Android 兼容性定義發行說明

2022 年 4 月 11 日

2.設備類型

• 2.2.1 硬件：

  對 WiFi 鄰居感知網絡 (NAN) 協議要求的更新：

  見修訂

  如果設備支持 WiFi 鄰居感知網絡 (NAN) 協議，則它們：

  • [ 7.4 .2.5/H-1-1]如通過WifiRttManager#startRanging Android API觀察到的那樣，95% 的測量值在 1m、3m 和 5m 距離處的測量值必須為 +/-1 m。
  • [ 7.4 .2.5/H-1-2] 必須應用修正，以便使用WifiRttManager#startRanging Android API在距離參考設備 10 厘米處測量的中值等於 10 厘米。
  • [ 7.4 .2.5/H-1-2] 必須使用WifiRttManager#startRanging Android API進行測量，以擬合趨勢線 [最小二乘回歸]，偏差為 0 +/- 0.25m，斜率為 1 +/- 0.05 1m、3m 和 5m 點。

  即將添加測試指南。

  對手持設備上邏輯攝像頭設備要求的更新：

  見修訂

  如果手持設備實現包括使用CameraMetadata.REQUEST_AVAILABLE_CAPABILITIES_LOGICAL_MULTI_CAMERA列出功能的邏輯相機設備，則它們：

  • [ 7.5 .4/H-1-1] 默認情況下必須具有正常視野 (FOV)，並且必須在 50 到95度之間。

• 2.2.7.1 媒體：更新媒體性能等級要求。

  見修訂

  如果手持設備實現為android.os.Build.VERSION_CODES.MEDIA_PERFORMANCE_CLASS返回android.os.Build.VERSION_CODES.T ，那麼它們：

  • [5.6/H-1-3] 必須支持 >=24 位音頻，以通過 3.5 毫米音頻插孔（如果存在）和 USB 音頻（如果通過整個數據路徑支持）進行立體聲輸出，以實現低延遲和流式​​傳輸配置。對於低延遲配置，應用程序應在低延遲回調模式下使用 AAudio。對於流式配置，應用程序應使用 Java AudioTrack。在低延遲和流配置中，HAL 輸出接收器應接受AUDIO_FORMAT_PCM_24_BIT 、 AUDIO_FORMAT_PCM_24_BIT_PACKED 、 AUDIO_FORMAT_PCM_32_BIT或AUDIO_FORMAT_PCM_FLOAT作為其目標輸出格式。
  • [5.6/H-1-4] 必須支持 >=4 通道 USB 音頻設備（DJ 控制器使用它來預覽歌曲。）
  • [5.6/H-1-5] 必須支持類兼容的 MIDI 設備並聲明 MIDI 功能標誌。
  • [5.7/H-1-1] 必須為設備上的每個硬件 HEVC、VP9 或 AV1 硬件解碼器支持安全解碼器。
  • [5.7/H-1-2] 必須支持具有以下內容解密功能的 MediaDrm.SECURITY_LEVEL_HW_SECURE_ALL。

  資源評級層	3 - 高
  最小樣本量	4 兆字節
  最小子樣本數 - H264 或 HEVC	32
  最小子樣本數 - VP9	9
  最小子樣本數 - AV1	288
  最小子樣本緩衝區大小	1 兆字節
  最小通用加密緩衝區大小	500 KB
  最小並發會話數	30
  每個會話的最小密鑰數	20
  最小密鑰總數（所有會話）	80
  DRM 密鑰的最小總數（所有會話）	6
  消息大小	16 千字節
  每秒解密幀數	60 幀/秒高清

• 2.2.7.2 相機：更新了與相機相關的媒體性能等級要求。

  見修訂

  如果手持設備實現為android.os.Build.VERSION_CODES.MEDIA_PERFORMANCE_CLASS返回android.os.Build.VERSION_CODES.T ，那麼它們：

  • [7.5/H-1-9] 必須支持主前置攝像頭和主後置攝像頭的散景、夜間模式擴展。
  • [7.5/H-1-10] 必須有一個支持 720p 或 1080p @ 240fps 的後置主攝像頭。
  • [7.5/H-1-11] 如果存在面向同一方向的超寬 RGB 攝像頭，主攝像頭的最小 ZOOM_RATIO 必須 < 1.0。
  • [7.5/H-1-12] 必須在主攝像頭上實現並發前後流。
  • [7.5/H-1-13] 必須支持主前置攝像頭和主後置攝像頭的CONTROL_VIDEO_STABILIZATION_MODE_PREVIEW_STABILIZATION 。
  • [7.5/H-1-14] 如果有超過 1 個 RGB 攝像頭面向同一方向，則必須支持主攝像頭的LOGICAL_MULTI_CAMERA功能。
  • [7.5/H-1-15] 必須支持主前置攝像頭和主後置攝像頭的STREAM_USE_CASE功能。

3. 軟件

• 3.5.1 應用限制：改變應用限制要求。

  見修訂

  如果設備實現實現了專有機制來限制應用程序（例如，更改或限制 SDK 中描述的 API 行為）並且該機制比受限應用程序備用存儲桶更具限制性，則它們：

  • [C-1-10] 對運行前台服務的應用施加任何限制時，必須獲得用戶的明確同意。相反，不得在未經用戶同意的情況下對運行前台服務的應用施加任何限制。

  • [C-1-11] 如果應用了背景限制，則必須獲得明確的用戶同意。必須在應用此類限制之前的 24 小時內獲得此類同意。

  • [C-1-12] 如果限制是強制停止應用，則必須向用戶顯示應用可能行為不端的警告並獲得明確的用戶同意。必須在應用此類限制之前的 24 小時內獲得此類同意。

    • [SR] 強烈建議不要通過強制停止應用來限制應用。預計此要求將在下一個 Android 版本中成為必須。

  • [C-1-13] 如果他們免除用戶可安裝應用的專有限制，他們必須提供公開且明確的文檔或網站，說明如何申請選擇加入此類豁免。此文檔或網站必須可從 Android SDK 文檔鏈接。

  如果某個應用程序已預裝在設備上並且用戶未明確使用超過 30 天，則 [C-1-3] [C-1-5][C-1-10][C-1 -11] [C-1-12] 被豁免。

• 3.8.3.1 通知的呈現：放寬一些以前要求的第三方通知參數（恢復為建議）。

  見修訂

  如果設備實現允許第三方應用程序通知用戶值得注意的事件，它們：

  • [C-1-8] 必須[C-SR]強烈建議為用戶提供一種方法來控制向已授予通知偵聽器權限的應用公開的通知。粒度必須使用戶可以為每個此類通知偵聽器控制哪些通知類型橋接到此偵聽器。類型必須包括“對話”、“警報”、“靜默”和“重要的持續”通知。
  • [C-1-9] 必須[C-SR]強烈建議為用戶提供指定應用程序以排除通知任何特定通知偵聽器的功能。

5. 多媒體兼容性

• 5.4.1 原始音頻捕獲和麥克風信息：對麥克風支持要求的更新。

  見修訂

  如果設備實現聲明android.hardware.microphone ，它們：

  • [C-1-1] 必須允許為任何成功打開的AudioRecord或AAudio INPUT 流捕獲原始音頻內容。至少，必須支持以下特性：

    • 格式：線性 PCM，16 位
    • 採樣率： 8000、11025、16000、44100、48000 Hz
    • 頻道：單聲道
    • 音頻源： DEFAULT 、 MIC 、 CAMCORDER 、 VOICE_RECOGNITION 、 VOICE_COMMUNICATION 、 UNPROCESSED或VOICE_PERFORMANCE 。這也適用於AAudio中的等效輸入預設，例如AAUDIO_INPUT_PRESET_CAMCORDER 。

  • [C-1-4 AudioManager.getMicrophones()對於使用MediaRecorder.AudioSources DEFAULT 、 MIC MicrophoneInfo CAMCORDER 、 VOICE_RECOGNITION 、 VOICE_COMMUNICATION 、 UNPROCESSED或VOICE_PERFORMANCE 。以及第三方應用程序可以通過AudioRecord.getActiveMicrophones()和MediaRecorder.getActiveMicrophones() API 訪問的當前活動麥克風。

• 5.4.2 語音識別捕獲：將要求從第 5.4.6節轉移到第 5.4.2 節。

• 5.5.4 音頻卸載：刪除最近添加的對無縫音頻內容的要求。

  見修訂

  • [C-1-1] 當AudioTrack 無縫 API和 MediaPlayer 的媒體容器指定時，必須修剪播放的 MP3 和 AAC 的無縫音頻內容。

• 5.12 HDR 視頻：添加了 HDR 視頻要求的新部分。

6. 開發者工具和選項兼容性

• 6.1 開發者工具：更新了對 GPU 工作信息的要求。

  見修訂

  GPU工作信息

  設備實現：

  • [C-6-1] 必須執行 shell 命令dumpsys gpu --gpuwork以顯示由power/gpu_work_period內核跟踪點返回的匯總 GPU 工作數據，如果不支持該跟踪點，則不顯示任何數據。 AOSP 實現是frameworks/native/services/gpuservice/gpuwork/ 。

7. 硬件兼容性

• 7.1.4.1 OpenGL ES ：為支持 OpenGL ES 的設備添加了建議。

  見修訂

  如果設備實現支持任何 OpenGL ES 版本，它們：

  • 應該支持EGL_IMG_context_priority和EGL_EXT_protected_content 。

• 7.2.3 導航鍵：對導航欄要求的說明。

  見修訂

  如果設備實現支持系統 API setNavBarMode以允許任何具有android.permission.STATUS_BAR權限的系統應用設置導航欄模式，那麼它們：

  • [C-9-1] 必須為AOSP 代碼中提供的兒童友好圖標或基於按鈕的導航提供支持。

• 7.4.2.5。 Wi-Fi 定位（Wi-Fi 往返時間 - RTT） ：更新了 Wi-Fi 定位精度要求。

  見修訂

  如果設備實現包括對 Wi-Fi 位置的支持並將功能公開給第三方應用程序，那麼它們：

  • [C-1-4]在 80 MHz 帶寬和第 68 個百分位（使用累積分佈函數計算）時，必須精確到 2 米以內。
  • [C-SR] 強烈建議在第 68 個百分位（使用累積分佈函數計算）以 80 MHz 帶寬將其準確報告到 1.5 米以內。

• 7.4.2.6。 Wi-Fi / Cellular NAT-T Keepalive Offload ：更新 Wi-Fi / Cellular keepalive 插槽要求。

  見修訂

  如果設備實現包括對 Wi-Fi keepalive offload 或 Cellular keepalive offload 的支持並將功能公開給第三方應用程序，則它們：

  • [C-1-3] 必須支持與蜂窩無線電 HAL 支持的一樣多的並發蜂窩 keepalive 時隙。
  • [C-SR] 強烈建議至少支持三個蜂窩 keepalive 插槽。

• 7.4.2.9 首次使用信任 (TOFU) ：更新了 TOFU 的企業 Wi-Fi 網絡要求。

  見修訂

  如果設備實現支持首次使用信任 (TOFU)，則它們：

  • [C-4-1] 如果未配置 Wi-Fi 服務器證書或未設置 Wi-Fi 服務器域名，則不得向用戶提供手動添加基於 TLS 的企業 Wi-Fi 網絡的選項。

  • [C-4-1] 必須為用戶提供選擇使用 TOFU 的選項。

• 7.4.3 藍牙：更新了使用藍牙 LE 確定與其他設備的接近度時的要求。

  見修訂

  如果設備實現支持藍牙 LE 並使用藍牙 LE 進行位置掃描以確定與其他設備的接近度，它們：

  • [C-10-1] 對於在視線環境中以ADVERTISE_TX_POWER_HIGH傳輸的參考設備 1m 距離處的 95% 的測量，RSSI 測量必須在 +/-6dBm 以內。
  • [C-10-2] 必須包含Rx/Tx校正以減少每個通道的偏差，以便在每個天線（如果使用多個天線）上的 3 個通道中的每個通道上的測量值都在一個的 +/-3dBm 範圍內另一個用於 95% 的測量。
  • [C-10-3] 必須測量和補償 Rx 偏移，以確保在距離以ADVERTISE_TX_POWER_HIGH傳輸的參考設備 1m 距離處，BLE RSSI 中值是 -60dBm +/-3 dBm，其中設備的方向是“平行”平面的屏幕朝向相同的方向。
  • [C-10-4] 必須測量和補償 Tx 偏移，以確保從位於 1m 距離處的參考設備進行掃描並以ADVERTISE_TX_POWER_HIGH傳輸時，BLE RSSI 中值是 -60dBm +/-3 dBm位於“平行平面”上，屏幕朝向同一方向。

