permissions used by the application. If an application needs to make use of a device resource for
which there is a corresponding Android permission (such as Camera, GPS, etc.), the alternate runtime
MUST inform the user that the application will be able to access that resource. If the runtime
environment does not record application capabilities in this manner, the runtime environment MUST
list all permissions held by the runtime itself when installing any application using that runtime.
9.5. Multi-User Support
This feature is optional for all device types.
Android includes support for multiple users and provides support for full user isolation [Resources,
]. Device implementations MAY enable multiple users, but when enabled MUST meet the following
requirements related to multi-user support [Resources, 128
Device implementations that do not declare the android.hardware.telephony feature flag
MUST support restricted profiles, a feature that allows device owners to manage additional
users and their capabilities on the device. With restricted profiles, device owners can
quickly set up separate environments for additional users to work in, with the ability to
manage finer-grained restrictions in the apps that are available in those environments.
Conversely device implementations that declare the android.hardware.telephony feature
flag MUST NOT support restricted profiles but MUST align with the AOSP implementation
of controls to enable /disable other users from accessing the voice calls and SMS.
Device implementations MUST, for each user, implement a security model consistent with
the Android platform security model as defined in Security and Permissions reference
document in the APIs [Resources, 126
Each user instance on an Android device MUST have separate and isolated external
storage directories. Device implementations MAY store multiple users' data on the same
volume or filesystem. However, the device implementation MUST ensure that applications
owned by and running on behalf a given user cannot list, read, or write to data owned by
any other user. Note that removable media, such as SD card slots, can allow one user to
access another’s data by means of a host PC. For this reason, device implementations
that use removable media for the external storage APIs MUST encrypt the contents of the
SD card if multiuser is enabled using a key stored only on non-removable media
accessible only to the system. As this will make the media unreadable by a host PC,
device implementations will be required to switch to MTP or a similar system to provide
host PCs with access to the current user’s data. Accordingly, device implementations MAY
but SHOULD NOT enable multi-user if they use removable media [Resources, 129
primary external storage.
9.6. Premium SMS Warning
Android includes support for warning users of any outgoing premium SMS message [Resources, 130
Premium SMS messages are text messages sent to a service registered with a carrier that may incur
a charge to the user. Device implementations that declare support for android.hardware.telephony
MUST warn users before sending a SMS message to numbers identified by regular expressions
defined in /data/misc/sms/codes.xml file in the device. The upstream Android Open Source Project
provides an implementation that satisfies this requirement.
9.7. Kernel Security Features
The Android Sandbox includes features that use the Security-Enhanced Linux (SELinux) mandatory
access control (MAC) system and other security features in the Linux kernel. SELinux or any other
security features implemented below the Android framework:
Page 63 of 74
MUST maintain compatibility with existing applications.
MUST NOT have a visible user interface when a security violation is detected and
successfully blocked, but MAY have a visible user interface when an unblocked security
violation occurs resulting in a successful exploit.
SHOULD NOT be user or developer configurable.
If any API for configuration of policy is exposed to an application that can affect another application
(such as a Device Administration API), the API MUST NOT allow configurations that break
Devices MUST implement SELinux or, if using a kernel other than Linux, an equivalent mandatory
access control system. Devices MUST also meet the following requirements, which are satisfied by the
reference implementation in the upstream Android Open Source Project.
MUST set SELinux to global enforcing mode.
MUST configure all domains in enforcing mode. No permissive mode domains are allowed,
including domains specific to a device/vendor.
MUST NOT modify, omit, or replace the neverallow rules present within the
external/sepolicy folder provided in the upstream Android Open Source Project (AOSP)
and the policy MUST compile with all neverallow rules present, for both AOSP SELinux
domains as well as device/vendor specific domains.
Device implementations SHOULD retain the default SELinux policy provided in the external/sepolicy
folder of the upstream Android Open Source Project and only further add to this policy for their own
device-specific configuration. Device implementations MUST be compatible with the upstream Android
Open Source Project.
If the device implements functionality in the system that captures the contents displayed on the screen
and/or records the audio stream played on the device, it MUST continuously notify the user whenever
this functionality is enabled and actively capturing/recording.
If a device implementation has a mechanism that routes network data traffic through a proxy server or
VPN gateway by default (for example, preloading a VPN service with
android.permission.CONTROL_VPN granted), the device implementation MUST ask for the user's
consent before enabling that mechanism.
If a device implementation has a USB port with USB peripheral mode support, it MUST present a user
interface asking for the user's consent before allowing access to the contents of the shared storage
over the USB port.
9.9. Full-Disk Encryption
Optional for Android device implementations without a lock screen.
