Here’s how Advanced Protection Mode in Android 16 will protect your data

If you believe you’re at high risk of being targeted by hackers or you desire an additional layer of security, you can enroll in Google’s Advanced Protection Program. The program improves security by requiring you to use a security key or passkey to sign in to your Google account, blocking you from downloading harmful files, and more. Enrolled users also benefit from beefed up security on their Android devices, with Android 16 introducing further security enhancements.

Google introduced the Advanced Protection Program in 2017 to provide extra security for IT admins, journalists, activists, and others at high risk of being hacked. When you enroll in the program, Android will prevent you from installing apps from outside the Google Play Store (i.e., sideloading). While this stops one common way for hackers to compromise Android devices, the Advanced Protection Program could do even more to protect Android users. This is what the new Advanced Protection Mode in Android 16 aims to address.

We first covered Advanced Protection Mode last October, but details were scarce at the time. We learned that it’s a “security conscious protection mode” that you can enroll in via the Android Settings app and that apps can check enrollment status via an API. However, we never found out what exactly it affected, but we now know thanks to the first Android 16 beta.

While examining Android 16 Beta 1, I discovered how to manually enable the new Advanced Protection Mode feature. After enabling the feature, I noticed the “allow from this source” toggle (located in Settings > Apps > Special app access > Install unknown apps) was now grayed out. A “disabled by Advanced Protection” message appeared below the toggle. Tapping the toggle displayed a dialog stating, “This action is not allowed because Advanced Protection is on for your device.”

By being unable to grant apps the “install unknown apps” permission, Android 16 prevents you from sideloading apps. This restriction isn’t entirely new for users already in the Advanced Protection Program, as Google Play Protect already blocks sideloaded app installations. The only difference is that sideloading can’t even be attempted.

A key new feature of Advanced Protection Mode in Android 16 is its prevention of 2G connectivity. 2G connectivity is outdated and generally insecure, with few legitimate reasons for most users to enable it. Blocking it mitigates the risk of users being tricked into connecting to rogue 2G networks designed for surveillance.

Additionally, Advanced Protection Mode in Android 16 enables Memory Tagging Extension (MTE) for apps. This feature protects against memory safety bugs in Android apps, which are some of the most common sources of security vulnerabilities. MTE is currently an optional feature enabled through Settings > Security > Developer options > Memory Tagging Extension on compatible devices. Google made it optional due to potential performance impacts, a trade-off users in the Advanced Protection Program are likely willing to accept.

Google hasn’t formally announced this new Advanced Protection Mode, so its inclusion in the final Android 16 release isn’t guaranteed. Given the evidence we’ve compiled, though, we think it’s likely it’ll make it in. Blocking 2G and enabling MTE are valuable enhancements, but Advanced Protection Mode’s true potential lies in the new API, which allows apps to check enrollment status and implement further security measures. This effectively transforms the Advanced Protection Program into a one-click solution for enhancing the security of not only your Google account but also any participating Android app.