• 7.4.9 UWB ：對包含 UWB 硬件的設備的要求進行說明。

  見修訂

  如果設備實現包括 UWB 硬件，那麼它們：

  • [C-1-1] 必須確保95% 的距離測量值在 +/-10 厘米以內，並且到達角測量值（如果支持）在 +/-5 度以內（距中心的 +/-60 度方位角以內）視線環境中的測量。
  • [C-1-2] 必須應用修正，以使距離參考設備 10 厘米處的測量值的中位數等於 10 厘米 +/- 2 厘米，其中地面真實距離是天線到天線的測量值。

  • [C-1-3 ] 1m、3m 和 5m 點的測量值必須符合偏差為 0 且斜率為 1 的趨勢線。

• 7.5 相機：更新了 HDR 10 位輸出能力的要求和建議。

  見修訂

  如果設備實現支持 HDR 10 位輸出功能，則它們：

  • [C-2-2] 必須支持主後置攝像頭或主前置攝像頭的 10 位輸出。
  • [C-SR] 強烈建議為兩個主攝像頭支持 10 位輸出。

8. 性能和功率

• 8.3 省電模式：對被視為出於省電目的而受到限制的應用程序的說明。

  見修訂

  如果設備實現包括改進 AOSP 中包含的設備電源管理的功能（例如 App Standby Bucket、Doze）或擴展功能以應用比RESTRICTED App Standby Bucket 更強的限制，則：

  • [C-1-4] 必須按照電源管理中的說明實施App Standby Buckets和 Doze。

    開始對 T 的新要求（AOSP 實驗性）

    1) 僅當用戶超過 4 小時未使用該應用程序時，該應用程序才會被放入 RESTRICTED 存儲桶。

    2) 只有當應用程序被證明對系統健康有顯著影響時，應用程序才會被放入 RESTRICTED 存儲桶，例如應用程序消耗的電量超過充滿電的電池容量的 0.1%。

2022 年 3 月 14 日

3. 軟件

• 3.8.1 啟動器（主屏幕） ：澄清對支持monochrome/adaptive-icon圖標的設備的新要求。

  見修訂

  如果設備實現支持monochrome/adaptive-icon ，這些圖標：

  • [C-6-1] 必須僅在用戶明確啟用它們時使用（例如，通過設置或壁紙選擇器菜單）。
  • [C-6-2] 不得使用專有標誌方案覆蓋應用圖標標誌，除非與這些應用圖標相關的應用通過使用專有 API 表明支持專有標誌方案。

• 3.8.18 深色主題：澄清對支持深色主題的設備的新要求。

  見修訂

  3.8.18.深色主題

  如果設備實現支持系統 API 的UiModeManager.setNightModeCustomType(@NightModeCustomType int nightModeCustomType)和UiModeManager.setNightModeActivatedForCustomMode(@NightModeCustomType int nightModeCustomType, boolean active)來提供對深色主題的支持，那麼它們：

  • [C-1-1] 必須在系統設置中提供用戶提示，允許用戶將深色主題與自定義時間表聯繫起來。 AOSP 滿足此要求，並在系統設置應用程序中提供默認用戶功能，以在自定義時間打開深色主題，或從日落到日出將其打開或不遵循任何時間表。

• 3.9.1.1 設備所有者配置：更新了配置設備所有者的設備要求。

  見修訂

  如果設備實現聲明android.software.device_admin ，它們：

  • [C-1-1] 必須支持將 Device Policy Client (DPC) 註冊為Device Owner 應用，如下所述：
    • 當設備實現既沒有配置用戶也沒有配置用戶數據時，它：
      • [C-1-5] 如果設備通過該功能聲明支持近場通信 (NFC)，則必須將 DPC 應用註冊為設備所有者應用，或者允許 DPC 應用選擇成為設備所有者還是配置文件所有者標記android.hardware.nfc並接收包含 MIME 類型MIME_TYPE_PROVISIONING_NFC的記錄的 NFC 消息。
      • [C-1-8] 必須在觸發設備所有者配置後發送ACTION_GET_PROVISIONING_MODE Intent，以便 DPC 應用可以根據android.app.extra.PROVISIONING_ALLOWED_PROVISIONING_MODES的值選擇成為設備所有者還是配置文件所有者，除非從上下文可以確定只有一個有效選項。 （例如對於不支持配置文件所有者配置的基於 NFC 的配置）。
      • [C-1-9] 如果在配置期間建立了設備所有者，無論使用何種配置方法，都必須將ACTION_ADMIN_POLICY_COMPLIANCE Intent 發送到設備所有者應用。在設備所有者應用程序完成之前，用戶不能在設置嚮導中繼續。
    • 當設備實現有用戶或用戶數據時，它：
      • [C-1-7] 不得再將任何 DPC 應用註冊為設備所有者應用。
  • [C-1-2] 必須顯示適當的披露通知（例如AOSP 中引用的）並在將應用設置為設備所有者之前獲得最終用戶的肯定同意，除非在之前以編程方式將設備配置為零售演示模式屏幕上的最終用戶交互。需要在配置過程之前或期間採取一些肯定的行動，以同意將應用程序設置為設備所有者。同意可以通過用戶操作或某些編程方式，但必須在啟動設備所有者配置之前顯示適當的披露通知（如 AOSP 中所引用）。此外，（由企業）用於設備所有者配置的程序化設備所有者同意機制不得乾擾非企業使用的開箱即用體驗。
  • [C-1-3] 不得硬編碼同意或阻止使用其他設備所有者應用。

• 3.9.4 設備策略管理角色要求：對新添加的設備策略管理角色要求部分的修訂。

  見修訂

  3.9.4 設備策略管理角色要求

  • [C-1-1] 必須支持第 9.1 節中定義的設備政策管理角色。持有設備策略管理角色的應用程序可以通過將config_devicePolicyManagement設置為包名稱來定義。除非預加載了應用程序，否則包名必須後跟:和簽名證書。

  如果如上所述未為config_devicePolicyManagement定義包名稱：

  • [C-2-1] 設備實現必須支持在沒有設備策略管理角色持有者應用的情況下進行配置（ AOSP 提供了參考實現）。

  如果如上所述為config_devicePolicyManagement定義了包名稱：

  • [C-3-1] 應用程序必須安裝在用戶的所有配置文件中。
  • [C-3-2] 設備實現可以定義一個應用程序，通過設置config_devicePolicyManagementUpdater在配置之前更新設備策略管理角色持有者。

  如果如上所述為config_devicePolicyManagementUpdater定義了包名稱：

  • [C-4-1] 應用必須預先安裝在設備上。
  • [C-4-2] 應用必須實現一個意圖過濾器來解析android.app.action.UPDATE_DEVICE_POLICY_MANAGEMENT_ROLE_HOLDER 。

5. 多媒體兼容性

• 5.5.4 音頻卸載：澄清關於修剪無縫音頻內容的建議。

  見修訂

  如果設備實現支持音頻卸載播放，它們：

  • [C-SR] 當AudioTrack 無縫 API和 MediaPlayer 的媒體容器指定時，強烈建議修剪兩個具有相同格式的剪輯之間播放的無縫音頻內容。

7. 硬件兼容性

• 7.5 相機：對支持 HDR 10 位輸出功能的設備的要求進行了更新。

  見修訂

  如果設備實現支持 HDR 10 位輸出功能，則它們：

  • [C-2-1]每個支持 10 位輸出的相機設備都必須至少支持 HLG HDR 配置文件。
  • [C-2-2] 必須支持主後置攝像頭和主前置攝像頭的 10 位輸出。
  • [C-2-3] 必須為邏輯相機的所有支持 BACKWARD_COMPATIBLE 的物理子相機以及邏輯相機本身支持相同的 HDR 配置文件。
  • [C-2-3] 必須支持基於應用請求的捕獲設置和應用指定的輸出用例的整體圖像質量，而不是該輸出的目標。

2022 年 2 月 28 日

5. 多媒體兼容性

• 5.10 專業音頻：修正延遲閾值。

  見修訂

  如果設備實現通過android.content.pm.PackageManager類報告對功能android.hardware.audio.pro的支持，則它們：

  • [C-1-2] 必須具有連續的往返音頻延遲，如第5.6 節中定義的音頻延遲25 250在至少一個支持的路徑上毫秒或更短時間。

7. 硬件兼容性

• 7.4.1 電話：關於在活動運營商應用程序中明確用戶確認特定行為的附加要求。

  見修訂

  如果設備實現包括 GSM 或 CDMA 電話，則：

  • [C-6-10] 不得自動或未經用戶明確確認將以下任何行為應用於活動運營商應用（由TelephonyManager#getCarrierServicePackageName指定）：
    • 撤銷或限製網絡訪問
    • 撤銷權限
    • 在 AOSP 中包含的現有電源管理功能之外限制後台或前台應用程序執行
    • 禁用或卸載應用程序

• 7.4.3 藍牙：對藍牙要求的更新如下。

  • 明確對 HAP 單播客戶端的要求和建議。

    見修訂

    如果設備實現為BluetoothAdapter.isLeAudioSupported() API 返回true ，則它們：

    • [C-7-5] 必須啟用 BAP /HAP單播客戶端、CSIP 集合協調器、MCP 服務器、
    • [C-SR] 強烈建議啟用 HAP 單播客戶端。

  • 更新 BLE RSSI 閾值中值。

    見修訂

    如果設備實現支持藍牙 LE 並使用藍牙 LE 進行位置掃描以確定與其他設備的接近度，它們：

    • [C-10-3] 必須包含Rx校準，以確保 BLE RSSI 中位數為-60dB -69分貝距離以ADVERTISE_TX_POWER_HIGH傳輸的參考設備 1m 距離。
    • [C-10-4] 必須包含Tx校準，以確保 BLE RSSI 中位數為-60dB -69分貝從位於 1m 距離處的參考設備掃描並以ADVERTISE_TX_POWER_HIGH傳輸時。

9. 安全模型兼容性

• 9.11.2 保險箱：將要求 C-1-12 恢復為強烈推薦。

  見修訂

  • [C-1-12] 必須[C-SR] 強烈建議提供內部攻擊防護 (IAR)，這意味著有權訪問固件簽名密鑰的內部人員無法生成導致 StrongBox 洩露機密、繞過功能安全要求或以其他方式訪問敏感信息的固件用戶數據。實施 IAR 的推薦方法是僅在通過 IAuthSecret HAL 提供主要用戶密碼時才允許固件更新。 IAR 將成為 Android U 中的必備要求（AOSP 實驗性）。

2022 年 2 月 14 日

2.設備類型

• 2.2.1 硬件：對硬件要求的更改如下。

  • 音頻延遲：

    見修訂

    • [ 5.6 /H-1-1] 必須具有500的平均連續往返延遲800 5 次測量中毫秒或更短，平均絕對偏差小於50 100 ms，通過以下數據路徑：“揚聲器到麥克風”、3.5 毫米環回適配器（如果支持）、USB 環回（如果支持）。至少一個支持的路徑。

    • [ 5.6 /H-1-1] 在揚聲器到麥克風數據路徑上的至少 5 次測量中，必須具有 500 毫秒或更短的平均點擊到音延遲。

  • 輸入設備：

    見修訂

    手持設備實現：

    • [ 7.2 .3/H-0-5] 當後退手勢開始或後退按鈕 (KEYCODE_BACK) 按下時，必須在當前聚焦窗口上調用OnBackInvokedCallback.onBackStarted() 。
    • [ 7.2 .3/H-0-6] 當返回手勢被提交或返回按鈕被釋放 (UP) 時，必須調用OnBackInvokedCallback.onBackInvoked() )。
    • [ 7.2 .3/H-0-7] 必須在未提交後退手勢或取消 KEYCODE_BACK 事件時調用OnBackInvokedCallback.onBackCancelled() 。

    如果設備實現斷言WifiRttManager.isAvailable() ，那麼它們：

    • [ 7.4 .2.5/H-1-1] 如通過WifiRttManager#startRanging Android API觀察到的那樣，在 10 厘米、1 米、3 米和 5 米的距離處，95% 置信水平下的測量方差必須為 +/- 50 厘米。