If the device implementation supports a secure lock screen reporting "true" for
KeyguardManager.isDeviceSecure() [Resources, 131
], and is not a device with restricted memory as
reported through the ActivityManager.isLowRamDevice() method, then the device MUST support full-
disk encryption [Resources, 132
] of the application private data (/data partition), as well as the
application shared storage partition (/sdcard partition) if it is a permanent, non-removable part of the
For device implementations supporting full-disk encryption and with Advanced Encryption Standard
(AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at
the time the user has completed the out-of-box setup experience. If a device implementation is
Page 64 of 74
already launched on an earlier Android version with full-disk encryption disabled by default, such a
device cannot meet the requirement through a system software update and thus MAY be exempted.
Encryption MUST use AES with a key of 128-bits (or greater) and a mode designed for storage (for
example, AES-XTS, AES-CBC-ESSIV). The encryption key MUST NOT be written to storage at any
time without being encrypted. Other than when in active use, the encryption key SHOULD be AES
encrypted with the lockscreen passcode stretched using a slow stretching algorithm (e.g. PBKDF2 or
scrypt). If the user has not specified a lockscreen passcode or has disabled use of the passcode for
encryption, the system SHOULD use a default passcode to wrap the encryption key. If the device
provides a hardware-backed keystore, the password stretching algorithm MUST be cryptographically
bound to that keystore. The encryption key MUST NOT be sent off the device (even when wrapped
with the user passcode and/or hardware bound key). The upstream Android Open Source project
provides a preferred implementation of this feature based on the Linux kernel feature dm-crypt.
9.10. Verified Boot
Verified boot is a feature that guarantees the integrity of the device software. If a device
implementation supports the feature, it MUST:
Declare the platform feature flag android.software.verified_boot
Perform verification on every boot sequence
Start verification from an immutable hardware key that is the root of trust, and go all the
way up to the system partition
Implement each stage of verification to check the integrity and authenticity of all the bytes
in the next stage before executing the code in the next stage
Use verification algorithms as strong as current recommendations from NIST for hashing
algorithms (SHA-256) and public key sizes (RSA-2048)
The upstream Android Open Source Project provides a preferred implementation of this feature based
on the Linux kernel feature dm-verity.
Starting from Android 6.0, device implementations with Advanced Encryption Standard (AES) crypto
perfomance above 50MiB/seconds MUST support verified boot for device integrity. If a device
implementation is already launched without supporting verified boot on an earlier version of Android,
such a device can not add support for this feature with a system software update and thus are
exempted from the requirement.
9.11. Keys and Credentials
The Android Keystore System [Resources, 133
] allows app developers to store cryptographic keys in
a container and use them in cryptographic operations through the KeyChain API [Resources, 134
the Keystore API [Resources, 135
All Android device implementations MUST meet the following requirements:
SHOULD not limit the number of keys that can be generated, and MUST at least allow
more than 8,192 keys to be imported.
The lock screen authentication MUST rate limit attempts and SHOULD have an
exponential backoff algorithm as implemented in the Android Open Source Project.
When the device implementation supports a secure lock screen and has a secure
hardware such as a Secure Element (SE) where a Trusted Execution Environment (TEE)
can be implemented, then it:
Is STRONGLY RECOMMENDED to back up the keystore implementation with
the secure hardware. The upstream Android Open Source Project provides the
Keymaster Hardware Abstraction Layer (HAL) implementation that can be used
to satisfy this requirement.
Page 65 of 74
MUST perform the lock screen authentication in the secure hardware if the
device has a hardware-backed keystore implementation and only when
successful allow the authentication-bound keys to be used. The upstream
Android Open Source Project provides the Gatekeeper Hardware Abstraction
Layer (HAL) that can be used to satisfy this requirement [Resources, 136
Note that while the above TEE-related requirements are stated as STRONGLY RECOMMENDED, the
Compatibility Definition for the next API version is planned to changed these to REQIUIRED. If a
device implementation is already launched on an earlier Android version and has not implemented a
trusted operating system on the secure hardware, such a device might not be able to meet the
requirements through a system software update and thus is STRONGLY RECOMMENDED to
implement a TEE.
9.12. Data Deletion
Devices MUST provide users with a mechanism to perform a "Factory Data Reset" that allows logical
and physical deletion of all data. This MUST satisfy relevant industry standards for data deletion such
as NIST SP800-88. This MUST be used for the implementation of the wipeData() API (part of the
Android Device Administration API) described in section 3.9 Device Administration
Devices MAY provide a fast data wipe that conducts a logical data erase.
10. Software Compatibility Testing
Device implementations MUST pass all tests described in this section.
However, note that no software test package is fully comprehensive. For this reason, device
implementers are STRONGLY RECOMMENDED to make the minimum number of changes as
possible to the reference and preferred implementation of Android available from the Android Open
Source Project. This will minimize the risk of introducing bugs that create incompatibilities requiring
rework and potential device updates.
10.1. Compatibility Test Suite
Device implementations MUST pass the Android Compatibility Test Suite (CTS) [Resources, 137
available from the Android Open Source Project, using the final shipping software on the device.
