 the other day will be guarded by the new "state_of_health_public" flag under the "os" namespace.
aconfig, as I mentioned before, is a new way to define feature flags at build time. It's similar to the DeviceConfig API, which lets Play Services remotely toggle flags, but aconfig also allows configuring flag values based on the build ID as well as setting certain flags to be read-only.
And now, it seems Google's going to use aconfig to gate the availability of new APIs as well while they're under development.
Google will use this annotation to hide APIs under development while preparing the release of Android 15.
For example, the battery state of health API that I said would become public in Android 15 the other day will be guarded by the new "state_of_health_public" flag under the "os" namespace.
aconfig, as I mentioned before, is a new way to define feature flags at build time. It's similar to the DeviceConfig API, which lets Play Services remotely toggle flags, but aconfig also allows configuring flag values based on the build ID as well as setting certain flags to be read-only.
And now, it seems Google's going to use aconfig to gate the availability of new APIs as well while they're under development.
๐25๐ค6
Google may have quietly walked back Android 14's work profile changes.
Back in July, I reported that Android 14 tweaked the behavior of the work profile so that when you press "pause", the OS actually pauses the profile instead of turning it off.
Google told me they made this change for 2 reasons:
1) Your notifications will be ready for you to view when you unpause the work profile (rather than getting a flood of notifications as apps sync).
2) It's easier to stay compliant with a company's update policy as apps can continue to get updates when the work profile is paused (they couldn't under the previous behavior as the work profile was off).
The change seemed like a win for users and enterprises, but some users were concerned about the potential battery implications. (Google told me that although the work profile technically continues running in the background, apps are suspended using the same method that Digital Wellbeing uses.)
Also, some users were concerned that work profile apps would continue seeing them as online. (Google told me that the burden lies with individual app developers in determining a user's online status through the
I don't know why, but it seems Google may have quietly reverted Android 14's work profile pausing behavior. Android Enterprise expert Jason Bayton discovered that "pausing" the work profile on his Pixel 6 Pro running Android 14 Beta 5.3 actually shuts it down, which is the behavior seen in Android 13 and earlier. Another work profile user, Tim Cappalli, also noticed the same on their Pixel 7 Pro running Android 14 Beta 5.3.
(1/2)
Back in July, I reported that Android 14 tweaked the behavior of the work profile so that when you press "pause", the OS actually pauses the profile instead of turning it off.
Google told me they made this change for 2 reasons:
1) Your notifications will be ready for you to view when you unpause the work profile (rather than getting a flood of notifications as apps sync).
2) It's easier to stay compliant with a company's update policy as apps can continue to get updates when the work profile is paused (they couldn't under the previous behavior as the work profile was off).
The change seemed like a win for users and enterprises, but some users were concerned about the potential battery implications. (Google told me that although the work profile technically continues running in the background, apps are suspended using the same method that Digital Wellbeing uses.)
Also, some users were concerned that work profile apps would continue seeing them as online. (Google told me that the burden lies with individual app developers in determining a user's online status through the
PM.isPackageSuspended() API or the ACTION_MY_PACKAGE_SUSPENDED broadcast.)I don't know why, but it seems Google may have quietly reverted Android 14's work profile pausing behavior. Android Enterprise expert Jason Bayton discovered that "pausing" the work profile on his Pixel 6 Pro running Android 14 Beta 5.3 actually shuts it down, which is the behavior seen in Android 13 and earlier. Another work profile user, Tim Cappalli, also noticed the same on their Pixel 7 Pro running Android 14 Beta 5.3.
(1/2)
๐ค19๐10๐คก10
Mishaal's Android News Feed
Google may have quietly walked back Android 14's work profile changes. Back in July, I reported that Android 14 tweaked the behavior of the work profile so that when you press "pause", the OS actually pauses the profile instead of turning it off. Googleโฆ
Oddly, though, I was not able to replicate this on my Pixel 6a or Pixel 6 Pro running Beta 5.3, and even stranger was that Jason was also unable to replicate this on his Pixel 7a running Beta 5.3!
I don't know why there's a discrepancy between our devices, but there's some more evidence the work profile behavior may have been reverted. Google quietly scrubbed their page for what's new in enterprise in Android 14 to remove references to the work profile change.
I reached out to Google for comment last week, but I didn't hear back from them. If you have a Pixel running Android 14 Beta 5.3 and you use a work profile, let me know if you see the new or old pausing behavior!
The best way to check is through ADB (so your policy may not let you):
(2/2)
I don't know why there's a discrepancy between our devices, but there's some more evidence the work profile behavior may have been reverted. Google quietly scrubbed their page for what's new in enterprise in Android 14 to remove references to the work profile change.
I reached out to Google for comment last week, but I didn't hear back from them. If you have a Pixel running Android 14 Beta 5.3 and you use a work profile, let me know if you see the new or old pausing behavior!