    • [ 7.4 .2.5/H-1-2] 必須應用修正，以便使用WifiRttManager#startRanging Android API在距離參考設備 10 厘米處測量的中值等於 10 厘米。

    • [ 7.4 .2.5/H-1-3] 必須使用WifiRttManager#startRanging Android API進行測量，以擬合 1m、3m 和 5m 點的偏差為 0 且斜率為 1 的趨勢線。

    即將添加測試指南。

  • 觸覺輸入：

    見修訂

    如果手持設備實現包括至少一個觸覺致動器，它們：

    • [ 7.10 /H]* 應該在android.os.VibrationEffect中實現所有用於清晰觸覺的公共常量，即（EFFECT_TICK、EFFECT_CLICK、EFFECT_HEAVY_CLICK 和 EFFECT_DOUBLE_CLICK）以及在android.os.VibrationEffect.Composition中實現豐富觸覺的所有可行的公共PRIMITIVE_*常量，即（PRIMITIVE_CLICK 和 PRIMITIVE_TICK） （點擊、滴答聲、LOW_TICK、QUICK_FALL、QUICK_RISE、SLOW_RISE、SPIN、THUD）。其中一些原語，例如 LOW_TICK 和 SPIN 可能只有在振動器可以支持相對較低的頻率時才可行。

    • [7.10/H]* 應遵循將android.view.HapticFeedbackConstants中的公共常量映射到推薦的android.os.VibrationEffect常量的指南，並具有相應的幅度關係。

    • [ 7.10 /H]* 應該使用這些鏈接的觸覺常數映射。

    • [ 7.10 /H]* 應驗證公共android.os.Vibrator.hasAmplitudeControl() API 的結果是否正確反映了其振動器的功能。

    • [ 7.10 /H]* 應該通過運行android.os.Vibrator.hasAmplitudeControl()來驗證幅度可擴展性的能力。

    如果手持設備實現包括至少一個線性諧振致動器，它們：

    • [ 7.10 /H]* 應在縱向的 X 軸（左右）上移動觸覺致動器。

    • [ 7.10 /H]* 應根據需要驗證和更新不受支持的原語的後備配置，如常量實現指南中所述。

    • [7.10/H]* 應提供後備支持以降低此處所述的失敗風險。

• 2.2.3 軟件：

  • 媒體風格通知：

    見修訂

    如果手持設備實現支持MediaStyle 通知，它們：

    • 必須在系統 UI 中提供用戶功能（“輸出切換器”），允許用戶在應用發布帶有MediaSession 令牌的 MediaStyle 通知時在媒體輸出之間切換。
    • 必須使用MediaRouter2Manager和藍牙 API來顯示（並允許在它們之間切換）可用的媒體路由，包括 Cast 和藍牙路由。

  • Auth Trivial 設備控制：

    見修訂

    • [ 3.8 .16/H-1-5] 必須為用戶提供選擇退出應用程序指定的 auth-trivial 設備控件的選項，這些控件來自第三方應用程序通過ControlsProviderService和Control.isAuthRequired API 註冊的Control 。

• 2.2.5 安全模型：更新麥克風訪問路徑。

  見修訂

  如果手持設備實現聲明android.hardware.microphone ，它們：

  • [ 9.8.2 /H-4-1] 必須在應用程序從麥克風訪問音頻數據時顯示麥克風指示器，但在僅由HotwordDetectionService訪問麥克風時不顯示， SOURCE_HOTWORD , ContentCaptureService或持有第 9.1 節中使用 CDD 標識符 [C-4-X] 調用的角色的應用程序。

• 2.2.7.1 媒體：對手持設備要求媒體部分的更新如下：

  • 媒體表演課程更新：

    見修訂

    如果手持設備實現為android.os.Build.VERSION_CODES.MEDIA_PERFORMANCE_CLASS返回android.os.Build.VERSION_CODES.T ，那麼它們：

    • [5.1/H-1-1] 必須通過CodecCapabilities.getMaxSupportedInstances()和VideoCapabilities.getSupportedPerformancePoints()方法公佈可以在任何編解碼器組合中同時運行的硬件視頻解碼器會話的最大數量。
    • [5.1/H-1-2] 必須支持 6 個硬件視頻解碼器會話實例（AVC、HEVC、VP9、AV1 或更高版本）在任何編解碼器組合中以 1080p 分辨率@30 fps 同時運行。
    • [5.1/H-1-3] 必須通過CodecCapabilities.getMaxSupportedInstances()和VideoCapabilities.getSupportedPerformancePoints()方法公佈可以在任何編解碼器組合中同時運行的硬件視頻編碼器會話的最大數量。
    • [5.1/H-1-4] 必須支持 6 個硬件視頻編碼器會話實例（AVC、HEVC、VP9、AV1 或更高版本）在任何編解碼器組合中以 1080p 分辨率@30fps 同時運行。
    • [5.1/H-1-5] 必須通過CodecCapabilities.getMaxSupportedInstances()和VideoCapabilities.getSupportedPerformancePoints()方法公佈可以在任何編解碼器組合中同時運行的硬件視頻編碼器和解碼器會話的最大數量。
    • [5.1/H-1-6] 必須支持以 1080p@30fps 分辨率同時運行的任意編解碼器組合中的 6 個硬件視頻解碼器和硬件視頻編碼器會話（AVC、HEVC、VP9、AV1 或更高版本）實例。
    • [5.1/H-1-7] 對於所有硬件視頻編碼器在負載下的 1080p 或更小視頻編碼會話，編解碼器初始化延遲必須不超過 40 毫秒。此處的加載定義為使用硬件視頻編解碼器和 1080p 音頻-視頻錄製初始化的並發 1080p 到 720p 純視頻轉碼會話。
    • [5.1/H-1-8] 對於所有音頻編碼器在負載下的 128 kbps 或更低比特率的音頻編碼會話，編解碼器初始化延遲必須不超過 30 毫秒。此處的加載定義為使用硬件視頻編解碼器和 1080p 音頻-視頻錄製初始化的並發 1080p 到 720p 純視頻轉碼會話。
    • [5.1/H-1-9] 必須支持 2 個安全硬件視頻解碼器會話實例（AVC、HEVC、VP9、AV1 或更高版本）在任何編解碼器組合中以 1080p 分辨率@30 fps 同時運行。
    • [5.1/H-1-10] 必須在任何編解碼器中支持 3 個非安全硬件視頻解碼器會話實例以及 1 個安全硬件視頻解碼器會話實例（總共 4 個實例）（AVC、HEVC、VP9、AV1 或更高版本）組合同時以 1080p 分辨率@30fps 運行。
    • [5.1/ H-1-11] 必須為每個受支持的非安全視頻解碼器（AVC、HEVC、VP9、AV1 或更高版本）支持一個安全解碼器。
    • [5.1/H-1-12] 視頻解碼器初始化延遲必須為 40 毫秒或更短。
    • [5.1/H-1-13] 必須具有 30 毫秒或更短的音頻解碼器初始化延遲。
    • [5.1/H-1-14] 必須支持 AV1 硬件解碼器 Main 10，Level 4.1，Film Grain。
    • [5.1/H-1-15] 必須至少有 1 個支持 4K60 的硬件視頻解碼器。
    • [5.1/H-1-16] 必須至少有 1 個支持 4K60 的硬件視頻編碼器。
    • [5.3/H-1-1] 對於負載下的 1080p 60 fps 視頻會話，在 10 秒內丟幀不得超過 1 幀（即丟幀少於 0.167%）。負載定義為使用硬件視頻編解碼器的並發 1080p 到 720p 純視頻轉碼會話，以及 128 kbps AAC 音頻播放。
    • [5.3/H-1-2] 在負載下的 60 fps 視頻會話中，視頻分辨率變化期間，10 秒內的丟幀不得超過 1 幀。 Load is defined as a concurrent 1080p to 720p video-only transcoding session using hardware video codecs, as well as a 128 kbps AAC audio playback.
    • [5.6/H-1-1] MUST have a tap-to-tone latency of 80 milliseconds or less using the OboeTester tap-to-tone test or CTS Verifier tap-to-tone test.
    • [5.6/H-1-2] MUST have a round-trip audio latency of 80 milliseconds or less over at least one supported data path.
    • [5.6/H-1-3] MUST support >=24-bit audio output over 3.5 mm audio jacks if present and over USB audio if supported through the entire data path for low latency and streaming configurations. For the low latency configuration, AAudio should be used in low-latency callback mode with AAUDIO_FORMAT_PCM_FLOAT . For the streaming configuration, a Java AudioTrack should be used with one of the high resolution formats, ie AUDIO_FORMAT_PCM_24_BIT , AUDIO_FORMAT_PCM_24_BIT_PACKED , AUDIO_FORMAT_PCM_32_BIT or AUDIO_FORMAT_PCM_FLOAT . In both the low latency and streaming configurations, the HAL output sink should accept one of those high-resolution formats for its target output format.
    • [5.6/H-1-4] MUST support >=4 channel USB audio devices (This is used by DJ controllers for previewing songs.)
    • [5.6/H-1-5] MUST support class compliant MIDI devices and declare the MIDI feature flag.
    • [5.7/ H-1-1] MUST support Widevine L1 OEMCrypto Tier 3.
    • [5.7/H-1-2] MUST support Widevine CDM version 17.x
    • [5.7/H-1-3] MUST support OEMCrypto version 17.x

    • [5.7/H-1-4] MUST support a secure decoder for every hardware HEVC, VP9 or AV1 hardware decoder on the device.

• 2.2.7.2 Camera : Updates to the Media Performance Class Camera requirements.

  See revision

  If Handheld device implementations return android.os.Build.VERSION_CODES.T for android.os.Build.VERSION_CODES.MEDIA_PERFORMANCE_CLASS , then they:

  • [7.5/H-1-1] MUST have a primary rear facing camera with a resolution of at least 12 megapixels supporting video capture at 4k@30fps. The primary rear-facing camera is the rear-facing camera with the lowest camera ID.
  • [7.5/H-1-2] MUST have a primary front facing camera with a resolution of at least 5 megapixels and support video capture at 1080p@30fps. The primary front-facing camera is the front-facing camera with the lowest camera ID.
  • [7.5/H-1-3] MUST support android.info.supportedHardwareLevel property as FULL or better for both primary cameras.
  • [7.5/H-1-4] MUST support CameraMetadata.SENSOR_INFO_TIMESTAMP_SOURCE_REALTIME for both primary cameras.
  • [7.5/H-1-5] MUST have camera2 JPEG capture latency < 1000 ms for 1080p resolution as measured by the CTS camera PerformanceTest under ITS lighting conditions (3000K) for both primary cameras.
  • [7.5/H-1-6] MUST have camera2 startup latency (open camera to first preview frame) < 500 ms as measured by the CTS camera PerformanceTest under ITS lighting conditions (3000K) for both primary cameras.
  • [7.5/H-1-8] MUST support CameraMetadata.REQUEST_AVAILABLE_CAPABILITIES_RAW and android.graphics.ImageFormat.RAW_SENSOR for the primary back camera.
  • [7.5/H-1-9] MUST support Bokeh, NightMode Extensions.
  • [7.5/H-1-10] MUST have a rear facing camera supporting 720p or 1080p @ 240fps.
  • [7.5/H-1-11] MUST have min ZOOM_RATIO < 1.0 if there is an ultrawide camera.
  • [7.5/H-1-12] Must implement concurrent front-back streaming.
  • [7.5/H-1-13] MUST support CONTROL_VIDEO_STABILIZATION_MODE_ON_PREVIEW if CONTROL_VIDEO_STABILIZATION_MODE_ON is supported.
  • [7.5/H-1-14] MUST support LOGICAL_MULTI_CAMERA if there are greater than 1 RGB cameras per facing.
  • [7.5/H-1-15] MUST support 10 Bit HDR video recording.
  • [7.5/H-1-16] MUST support STREAM_USE_CASE capability.

• 2.2.7.3 Hardware : Updates to the Media Performance Class requirements for Hardware.

  See revision

  If Handheld device implementations return android.os.Build.VERSION_CODES.T for android.os.Build.VERSION_CODES.MEDIA_PERFORMANCE_CLASS , then they:

  • [7.1.1.1/H-2-1] MUST have screen resolution of at least 1080p.
  • [7.1.1.3/H-2-1] MUST have screen density of at least 400 dpi.
  • [7.6.1/H-2-1] MUST have at least 8 GB of physical memory.

