Android 17 Beta Introduces Secure-By-Default Architecture
Android 17 Beta Introduces Secure-By-Default Architecture
https://www.infosecurity-magazine.com/news/android-17-beta-secure-default/
Publish Date: 2026-02-17 11:00:00
Source Domain: www.infosecurity-magazine.com
A new beta version of Android 17 has been released, bringing a range of privacy, security and performance changes aimed at strengthening app protections and improving developer workflows.
The update marks the first public beta of the mobile operating system and introduces structural changes that will affect how developers build and test apps ahead of its final release.
The release signals a shift toward tighter default security settings, alongside a move away from the traditional Developer Preview model. Android is replacing this with a continuous Canary channel designed to provide earlier access to features and streamline testing.
Privacy and Security Enhancements
Android 17 introduces two major security updates. The android:usesCleartextTraffic attribute has been deprecated, and apps targeting API level 37 that enable cleartext traffic without a corresponding network security configuration will have such traffic blocked by default.
Developers are being urged to migrate to network security configuration files for more granular control.
Support for HPKE hybrid cryptography has also been added via a new public Service Provider Interface (SPI), enabling secure communication that combines public-key and symmetric encryption.
Additionally, certificate transparency is now enabled by default, and new install-time permissions aim to improve protections around localhost interactions.
Read more on Android security updates: Google Releases Patches for Android Zero-Day Flaws Exploited in the Wild
Performance and Large-Screen Changes
Beyond security and privacy improvements, apps targeting Android 17 will now need to adapt to new requirements on large-screen devices. Orientation and resizability restrictions are being phased out for screens with a smallest width of 600dp or more, meaning certain manifest attributes and APIs will be ignored.
The update also introduces a lock-free MessageQueue implementation and generational garbage collection in ART, both intended…
