{
	"id": "7f7d510e-3e3d-43b4-95be-fa7bbf962f56",
	"created_at": "2026-04-06T00:15:00.927064Z",
	"updated_at": "2026-04-10T13:13:10.354178Z",
	"deleted_at": null,
	"sha1_hash": "9f50f7ab49c684cf13dc89aa3b5a592017121c00",
	"title": "Behavior changes: all apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 147338,
	"plain_text": "Behavior changes: all apps\r\nArchived: 2026-04-05 21:56:27 UTC\r\nAndroid 10 includes behavior changes that may affect your app. The changes listed on this page apply to your app\r\nwhen running on Android 10, regardless of the app's targetSdkVersion . You should test your app and modify it\r\nas needed to support these changes properly.\r\nIf your app's targetSdkVersion is 29 or higher, you'll also need to support additional changes. Make sure to read\r\nbehavior changes for apps targeting 29 for details.\r\nNote: In addition to the changes listed on this page, Android 10 introduces a large number of privacy-based\r\nchanges and restrictions, including the following:\r\nBackground access to device location\r\nBackground activity starts\r\nContacts affinity information\r\nMAC address randomization\r\nCamera metadata\r\nPermissions model\r\nThese changes affect all apps and enhance user privacy. To learn more about how to support these changes, see the\r\nPrivacy changes page.\r\nNon-SDK interface restrictions\r\nTo help ensure app stability and compatibility, the platform started restricting which non-SDK interfaces your app\r\ncan use in Android 9 (API level 28). Android 10 includes updated lists of restricted non-SDK interfaces based on\r\ncollaboration with Android developers and the latest internal testing. Our goal is to make sure that public\r\nalternatives are available before we restrict non-SDK interfaces.\r\nIf you will not be targeting Android 10 (API level 29), some of these changes might not immediately affect you.\r\nHowever, while you can currently use some non-SDK interfaces (depending on your app's target API level), using\r\nany non-SDK method or field always carries a high risk of breaking your app.\r\nIf you are unsure if your app uses non-SDK interfaces, you can test your app to find out. If your app relies on non-SDK interfaces, you should begin planning a migration to SDK alternatives. Nevertheless, we understand that\r\nsome apps have valid use cases for using non-SDK interfaces. If you cannot find an alternative to using a non-SDK interface for a feature in your app, you should request a new public API.\r\nTo learn more, see Updates to non-SDK interface restrictions in Android 10 and see Restrictions on non-SDK\r\ninterfaces.\r\nGesture Navigation\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 1 of 10\n\nBeginning with Android 10, users can enable gesture navigation across the device. If a user enables gesture\r\nnavigation, this affects all apps on the device, whether or not the app targets API level 29. For example, if the user\r\nswipes in from the edge of the screen, the system interprets that gesture as a Back navigation, unless an app\r\nspecifically overrides that gesture for portions of the screen.\r\nTo make your app compatible with gesture navigation, you'll want to extend the app content from edge to edge,\r\nand handle conflicting gestures appropriately. For information, see the Gesture navigation documentation.\r\nNDK\r\nAndroid 10 includes the following NDK changes.\r\nShared objects cannot contain text relocations\r\nAndroid 6.0 (API level 23) disallowed use of text relocations in shared objects. Code must be loaded as-is, and\r\nmust not be modified. This change improves app load times and security.\r\nSELinux enforces this restriction on apps that target Android 10 or higher. If these apps continue to use shared\r\nobjects that contain text relocations, they're at high risk of breaking.\r\nChanges to Bionic libraries and dynamic linker paths\r\nStarting in Android 10, several paths are symbolic links instead of regular files. Apps that have been relying on the\r\npaths being regular files might break:\r\n/system/lib/libc.so -\u003e /apex/com.android.runtime/lib/bionic/libc.so\r\n/system/lib/libm.so -\u003e /apex/com.android.runtime/lib/bionic/libm.so\r\n/system/lib/libdl.so -\u003e /apex/com.android.runtime/lib/bionic/libdl.so\r\n/system/bin/linker -\u003e /apex/com.android.runtime/bin/linker\r\nThese changes apply to the 64-bit variants of the file as well, with lib/ replaced with lib64/ .\r\nFor compatibility, the symlinks are provided at the old paths. For example, /system/lib/libc.so is a symlink to\r\n/apex/com.android.runtime/lib/bionic/libc.so . So dlopen(“/system/lib/libc.so”) continues to work, but\r\napps will find the difference when they actually try to examine the loaded libraries by reading /proc/self/maps\r\nor similar, which is not usual but we’ve found that some apps do that as part of their anti-hacking process. If so,\r\nthe /apex/… paths should be added as valid paths for the Bionic files.