• 2.2.7.4 Performance : Updates to the Media Performance Class for Performance.

  See revision

  If Handheld device implementations return android.os.Build.VERSION_CODES.T for android.os.Build.VERSION_CODES.MEDIA_PERFORMANCE_CLASS , then they:

  • [8.2/H-1-1] MUST ensure a sequential write performance of at least 125 MB/s.
  • [8.2/H-1-2] MUST ensure a random write performance of at least 10 MB/s.
  • [8.2/H-1-3] MUST ensure a sequential read performance of at least 250 MB/s.
  • [8.2/H-1-4] MUST ensure a random read performance of at least 40 MB/s.

• 2.5.1 Hardware : Updates to the 3-axis accelerometer and 3-axis gyroscope requirements, as well as the exterior-view camera requirements.

  See revision

  Automotive device implementations:

  • [ 7.3 .1/A-0-4] MUST comply with the Android car sensor coordinate system .
  • [ 7.3 /A-SR] Are STRONGLY_RECOMMENDED to include a 3-axis accelerometer and 3-axis gyroscope.
  • [ 7.3 /A-SR] Are STRONGLY_RECOMMENDED to implement and report TYPE_HEADING sensor.

  If Automotive device implementations include an accelerometer, they:

  • [ 7.3 .1/A-1-1] MUST be able to report events up to a frequency of at least 100 Hz.

  If device implementations include a 3-axis accelerometer, they:

  • [ 7.3 .1/A-SR] Are STRONGLY RECOMMENDED to implement the composite sensor for limited axes accelerometer.

  If Automotive device implementations include an accelerometer with less than 3 axes, they:

  • [ 7.3 .1/A-1-3] MUST implement and report TYPE_ACCELEROMETER_LIMITED_AXES sensor.
  • [ 7.3 .1/A-1-4] MUST implement and report TYPE_ACCELEROMETER_LIMITED_AXES_UNCALIBRATED sensor.

  If Automotive device implementations include a gyroscope, they:

  • [ 7.3 .4/A-2-1] MUST be able to report events up to a frequency of at least 100 Hz.
  • [ 7.3 .4/A-2-3] MUST be capable of measuring orientation changes up to 250 degrees per second.
  • [ 7.3 .4/A-SR] Are STRONGLY RECOMMENDED to configure the gyroscope's measurement range to +/-250dps in order to maximize the resolution possible.

  If Automotive device implementations include a 3-axis gyroscope, they:

  • [ 7.3 .4/A-SR] Are STRONGLY RECOMMENDED to implement the composite sensor for limited axes gyroscope.

  If Automotive device implementations include a gyroscope with less than 3-axes, they:

  • [ 7.3 .4/A-4-1] MUST implement and report TYPE_GYROSCOPE_LIMITED_AXES sensor.
  • [ 7.3 .4/A-4-2] MUST implement and report TYPE_GYROSCOPE_LIMITED_AXES_UNCALIBRATED sensor.

  If automotive device implementations include a TYPE_HEADING sensor, they:

  • [ 7.3 .4/A-4-3] MUST be able to report events up to a frequency of at least 1 Hz.
  • [ 7.3 .4/A-SR] STRONGLY_RECOMMENDED to report events up to a frequency of at least 10 Hz.
  • SHOULD be in reference to true north.
  • SHOULD be available even when the vehicle is still.
  • SHOULD have a resolution of at least 1 degree.

  An exterior view camera is a camera that images scenes outside of the device implementation, like the rearview camera a dashcam .

  If Automotive device implementations include an exterior view camera, for such a camera, they:

  • [ 7.5 .5/A-SR] Are STRONGLY RECOMMENDED to be oriented so that the long dimension of the camera aligns with the horizon.

  • SHOULD support Android Synchronization Framework .

  If automotive device implementations include one or more exterior view cameras, and load Exterior View System (EVS) service, then for such a camera, they:

  • [ 7.5 /A-2-1] MUST NOT rotate or horizontally mirror the camera preview.

• 2.6.1 Tablet Requirements — Hardware : Update to tablet screen size requirements.

  See revision

  • Has a screen display size greater than 7” and less than 18", measured diagonally.

    Screen Size

  • [ 7.1 .1.1/Tab-0-1] MUST have a screen in the range of 7 to 18 inches.

3. Software

• 3.2.2 Build Parameters : Updated ASCII characters in getSerial() .

  See revision

  • [C-0-1] To provide consistent, meaningful values across device implementations, the table below includes additional restrictions on the formats of these values to which device implementations MUST conform.

  Parameter	Details
  getSerial()	MUST (be or return) a hardware serial number, which MUST be available and unique across devices with the same MODEL and MANUFACTURER. The value of this field MUST be encodable as 7-bit ASCII and match the regular expression “^[a-zA-Z0-9]+$” .

• 3.2.3.5 Conditional Application Intents : Update to requirements for conditional application intents.

  See revision

  If device implementations include a large display (generally having display width and height of 600dp+) and supports split functionality , then they:

  • [C-17-1] MUST have an activity that handles the Settings#ACTION_SETTINGS_EMBED_DEEP_LINK_ACTIVITY intent when split functionality is on. The Activity MUST be protected by android.permission.LAUNCH_MULTI_PANE_SETTINGS_DEEP_LINK and it MUST start the activity of the Intent parsed from Settings#EXTRA_SETTINGS_EMBEDDED_DEEP_LINK_INTENT_URI .

• 3.5.1 Application Restriction : Updates to application restrictions.

  See revision

  If device implementations implement a proprietary mechanism to restrict apps (eg changing or restricting API behaviors that are described in the SDK) and that mechanism is more restrictive than the Restricted App Standby Bucket , they:

  • [C-1-2] MUST provide user affordance to turn on / off all of these restrictions on each app.

  Poor system health behavior is generally defined as:

  • For devices with isLowRamDevice = False :

    1. Drawing over 2% battery over last 24 hours when it's in background state
    2. Holding wakelocks over 1 hour over last 24 hours when it's in background state
    3. Total outgoing broadcasts/binding requests are more than 10,000 over last 24 hours when it's in background state

  • For devices with isLowRamDevice = True :

    1. Drawing over 4% battery over last 24 hours when it's in background state
    2. Holding wakelocks over 2 hour over last 24 hours when it's in background state
    3. Total outgoing broadcasts/binding requests are more than 5,000 over last 24 hours when it's in background state
    4. The aforementioned "background state" should conform to the definition of background work in Guide to background processing .

  MAY exempt user-installable apps from these restrictions. * [C-1-12] If they exempt user-installable apps from these restrictions, they MUST provide a public and clear document or website that describes how to request to be opted-in for such an exemption.This document or website MUST be linkable from the Android SDK documents.

  • [C-1-10] MUST NOT allow an app to be automatically placed in the RESTRICTED bucket within 4 hours of the most recent usage by a user, unless it's proven related to the app's significant impact on the system health .

  • [C-1-11] MUST obtain a user consent upon any restrictions being imposed for an app that is running foreground services. Conversely, MUST NOT impose any restrictions for an app that is running foreground services without a user consent.

• 3.8.1 Launcher (Home Screen) : Updates to support for monochrome/adaptive-icon .

  See revision

  If device implementations support monochrome/adaptive-icon :

  • [C-6-1] these icons MUST be used only when a user explicitly enables them (eg via Settings or wallpaper picker menu).

• 3.8.2 Widgets : Update to third-party app widget presence in the Launcher.

  See revision

  If device implementations support third-party app widgets, they:

  • [C-1-2] MUST include built-in support for AppWidgets and expose user interface affordances to add, configure, view, and remove AppWidgets directly within the Launcher.

• 3.8.3.1 Presentation of Notifications : Changing strongly recommended requirements to necessary requirements and clarifying the definition of heads-up notifications.

  See revision

  • [C-SR] are STRONGLY RECOMMENDED
    [C-1-8] MUST provide an affordance for the user to control the notifications that are exposed to apps that have been granted the Notification Listener permission. The granularity MUST be so that the user can control for each such notification listener what notification types are bridged to this listener. The types MUST include "conversations", "alerting", "silent", and "important ongoing" notifications.
  • [C-SR] are STRONGLY RECOMMENDED
    [C-1-9] MUST provide an affordance for users to specify apps to exclude from notifying any specific notification listener.

  Heads up notifications are notifications that are presented to the user as they come in independently of the surface the user is on.

• 3.8.3.3 DND (Do not Disturb) / Priority Mode : Update to include Priority Mode in DND (Do Not Disturb) requirements.

  See revision

  3.8.3.3. DND (Do not Disturb) / Priority Mode

  If device implementations support the DND feature (also called Priority Mode), they:

• 3.8.6 Themes : New requirements for dynamic color tonal palettes.

  See revision

  If device implementations include a screen or video output, they:

  • [C-1-4] MUST generate dynamic color tonal palettes as specified in the AOSP documentation of Settings.THEME_CUSTOMIZATION_OVERLAY_PACKAGES (see android.theme.customization.system_palette and android.theme.customization.theme_style ).

  • [C-1-5] MUST generate dynamic color tonal palettes using color theme styles enumerated in the Settings.THEME_CUSTOMIZATION_OVERLAY_PACKAGES documentation (see android.theme.customization.theme_styles ), namely TONAL_SPOT , VIBRANT , EXPRESSIVE , SPRITZ , RAINBOW , FRUIT_SALAD .

    "Source color" used to generate dynamic color tonal palettes when sent with android.theme.customization.system_palette (as documented in Settings.THEME_CUSTOMIZATION_OVERLAY_PACKAGES ).

  • [C-1-6] MUST have a CAM16 chroma value of 5 or larger.

    • SHOULD be derived from the wallpaper via com.android.systemui.monet.ColorScheme#getSeedColors , which provides multiple valid source colors to pick one from.

    • SHOULD use the value 0xFF1B6EF3 , if none of the provided colors meet the above source color requirement.

• 3.8.7.1 Wallpaper Dimming : New requirements for wallpaper dimming.

  See revision

  3.8.7.1. Wallpaper Dimming

  If device implementations support the system API's WallpaperManager.setWallpaperDimAmount() and WallpaperManager.getWallpaperDimAmount() for wallpaper dimming, then they:

  • [C-1-1] MUST recompute and change the lock screen and the home screen text color to ensure that the text color and wallpaper has a minimum contrast ratio of 4.5:1 .
  • [C-1-2] MUST persist the settings for dimming after a new wallpaper is set and after restarting the device.

• 3.8.17 Clipboard : Added new requirements section for content on the clipboard.

  See revision

  3.8.17. Clipboard

  If device implementations are not running in lock task mode , when content is copied to the clipboard they:

  • [C-1-1] MUST display a UI overlay that shows a user-visible confirmation of clipping (eg, a thumbnail) of the clipboard content and a button (or other affordance) that provides an action for the user to edit textual clipboard content (saving it back to the clipboard).
  • [C-SR] Are STRONGLY RECOMMENDED to provide a button on the displayed UI overlay that provides an affordance for the user to edit image-based clipboard content(saving it back to the clipboard).
  • [C-SR] Are STRONGLY RECOMMENDED to redact the user visible preview (if generated) for sensitive content like passwords.

  Device implementations:

  • [C-0-1] MUST NOT send clipboard data to any component, activity, service, or across any network connection, without explicit user action (eg, pressing a button on the overlay), except for services mentioned in 9.8.6 Content Capture and App Search .

  The AOSP reference implementation satisfies these clipboard requirements.

• 3.8.18 Dark Theme : Added new requirements section for devices with dark theme support.

  See revision

  3.8.18.Dark Theme

  If device implementations support the System API's UiModeManager.setNightModeCustomType(@NightModeCustomType int nightModeCustomType) and UiModeManager.setNightModeActivatedForCustomMode(@NightModeCustomType int nightModeCustomType, boolean active) to provide support for dark theme, then they:

  • [C-1-1] MUST provide user affordance in the system settings allowing the user to tie the dark theme to a custom schedule.

• 3.9.1.1 Device Owner Provisioning : Updates to device owner provisioning requirements.

