Android's May 2023 Security Patch Prevents Downgrades To Infinitely Old System App Versions
You can no longer downgrade system apps below the pre-installed version.
You will rarely need it, but the ability to downgrade an Android app that came pre-installed on your phone is very important. It can help you get an app working again when it crashes due to corrupt data, and lets you update to the latest version available on the Play Store. With the Android security update at the end of May 2023, a small change makes this process more secure: it is no longer possible to downgrade a system app to a version earlier than the one the device originally shipped with.
As noted by Android expert Mishaal Rahman writing for Esper, the May 2023 security patch notes indicate that CVE-2023-21116 has been patched. This means that it is no longer possible to downgrade an application on a working device to a version older than the one that was pre-installed on the device. Rahman notes that downgrading is still possible when debugging for testing purposes.
The security issue is rated as moderate because exploiting it requires physical access to the vulnerable device. ADB access is a prerequisite for the downgrade process, and it is usually only obtained after an attacker gains access to the physical device. This makes it unlikely that the exploit has ever been used in the wild, at least not against ordinary people, who are not important targets for hackers.
Downgrading to older versions of apps is dangerous because they may contain security issues that have been fixed in newer versions. This is a problem for any app, but it is especially problematic for system apps, because many of them have higher privileges than anything you install from the Play Store. Mishaal Rahman points to the Samsung Text-to-Speech app, which was patched in 2019 for a security issue, as a possible culprit. The vulnerability allowed a Samsung system app to be used to grant elevated privileges to other apps. Once Samsung phones are updated with the May 2023 security patch, hackers will no longer be able to downgrade the Samsung Text-to-Speech app and exploit this vulnerability.
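The following is an added example, not code from the article or from Android: a defender-side audit that flags system apps whose active version is lower than the copy shipped on the system image, which is the state the May 2023 patch is meant to prevent. It assumes that `dumpsys package` output lists the shipped copy of an updated system app under "Hidden system packages"; the dump text, package names and version codes below are constructed.

```python
import re
# Constructed, abbreviated sample in the style of `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.tts] (a1b2c3):
    codePath=/data/app/com.example.tts-1
    versionCode=100 minSdk=26 targetSdk=30
  Package [com.example.dialer] (d4e5f6):
    versionCode=520 minSdk=26 targetSdk=33
  Package [com.example.game] (0a0b0c):
    versionCode=7 minSdk=24 targetSdk=33

Hidden system packages:
  Package [com.example.tts] (aa11bb):
    codePath=/system/app/Tts
    versionCode=300 minSdk=26 targetSdk=31
  Package [com.example.dialer] (cc22dd):
    versionCode=500 minSdk=26 targetSdk=33
"""

SECTION = re.compile(r"^(\S.*):\s*$")             # unindented line ending in ':'
PACKAGE = re.compile(r"^\s+Package \[([^\]]+)\]")  # indented package header
VERSION = re.compile(r"^\s+versionCode=(\d+)")

def parse_versions(dump):
    """Return {section: {package: versionCode}} for each top-level section."""
    sections, section, package = {}, None, None
    for line in dump.splitlines():
        if m := SECTION.match(line):
            section, package = m.group(1), None
            sections.setdefault(section, {})
        elif m := PACKAGE.match(line):
            package = m.group(1)
        elif (m := VERSION.match(line)) and section and package:
            sections[section].setdefault(package, int(m.group(1)))
    return sections

def find_downgraded_system_apps(dump):
    """List (package, active, shipped) where active version < system-image version."""
    sections = parse_versions(dump)
    active = sections.get("Packages", {})
    shipped = sections.get("Hidden system packages", {})
    return sorted((p, active[p], v) for p, v in shipped.items()
                  if p in active and active[p] < v)

if __name__ == "__main__":
    for pkg, now, shipped in find_downgraded_system_apps(SAMPLE_DUMP):
        print(f"{pkg}: active versionCode {now} < shipped {shipped}")
```

In the sample, the dialer is an ordinary upgrade (520 over a shipped 500) and the game is not a system app, so only the text-to-speech package is reported.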