\r\nSystem binaries/libraries mapped to execute-only memory\r\nStarting in Android 10, executable segments of system binaries and libraries are mapped into memory execute-only (non-readable) as a hardening technique against code-reuse attacks. If your app performs read operations into\r\nmemory segments marked as execute-only – whether from bug, vulnerability, or intentional memory inspection –\r\nthe system sends a SIGSEGV signal to your app.\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 2 of 10\n\nYou can identify whether this behavior caused a crash by examining the related tombstone file in\r\n/data/tombstones/ . An execute-only related crash contains the following abort message:\r\nCause: execute-only (no-read) memory access error; likely due to data in .text.\r\nTo work around this issue to perform operations like memory inspection, it's possible to mark execute-only\r\nsegments as read+execute by calling mprotect() . However, we strongly recommend setting it back to execute-only afterwards, as this access permission setting provides better protection for your app and users.\r\nSecurity\r\nAndroid 10 includes the following security changes.\r\nTLS 1.3 enabled by default\r\nIn Android 10 and higher, TLS 1.3 is enabled by default for all TLS connections. Here are a few important details\r\nabout our TLS 1.3 implementation:\r\nThe TLS 1.3 cipher suites cannot be customized. The supported TLS 1.3 cipher suites are always enabled\r\nwhen TLS 1.3 is enabled. Any attempt to disable them by calling setEnabledCipherSuites() is ignored.\r\nWhen TLS 1.3 is negotiated, HandshakeCompletedListener objects are called before sessions are added to\r\nthe session cache. (In TLS 1.2 and other previous versions, these objects are called after sessions are added\r\nto the session cache.)\r\nIn some situations where SSLEngine instances throw an SSLHandshakeException on previous versions of\r\nAndroid, these instances throw an SSLProtocolException instead on Android 10 and higher.\r\n0-RTT mode isn't supported.\r\nIf desired, you can obtain an SSLContext that has TLS 1.3 disabled by calling\r\nSSLContext.getInstance(\"TLSv1.2\") . You can also enable or disable protocol versions on a per-connection basis\r\nby calling setEnabledProtocols() on an appropriate object.\r\nCertificates signed with SHA-1 aren't trusted in TLS\r\nIn Android 10, certificates that use the SHA-1 hash algorithm aren't trusted in TLS connections. Root CAs haven't\r\nissued such certificate since 2016, and they are no longer trusted in Chrome or other major browsers.\r\nAny attempt to connect fails if the connection is to a site that presents a certificate using SHA-1.\r\nKeyChain behavior changes and improvements\r\nSome browsers, such as Google Chrome, allow users to choose a certificate when a TLS server sends a certificate\r\nrequest message as part of a TLS handshake. As of Android 10, KeyChain objects honor the issuers and key\r\nspecification parameters when calling KeyChain.choosePrivateKeyAlias() to show users a certificate selection\r\nprompt. In particular, this prompt doesn't contain choices that don't adhere to server specifications.\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 3 of 10\n\nIf there are no user-selectable certificates available, as is the case when no certificates match the server\r\nspecification or a device doesn't have any certificates installed, the certificate selection prompt doesn't appear at\r\nall.\r\nIn addition, it isn't necessary on Android 10 or higher to have a device screen lock to import keys or CA\r\ncertificates into a KeyChain object.\r\nOther TLS and cryptography changes\r\nThere have been several minor changes in the TLS and cryptography libraries that take effect on Android 10:\r\nThe AES/GCM/NoPadding and ChaCha20/Poly1305/NoPadding ciphers return more accurate buffer sizes\r\nfrom getOutputSize() .\r\nThe TLS_FALLBACK_SCSV cipher suite is omitted from connection attempts with a max protocol of TLS 1.2\r\nor above. Because of improvements in TLS server implementations, we don't recommend attempting TLS-external fallback. Instead, we recommend relying on TLS version negotiation.\r\nChaCha20-Poly1305 is an alias for ChaCha20/Poly1305/NoPadding.\r\nHostnames with trailing dots aren't considered valid SNI hostnames.\r\nThe supported_signature_algorithms extension in CertificateRequest is respected when choosing a\r\nsigning key for certificate responses.\r\nOpaque signing keys, such as those from Android Keystore, can be used with RSA-PSS signatures in TLS.