Yesterday, when I was at the bakery buying some snacks, I overheard a conversation between one attendant and another regarding her Android phone not downloading and installing the ChatGPT Android app. Curious about the subject, I decided to ask her more regarding her issue, and to talk about it. She explained her smartphone was an older model, using Android 8.0, aka Oreo, and that's probably why the ChatGPT Android app wasn't downloading and installing on it.
We talked a while, and I pondered that while there are a lot of reasons for an app not to work on an older Android OS version, the most relevant of them are the security reasons. So I decided to list eight changes from Android 8.0 (Oreo) to Android 15 (Vanilla Ice Cream), the most impactful and relevant of each major version:
1 - Project Treble on Android 8.0
Project Treble was, undoubtedly, the biggest change to architecture and security starting with Android 8.0, from the previous Nougat (Android 7.0). Not only did it compartmentalize the Android system image into a vendor partition and a system partition, it also increased the security and allowed for faster updates to be released and possibly longer device lifespan.
To understand the advance that Project Treble represents, you first need to understand the basics of Android product development. In a very abridged form, the Android operating system is maintained and developed by the Open Handset Alliance, a consortium of different companies, but most of the code for the next version of the AOSP (Android Open Source Project) is maintained and developed by a team at Google. This version of the OS usually does not contain a kernel and system drivers, something which is added later by device manufacturers like Samsung or Motorola. The vendors usually retrieve and adapt the latest version of the Linux kernel, and the system drivers from the chipset manufacturer, like Qualcomm or MediaTek, when not produced in-house. Only then, after it's developed and tested, does the product go to the resellers, who are too many to cite here. Think of it as an assembly line, where each step is done by a different company.
Project Treble changed some of that by separating the Android Framework software layer usually maintained by the AOSP team, which was named the system partition, from the low-level software layer maintained by the device manufacturer, which was named the vendor partition. So now the assembly line has two distinct software steps instead of just one. To be honest, there are more than two partitions in an Android device, but that's the general idea behind it. Not only did it allow the AOSP to update an older device's Android operating system as long as the interface remains the same, it also made it much harder to gain access to sensitive system resources like the camera and microphone (something we don't want malicious apps to have access to). This allows security patches to be deployed much faster than before when bugs are found.
There were other improvements made in Android 8.0, like the WebView component running in an isolated process, making the device more secure against attacks via the web, access to the hardware serial number requiring a specific permission to be granted, and better boot security, but the biggest and most important change remains Treble.
If you would like to know more about the Project Treble, check out this article: What's new in Android 8.0 Oreo Security
2 - Biometric API on Android 9
Android 9 Pie really started to tighten the screws on app permissions and how apps talk to the internet. For instance, it made secure connections (HTTPS) the default for apps, which is like ensuring all your mail is sent in a sealed, tamper-proof envelope instead of an open postcard. It also put stricter limits on what apps could do in the background, especially with things like your microphone and camera, stopping them from snooping when you're not looking.
But for me, the most important change in Android 9 was the Biometric API. Before this, every app had to build its own way to use your fingerprint, which wasn't always secure or consistent. With this API, Android provided a standard, super-secure way for apps to ask for your fingerprint or face scan. It's like having one master locksmith design a universal, highly secure keyhole that all trusted apps can use, instead of relying on a bunch of different, potentially flimsy locks. Relying on the Android OS also made biometric data interception by other apps less likely.
If you would like to know more about the Biometric Prompt, check out Android 9 release notes: Android 9 release notes
3 - Scoped Storage on Android 10
Starting with Android 10, privacy and security were taken to a whole new level, almost like building higher walls around your digital castle. It gave us much finer control over location access, letting you decide if an app gets your location only when you're using it. It also clamped down on apps launching activities from the background, which helped stop those annoying pop-up ads or worse. On the technical side, it boosted security with things like TLS 1.3 support and randomizing MAC addresses to prevent tracking.
However, in my opinion, the standout security feature in Android 10 was Scoped Storage. Think of your phone's storage as a big house. Before Scoped Storage, when giving another app permission to access your app files, the permissions were given to pretty much all files, for all the time, until rescinded. This was like giving them free access to your entire house when you only wanted to show them the kitchen. Scoped Storage gave each app its own private, locked room for its files by default. If an app wants to access a file, it has to ask for specific permission, and the permission is given for a specific action, for a specific file, for a specified timespan, making it much harder for a previously trusted app to go rogue and steal your data, something that was far too common at the time.
4 - Permission auto reset on Android 11
With Android 11, the focus was on giving users even more direct control and making permissions smarter. It introduced one-time permissions, which is like giving an app a key that only works once – super handy for apps you don't fully trust but need to use briefly. It also gained better security for SIM identifiers, and encryption for user-stored credentials. Also, Scoped Storage, previously introduced on Android 10, is now enforced on all apps.
But the real game-changer for me here was the auto-reset permissions feature. If you install an app, grant it a bunch of permissions, and then forget about it for a few months, Android 11 steps in, like a helpful assistant, to automatically revoke those permissions from the dormant app. It’s like that assistant noticing you haven't had a particular guest (app) over in a while, so they proactively take back the spare key you gave them, just in case. This is a brilliant way to reduce the attack surface from old, forgotten apps, which again could sometimes hold malicious code to be executed only days, weeks or months after being installed on a device and given permission for a legitimate use.
5 - Phantom touch blocking on Android 12
Android 12 brought a big visual overhaul, but it also packed some serious security punches. The Privacy Dashboard was a great addition, giving you a clear timeline of which apps accessed sensitive stuff like your camera, mic, or location. Those little green indicators for camera/mic use? Genius. Like a little light that tells you someone's listening or watching. It also allows you to give apps seeking your location only your approximate location, which is perfect for things like weather apps that don't need to know your exact address.
But for me, the most crucial security update in Android 12 was blocking untrusted touch events. Imagine a malicious app creating an invisible button over a real button in another app, trying to trick you into tapping something dangerous. Android 12 got much better at detecting and blocking these "tapjacking" attempts. It’s like having a filter for your screen that blocks shady attempts at tricking you into opening an app, or allowing a permission.
If you want to know more about the untrusted touch events block, check out the release notes for Android 12: Android 12 release notes
6 - Photo Picker addition on Android 13
Android 13 continued to refine these privacy and security controls. A new kind of permission was added in Android 13: the app notification permission. Apps now have to explicitly ask for this permission to send any notifications; if it is not granted, the app will not be able to send notifications! This was meant to curb the excessive notification spam some apps were sending. It also introduced more granular permissions for media files, so an app wanting your photos doesn't also get access to your videos and audio files unless specified. The new unified Security & Privacy settings page also made it easier to see what's going on.
But, if I had to pick one, the most significant security improvement for me in Android 13 was the Photo Picker. Previously, if an app wanted a photo, you often had to grant it access to your entire photo library. This could include sensitive, private and personal photos, and the user wouldn't know if those photos were accessed or not. Now, any app has to use the Photo Picker, which is like a secure messenger; you tell it which specific photos or videos you want to share with an app, and only those items are made available, for that one time. The app never gets to rummage through your whole album, keeping other photos and videos private. It’s a much safer way to share your memories and keep your privacy.
7 - Memory Tagging Extension on Android 14
Android 14 built on this solid foundation, making several under-the-hood and user-facing security enhancements. It started nudging users towards 6-digit PINs for better lock screen security and gave IT admins more power, like disabling 2G connections, which can be a security risk. Disabling 2G connections on your phone has been possible since Android 12, but now even remote administrators can do it. It also made it harder to install very old apps that might be riddled with known, unpatched vulnerabilities.
However, from my perspective, the most important step forward in Android 14 was the improved real-time malware protection, especially enhancements related to Memory Tagging Extension (MTE) where the hardware supports it. Think of MTE as an incredibly sophisticated alarm system for your phone's memory. It "tags" different parts of memory, and if an app tries to access a part it shouldn't, or messes with memory in a way that's common for malware, the alarm goes off instantly, often stopping an attack before it can do any damage. This helps catch and neutralize a whole class of tricky memory-related bugs and exploits in real-time, from stack injection to memory dumping.
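A software model of the tag check described above, added here as an illustration and not taken from the original post or from Android's code: real MTE compares the pointer's tag with the memory's tag in hardware on every load and store. The names tagged_alloc, tagged_free and checked_load, the 256-byte heap and the sequential tag choice are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed software model of MTE's tag check; real MTE does this in hardware. */
#define GRANULE   16                     /* MTE tags memory per 16-byte granule */
#define HEAP_SIZE 256
static uint8_t heap[HEAP_SIZE];
static uint8_t granule_tag[HEAP_SIZE / GRANULE];   /* the "lock" on each granule */
static size_t  next_free;
static uint8_t next_tag = 1;
typedef struct { size_t addr, len; uint8_t tag; } tagged_ptr;  /* tag is the "key" */

static uint8_t fresh_tag(void) {         /* 4-bit tags 1..15; 0 marks an invalid key */
    uint8_t t = next_tag;
    next_tag = (uint8_t)(t % 15 + 1);
    return t;
}
static void set_tags(size_t addr, size_t len, uint8_t tag) {
    for (size_t g = addr / GRANULE; g < (addr + len) / GRANULE; g++) granule_tag[g] = tag;
}

tagged_ptr tagged_alloc(size_t len) {    /* bump allocator, granule-aligned blocks */
    tagged_ptr p = { next_free, 0, 0 };
    if (len == 0 || len > HEAP_SIZE - next_free) return p;      /* out of memory */
    p.len = (len + GRANULE - 1) / GRANULE * GRANULE;
    p.tag = fresh_tag();
    set_tags(p.addr, p.len, p.tag);
    next_free += p.len;
    return p;
}

/* Retag the freed block so that stale keys stop matching (use-after-free). */
void tagged_free(tagged_ptr p) { if (p.tag) set_tags(p.addr, p.len, fresh_tag()); }

int checked_load(tagged_ptr p, size_t offset, uint8_t *out) {  /* -1 is the "alarm" */
    if (p.tag == 0 || offset >= HEAP_SIZE - p.addr) return -1;
    if (granule_tag[(p.addr + offset) / GRANULE] != p.tag) return -1;
    *out = heap[p.addr + offset];
    return 0;
}

int main(void) {
    tagged_ptr a = tagged_alloc(16), b = tagged_alloc(16);
    uint8_t v = 0;
    printf("in-bounds %d, overflow into b %d\n", checked_load(a, 0, &v), checked_load(a, 16, &v));
    tagged_free(a);
    printf("use-after-free %d, b %d\n", checked_load(a, 0, &v), checked_load(b, 0, &v));
    return 0;
}
```

With only 15 usable tag values, a stale or out-of-bounds pointer can occasionally land on memory that happens to carry the same tag, so the check is probabilistic rather than absolute.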
8 - Anti-theft protection on Android 15
Looking at Android 15, it's clear they're doubling down on protecting you from more modern threats, especially physical theft. It's also bringing features like a "private space" to hide sensitive apps and data, and further hardening the system by using more memory-safe languages like Rust. There are also improvements to how it handles one-time passwords to prevent malicious apps from peeking at them.
But undoubtedly, for anyone who ever had their phone stolen, the most significant security feature in Android 15 is the advanced theft protection. This isn't just about remotely wiping your phone anymore, which was an important feature, but could be bypassed if the phone was stolen while unlocked. It's about considering the scenarios where there is suspicious behavior (like if a thief snatches your phone and tries to run) and minimizing the damage. If the anti-theft system thinks the phone is stolen, it can automatically lock it down, make it harder to factory reset without your credentials, and even lock the screen if someone repeatedly fails to unlock it or tries to disable "Find My Device." It's like an intelligent alarm for your phone, where it activates a killswitch of sorts, making the device much harder to compromise, requiring more time, technical expertise, and making it less appealing and valuable to thieves.
If you want to know more about the anti-theft, I recommend this article: Android Security 2025: The Most Important Security Features for Businesses
Final Thoughts
While talking with both attendants, I tried to explain why, sometimes, an Android app will not run on an older device. I didn't get too technical, but I made my point - Newer devices aren't simply a programmed obsolescence ploy to sell you something you already have again. Newer technologies like 5G and 6G aren't simply faster, they are also much more secure than 2G and 3G.
If I had to put it in simpler terms, I'd say we, users, are in the middle of an arms race between tech companies and criminal entrepreneurs, who are always innovating in new ways to commit crime, either by tricking you into installing a malicious app, or physically stealing your phone. Either way, we should take measures to avoid unnecessary risks, and buying a new phone from time to time can be considered one of them. Of course, you don't need to buy the latest phone model every single year, but waiting too long to buy a new one could compromise your digital security, as the more time passes, the more vulnerabilities will be known by everyone, including attackers.
In my discussion with them, I tried to state that point. Also, just buying a new phone is not enough if the user is not going to make use of proper security practices. Make sure you enable the anti-theft system on your phone, avoid downloading strange unknown apps if possible, and pay attention to any strange behavior on your device. For example, if it feels too hot to the touch, it may be running malicious code in the background without your knowledge. Keep an eye out for risks, and you may avoid the worst of them.