One of the bigger developer-facing changes we’ve spotted in Android Q is a mild deprecation of the SYSTEM_ALERT_WINDOW permission, which controls overlays. (Think Facebook’s chat heads or those Pokémon Go stats apps and you should get the idea.) Sideloaded apps on Android Q will see that permission revoked after 30 seconds, and the permission is being taken away entirely on the “Go” version of Android Q.
Technically, that’s “Android Q (Go edition)” — brackets and all, I’m not kidding — but it’s a ridiculous name and I won’t use it. Whatever you want to call it, though, it won’t support using the SYSTEM_ALERT_WINDOW permission. In addition to security concerns, which we’ll touch on later, overlays kill performance on low-end devices like those running Android Go.
On non-Go Android, this change in permissions and the 30-second revocation result in behavior that you might not expect. It isn’t an outright ban, but it makes overlays so inconvenient you probably won’t use them. Once an app using the overlay is running, it doesn’t seem to matter that the permission has been revoked: the overlay persists. But if the app is killed and relaunched, it will need to be granted the overlay permission again before it can draw overlays. In other words, you’ll still be able to use overlays on sideloaded apps if you really want to, but it’s going to be more tedious.
If an app requests overlay permissions, this is the screen you’ll see on Android Q (repeatedly, should you sideload).
Apps distributed through the Play Store will now need to be granted the overlay permission manually as well, since it isn’t automatically granted at install, but they won’t be affected by the 30-second permission reversal.
Google didn’t provide an explanation or publicly announce the non-Go changes to this overlay permission, but if you’ve been following along with security developments for the last couple of years, the reason is immediately obvious. Apps can take advantage of overlays to capture input or “clickjack” and have you perform actions you aren’t aware of.
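On the defending side of that clickjacking risk, an app can refuse taps on a sensitive control while another app’s window is drawn over it. The Java view below is an added example, not code from this article or from Google; the class name `ObscuredAwareButton` and its log tag are hypothetical, and it assumes the app is compiled against API level 29 or later.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Added example (hypothetical class): a button for sensitive actions
 * (confirm a payment, grant a permission) that discards taps delivered
 * while another visible window covers this app's window.
 */
public class ObscuredAwareButton extends Button {

    private static final String TAG = "ObscuredAwareButton"; // hypothetical tag

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Built-in filter: the framework drops touches that arrive while
        // the window is obscured at the touch location.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // Set when another visible window covers the touched location.
        boolean obscured =
                (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        // Added in API level 29: set when another visible window covers
        // some other part of this window, not the touched location itself.
        boolean partiallyObscured =
                (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (obscured || partiallyObscured) {
            if (event.getAction() == MotionEvent.ACTION_UP) {
                Log.w(TAG, "Tap discarded: window is covered by an overlay");
            }
            return false; // false tells the framework to drop the event
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Rejecting partially obscured touches is the stricter choice: it also blocks taps when a benign overlay such as a chat head is anywhere over the window, so it is best reserved for the few controls where an unintended tap is costly.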
Given the real-life security issues that stem from their use, overlays should never have been an option for Android developers to begin with. Half-measures like an ongoing notification and nerfing other types of overlays were the first attempts made to limit them, and even this 30-second restriction probably doesn’t go far enough. Eventually and appropriately, Google will just kill the permission entirely even outside Android Go — and that’s a good thing.