\r\nWi-Fi Direct broadcasts\r\nOn Android 10, the following broadcasts related to Wi-Fi Direct aren't sticky:\r\nWIFI_P2P_CONNECTION_CHANGED_ACTION\r\nWIFI_P2P_THIS_DEVICE_CHANGED_ACTION\r\nIf your app has relied on receiving these broadcasts at registration because they had been sticky, use the\r\nappropriate get() method at initialization to obtain the information instead.\r\nWi-Fi Aware capabilities\r\nAndroid 10 adds support to ease TCP/UDP Socket creation using Wi-Fi Aware datapaths. To create a TCP/UDP\r\nsocket connecting to a ServerSocket , the client device needs to know the IPv6 address and port of the server.\r\nThis previously needed to be communicated out-of-band, such as by using BT or Wi-Fi Aware layer 2 messaging,\r\nor discovered in-band using other protocols, such as mDNS. With Android 10, the information can be\r\ncommunicated as part of the network setup.\r\nThe server can do either of the following:\r\nInitialize a ServerSocket and either set or obtain the port to be used.\r\nSpecify the port information as part of the Wi-Fi Aware network request.\r\nThe following code sample shows how to specify port information as part of the network request:\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 4 of 10\n\nval ss = ServerSocket()\r\nval ns = WifiAwareNetworkSpecifier.Builder(discoverySession, peerHandle)\r\n .setPskPassphrase(\"some-password\")\r\n .setPort(ss.localPort)\r\n .build()\r\nval myNetworkRequest = NetworkRequest.Builder()\r\n .addTransportType(NetworkCapabilities.TRANSPORT_WIFI_AWARE)\r\n .setNetworkSpecifier(ns)\r\n .build()\r\nServerSocket ss = new ServerSocket();\r\nWifiAwareNetworkSpecifier ns = new WifiAwareNetworkSpecifier\r\n .Builder(discoverySession, peerHandle)\r\n .setPskPassphrase(“some-password”)\r\n .setPort(ss.getLocalPort())\r\n .build();\r\nNetworkRequest myNetworkRequest = new NetworkRequest.Builder()\r\n .addTransportType(NetworkCapabilities.TRANSPORT_WIFI_AWARE)\r\n .setNetworkSpecifier(ns)\r\n .build();\r\nThe client then performs a Wi-Fi Aware network request to obtain the IPv6 and the port supplied by the server:\r\nval callback = object : ConnectivityManager.NetworkCallback() {\r\n override fun onAvailable(network: Network) {\r\n ...\r\n }\r\n \r\n override fun onLinkPropertiesChanged(network: Network,\r\n linkProperties: LinkProperties) {\r\n ...\r\n }\r\n override fun onCapabilitiesChanged(network: Network,\r\n networkCapabilities: NetworkCapabilities) {\r\n ...\r\n val ti = networkCapabilities.transportInfo\r\n if (ti is WifiAwareNetworkInfo) {\r\n val peerAddress = ti.peerIpv6Addr\r\n val peerPort = ti.port\r\n }\r\n }\r\n override fun onLost(network: Network) {\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 5 of 10\n\n...\r\n }\r\n};\r\nconnMgr.requestNetwork(networkRequest, callback)\r\ncallback = new ConnectivityManager.NetworkCallback() {\r\n @Override\r\n public void onAvailable(Network network) {\r\n ...\r\n }\r\n @Override\r\n public void onLinkPropertiesChanged(Network network,\r\n LinkProperties linkProperties) {\r\n ...\r\n }\r\n @Override\r\n public void onCapabilitiesChanged(Network network,\r\n NetworkCapabilities networkCapabilities) {\r\n ...\r\n TransportInfo ti = networkCapabilities.getTransportInfo();\r\n if (ti instanceof WifiAwareNetworkInfo) {\r\n WifiAwareNetworkInfo info = (WifiAwareNetworkInfo) ti;\r\n Inet6Address peerAddress = info.getPeerIpv6Addr();\r\n int peerPort = info.getPort();\r\n }\r\n }\r\n @Override\r\n public void onLost(Network network) {\r\n ...\r\n }\r\n};\r\nconnMgr.requestNetwork(networkRequest, callback);\r\nSYSTEM_ALERT_WINDOW on Go devices\r\nApps running on Android 10 (Go edition) devices cannot receive the SYSTEM_ALERT_WINDOW permission. This is\r\nbecause drawing overlay windows uses excessive memory, which is particularly harmful to the performance of\r\nlow-memory Android devices.\r\nIf an app running on a Go edition device running Android 9 or lower receives the SYSTEM_ALERT_WINDOW\r\npermission, the app retains the permission even if the device is upgraded to Android 10. However, apps which do\r\nnot already have that permission cannot be granted it after the device is upgraded.\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 6 of 10\n\nIf an app on a Go device sends an intent with the action ACTION_MANAGE_OVERLAY_PERMISSION , the system\r\nautomatically denies the request, and takes the user to a Settings screen which says that the permission isn't\r\nallowed because it slows the device. If an app on a Go device calls Settings.canDrawOverlays() , the method\r\nalways returns false. Again, these restrictions do not apply to apps which received the SYSTEM_ALERT_WINDOW\r\npermission before the device was upgraded to Android 10.