Android Pi migration(28 API support)

I am here to give some inputs on android PI migration. . 

Apps must target at least API level 28 to ensure it is built on the latest APIs optimized for security and performance.

From August 2019, new apps must target at least Android 9.0 (API level 28).

The objective here is to make sure that your existing app works as-is on Android 9. Because some platform changes might affect the way your app behaves, some adjustments might be necessary, but you do not need to use new APIs or change your targetSdkVersion.

Android Service Problem

On Oreo, startService() will throw IllegalStateException. This can be fixed by changing it to startForegroundService(). but it also stops the service immediately if you don’t bind to the Notification withService.startForeground() within 5 seconds. For other background service we decided to use the WorkManager.

Implementation:

Since we have minSdkVersion 19, We migrated to workmanger for scheduled tasks and we still use JobIntentService from background service calls which is fine with our requirements.

Implementation:
I would like to explain how we solved the background service problem after android N in separate section.

Key features:

Backwards compatible up to API 14
Uses JobScheduler on devices with API 23+
Uses a combination of BroadcastReceiver + AlarmManager on devices with API 14-22
Add work constraints like network availability or charging status
Schedule asynchronous one-off or periodic tasks
Monitor and manage scheduled tasks
Chain tasks together
Ensures task execution, even if the app or device restarts
Adheres to power-saving features like Doze mode.

On Pie it is required to use HTTPS for network communication refer to Pie Behaviour Changes, so any URL that still use HTTP need to be changed to use HTTPS, 

If you still want to allow HTTP traffic follow below steps:
In your android manifest file. Application tag use below statement.
android:networkSecurityConfig="@xml/network_security_config"

Under XML folder create network_security_config

<?xml version="1.0" encoding="utf-8"?>

<network-security-config>

<!--Set application-wide security config using base-config tag.-->

<base-config cleartextTrafficPermitted="true"/>

</network-security-config>

This allows to use cleartext HTTP traffic in application.

Apps needing the Build.serial identifier must now request the READ_PHONE_STATE permission and then use the new Build.getSerial() method added in Android 9.

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        Log.d(TAG, "h/w serial: " + android.os.Build.getSerial());
} else if ((Build.VERSION.SDK_INT >= Build.VERSION_CODES.GINGERBREAD) &&(Build.VERSION.SDK_INT < Build.VERSION_CODES.P)) {
       Log.d(TAG, "h/w serial: " + android.os.Build.SERIAL);
}

Please add runtime permission READ_PHONE_STATE.

Access to app’s data directory blocked by SELinux

The system enforces per-app SELinux sandboxes with per-app SELinux restrictions on each app's private data directory. Directly accessing another app’s data directory by path is now disallowed. Apps may continue to share data using IPC mechanisms, including by passing FDs.

Deprecation of Bouncy Castle ciphers

Android 9 deprecates several ciphers from the Bouncy Castle provider in favor of those provided by the Conscrypt provider. Calls to getInstance() that request the Bouncy Castle provider generate NoSuchAlgorithmExceptionerrors. To resolve the errors, do not specify a provider in getInstance() (that is, request the default implementation).

Disallowed sharing of WebView data directory

Apps can no longer share a single WebView data directory across processes. If your app has more than one process using WebView, CookieManager, or any other API in the android.webkit package, your app will crash when the second process calls a WebView method.

Foreground service permission

Apps wanting to use foreground services must now request the FOREGROUND_SERVICE permission first. This is a normal permission, so the system automatically grants it to the requesting app. Starting a foreground service without the permission throws a SecurityException.

Restrictions on non-SDK interfaces

Access to specific non-SDK interfaces is now blocked, whether the access is direct, via JNI, or via reflection. Attempts to access restricted interfaces generates errors such as NoSuchFieldException and NoSuchMethodException. See Restrictions on Non-SDK Interfaces for details.

Removal of Crypto provider

Starting in Android 9, Crypto JCA provider has been removed. Calls to SecureRandom.getInstance("SHA1PRNG", "Crypto") will throw NoSuchProviderException.

Stricter UTF-8 decoder

In Android 9, the UTF-8 decoder for Java language is stricter and follows the Unicode standard.

Access to camera, microphone, and sensors blocked for idle apps

While apps are idle, they can no longer access camera, microphone, or SensorManager sensors.

To test your app uses restricted API’s use the link below:

Download the veridex tool from the Android runtime prebuilts repository.
Extract the contents of the appcompat.tar.gz file.
In the extracted folder, locate the veridex-linux.zip file and unzip it.
Navigate to the unzipped folder and then run the following command, where your-app.apk is the APK that you want to test:
Use below command to get the reports

./appcompat.sh --dex-file=your-app.apk

You will get below report.
100 hidden API(s) used: 50 linked against, 36 through reflection
76 in greylist
4 in blacklist
0 in greylist-max-o
20 in greylist-max-p

Reference:

https://developer.android.com/about/versions/pie/android-9.0-migrationhttps://developer.android.com/distribute/best-practices/develop/restrictions-non-sdk-interfaces