Additionally, device implementers SHOULD use the reference implementation in the Android Open
Source tree as much as possible, and MUST ensure compatibility in cases of ambiguity in CTS and
for any reimplementations of parts of the reference source code.
The CTS is designed to be run on an actual device. Like any software, the CTS may itself contain
bugs. The CTS will be versioned independently of this Compatibility Definition, and multiple revisions
of the CTS may be released for Android 6.0. Device implementations MUST pass the latest CTS
version available at the time the device software is completed.
10.2. CTS Verifier
Device implementations MUST correctly execute all applicable cases in the CTS Verifier. The CTS
Verifier is included with the Compatibility Test Suite, and is intended to be run by a human operator to
test functionality that cannot be tested by an automated system, such as correct functioning of a
camera and sensors.
The CTS Verifier has tests for many kinds of hardware, including some hardware that is optional.
Device implementations MUST pass all tests for hardware that they possess; for instance, if a device
possesses an accelerometer, it MUST correctly execute the Accelerometer test case in the CTS
Verifier. Test cases for features noted as optional by this Compatibility Definition Document MAY be
Page 66 of 74
skipped or omitted.
Every device and every build MUST correctly run the CTS Verifier, as noted above. However, since
many builds are very similar, device implementers are not expected to explicitly run the CTS Verifier
on builds that differ only in trivial ways. Specifically, device implementations that differ from an
implementation that has passed the CTS Verifier only by the set of included locales, branding, etc.
MAY omit the CTS Verifier test.
11. Updatable Software
Device implementations MUST include a mechanism to replace the entirety of the system software.
The mechanism need not perform “live” upgrades—that is, a device restart MAY be required.
Any method can be used, provided that it can replace the entirety of the software preinstalled on the
device. For instance, any of the following approaches will satisfy this requirement:
“Over-the-air (OTA)” downloads with offline update via reboot
“Tethered” updates over USB from a host PC
“Offline” updates via a reboot and update from a file on removable storage
However, if the device implementation includes support for an unmetered data connection such as
802.11 or Bluetooth PAN (Personal Area Network) profile:
Android Automotive implementations SHOULD support OTA downloads with offline update
All other device implementations MUST support OTA downloads with offline update via
The update mechanism used MUST support updates without wiping user data. That is, the update
mechanism MUST preserve application private data and application shared data. Note that the
upstream Android software includes an update mechanism that satisfies this requirement.
For device implementations that are launching with Android 6.0 and later, the update mechanism
SHOULD support verifying that the system image is binary identical to expected result following an
OTA. The block-based OTA implementation in the upstream Android Open Source Project, added
since Android 5.1, satisfies this requirement.
If an error is found in a device implementation after it has been released but within its reasonable
product lifetime that is determined in consultation with the Android Compatibility Team to affect the
compatibility of third-party applications, the device implementer MUST correct the error via a software
update available that can be applied per the mechanism just described.
Android includes features that allow the Device Owner app (if present) to control the installation of
system updates. To facilitate this, the system update subsystem for devices that report
android.software.device_admin MUST implement the behavior described in the SystemUpdatePolicy
class [ Resources, 138
12. Document Changelog
The following table contains a summary of the changes to the Compatibility Definition in this release.
Summary of changes
Replaced instances of the "encouraged" term with "RECOMMENDED"
2. Device Types
Update for Android Automotive implementations
3.2.2. Build Parameters
Additions for the hardware serial number and for the security patch level of
Page 67 of 74
Section renamed from "Intent Overrides" to "Intent Resolution," with new
requirements related to authoritative default app linking
3.3.1. Application Binary
Additions for Android ABI support; change related to Vulkan library name
Change for the user agent string reported by the WebView
Updates to memory allocation table
Updates regarding Assistant requirements
Added requirement to support black system icons when requested by the
Contains new sections for device owner provisioning and managed profile
3.9.2. Managed Profile
New section with requirements for device support of managed profile
3.12.1. TV App
Added section to clarify TV App requirements for Android Television
Added section to clarify EPG requirements for Android Television devices
Added section to clarify TV App navigation requirements for Android
220.127.116.11. TV input app
Added section to clarify TV input app linking support requirements for
Android Television devices
5.1. Media Codecs
Updates regarding support for core media formats and decoding.
