Google has launched the first beta version of Android 17, introducing significant privacy and security enhancements aimed at app developers. These updates include the deprecation of cleartext traffic and the introduction of a public Service Provider Interface (SPI) for HPKE hybrid cryptography.
Security and Privacy Enhancements
In Android 17, cleartext traffic will be blocked by default for apps that have the usesCleartextTraffic attribute set to 'true' without a corresponding network security configuration. Developers are encouraged to migrate to network security configuration files to gain more granular control over app security settings. Additionally, support for HPKE via a new SPI allows developers to implement secure hybrid encryption, combining public-key and symmetric (AEAD) mechanisms for stronger encrypted communication.
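The cleartext change described above can be checked before an app ships. The following Python check is an added example, not code from Google or the Android documentation: it flags a manifest that sets usesCleartextTraffic to 'true' without a network security configuration, and lists the domains a configuration file still allows over cleartext. The sample manifests, package names and domain are constructed, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample inputs (not taken from any real app).
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.legacy">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""
MIGRATED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.migrated">
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""
MIGRATED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">legacy-device.example.com</domain>
  </domain-config>
</network-security-config>"""

def _attr(elem, name):
    # Manifest attributes live in the android: XML namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(manifest_xml):
    """Classify an app's cleartext posture from its decoded AndroidManifest.xml."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return "no-application-element"
    cleartext = (_attr(app, "usesCleartextTraffic") or "").lower() == "true"
    has_nsc = _attr(app, "networkSecurityConfig") is not None
    if cleartext and not has_nsc:
        return "affected"  # the case the article says is blocked by default
    return "uses-network-security-config" if has_nsc else "no-cleartext-opt-in"

def cleartext_domains(nsc_xml):
    """Return (base_permits_cleartext, domains explicitly allowed cleartext)."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_ok = base is not None and base.get("cleartextTrafficPermitted") == "true"
    domains = []
    for dc in root.iter("domain-config"):  # inheritance in nested configs is not modelled
        if dc.get("cleartextTrafficPermitted") == "true":
            domains += [d.text.strip() for d in dc.findall("domain") if d.text]
    return base_ok, domains

if __name__ == "__main__":
    print(audit_manifest(LEGACY_MANIFEST))
    print(audit_manifest(MIGRATED_MANIFEST))
    print(cleartext_domains(MIGRATED_NSC))
```

Any domain the second function returns is a remaining cleartext exception worth reviewing; an empty list with a false base value means the app no longer permits cleartext anywhere.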
Platform Stability and Developer Impact
Android 17 continues to push for a 'secure-by-default' architecture to mitigate high-severity exploits such as phishing and interaction hijacking. Developers must explicitly opt in to new security standards to ensure app compatibility. The beta release notes also highlight that certificate transparency is now enabled by default, a shift from Android 16, where apps had to opt in. Other improvements include a new install-time permission and localhost protections to enhance platform security. Google aims to achieve platform stability by March, with several months of testing planned before the final release.