Google Releases Android 17 Beta 4 with Post‑Quantum Cryptography, Dynamic Code Loading Restrictions, and Per‑App Memory Limits
What Happened – Google shipped Android 17 Beta 4, the final pre‑release build, introducing post‑quantum cryptography support, stricter dynamic code‑loading rules, default Certificate Transparency, blocked local‑network access, and per‑app memory caps.
Why It Matters for TPRM –
- New platform hardening may break legacy third‑party apps, exposing vendors to compliance gaps.
- Post‑quantum crypto adoption changes data‑in‑transit protection requirements for SaaS integrations.
- Memory‑limit enforcement can cause service degradation for poorly engineered partner applications.
Who Is Affected – Mobile app developers, SDK/library maintainers, cloud‑based backend services, and enterprises that rely on Android‑based client apps across all industries.
Recommended Actions –
- Validate that all third‑party Android apps used by your organization are tested against Beta 4 behavior changes.
- Review contracts with mobile‑app vendors for compliance with new security controls (dynamic code loading, CT, network permissions).
- Update internal development pipelines to use Android Studio Panda and the 64‑bit system images for testing.
Technical Notes –
- Dynamic code loading: native libraries loaded via System.load() must be read‑only or an UnsatisfiedLinkError is thrown.
- Certificate Transparency: enabled by default, removing the opt‑in requirement from Android 16.
- Local network access: blocked unless the new ACCESS_LOCAL_NETWORK permission is declared.
- Memory limits: per‑app caps based on device RAM to mitigate extreme leaks.
- Post‑quantum crypto: early support for algorithms resistant to quantum attacks, affecting TLS handshakes.
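One way an app or SDK that unpacks a native library at runtime can meet the read‑only requirement in the dynamic code loading note above. This is an added example, not code from Google or the source article; the class and method names are hypothetical, and it assumes destDir is a directory private to the app.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/** Hypothetical helper: extract a native library, make it read-only, then load it. */
public final class ReadOnlyNativeLoader {
    private ReadOnlyNativeLoader() {}

    public static File extractAndLoad(InputStream lib, File destDir, String name)
            throws IOException {
        File target = new File(destDir, name);

        // A read-only copy left by an earlier run cannot be overwritten in place,
        // so remove it before writing the new one.
        if (target.exists() && !target.delete()) {
            throw new IOException("cannot replace existing file: " + target);
        }

        try (OutputStream out = new FileOutputStream(target)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = lib.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }

        // Drop write permission and confirm it took effect before loading.
        // Failing here gives a clearer error than an UnsatisfiedLinkError later.
        if (!target.setReadOnly() || target.canWrite()) {
            throw new IOException("could not make library read-only: " + target);
        }

        // System.load() takes an absolute path to the library file.
        System.load(target.getAbsolutePath());
        return target;
    }
}
```

When reviewing a vendor SDK against this change, the thing to look for is any System.load() call on a file the app itself wrote without a matching permission change before the load.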
Source: Help Net Security