5.1.3. Video Codecs
Changes and additions related to Android Televisions
5.2. Video Encoding
Changes for encoders
5.3. Video Decoding
Changes for decoders, including regarding support for dynamic video
resolution, frame rate switching, and more
5.4. Audio Recording
Additions related to audio capture
5.6. Audio Latency
Update regarding reporting of support for low-latency audio
5.10. Professional Audio
General updates for professional audio support; updates for mobile device
(jack) specifications, USB audio host mode, and other updates
5.9. Musical Instrument
Digital Interface (MIDI)
Added new section on optional Musical Instrument Digital Interface (MIDI)
6.1. Developer Tools
Update for drivers supporting Windows 10
18.104.22.168. Screen Density Updates for screen density, for example related to an Android watch
7.2.3. Navigation Keys
Updated requirements for device implementations that include the Assist
7.3. Sensors (and
New requirements for some sensor types
7.3.9. High Fidelity
New section with requirements for devices supporting high fidelity sensors
New section on requirements related to fingerprint sensors
Page 68 of 74
7.4.2. IEEE 802.11 (Wi-
Updates regarding support for multicast DNS (mDNS)
Addition related to Resolvable Private Address (RPA) for Bluetooth Low
Additions to requirements for Near-Field Communications (NFC)
7.4.5. Minimum Network
Added requirements for IPv6 support
New section for implementation of adoptable storage
Requirement related to implementing the AOA specification
Additions related to near-ultrasound recording, playback, and audio
New section with requirements regarding the App Standby and Doze
8.4. Power Consumption
New section with requirements for tracking hardware component power
usage and attributing that power usage to specific applications
Addition to Permissions requirements
9.7. Kernel Security
SE Linux updates
Addition regarding user's consent for access to shared storage over a
9.9. Full-Disk Encryption Requirements related to full disk encryption
9.10. Verified Boot
Additional requirement for verified boot
9.11. Keys and
New section of requirements related to keys and credentials
9.12. Data Deletion
New section for "Factory Data Reset"
11. Updatable Software Requirement related to the system update policy set by the device owner
13. Contact Us
You can join the android-compatibility forum [Resources, 139
] and ask for clarifications or bring up any
issues that you think the document does not cover.
1. IETF RFC2119 Requirement Levels: http://www.ietf.org/rfc/rfc2119.txt
2. Android Open Source Project: http://source.android.com/
3. Android Television features:
4. Android Watch feature:
5. Android UI_MODE_TYPE_CAR API:
6. API definitions and documentation: http://developer.android.com/reference/packages.html
Page 69 of 74
7. Android Permissions reference:
8. android.os.Build reference: http://developer.android.com/reference/android/os/Build.html
9. Android 6.0 allowed version strings: http://source.android.com/compatibility/6.0/versions.html
10. Android Developer Settings: http://developer.android.com/reference/android/provider/Settings.html
11. Telephony Provider: http://developer.android.com/reference/android/provider/Telephony.html
12. Android NDK ABI Management: https://developer.android.com/ndk/guides/abis.html
13. Advanced SIMD architecture: http://infocenter.arm.com/help/index.jsp?
14. Android Extension Pack: http://developer.android.com/guide/topics/graphics/opengl.html#aep
15. android.webkit.WebView class:
16. WebView compatibility: http://www.chromium.org/
17. HTML5: http://html.spec.whatwg.org/multipage/
18. HTML5 offline capabilities: http://dev.w3.org/html5/spec/Overview.html#offline
19. HTML5 video tag: http://dev.w3.org/html5/spec/Overview.html#video
20. HTML5/W3C geolocation API: http://www.w3.org/TR/geolocation-API/
21. HTML5/W3C webstorage API: http://www.w3.org/TR/webstorage/
22. HTML5/W3C IndexedDB API: http://www.w3.org/TR/IndexedDB/
23. Dalvik Executable Format and bytecode specification: available in the Android source code, at
24. AppWidgets: http://developer.android.com/guide/practices/ui_guidelines/widget_design.html
25. Notifications: http://developer.android.com/guide/topics/ui/notifiers/notifications.html
26. Application Resources: https://developer.android.com/guide/topics/resources/available-
27. Status Bar icon style guide: http://developer.android.com/design/style/iconography.html
28. Notifications Resources: https://developer.android.com/design/patterns/notifications.html
29. Search Manager: http://developer.android.com/reference/android/app/SearchManager.html
30. Action Assist:
31. Android Assist APIs: https://developer.android.com/reference/android/app/assist/package-
32. Toasts: http://developer.android.com/reference/android/widget/Toast.html
33. Themes: http://developer.android.com/guide/topics/ui/themes.html
34. R.style class: http://developer.android.com/reference/android/R.style.html
35. Material design: http://developer.android.com/reference/android/R.style.html#Theme_Material
36. Live Wallpapers:
37. Overview screen resources: http://developer.android.com/guide/components/recents.html
38. Screen pinning: https://developer.android.com/about/versions/android-5.0.html#ScreenPinning
39. Input methods: http://developer.android.com/guide/topics/text/creating-input-method.html
40. Media Notification:
41. Dreams: http://developer.android.com/reference/android/service/dreams/DreamService.html
42. Settings.Secure LOCATION_MODE:
Page 70 of 74
Documents you may be interested
Documents you may be interested