  See revision

  If device implementations declare android.software.device_admin , they:

  • [C-1-1] MUST support enrolling a Device Policy Client (DPC) as a Device Owner app as described below:

    • When the device implementation has no users or user data configured yet, it:

      • [C-1-5] If the device declares Near-Field Communications (NFC) support via the feature flag android.hardware.nfc and receives an NFC message containing a record with MIME type MIME_TYPE_PROVISIONING_NFC , MUST conform to [C-1-8] and [C-1-9].
      • [C-1-5] MUST enroll the DPC application as the Device Owner app if the device declares Near-Field Communications (NFC) support via the feature flag android.hardware.nfc and receives an NFC message containing a record with MIME type MIME_TYPE_PROVISIONING_NFC .
      • [C-1-8] MUST send the ACTION_GET_PROVISIONING_MODE intent after device owner provisioning is triggered so that the DPC app can choose whether to become a Device Owner or a Profile Owner, depending on the values of android.app.extra.PROVISIONING_ALLOWED_PROVISIONING_MODES , unless it can be determined from context that there is only one valid option. (such as for NFC based provisioning where Profile Owner provisioning is not supported).

    • When the device implementation has users or user data, it:

      • [C-1-7] MUST not enroll any DPC application as the Device Owner App any more.

  • [C-1-2] MUST show appropriate disclosure notice (as referenced in AOSP) and require some affirmative action before provisioning or during the provisioning process to confirm consent to an app being set as Device Owner. Consent can be via user action or by some programmatic means but appropriate disclosure notice (as referenced in AOSP) MUST be shown before device owner provisioning is initiated. Also, the programmatic device owner consent mechanism used (by enterprises) for device owner provisioning MUST NOT interfere with the Out-Of-Box Experience for non-enterprise use.

  • [C-1-3] MUST NOT hard code the consent or prevent the use of other device owner apps.

  If device implementations declare android.software.device_admin , but also include a proprietary Device Owner device management solution and provide a mechanism to promote an application configured in their solution as a "Device Owner equivalent" to the standard "Device Owner" as recognized by the standard Android DevicePolicyManager APIs, they:

  • [C-2-3] MUST NOT hard code the consent or prevent the use of other device owner apps.
  • MAY have user data on the device prior to enrolling the DPC application as "Device Owner".

• 3.9.4 Device Management Role Requirements : Added a section for Device Management Role Requirements.

  See revision

  3.9.4 Device Management Role Requirements

  If device implementations report android.software.device_admin or android.software.managed_users , then they:

  • [C-1-1] MUST support a device management role. The application that holds the device management role MAY be defined by setting config_deviceManager to the package name, followed by : and the signing certificate.

  If a device management role holder application is defined, an application that updates the device management role holder, then, it:

  • [C-2-1] MUST be preinstalled on the device.
  • MAY be defined with config_deviceManagerRoleHolderUpdaterPackageName .
  • [C-2-2] MUST define intent filters for the intent actions android.app.action.ROLE_HOLDER_PROVISION_MANAGED_DEVICE_FROM_TRUSTED_SOURCE , android.app.action.ROLE_HOLDER_PROVISION_MANAGED_PROFILE and android.app.action.ROLE_HOLDER_PROVISION_FINALIZATION . They MUST be protected by the android.permission.LAUNCH_DEVICE_MANAGER_SETUP permission, which MUST be held by the application that launches them.

  If a package name is not defined for the device management role, device implementations:

  • [C-3-1] MUST support provisioning without the device management role holder.

  If a device management role holder updater application is defined on the device then it:,

  • [C-4-1] MUST attempt to establish an internet connection during setup prior to provisioning. If internet connection could not be established, provisioning MUST fail unless android.app.extra.PROVISIONING_ALLOW_OFFLINE_PROVISIONING is explicitly set to true , in which case provisioning MUST continue without using the device management role holder.
  • [C-4-2] MUST have an intent filter which resolves android.app.action.UPDATE_DEVICE_MANAGEMENT_ROLE_HOLDER . That intent filter MUST be protected by the android.permission.LAUNCH_DEVICE_MANAGER_SETUP permission, which MUST be held by the application that launches it. The handler of that intent filter MUST handle the device management role holder application update and return an intent with a result set to either:
    • Activity#RESULT_OK if the update was successful.
    • DevicePolicyManager#RESULT_UPDATE_DEVICE_MANAGEMENT_ROLE_HOLDER_RECOVERABLE_ERROR if it encounters a problem that may be solved by relaunching it again (such as a temporary network issue).
    • DevicePolicyManager#RESULT_UPDATE_DEVICE_MANAGEMENT_ROLE_HOLDER_UNRECOVERABLE_ERROR if it encounters a problem that cannot be resolved by relaunching it.

  If a device management role holder application and a device management role holder updater application are defined, and an internet connection has been established, then device implementations:

  • [C-5-1] MUST update the device management role holder application prior to provisioning by launching the device management role holder updater application using the android.app.action.UPDATE_DEVICE_MANAGEMENT_ROLE_HOLDER intent.

  If devices report android.software.device_admin or android.software.managed_users and a device management role holder application is defined, and provisioning is initiated with one of the following intent actions, then the role holder must be invoked as follows:

  If provisioning is initiated with android.app.action.PROVISION_MANAGED_DEVICE_FROM_TRUSTED_SOURCE , it:

  • [C-6-1] MUST start the device management role holder with an intent with action android.app.action.ROLE_HOLDER_PROVISION_MANAGED_DEVICE_FROM_TRUSTED_SOURCE and with the same intent extras that were passed to the provisioning intent.

  If provisioning is initiated with android.app.action.PROVISION_MANAGED_PROFILE , it:

  • [C-7-1] MUST start the device management role holder with an intent with action android.app.action.ROLE_HOLDER_PROVISION_MANAGED_PROFILE and with the same intent extras that were passed to the provisioning intent.

  If provisioning is initiated with android.app.action.PROVISION_FINALIZATION , it:

  • [C-8-1] MUST start the device management role holder with an intent with action android.app.action.ROLE_HOLDER_PROVISION_FINALIZATION .

  If provisioning is initiated with an intent action not defined above, then:

  • [C-9-1] provisioning MUST continue without using the device management role holder.

  When the device management role holder is installed on a given user, it:

  • [C-10-1] must be installed on all profiles for that user.

• 3.18 Contacts : Adding information for new contacts.

  See revision

  Default account for new contacts: Contacts Provider provides APIs to manage the setting of the default account when creating a new contact.

  Device implementations:

  • [C-2-1] Preloaded Contacts app MUST handle the intent ContactsContract.Settings.ACTION_SET_DEFAULT_ACCOUNT to launch a UI for account selection and save the setting to Contacts Provider when an account is selected.

  • [C-2-2] MUST honor the default account setting in the application that handles Intent.ACTION_INSERT and Intent.ACTION_INSERT_OR_EDIT for the ContactsContracts.Contacts.CONTENT_TYPE and ContactsContract.RawContacts.CONTENT_TYPE by initially selecting the account.

4. Application Packaging Compatibility

• 4. Application Packaging Compatibility : Updates to APK Signature Scheme version.

  See revision

  Device implementations:

  • [C-0-2] MUST support verifying “.apk” files using the APK Signature Scheme v3.1 , APK Signature Scheme v3 , APK Signature Scheme v2 and JAR signing .

  • [C-0-9] MUST support verifying .apk files using the APK Signature Scheme v4 and APK Signature Scheme v4.1 .

5. Multimedia Compatibility

• 5.1.2 Audio Decoding : Added new requirements for decoders capable of outputting mutli-channel audio.

  See revision

  If device implementations include support for decoders capable of outputting multi-channel audio (ie more than 2 channels) when fed compressed multi-channel content, then the following MUST be supported:

  • [C-7-1] MUST be able to be configured by the application using the decoding with the key KEY_MAX_OUTPUT_CHANNEL_COUNT to control whether the content is downmixed to stereo (when using a value of 2) or is output using the native number of channels (when using a value equal or greater to that number). For instance a value of 6 or greater would configure a decoder to output 6 channels when fed 5.1 content.
  • [C-7-2] When decoding, the decoder MUST advertise the channel mask being used on the output format with the KEY_CHANNEL_MASK key, using the android.media.AudioFormat constants (example: CHANNEL_OUT_5POINT1 ).

• 5.4.1 Raw Audio Capture and Microphone Information : Updates to supported audio sources for audio input streams.

  See revision

  If device implementations declare android.hardware.microphone , they:

  • [C-1-1] MUST allow capture of raw audio content with the following characteristics for any AudioRecord or AAudio INPUT stream that is opened successfully :

    • Format: Linear PCM, 16-bit
    • Sampling rates: 8000, 11025, 16000, 44100, 48000 Hz
    • Channels: Mono
    • Audio Sources: DEFAULT , MIC , CAMCORDER , VOICE_RECOGNITION , VOICE_COMMUNICATION , UNPROCESSED , or VOICE_PERFORMANCE . This also applies to the equivalent Input Presets in AAudio , for example, AAUDIO_INPUT_PRESET_CAMCORDER .

• 5.4.2 Capture for Voice Recognition : Updated requirements for voice recognition audio stream.

  See revision

  If device implementations declare android.hardware.microphone , they:

  • SHOULD record the voice recognition audio stream with approximately flat amplitude versus frequency characteristics: specifically, ±3 dB, from 100 Hz to 4000 Hz.
  • SHOULD record the voice recognition audio stream with input sensitivity set such that a 90 dB sound power level (SPL) source at 1000 Hz yields RMS of 2500 for 16-bit samples.

  • SHOULD exhibit approximately flat amplitude-versus-frequency characteristics in the mid-frequency range: specifically ±3dB from 100 Hz to 4000 Hz for each and every microphone used to record the voice recognition audio source.
  • [C-SR] are STRONGLY RECOMMENDED to exhibit amplitude levels in the low frequency range: specifically from ±20 dB from 30 Hz to 100 Hz compared to the mid-frequency range for each and every microphone used to record the voice recognition audio source.
  • [C-SR] are STRONGLY RECOMMENDED to exhibit amplitude levels in the high frequency range: specifically from ±30 dB from 4000 Hz to 22 KHz compared to the mid-frequency range for each and every microphone used to record the voice recognition audio source.
  • SHOULD set audio input sensitivity such that a 1000 Hz sinusoidal tone source played at 90 dB Sound Pressure Level (SPL) (measured next to the microphone) yields an ideal response of RMS 2500 within a range of 1770 and 3530 for 16 bit-samples (or -22.35 db ±3dB Full Scale for floating point/double precision samples) for each and every microphone used to record the voice recognition audio source.

• 5.4.6 Microphone Gain Levels : Removed requirements for Microphone Gain Levels.

  See revision

  5.4.6. Microphone Gain Levels

  If device implementations declare android.hardware.microphone , they:

  • SHOULD exhibit approximately flat amplitude-versus-frequency characteristics in the mid-frequency range: specifically ±3dB from 100 Hz to 4000 Hz for each and every microphone used to record the voice recognition audio source.
  • SHOULD set audio input sensitivity such that a 1000 Hz sinusoidal tone source played at 90 dB Sound Pressure Level (SPL) yields a response with RMS of 2500 for 16 bit-samples (or -22.35 dB Full Scale for floating point/double precision samples) for each and every microphone used to record the voice recognition audio source.
  • [C-SR] are STRONGLY RECOMMENDED to exhibit amplitude levels in the low frequency range: specifically from ±20 dB from 5 Hz to 100 Hz compared to the mid-frequency range for each and every microphone used to record the voice recognition audio source.
  • [C-SR] are STRONGLY RECOMMENDED to exhibit amplitude levels in the high frequency range: specifically from ±30 dB from 4000 Hz to 22 KHz compared to the mid-frequency range for each and every microphone used to record the voice recognition audio source.

• 5.5.4 Audio Offload : Updates to the audio offload playback requirements.

  See revision

  If device implementations support audio offload playback , they:

  • [C-1-1] MUST trim the played gapless audio content for MP3 and AAC when specified by the AudioTrack gapless API and the media container for MediaPlayer.
  • [C-SR] Are STRONGLY RECOMMENDED to trim the played gapless audio content for all supported compressed audio formats when specified by the AudioTrack gapless API and the media container for MediaPlayer.

• 5.6 Audio Latency : Updates to the audio latency requirements.

  See revision

  For the purposes of this section, use the following definitions:

  • cold output jitter . The variability among separate measurements of cold output latency values.
  • cold input jitter . The variability among separate measurements of cold input latency values.

