Android 17 Reaches Final Release

After several beta releases, Google has officially released the final version of Android 17. Besides improvements in performance, engineers paid special attention to issues of user privacy and data security. Among such innovations, Google highlights the following features.

🚫 Prohibition of Unencrypted Traffic Previously, to allow HTTP connections, it was sufficient to use the usesCleartextTraffic="true" attribute, but in Android 17 this flag has been deprecated. Apps built for Android 17 allow only HTTPS by default, while HTTP traffic is blocked. To allow the use of an insecure connection, you must configure а Network Security Config file by listing the permitted addresses.

🔍 Certificate Transparency Verification Starting with Android 16, the OS implements a Certificate Transparency (CT) mechanism for verifying signed certificate timestamps (SCTs) issued by trusted CT logs and confirming that a certificate has been publicly recorded in a log of issued certificates. Certificates without valid timestamps are rejected, and the connection is terminated. In the new version of Android, CT verification is enabled by default, whereas in Android 16 this feature had to be activated manually.

🌐 Local Network Access Restrictions Apps built for Android 17 can access the device's local network only after being granted the ACCESS_LOCAL_NETWORK permission. This prevents apps from exploiting unrestricted local network access to covertly track users.

🔐 Protection of One-Time Passwords (SMS OTPs) Google has strengthened the protection of SMS messages containing one-time passwords. App access to such messages is delayed by three hours after they are received. The only exceptions are apps with system roles (default SMS app, default assistant app, connected device assistant apps), as well as receiver apps that use SMS targeting mechanisms (WebOTP and SMS Retriever). This measure reduces the risk of verification codes being covertly intercepted by malware.

⚠️ Dynamic Code Loading Protection In Android 17, the protection mechanism against substitution of executable code loaded while an application is running has been expanded. Now, all native libraries (.so) loaded via System.load() in apps built for Android 17 must be marked as read-only before being loaded — otherwise the system rejects the load with an UnsatisfiedLinkError. The Safer Dynamic Code Loading protection was introduced in Android 14 for DEX and JAR files, but with this update it has been extended to native libraries as well.

🔑 Post-Quantum Cryptography (PQC) Mechanism In the new OS, the key storage system (the Keystore) has gained support for the new ML-DSA (Module-Lattice-Based Digital Signature Algorithm) digital signature algorithm. Compatible devices can generate and use ML-DSA keys to create signatures resistant to attacks using quantum computers.

Android 17 is already available for Google Pixel devices, while other manufacturers will release updates according to their own schedules. Google reminds developers of software, games, and Android libraries to take the new changes into account during development in order to avoid crashes and compatibility issues with the new version of the OS.