Saagar Jha
(replying to Saagar Jha)
However, changing APIs means that apps that were built for older versions may break. So, they’re often “grandfathered in”: there are rules like “we changed this in SDK Y, so if your app was built against X or below you can keep the old behavior”. This keeps them working as-is.
Saagar Jha
(replying to Saagar Jha)
Of course, this means bad actors can just always target X or below and keep doing the malicious thing. For this reason, the Play Store has long had a policy where you need to build with a more recent SDK for app updates at some point. This is also a reasonable policy!
Saagar Jha
(replying to Saagar Jha)
Now, what happens to apps that never update? They can keep being installed, and since they were built with SDK X, can keep accessing the old, problematic APIs.
This is the motivation that was used to propose this feature.
Saagar Jha
(replying to Saagar Jha)
This is something that should get solved! Or…wait, should it? This definitely solves the problem, but you’ll notice that I never mentioned any harms. Has anyone actually installed an old app and been harmed because it did something that was let through because of the old SDK?
Saagar Jha
(replying to Saagar Jha)
The truth is that I don’t know if this has harmed anyone. At least I didn’t spot any examples when I skimmed the proposal. But, it sounds plausible, so let’s assume it has happened and motivated this change. This does mean we’ll have to look elsewhere when evaluating it, however.
Saagar Jha
(replying to Saagar Jha)
Most apps on the Play Store are not malware (seriously!) This has held true over time. Most of the old apps that haven’t been updated are games, or old utilities, or defunct social networks. Some have backends that don’t work anymore. But they’re not trying to be malicious!
Saagar Jha
(replying to Saagar Jha)
Most of our work was actually navigating around this fact. By their nature, blanket policies affect legitimate use more than illegitimate use, because there is more good than bad. When we cause pain by being overly broad, it makes people resent the process.