You may not rely on it often, but downgrading to an older version of an Android app pre-installed on your phone is a vital capability. It can help you get an app up and running again when it breaks due to corrupted data, and provide a clean slate for you to upgrade back to the latest available version on the Play Store. With Android’s latest security patch for May 2023, a small change now makes that process more secure. It is no longer possible to downgrade to an app version older than the one your device originally shipped with.

As spotted by Android expert Mishaal Rahman, writing for Esper, the May 2023 security patch notes reveal that the vulnerability CVE-2023-21116 is now closed. This means that on a production device, it is no longer possible to downgrade to an app version older than the one that came pre-installed with the device. Rahman notes that it’s still possible to downgrade when you use a debuggable build for testing purposes, though.

The security issue was marked as moderate because exploiting it requires physical access to the device in question. ADB access is a prerequisite for this downgrade process, and that’s usually only achieved when an attacker gains access to the physical device. This makes it unlikely that the exploit was ever used in the wild, at least not on regular people who don’t represent a highly valuable target for hackers.

Downgrading to older versions of apps is dangerous because they may contain security issues that are patched in newer versions. That’s a problem for any app, but it’s particularly problematic for system apps, as many of them have elevated privileges compared to anything you install from the Play Store. Mishaal Rahman points to the Samsung Text-to-speech app as one possible culprit, as it was patched for a security problem all the way back in 2019. The vulnerability made it possible to use the Samsung system app to give other apps higher privileges. Once Samsung phones are updated to the May 2023 security patch, it will no longer be possible for hackers to downgrade to this older version of the Samsung Text-to-speech app and exploit that vulnerability.
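On devices that have not yet received the May 2023 patch, a defender can audit whether a preinstalled app has already been rolled back below the version it shipped with. The following is an added example, not code from the article or from Esper: it parses text in the general shape of `adb shell dumpsys package` output and flags packages whose active version code is lower than the preloaded one. The sample dump, the package names and the assumed layout (a "Hidden system packages" section holding the preloaded copy) are constructed for illustration.

```python
import re

# Constructed sample; the layout mirrors `adb shell dumpsys package` only as an
# assumption, and the package names and version codes are made up.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.tts] (1a2b3c):
    codePath=/data/app/com.example.tts-1
    versionCode=200 minSdk=28 targetSdk=30
  Package [com.example.dialer] (4d5e6f):
    codePath=/data/app/com.example.dialer-1
    versionCode=510 minSdk=28 targetSdk=33

Hidden system packages:
  Package [com.example.tts] (7a8b9c):
    codePath=/system/app/Tts
    versionCode=300 minSdk=28 targetSdk=31
  Package [com.example.dialer] (0d1e2f):
    codePath=/system/priv-app/Dialer
    versionCode=500 minSdk=28 targetSdk=33
"""

SECTION_RE = re.compile(r"^(\S.*):\s*$")          # unindented "Name:" header
PACKAGE_RE = re.compile(r"^\s+Package \[([^\]]+)\]")
VERSION_RE = re.compile(r"^\s+versionCode=(\d+)")

def parse_versions(dump):
    """Return {section: {package: versionCode}} for the two sections compared."""
    versions = {"Packages": {}, "Hidden system packages": {}}
    section = package = None
    for line in dump.splitlines():
        if (m := SECTION_RE.match(line)):
            section, package = m.group(1), None
        elif (m := PACKAGE_RE.match(line)):
            package = m.group(1)
        elif (m := VERSION_RE.match(line)) and package and section in versions:
            versions[section].setdefault(package, int(m.group(1)))
    return versions

def find_downgraded(dump):
    """List (package, active, preloaded) where active version < preloaded."""
    v = parse_versions(dump)
    active, preloaded = v["Packages"], v["Hidden system packages"]
    return sorted((p, active[p], preloaded[p])
                  for p in preloaded if p in active and active[p] < preloaded[p])

if __name__ == "__main__":
    for pkg, cur, shipped in find_downgraded(SAMPLE_DUMP):
        print(f"{pkg}: active versionCode {cur} < preloaded {shipped}")
```

Packages that appear only under "Packages" have no preloaded copy to compare against and are skipped.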