\r\nWarnings for apps targeting older Android versions\r\nDevices running Android 10 or higher warn users the first time they run any app that targets Android 5.1 (API\r\nlevel 22) or lower. If the app requires the user to grant permissions, the user is also given an opportunity to adjust\r\nthe app's permissions before the app is allowed to run for the first time.\r\nDue to Google Play's target API requirements, a user sees these warnings only when they run an app that hasn't\r\nbeen updated recently. For apps that are distributed through other stores, similar target API requirements are\r\ntaking effect during 2019. For more information about these requirements, see Expanding target API level\r\nrequirements in 2019.\r\nSHA-2 CBC cipher suites removed\r\nThe following SHA-2 CBC cipher suites have been removed from the platform:\r\nTLS_RSA_WITH_AES_128_CBC_SHA256\r\nTLS_RSA_WITH_AES_256_CBC_SHA256\r\nTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\r\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\r\nTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\r\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\r\nThese cipher suites are less secure than the similar cipher suites that use GCM, and most servers either support\r\nboth the GCM and CBC variants of these cipher suites or support neither of them.\r\nApp usage\r\nAndroid 10 introduces the following behavior changes related to app usage:\r\nUsageStats app usage improvements - Android 10 accurately tracks app usage with UsageStats when\r\napps are used in split-screen or picture-in-picture mode. Additionally, Android 10 correctly tracks instant\r\napp usage.\r\nPer-app grayscale - Android 10 can set a grayscale display mode on a per-app basis.\r\nPer-app distraction state - Android 10 can selectively set apps to a \"distraction state\" where their\r\nnotifications are suppressed and they do not appear as suggested apps.\r\nSuspension and playback - In Android 10, suspended apps are not able to play audio.\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 7 of 10\n\nHTTPS connection changes\r\nIf an app running Android 10 passes null into setSSLSocketFactory() , an IllegalArgumentException\r\noccurs. In previous versions, passing null into setSSLSocketFactory() had the same effect as passing in the\r\ncurrent default factory.\r\nandroid.preference library is deprecated\r\nThe android.preference library is deprecated as of Android 10. Developers should instead use the AndroidX\r\npreference library, part of Android Jetpack. For additional resources to aid in migration and development, check\r\nout the updated Settings Guide along with our public sample app and reference documentation.\r\nZIP file utility library changes\r\nAndroid 10 introduces the following changes to classes in the java.util.zip package, which handles ZIP files.\r\nThese changes make the library's behavior more consistent between Android and other platforms that use\r\njava.util.zip .\r\nInflater\r\nIn previous versions, some methods in the Inflater class threw an IllegalStateException if they were\r\ninvoked after a call to end() . In Android 10, these methods throw a NullPointerException instead.\r\nZipFile\r\nIn Android 10 and higher, the constructor for ZipFile that takes arguments of type File , int , and Charset\r\ndoesn't throw a ZipException if the supplied ZIP file doesn't contain any files.\r\nZipOutputStream\r\nIn Android 10 and higher, the finish() method in ZipOutputStream doesn't throw a ZipException if it tries\r\nto write an output stream for a ZIP file that doesn't contain any files.\r\nCamera changes\r\nMany camera-using apps assume that if the device is in a portrait configuration, then the physical device is also in\r\nthe portrait orientation, as described in Camera orientation. This was a safe assumption in the past, but that has\r\nchanged with the expansion of available form factors, such as foldables. That assumption on these devices can\r\nlead to either incorrectly rotated or scaled (or both) display of the camera viewfinder.\r\nApplications that target API level 24 or above should explicitly set android:resizeableActivity and provide\r\nnecessary functionality to handle multi-window operation.\r\nBattery usage tracking\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 8 of 10\n\nBeginning with Android 10, SystemHealthManager resets its battery usage statistics whenever the device is\r\nunplugged after a major charging event. Broadly speaking, a major charging event is either: The device has been\r\nfully charged, or the device has gone from mostly depleted to mostly charged.\r\nBefore Android 10, the battery usage statistics reset whenever the device was unplugged, no matter how little\r\nchange there had been to the battery level.