  If device implementations declare android.hardware.audio.output they MUST meet or exceed the following requirements:

  • [C-1-2] Mean cold output latency of 500 milliseconds or less over 5 measurements, with a Mean Absolute Deviation less than 100 msec.

  • [C-1-3] Opening an output stream using AAudioStreamBuilder_openStream() MUST take less than 1000 milliseconds.

  If device implementations declare android.hardware.audio.output they are STRONGLY RECOMMENDED to meet or exceed the following requirements:

  • [C-SR] Cold output latency of 100 milliseconds or less over the speaker data path. Existing and new devices that run this version of Android are VERY STRONGLY RECOMMENDED to meet these requirements now. In a future platform release, we will require Cold output latency of 200 ms or less as a MUST.

  • [C-SR] Minimize the cold output jitter.

  If device implementations include android.hardware.microphone , they MUST meet these input audio requirements:

  • [C-3-2] Mean cold input latency of 500 milliseconds or less over 5 measurements, with a Mean Absolute Deviation less than 100 msec.

  • [C-3-3] Opening an input stream using AAudioStreamBuilder_openStream() MUST take less than 1000 milliseconds.

  If device implementations include android.hardware.microphone , they are STRONGLY RECOMMENDED to meet these input audio requirements:

  • [C-SR] Cold input latency of 100 milliseconds or less over the microphone data path. Existing and new devices that run this version of Android are VERY STRONGLY RECOMMENDED to meet these requirements now. In a future platform release we will require Cold input latency of 200 ms or less as a MUST.

  • [C-SR] Continuous input latency of 30 milliseconds or less.
  • [C-SR] Minimize the cold input jitter.

• 5.10 Professional Audio : Updates to audio latency requirements for professional audio support.

  See revision

  If device implementations report support for feature android.hardware.audio.pro via the android.content.pm.PackageManager class, they:

  • [C-1-2] MUST have the continuous round-trip audio latency, as defined in section 5.6 Audio Latency of 250 milliseconds or less and SHOULD be 10 milliseconds or less over at least one supported path.
  • [C-1-5] MUST meet latencies and USB audio requirements using the AAudio native audio API and AAUDIO_PERFORMANCE_MODE_LOW_LATENCY .
  • [C-1-8] MUST have an average Tap-to-tone latency of 80 milliseconds or less over at least 5 measurements over the speaker to microphone data path.
  • [C-SR] Are STRONGLY RECOMMENDED to provide a consistent level of CPU performance while audio is active and CPU load is varying. This should be tested using the Android app SynthMark . SynthMark uses a software synthesizer running on a simulated audio framework that measures system performance. See the SynthMark documentation for an explanation of the benchmarks. The SynthMark app needs to be run using the “Automated Test” option and achieve the following results: * voicemark.90 >= 32 voices * latencymark.fixed.little <= 15 msec * latencymark.dynamic.little <= 50 msec
  • SHOULD have a latency from touch input to audio output of less than or equal to 40 ms.

  If device implementations include a 4 conductor 3.5mm audio jack, they:

  • [C-2-1] MUST have a mean Continuous Round-trip Audio Latency, as defined in section 5.6 Audio Latency , of 20 milliseconds or less, over 5 measurements with a Mean Absolute Deviation less than 5 milliseconds over the audio jack path using an Audio Loopback Dongle .

6. Developer Tools and Options Compatibility

• 6.1 Developer Tools : Updates to connectivity and GPU Kernel requirements.

  See revision

  If device implementations support adb connections to a host machine via Wi-Fi or Ethernet , they:

  • [C-4-1] MUST have the AdbManager#isAdbWifiSupported() method return true .

  If device implementations support adb connections to a host machine via Wi-Fi or Ethernet , and includes at least one camera, they:

  • [C-5-1] MUST have the AdbManager#isAdbWifiQrSupported() method return true .

  • GPU Kernel Tracepoint If device implementations support the power/gpu_work_period kernel tracepoint API, they:
    • [C-6-1] MUST implement the shell command gpu -gpuwork and display the GpuPerUidFrequencyTime information returned by the tracepoint.

7. Hardware Compatibility

• 7.1.4.1 OpenGL ES : Update to recommended extensions.

  See revision

  If device implementations support any of the OpenGL ES versions, they:

  • SHOULD support the EGL_IMG_context_priority and EGL_EXT_protected_content extensions.

• 7.1.4.2 Vulkan : Updates to version supported for Vulkan.

  See revision

  If device implementations support OpenGL ES 3.1, they:

  • [SR] Are STRONGLY RECOMMENDED to include support for Vulkan 1.3 . Vulkan 1.1
  • MUST NOT support a Vulkan Variant version (ie the variant part of the Vulkan core version MUST be zero).

  If device implementations include a screen or video output, they:

  • [SR] Are STRONGLY RECOMMENDED to include support for Vulkan 1.3 . Vulkan 1.1

  If device implementations include support for Vulkan 1.0 or higher, they:

  • SHOULD support VkPhysicalDeviceProtectedMemoryFeatures and VK_EXT_global_priority .
  • [C-1-12] MUST NOT enumerate support for the VK_KHR_performance_query extension.
  • [C-SR] Are STRONGLY RECOMMENDED to satisfy the requirements specified by the Android Baseline 2021 profile.

• 7.2.3 Navigation Keys :

  See revision

  Device implementations:

  • [C-SR] Are STRONGLY RECOMMENDED to provide all navigation functions as cancellable. 'Cancellable' is defined as the user's ability to prevent the navigation function from executing (eg going home, going back, etc.) if the swipe is not released past a certain threshold.

  If the back navigation function is provided and the user cancels the Back gesture, then:

  • [C-8-1] OnBackInvokedCallback.onBackCancelled() MUST be called.
  • [C-8-2] OnBackInvokedCallback.onBackInvoked() MUST NOT be called.
  • [C-8-3] KEYCODE_BACK event MUST NOT be dispatched.

  If the back navigation function is provided but the foreground application does NOT have an OnBackInvokedCallback registered, then:

  • The system SHOULD provide an animation for the foreground application that suggests that the user is going back, as provided in AOSP.

  If device implementations provide support for the system API calls setNavBarModeOverride to override the navigation bar, then they:

  • [C-9-1] MUST provide support for kid friendly icons or button-based navigation.

• 7.3.1 Accelerometer : Updates to sensor requirements for accelerometers.

  See revision

  If device implementations include a 3-axis accelerometer, they:

  • [C-2-1] MUST implement and report TYPE_ACCELEROMETER sensor.
  • [C-SR] Are STRONGLY RECOMMENDED to implement the TYPE_SIGNIFICANT_MOTION composite sensor.
  • [C-SR] Are STRONGLY RECOMMENDED to implement and report TYPE_ACCELEROMETER_UNCALIBRATED sensor. Android devices are STRONGLY RECOMMENDED to meet this requirement so they will be able to upgrade to the future platform release where this might become REQUIRED.
  • SHOULD implement the TYPE_SIGNIFICANT_MOTION , TYPE_TILT_DETECTOR , TYPE_STEP_DETECTOR , TYPE_STEP_COUNTER composite sensors as described in the Android SDK document.

  If device implementations include an accelerometer with less than 3 axes, they:

  • [C-3-1] MUST implement and report TYPE_ACCELEROMETER_LIMITED_AXES sensor.
  • [C-SR] Are STRONGLY_RECOMMENDED to implement and report TYPE_ACCELEROMETER_LIMITED_AXES_UNCALIBRATED sensor.

  If device implementations include a 3-axis accelerometer and any of the TYPE_SIGNIFICANT_MOTION , TYPE_TILT_DETECTOR , TYPE_STEP_DETECTOR , TYPE_STEP_COUNTER composite sensors are implemented:

  • [C-4-1] The sum of their power consumption MUST always be less than 4 mW.

  If device implementations include a 3-axis accelerometer and a 3-axis gyroscope sensor, they:

  • [C-5-1] MUST implement the TYPE_GRAVITY and TYPE_LINEAR_ACCELERATION composite sensors.

  If device implementations include a 3-axis accelerometer, a 3-axis gyroscope sensor, and a magnetometer sensor, they:

  • [C-6-1] MUST implement a TYPE_ROTATION_VECTOR composite sensor.

• 7.3.4 Gyroscopes : Updates to sensor requirements for gyroscopes.

  See revision

  If device implementations include a gyroscope, they:

  • [C-1-1] MUST be able to report events up to a frequency of at least 50 Hz.
  • [C-1-4] MUST have a resolution of 12-bits or more.
  • [C-1-5] MUST be temperature compensated.
  • [C-1-6] MUST be calibrated and compensated while in use, and preserve the compensation parameters between device reboots.
  • [C-1-7] MUST have a variance no greater than 1e-7 rad^2 / s^2 per Hz (variance per Hz, or rad^2 / s). The variance is allowed to vary with the sampling rate, but MUST be constrained by this value. In other words, if you measure the variance of the gyro at 1 Hz sampling rate it SHOULD be no greater than 1e-7 rad^2/s^2.
  • [C-SR] Calibration error is STRONGLY RECOMMENDED to be less than 0.01 rad/s when device is stationary at room temperature.
  • [C-SR] Are STRONGLY RECOMMENDED to have a resolution of 16-bits or more.
  • SHOULD report events up to at least 200 Hz.

  If device implementations include a 3-axis gyroscope, they:

  • [C-2-1] MUST implement the TYPE_GYROSCOPE sensor.

  If device implementations include a gyroscope with less than 3 axes, they:

  • [C-3-1] MUST implement and report TYPE_GYROSCOPE_LIMITED_AXES sensor.
  • [C-SR] Are STRONGLY_RECOMMENDED to implement and report TYPE_GYROSCOPE_LIMITED_AXES_UNCALIBRATED sensor.

  If device implementations include a 3-axis gyroscope, an accelerometer sensor and a magnetometer sensor, they:

  • [C-4-1] MUST implement a TYPE_ROTATION_VECTOR composite sensor.

  If device implementations include a 3-axis accelerometer and a 3-axis gyroscope sensor, they:

  • [C-5-1] MUST implement the TYPE_GRAVITY and TYPE_LINEAR_ACCELERATION composite sensors.

• 7.3.10 Biometric Sensors : Updates to sensor requirements for biometric sensors.

  See revision

  Biometric sensors can be classified as Class 3 (formerly Strong ), Class 2 (formerly Weak ), or Class 1 (formerly Convenience ) based on their spoof and imposter acceptance rates, and on the security of the biometric pipeline. This classification determines the capabilities the biometric sensor has to interface with the platform and with third-party applications. Sensors need to meet additional requirements as detailed below if they wish to be classified as either Class 1 , Class 2 or Class 3 . Sensors are classified as Class 1 by default, and need to meet additional requirements as detailed below if they wish to be classified as either Class 2 or Class 3 . Both Class 2 and Class 3 biometrics get additional capabilities as detailed below.

  If device implementations wish to treat a biometric sensor as Class 1 (formerly Convenience ), they:

  • [C-1-11] MUST have a spoof and imposter acceptance rate not higher than 30%, with (1) a spoof and imposter acceptance rate for Level A presentation attack instrument (PAI) species not higher than 30%, and (2) a spoof and imposter acceptance rate of Level B PAI species not higher than 40%, as measured by the Android Biometrics Test Protocols.

  If device implementations wish to treat a biometric sensor as Class 2 (formerly Weak ), they:

  • [C-2-2] MUST have a spoof and imposter acceptance rate not higher than 20%, with (1) a spoof and imposter acceptance rate for Level A presentation attack instrument (PAI) species not higher than 20%, and (2) a spoof and imposter acceptance rate of Level B PAI species not higher than 30%, as measured by the Android Biometrics Test Protocols .

  If device implementations wish to treat a biometric sensor as Class 3 (formerly Strong ), they:

  • [C-3-3] MUST have a spoof and imposter acceptance rate not higher than 7%, with (1) a spoof and imposter acceptance rate for Level A presentation attack instrument (PAI) species not higher than 7%, and (2) a spoof and imposter acceptance rate of Level B PAI species not higher than 20%, as measured by the Android Biometrics Test Protocols .

• 7.3.13 IEEE 802.1.15.4 (UWB) : Added a new requirements section for UWB.

