Android 15 could introduce a new ‘Enhanced Confirmation Mode’ to protect your Pixel from malicious apps

Android offers users the freedom to sideload apps, which means installing them from sources outside the preloaded app store like Google Play. While this expands user choice, it also introduces potential security risks. Fortunately, Mishaal Rahman says that Android 15 is expected to include an Enhanced Confirmation Mode (ECM), which would improve security for Pixel and other Android users.

Sideloading allows users to install apps beyond the official app store’s offerings. This flexibility is a cornerstone of Android’s open platform, contrasting with the more restrictive approach of iOS. However, it’s crucial to remember that sideloaded apps lack the same level of scrutiny as those found in Google Play. Malicious developers can exploit this freedom to distribute apps harboring security threats.

Android’s built-in security features attempt to mitigate these risks. One such feature, Restricted Settings, restricts access to sensitive permissions like Accessibility or Notification Listener services for sideloaded apps. However, this system relies on a method that differentiates between app installation methods – session-based versus non-session-based installation APIs. This distinction has a critical loophole. Malicious apps can exploit this vulnerability by employing session-based APIs to bypass Restricted Settings.

Google is addressing this loophole with ‘Enhanced Confirmation Mode’ in Android 15. ECM essentially acts as a more robust version of Restricted Settings. While not yet active in the current Android 15 Beta version, analysis of the code reveals its functionality.

The wording of the ECM dialog is similar to the existing Restricted Settings dialog. It warns users that enabling Accessibility or Notification Listener services for an app is restricted due to security risks. However, ECM offers a more detailed explanation, highlighting the potential privacy risks associated with the permission.

A key distinction between ECM and Restricted Settings lies in their enforcement mechanisms. Restricted Settings relies on installation methods, while ECM leverages a pre-loaded allowlist within the device’s factory image. This allowlist, stored as an XML file, specifies trusted packages and installers exempt from ECM restrictions.

Packages and installers explicitly listed in the allowlist are considered trustworthy. Consequently, apps installed by these trusted installers are exempt from ECM restrictions, provided they originate from a verified source (not downloaded directly from a file).

With ECM in effect, users attempting to enable Accessibility or Notification Listener services for a sideloaded app will encounter the ECM dialog if the app originates from an untrusted source or installer. This effectively closes the loophole exploited by malicious apps in Android 13’s Restricted Settings.

There are still some unknowns regarding ECM. It’s unclear whether legitimate sideloaded apps with ECM restrictions can have their Accessibility or Notification Listener services enabled, similar to how Restricted Settings can be disabled. Additionally, the current Android 15 Beta lacks any allow listed packages or installers.

This lack of allow listed entities raises questions about Google’s implementation strategy. Will Google mandate the Play Store as a trusted installer on all devices? Which, if any, third-party app stores will be included in the allowlist by Google and device manufacturers?