\r\nAndroid Beam deprecation\r\nIn Android 10 we're officially deprecating Android Beam, an older feature for initiating data sharing across\r\ndevices through Near Field Communication (NFC). We're also deprecating several of the related NFC APIs.\r\nAndroid Beam remains optionally available to device-maker partners who want to use it, but it's no longer in\r\nactive development. Android will continue to support other NFC capabilities and APIs, however, and use-cases\r\nlike reading from tags and payments will continue to work as expected.\r\njava.math.BigDecimal.stripTrailingZeros() behavior change\r\nBigDecimal.stripTrailingZeros() no longer preserves trailing zeroes as a special case if the input value is zero.\r\njava.util.regex.Matcher and Pattern behavior changes\r\nThe result of split() was changed to no longer start with an empty String (\"\") when there is a zero-width\r\nmatch at the start of the input. This also affects String.split() . For example, \"x\".split(\"\") now returns\r\n{\"x\"} whereas it used to return {\"\", \"x\"} on older versions of Android. \"aardvark\".split(\"(?=a)\" now\r\nreturns {\"a\", \"ardv\", \"ark\"} rather than {\"\", \"a\", \"ardv\", \"ark\"} .\r\nException behavior for invalid arguments has also been improved:\r\nappendReplacement(StringBuffer, String) now throws an IllegalArgumentException instead of\r\nIndexOutOfBoundsException if the replacement String ends with a lone backslash, which is illegal. The\r\nsame exception is now thrown if the replacement String ends with a $ . Previously, no exception was\r\nthrown in this scenario.\r\nreplaceFirst(null) no longer calls reset() on the Matcher if it throws a NullPointerException .\r\nNullPointerException is now also thrown when there is no match. Previously, it was thrown only when\r\nthere was a match.\r\nstart(int group) , end(int group) and group(int group) now throw a more general\r\nIndexOutOfBoundsException if the group index is out of bounds. Previously, these methods threw\r\nArrayIndexOutOfBoundsException .\r\nDefault angle for GradientDrawable is now TOP_BOTTOM\r\nIn Android 10, if you define a GradientDrawable in XML and do not provide an angle measurement, the gradient\r\norientation defaults to TOP_BOTTOM . This is a change from previous versions of Android, where the default was\r\nLEFT_RIGHT .\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 9 of 10\n\nAs a workaround, if you update to the most recent version of AAPT2, the tool sets an angle measurement of 0 for\r\nlegacy apps if no angle measurement is specified.\r\nLogging for serialized objects using default SUID\r\nBeginning with Android 7.0 (API level 24), the platform made a fix to the default serialVersionUID for\r\nserializable objects. This fix did not affect apps that targeted API level 23 or lower.\r\nBeginning with Android 10, if an app targets API level 23 or lower and relies on the old, incorrect, default\r\nserialVersionUID , the system logs a warning and suggests a code fix.\r\nSpecifically, the system logs a warning if all of the following are true:\r\nThe app targets API level 23 or lower.\r\nA class is serialized.\r\nThe serialized class uses the default serialVersionUID , instead of explicitly setting a\r\nserialVersionUID .\r\nThe default serialVersionUID is different than the serialVersionUID would be if the app targeted API\r\nlevel 24 or higher.\r\nThis warning is logged once for each affected class. The warning message includes a suggested fix, which is to\r\nexplicitly set the serialVersionUID to the default value that would be calculated if the app targeted API level 24\r\nor higher. By using that fix, you can ensure that if an object from that class is serialized on an app that targets API\r\nlevel 23 or lower, the object will be correctly read by apps that target 24 or higher, and vice versa.\r\njava.io.FileChannel.map() changes\r\nStarting in Android 10, FileChannel.map() isn't supported for non-standard files, like /dev/zero , whose size\r\ncannot be changed using truncate() . Previous versions of Android swallowed the errno returned by\r\ntruncate() , but Android 10 throws an IOException. If you need the old behavior, you must use native code.\r\nSource: https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nhttps://developer.android.com/about/versions/10/behavior-changes-all#execute-permission\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission"
	],
	"report_names": [
		"behavior-changes-all#execute-permission"
	],
	"threat_actors": [],
	"ts_created_at": 1775434500,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f50f7ab49c684cf13dc89aa3b5a592017121c00.pdf",
		"text": "https://archive.orkl.eu/9f50f7ab49c684cf13dc89aa3b5a592017121c00.txt",
		"img": "https://archive.orkl.eu/9f50f7ab49c684cf13dc89aa3b5a592017121c00.jpg"
	}
}