  See revision

  7.3.13. IEEE 802.1.15.4 (UWB)

  If device implementations include support for 802.1.15.4 and expose the functionality to a third-party application, they:

  • [C-1-1] MUST implement the corresponding Android API in android.uwb.
  • [C-1-2] MUST report the hardware feature flag android.hardware.uwb.
  • [C-1-3] MUST support all the relevant UWB profiles defined in Android implementation.
  • [C-1-4] MUST provide a user affordance to allow the user to toggle the UWB radio on/off state.
  • [C-1-5] MUST enforce that apps using UWB radio hold UWB_RANGING permission (under NEARBY_DEVICES permission group).
  • [C-1-6] Are STRONGLY RECOMMENDED to pass the relevant conformance and certification tests defined by standard organizations, including FIRA , CCC and CSA .

• 7.4.1 Telephony : Updates to telephony requirements for GSM and CDMA telephony, and cellular usage settings.

  See revision

  If device implementations support eUICCs or eSIMs/embedded SIMs and include a proprietary mechanism to make eSIM functionality available for third-party developers, they:

  • [C-3-1] MUST declare the android.hardware.telephony.euicc feature flag. provide a complete implementation of the EuiccManager API .

  If device implementations include GSM or CDMA telephony, then:

  • [C-6-1] The SmsManager#sendTextMessage and SmsManager#sendMultipartTextMessage MUST result in corresponding calls to CarrierMessagingService for providing text messaging functionality. SmsManager#sendMultimediaMessage and SmsManager#downloadMultimediaMessage MUST result in corresponding calls to CarrierMessagingService for providing multimedia messaging functionality.
  • [C-6-2] The application designated by android.provider.Telephony.Sms#getDefaultSmsPackage MUST use SmsManager APIs when sending and receiving SMS and MMS messages. The AOSP reference implementation in packages/apps/Messaging meets this requirement.
  • [C-6-3] The application which responds to Intent#ACTION_DIAL MUST support entry of arbitrary dialer codes formatted as ##CODE## and trigger a corresponding TelephonyManager#ACTION_SECRET_CODE broadcast.
  • [C-6-4] The application which responds to [Intent#ACTION_DIAL ](https://developer.android.com/reference/android/content/Intent#ACTION_DIAL) MUST use VoicemailContract.Voicemails#TRANSCRIPTION to display visual voicemail transcription to users if it supports visual voicemail transcriptions.
  • [C-6-5] MUST represent all SubscriptionInfo with equivalent group UUIDs as a single subscription in all user-visible affordances that display and control SIM card information. Examples of such affordances include settings interfaces that match Settings#ACTION_MANAGE_ALL_SIM_PROFILES_SETTINGS or EuiccManager#ACTION_MANAGE_EMBEDDED_SUBSCRIPTIONS .
  • [C-6-6] MUST NOT display or allow control of any SubscriptionInfo with a non-null group UUID and opportunistic bit in any user-visible affordances that allow configuration or control of SIM card settings.
  • [C-6-7] MUST select a representative active subscription for a given group UUID to display to the user in any affordances that provide SIM status information. Examples of such affordances include the status bar cellular signal icon or quick settings tile.

  If the device device implementations include GSM or CDMA telephony and provides a system status bar, then they:

  • [C-SR] it is STRONGLY RECOMMENDED that the representative subscription is chosen to be the active data subscription unless the device is in a voice call, during which it is STRONGLY RECOMMENDED that the representative subscription is the active voice subscription.

  If device implementations include GSM or CDMA telephony, then:

  • [C-6-8] MUST be capable of opening and concurrently utilizing the maximum number of logical channels (20 in total) for each UICC per ETSI TS 102 221.
  • [C-6-9] MUST declare the android.hardware.telephony feature flag and other sub-feature flags according to the technology and features to be supported. The sub-feature flags include android.hardware.telephony.radio.access, android.hardware.telephony.subscription, android.hardware.telephony.cdma, android.hardware.telephony.gsm, android.hardware.telephony.calling, android.hardware.telephony.data, android.hardware.telephony.messaging. The standard set of telephony features for GSM phone, CDMA phone, data-only devices, etc. can be found from the config files under platform/frameworks/native/data/etc/.

  If the device device implementations include GSM or CDMA telephony and all active, non-opportunistic subscriptions that share a group UUID are disabled, physically removed from the device, or marked opportunistic, then the device:

  • [C-7-1] MUST automatically disable all remaining active opportunistic subscriptions in the same group.

  If device implementations include GSM telephony but not CDMA telephony, they:

  • [C-8-1] MUST NOT declare PackageManager#FEATURE_TELEPHONY_CDMA .
  • [C-8-2] MUST throw an IllegalArgumentException upon attempts to set any 3GPP2 network types in preferred or allowed network type bitmasks.
  • [C-8-3] MUST return an empty string from TelephonyManager#getMeid .

  If device implementations report FEATURE_TELEPHONY_IMS and supports cellular usage setting configuration, then they:

  • [C-9-1] MUST set CarrierConfigManager#KEY_CELLULAR_USAGE_SETTING_INT to value SubscriptionManager#USAGE_SETTING_VOICE_CENTRIC .

  If device implementations report FEATURE_TELEPHONY_DATA and supports cellular usage setting configuration, then they:

  • [C-10-1] MUST set CarrierConfigManager#KEY_CELLULAR_USAGE_SETTING_INT to value SubscriptionManager#USAGE_SETTING_DATA_CENTRIC .

  If the device implementations support eUICCs with multiple ports and profiles, they:

  • [C-11-1] MUST declare the android.hardware.telephony.euicc feature flag.

• 7.4.1.1 Number Blocking Compatibility : Updates to the number blocking requirements.

  See revision

  If device implementations report the android.hardware.telephony feature , they:

  • [C-1-4] MUST NOT write to the platform call log provider for a blocked call.

  • [C-1-4] MUST write to the platform call log provider for a blocked call and MUST filter calls with BLOCKED_TYPE out of the default call log view in the pre-installed dialer app.
  • SHOULD provide a user affordance to show blocked calls in the pre-installed dialer app.

• 7.4.2.5 Wi-Fi Location (Wi-Fi Round Trip Time - RTT) : Updates to Wi-Fi location accuracy.

  See revision

  If device implementations include support for Wi-Fi Location and expose the functionality to third-party apps, then they:

  • [C-1-4] MUST be accurate to within 2 meters [C-SR] Are STRONGLY RECOMMENDED to report it accurately to within 1.5 meters at 80 MHz bandwidth at the 68th percentile (as calculated with the Cumulative Distribution Function).

• 7.4.2.6 Wi-Fi / Cellular NAT-T Keepalive Offload : Updated to add cellular keepalive offload requirements.

  See revision

  Device implementations:

  • SHOULD include support for Wi-Fi keepalive offload and Cellular keepalive offload.

  If device implementations include support for Wi-Fi keepalive offload or Cellular keepalive offload and expose the functionality to third-party apps,they:

  • [C-1-1] MUST support the SocketKeepAlive API.
  • [C-1-2] MUST support at least three concurrent keepalive slots over Wi-Fi and at least one keepalive slot over cellular.

  If device implementations do not include support for Wi-Fi keepalive offload or cellular keepalive offload , they:

  • [C-2-1] MUST return ERROR_UNSUPPORTED .

• 7.4.2.9 Trust On First Use (TOFU) : Added Trust on First Use requirements section.

  See revision

  7.4.2.9 Trust On First Use (TOFU)

  If device implementations support Trust on first usage (TOFU), then they:

  • [C-4-1] MUST NOT provide the user an option to manually add a TLS-based Enterprise Wi-Fi network if the Wi-Fi server certificate is not configured or the Wi-Fi server domain name is not set.
  • [C-4-2] MUST provide the user an option to select to use TOFU.

• 7.4.3 Bluetooth : Update to Bluetooth requirements.

  See revision

  If device implementations support Bluetooth Audio profile, they:

  • SHOULD support Advanced Audio Codecs and Bluetooth Audio Codecs (eg LDAC) with A2DP.

  If device implementations return true for the BluetoothAdapter.isLeAudioSupported() API, then they:

  • [C-7-1] MUST support unicast client.
  • [C-7-2] MUST support 2M PHY.
  • [C-7-3] MUST support LE Extended advertising.
  • [C-7-4] MUST support at least 2 CIS connections in a CIG.
  • [C-7-5] MUST enable BAP/HAP unicast client, CSIP set coordinator, MCP server, VCP controller, CCP server simultaneously.

  If device implementations return true for the BluetoothAdapter.isLeAudioBroadcastSourceSupported() API, then they:

  • [C-8-1] MUST support at least 2 BIS links in a BIG.
  • [C-8-2] MUST enable BAP broadcast source, BAP broadcast assistant simultaneously.
  • [C-8-3] MUST support LE Periodic advertising.

  If device implementations return true for the BluetoothAdapter.isLeAudioBroadcastAssistantSupported() API, then they:

  • [C-9-1] MUST support PAST (Periodic Advertising Sync Transfer).
  • [C-9-2] MUST support LE Periodic advertising.

  If device implementations support Bluetooth LE and use Bluetooth LE for location scanning to determine nearness to other devices, they:

  • [C-10-1] MUST have variance of RSSI measurements be within +/-6dB at 95% confidence level at 1m distance from a reference device transmitting at ADVERTISE_TX_POWER_HIGH .
  • [C-10-2] MUST include Rx calibration to reduce per-channel deviations so that the measurements on each of the 3 channels, on each of the antennas (if multiple are used), are within +-2db of one another.
  • [C-10-3] MUST include Rx calibration to ensure the median BLE RSSI is -69dB at 1m distance from a reference device transmitting at ADVERTISE_TX_POWER_HIGH .
  • [C-10-4] MUST include Tx calibration to ensure the median BLE RSSI is -69dB when scanning from a reference device positioned at 1m distance and transmitting at ADVERTISE_TX_POWER_HIGH .

• 7.4.9 UWB : Added a requirements section for UWB hardware.

  See revision

  7.4.9. UWB

  If device implementations include UWB hardware, then they:

  • [C-1-1] MUST ensure the variance of distance measurements is under +/-10cm, and the variance of angle of arrival measurements is under +/-5 degrees.
  • [C-1-2] MUST apply corrections so that the median of the measurements at 10cm from the reference device is equal to 10cm.
  • [C-1-3 ]MUST have measurements fit a trend line with bias of 0 and slope of 1 for the 1m, 3m, and 5m points.

• 7.5 Cameras : Updates to the requirements for HDR 10-bit output capability.

  See revision

  If device implementations support HDR 10-bit output capability, then they:

  • [C-2-1] MUST support the same set of HDR profiles for the primary rear-facing and primary front-facing cameras.
  • [C-2-2] MUST support the same HDR profiles for all BACKWARD_COMPATIBLE-capable physical sub-cameras of a logical camera, and the logical camera itself.
  • [C-2-3] MUST support the overall image quality based on the application-requested capture settings and the application-specified usecase of the output and NOT on the destination of that output.

  For Logical camera devices which support 10-bit HDR that implement the android.hardware.camera2.CaptureRequest#CONTROL_ZOOM_RATIO API, they:

  • [C-3-1] MUST support switching between all the backwards-compatible physical cameras via the CONTROL_ZOOM_RATIO control on the logical camera.

• 7.7.2 USB Host Mode : Revisions for dual role ports.

  See revision

  If device implementations include a USB port supporting host mode and USB Type-C, they:

  • [C-4-1] MUST implement Dual Role Port functionality as defined by the USB Type-C specification (section 4.5.1.3.3). For Dual Role Ports, On devices that include a 3.5mm audio jack, the USB sink detection (host mode) MAY be off by default but it MUST be possible for the user to enable it.

• 7.11 Media Performance Class : Updated to include Android T.

  See revision

  If device implementations return non-zero value for android.os.Build.VERSION_CODES.MEDIA_PERFORMANCE_CLASS , they:

  • [C-1-3] MUST meet all requirements for "Media Performance Class" described in section 2.2.7 .

  In other words, media performance class in Android T is only defined for handheld devices at version T, S or R.

  See section 2.2.7 for device-specific requirements.

8. Performance and Power

• 8.5 Consistent Performance : Update to user-facing requirements for foreground service management.

  See revision

  Device implementations:

  • [C-0-2] MUST provide a user affordance in the Settings menu with the ability to stop an active foreground service as described in a forthcoming document and display all apps that have active foreground services along with the number of services per app and the duration of each of these services since it started.
    • Foreground services from apps that fulfill predefined roles that are listed in a forthcoming document MAY not be displayed in this area.