The best way to check is through ADB (so your policy may not let you):
dumpsys user | grep -A 3 "Work profile"
If you see State: SHUTDOWN or State: -1 when the work profile is paused, then it's the old behavior. If you see State: RUNNING_UNLOCKED, then it's the new behavior.(2/2)
๐36๐ฑ4๐2
Google Play seems to be rolling out an "automatically archive apps" toggle for more people. This feature, when enabled, will free up space when your storage runs low by automatically archiving apps you rarely use.
Previously, to opt into app archiving, you had to attempt to install an app when your phone was out of storage. Now, you can go to Play Store settings > General to opt in.
For more info on app archiving and auto-archiving on Google Play, refer to this post.
H/T Anh on my Discord
Previously, to opt into app archiving, you had to attempt to install an app when your phone was out of storage. Now, you can go to Play Store settings > General to opt in.
For more info on app archiving and auto-archiving on Google Play, refer to this post.
H/T Anh on my Discord
โค25๐22
Mishaal's Android News Feed
Google has deleted all code related to Fast Pair from AOSP. Fast Pair is Google's proprietary standard for simplifying the first time discovery and pairing of nearby devices over Bluetooth Low Energy. It's available on most Android devices through the Googleโฆ
So, as I suspected, Fast Pair code was deleted from AOSP because it wasn't being used by anyone.
And because it wasn't being used, it was just taking up space unnecessarily. Although HalfSheetUX was only a few megabytes in size, Mainline modules are served to many millions of people, a decent portion of whom are on metered connections.
Note: This has no implications for the Fast Pair feature you're already familiar with. Fast Pair started out as a feature bundled in Play Services and will remain that way for the foreseeable future. This news just means there's no longer an open source version of Fast Pair.
And because it wasn't being used, it was just taking up space unnecessarily. Although HalfSheetUX was only a few megabytes in size, Mainline modules are served to many millions of people, a decent portion of whom are on metered connections.
Note: This has no implications for the Fast Pair feature you're already familiar with. Fast Pair started out as a feature bundled in Play Services and will remain that way for the foreseeable future. This news just means there's no longer an open source version of Fast Pair.
๐ข45๐8โค4๐4๐ค1
The Android 14 beta hints that "virtual" DSDA might be coming to select Pixel phones, which could let you make a phone call on one SIM while simultaneously using mobile data from another!
Full details exclusive to Patreon/X subscribers.
Full details exclusive to Patreon/X subscribers.
๐47๐คก16๐ฅ5โค3๐คฏ1
Sources: To improve security, Google's making it (slightly) harder to contribute code to Android
To improve AOSP's supply chain security, all external code contributions will soon need approval from at least two Google reviewers.
Full details available here (no paywall).
To improve AOSP's supply chain security, all external code contributions will soon need approval from at least two Google reviewers.
Full details available here (no paywall).
๐คก50๐28๐ค4โค1
While we're waiting for the stable release of Android 14 and Android 14 QPR1 Beta 1, Google has just released a new Android 13 (QPR3)-based build for Pixel phones that has the September 2023 security patches!
Build ID: TQ3A.230901.001
Announcement on the Pixel community forum | Pixel Update Bulletin - September 2023
CVE-2023-4211 is a high severity vulnerability that impacts the Mali GPU driver and "may be under limited, targeted exploitation"
Build ID: TQ3A.230901.001
Announcement on the Pixel community forum | Pixel Update Bulletin - September 2023
CVE-2023-4211 is a high severity vulnerability that impacts the Mali GPU driver and "may be under limited, targeted exploitation"
๐38๐ฅฑ15๐ค6๐พ6๐ข4๐คก1
Xiaomi's upcoming Watch 2 Pro will be their first smartwatch with Wear OS to have access to Google Play! It's launching next week, Sept. 26, in Berlin alongside the Xiaomi 13T series.
Rumors suggest it'll have the Snapdragon W5+ Gen 1 SoC. The OS will have MIUI branding, but I'm not sure if it'll launch with Android 11-based Wear OS 3 or Android 13-based Wear OS 4.
The Xiaomi Mi Watch was technically Xiaomi's first smartwatch to run Wear OS, but it was only available in China and also didn't have access to Google Play.
Thanks to dvrkplayer for pointing this out!
Rumors suggest it'll have the Snapdragon W5+ Gen 1 SoC. The OS will have MIUI branding, but I'm not sure if it'll launch with Android 11-based Wear OS 3 or Android 13-based Wear OS 4.
The Xiaomi Mi Watch was technically Xiaomi's first smartwatch to run Wear OS, but it was only available in China and also didn't have access to Google Play.
Thanks to dvrkplayer for pointing this out!
๐34๐คฎ11๐5โค4๐ฑ2๐คก2๐1