9. Security Model Compatibility

• 9.1 Permissions : Extend accepted paths for permissions allowlists for preinstalled apps to APEX files.

  See revision

  • [C-0-2] Permissions with a protectionLevel of PROTECTION_FLAG_PRIVILEGED MUST only be granted to apps preinstalled in the privileged path(s) of the system image (as well as APEX files ) and be within the subset of the explicitly allowlisted permissions for each app. The AOSP implementation meets this requirement by reading and honoring the allowlisted permissions for each app from the files in the etc/permissions/ path and using the system/priv-app path as the privileged path.

• 9.7 Security Features : Updates to initialization requirements to maintain kernel integrity.

  See revision

  Kernel integrity and self-protection features are integral to Android security. Device implementations:

  • [C-0-14] MUST enable stack initialization in the kernel to prevent uses of uninitialized local variables ( CONFIG_INIT_STACK_ALL or CONFIG_INIT_STACK_ALL_ZERO ). Also, device implementations MUST NOT assume the value used by the compiler to initialize the locals.

• 9.8.7 Privacy — Clipboard Access : Automatically clear clipboard data after 60 minutes following a cut/copy/paste activity to protect user privacy.

  See revision

  • [C-0-2] MUST clear clipboard data at most 60 minutes after it has last been placed in a clipboard or read from a clipboard.

• 9.11 Keys and Credentials : Updates to the secure lock screen requirements, including the addition of ECDH and 3DES to crypto algorithms and attestation key provisioning.

  See revision

  When the device implementation supports a secure lock screen, it:

  • [C-1-2] MUST have implementations of RSA, AES, ECDSA, ECDH, 3DES, and HMAC cryptographic algorithms and MD5, SHA1, and SHA-2 family hash functions to properly support the Android Keystore system's supported algorithms in an area that is securely isolated from the code running on the kernel and above. Secure isolation MUST block all potential mechanisms by which kernel or userspace code might access the internal state of the isolated environment, including DMA. The upstream Android Open Source Project (AOSP) meets this requirement by using the Trusty implementation, but another ARM TrustZone-based solution or a third-party reviewed secure implementation of a proper hypervisor-based isolation are alternative options.
  • [C-1-4] MUST support key attestation where the attestation signing key is protected by secure hardware and signing is performed in secure hardware. The attestation keys MUST be generated on device, in the isolated environment, and attestation key certificates MUST be remotely provisioned to the device after the device authenticates with a device-unique authentication key. The attestation signing keys MUST be shared across large enough number of devices to prevent the keys from being used as device identifiers. One way of meeting this requirement is to share the same attestation key unless at least 100,000 units of a given SKU are produced. If more than 100,000 units of an SKU are produced, a different key MAY be used for each 100,000 units.

  • [C-SR] is STRONGLY RECOMMENDED that the device have an attestation key provisioned by the vendor factory for use in the event there is a problem with remotely-provisioned keys. The factory-provisioned attestation signing keys MUST be shared across large enough number of devices to prevent the keys from being used as device identifiers. One way of meeting this requirement is to share the same attestation key unless at least 100,000 units of a given SKU are produced. If more than 100,000 units of an SKU are produced, a different key MAY be used for each 100,000 units.

  Note that if a device implementation is already launched on an earlier Android version, such a device is exempted from the requirement to have a keystore backed by an isolated execution environment and support the key attestation, unless it declares the android.hardware.fingerprint feature which requires a keystore backed by an isolated execution environment. If a device implementation is already launched on an earlier Android version, such a device is also exempted from the requirement to remotely provision attestation keys.

• 9.11.1 Secure Lock Screen, Authentication, and Virtual Devices : Added requirements section for virtual devices and authentication transfers.

  See revision

  If device implementations add or modify the authentication methods to unlock the lock screen and a new authentication method is based on a physical token or the location:

  • [C-6-3] The user MUST be challenged for one of the recommended primary authentication methods (egPIN, pattern, password) at least once every 4 hours or less. When a physical token meets the requirements for TrustAgent implementations in CX, timeout restrictions defined in C-9-5 apply instead.

  If device implementations allow applications to create secondary virtual displays and do not support associated input events, such as via VirtualDeviceManager , they:

  • [C-9-1] MUST lock these secondary virtual display(s) when the device's default display is locked, and unlock these secondary virtual display(s) when the device's default display is unlocked.

  If device implementations allow applications to create secondary virtual displays and support associated input events, such as via VirtualDeviceManager [will be linked to API at developer.android.com API], they:

  • [C-10-1] MUST support separate lock states per virtual device
  • [C-10-2] MUST disconnect all virtual devices upon idle timeout
  • [C-10-3] MUST have an idle timeout
  • [C-10-4] MUST lock all displays when the user initiates a lockdown , including via the lockdown user affordance required for handheld devices (see Section 2.2.5[9.11/H-1-2] )
  • [C-10-5] MUST have separate virtual device instances per user
  • [C-10-6] MUST disable the creation of associated input events via VirtualDeviceManager when indicated by DevicePolicyManager.setNearbyAppStreamingPolicy
  • [C-10-7] MUST use a separate clipboard solely for each virtual device (or disable the clipboard for virtual devices)
  • [C-10-8] MUST block activities with the attribute android:canDisplayOnRemoteDevices or the meta-data android.activity.can_display_on_remote_devices set to true from being started on the virtual device.
  • [C-10-9] MUST block activities which do not explicitly enable streaming and which indicate they show sensitive content, including via SurfaceView#setSecure , FLAG_SECURE , or SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS , from being started on the virtual device.
  • [C-10-10] MUST disable installation of apps initiated from virtual devices
  • [C-10-11] MUST disable authentication UI on virtual devices, including knowledge factor entry and biometric prompt
  • [C-10-12] MUST restrict intents initiated from a virtual device to display only on the same virtual device
  • [C-10-13] MUST not use a virtual device lock state as user authentication authorization with the Android Keystore System. See KeyGenParameterSpec.Builder.setUserAuthentication* .

  When device implementations allow the user to transfer the primary authentication knowledge-factor from a source device to a target device, such as for initial setup of the target device, they:

  • [C-11-1] MUST encrypt the knowledge-factor with protection guarantees similar to those described in this security whitepaper when transferring the knowledge-factor from the source device to the target device such that the knowledge-factor cannot be remotely decrypted or used to remotely unlock either device.
  • [C-11-2] MUST, on the source device , ask the user to confirm the knowledge-factor of the source device before transferring the knowledge-factor to the target device.
  • [C-11-3] MUST, on a target device lacking any set primary authentication knowledge-factor, ask the user to confirm a transferred knowledge-factor on the target device before setting that knowledge-factor as the primary authentication knowledge-factor for the target device and before making available any data transferred from a source device.

  If device implementations have a secure lock screen and include one or more trust agents, which call the TrustAgentService.grantTrust() System API with the FLAG_GRANT_TRUST_TEMPORARY_AND_RENEWABLE flag they:

  • [C-12-1] MUST only call grantTrust() with the flag when connected to a proximate physical device with a lockscreen of its own, and when the user has authenticated their identity against that lockscreen. Proximate devices can use on-wrist or on-body detection mechanisms after a one-time user unlock to satisfy the user authentication requirement.
  • [C-12-2] MUST put the device implementation into the TrustState.TRUSTABLE state when the screen is turned off (such as via a button press or display time out) and the TrustAgent has not revoked trust. The AOSP satisfies this requirement.
  • [C-12-3] MUST only move the device from TrustState.TRUSTABLE to the TrustState.TRUSTED state if the TrustAgent is still granting trust based on the requirements in C-12-1.
  • [C-12-4] MUST call TrustManagerService.revokeTrust() after a maximum of 24 hours from granting trust, an 8 hour idle window, or when the underlying connection to the proximate physical device is lost.

• 9.11.2 Strongbox : Making insider attack resistance (IAR) a necessary requirement.

  See revision

  • [C-SR] are STRONGLY RECOMMENDED [C-1-12] MUST provide insider attack resistance (IAR), which means that an insider with access to firmware signing keys cannot produce firmware that causes the StrongBox to leak secrets, to bypass functional security requirements or otherwise enable access to sensitive user data. The recommended way to implement IAR is to allow firmware updates only when the primary user password is provided via the IAuthSecret HAL. IAR will likely become a requirement in a future release.

• 9.11.3 Identity Credential : Added information about the Identity Credential system reference implementation.

  See revision

  The Identity Credential System is defined and achieved by implementing all APIs in the android.security.identity.* package. These APIs allows app developers to store and retrieve user identity documents. Device implementations:

  • [C-0-5] The upstream Android Open Source Project provides a reference implementation of a trusted application ( libeic ) that can be used to implement the Identity Credential system.

• 9.11.4 ID Attestation : Added a section for ID attestation requirement.

  See revision

  9.11.4. ID Attestation

  Device implementations MUST support ID attestation .

• 9.17 Android Virtualization Framework : Added a requirements section for Android Virtualization Framework.

  See revision

  9.17. Android Virtualization Framework

  If the device implements support for the Android Virtualization Framework APIs ( android.system.virtualmachine.* ), the Android host:

  • [C-1-1] MUST support all the APIs defined by the android.system.virtualmachine.* package.
  • [C-1-2] MUST NOT modify the Android SELinux and permission model for the management of Protected Virtual Machines.
  • [C-1-3] MUST NOT modify, omit, or replace the neverallow rules present within the system/sepolicy provided in the upstream Android Open Source Project (AOSP) and the policy MUST compile with all neverallow rules present.
  • [C-1-4] MUST NOT allow untrusted code (eg 3p apps) to create and run a Protected Virtual Machine. Note: This might change in future Android releases.
  • [C-1-5] MUST NOT allow a Protected Virtual Machine to execute code that is not part of the factory image or their updates. Anything that is not covered by Android Verified Boot (eg files downloaded from the Internet or sideloaded) MUST NOT be allowed to be run in a Protected Virtual Machine.

  If the device implements support for the Android Virtualization Framework APIs ( android.system.virtualmachine.* ), then any Protected Virtual Machine instance:

  • [C-2-1] MUST be able to run all operating systems available in the virtualization APEX in a Protected Virtual Machine.
  • [C-2-2] MUST NOT allow a Protected Virtual Machine to run an operating system that is not signed by the device implementor or OS vendor.
  • [C-2-3] MUST NOT allow a Protected Virtual Machine to execute data as code (eg SELinux neverallow execmem).
  • [C-2-4] MUST NOT modify, omit, or replace the neverallow rules present within the system/sepolicy/microdroid provided in the upstream Android Open Source Project (AOSP).
  • [C-2-5] MUST implement Protected Virtual Machine defense-in-depth mechanisms (eg SELinux for pVMs) even for non-Microdroid operating systems.
  • [C-2-6] MUST ensure that the pVM firmware refuses to boot if it cannot verify the initial image.
  • [C-2-7] MUST ensure that the pVM firmware refuses to boot if the integrity of the instance.img is compromised.

  If the device implements support for the Android Virtualization Framework APIs ( android.system.virtualmachine.* ), then the hypervisor:

  • [C-3-1] MUST NOT allow any pVM to have access to a page belonging to another entity (ie other pVM or hypervisor), unless explicitly shared by the page owner. This includes the host VM. This applies to both CPU and DMA accesses.
  • [C-3-2] MUST wipe a page after it is used by a VM and before it is returned to the host (eg the pVM is destroyed).
  • [C-3-3] MUST ensure that the pVM firmware is loaded and executed prior to any code in a pVM.
  • [C-3-4] MUST ensure that BCC and CDIs provided to a pVM instance can only be derived by that particular instance.

  If the device implements support for the Android Virtualization Framework APIs, then across all areas:

  • [C-4-1] MUST NOT provide functionality to a pVM that allows bypassing the Android Security Model.

  If the device implements support for the Android Virtualization Framework APIs, then:

  • [C-5-1] MUST support Isolated Compilation of an ART runtime update.

  If the device implements support for the Android Virtualization Framework APIs, then for Key Management:

  • [C-6-1] MUST root DICE chain at a point that the user cannot modify, even on unlocked devices. (To ensure it cannot be spoofed).
  • [C-6-2] MUST do DICE properly ie provide the correct values. But it might not have to go to that level of detail.

Back to top