[DRAFT - DO NOT PUBLISH] Android 14 blocks users from enabling new features through shell commands

An operating system with as many users as Android does requires that new features undergo a lot of A/B testing before rolling out. Android app developers may be familiar with Firebase Remote Config, a Firebase SDK that enables running A/B tests. While Remote Config is open source and doesn’t have any GMS dependencies, Google uses a different API to toggle AOSP feature flags from a remote server. That API is called “DeviceConfig”, and before Android 14, any user with ADB access could override device config flags. Starting in Android 14 Beta 2, however, users will need root access to override most Android experiment flags.

In Android 10, Google introduced the Device Config API so that they could better A/B test new Android features. To read flags in the device config settings table, an app must hold the READ_DEVICE_CONFIG permission, which can only be granted to preinstalled system apps or apps that are signed with the platform certificate. To write flags in the device config settings table, an app must either be signed with the platform certificate, be defined as the system verifier app, or be defined as the system configurator. 

On Android devices with GMS, the system configurator is defined as “com.google.android.gms”, which is the package name for Google Play Services. This lets Google perform A/B tests on new Android platform features and roll them out to millions of users when they’re ready, all without needing to update the OS itself. Of course, this assumes the code implementing the feature(s) in question is written in such a way that they’re controllable via device config flags that Play Services can toggle remotely, but this has been the case for many, many Android features during the course of their development.

Here are just a few examples of recent Android features that are/have been toggleable through device config flags:

All of these features were either introduced with or after Android 13’s launch, but they aren’t the only features in Android 13 that are controllable by device config flags. Google also uses device config flags to A/B test a lot of under-the-hood changes that aren’t directly relevant to end users. Device config is integral to the development and testing of new Android features, which is why there’s also a command-line interface (accessible through ‘device_config’ or ‘cmd device_config’ in shell) that can be used to read and write flags without needing to push changes through Play Services each time.

Starting in Android 14 Beta 2, shell can no longer write most device config flags by default. The CLI hasn’t been removed, but instead can only be accessed by the shell if it has superuser privileges. That’s a bummer for power users who like to enable new Android features right away instead of waiting for a server-side rollout to complete.

I’m not sure why Google is requiring root privileges to override device config flags using the CLI in Android 14, since it’s not like third-party apps can access the CLI anyway (well, not unless they use the Shizuku library). One possible reason may be that device config flags are being used in Android 14 to control security features like the minimum installable target SDK. Even though a user would have to manually send an ADB shell command to disable a security feature like that, it’s possible they could be tricked into doing so, so I can sort of understand why they may see this capability as a security issue.

Besides, the fact that Play Services would often randomly reset flags (unless the command to disable syncing is sent) means that overriding device config flags offers little utility to most users. Overriding these flags is something that only platform developers will really find useful, and it’s easy for them to get root access in shell since userdebug/eng builds provide access to adb root by default.

There is some good news: at least some device config flags will remain toggleable via the CLI even for unrooted users. A flag allowlist has been added to ConfigInfrastructure, a new Project Mainline module that provides an updatable Device Config implementation. This allowlist currently contains the following flags:

adservices/disable_sdk_sandbox
adservices/enforce_broadcast_receiver_restrictions
adservices/fledge_ad_selection_enforce_foreground_status_custom_audience
adservices/fledge_custom_audience_max_count
adservices/fledge_custom_audience_max_num_ads
adservices/fledge_custom_audience_max_owner_count
adservices/fledge_custom_audience_per_app_max_count
adservices/fledge_js_isolate_enforce_max_heap_size
adservices/fledge_js_isolate_max_heap_size_bytes
adservices/sdk_request_permits_per_second
adservices/sdksandbox_customized_sdk_context_enabled
configuration/namespace_to_package_mapping
constrain_display_apis/always_constrain_display_apis
constrain_display_apis/never_constrain_display_apis
constrain_display_apis/never_constrain_display_apis_all_packages
device_policy_manager/disable_resources_updatability
flipendo/default_savings_mode_launch
flipendo/essential_apps
flipendo/flipendo_enabled_launch
flipendo/grayscale_enabled_launch
flipendo/lever_ble_scanning_enabled_launch
flipendo/lever_hotspot_enabled_launch
flipendo/lever_work_profile_enabled_launch
flipendo/resuspend_delay_minutes
namespace/key
namespace1/key1
namespace1/key2
namespace2/key1
namespace2/key2
package_manager_service/incfs_default_timeouts
package_manager_service/known_digesters_list
privacy/location_access_check_periodic_interval_millis
rollback/enable_rollback_timeout
rollback/watchdog_explicit_health_check_enabled
rollback/watchdog_request_timeout_millis
rollback/watchdog_trigger_failure_count
rollback/watchdog_trigger_failure_duration_millis
rollback_boot/rollback_lifetime_in_millis
systemui/nas_generate_actions
systemui/nas_generate_replies
systemui/nas_max_messages_to_extract
systemui/nas_max_suggestions
testspace/another
testspace/flagname
textclassifier/config_updater_model_enabled
textclassifier/key
textclassifier/key2
textclassifier/manifest_url_annotator_en
textclassifier/manifest_url_annotator_ru
textclassifier/model_download_backoff_delay_in_millis
textclassifier/model_download_manager_enabled
textclassifier/multi_language_support_enabled
textclassifier/testing_locale_list_override
textclassifier/textclassifier_service_package_override
window_manager/enable_default_rescind_bal_privileges_from_pending_intent_sender
wrong/nas_generate_replies

The up-to-date allowlist can be read from the “AdbWritableFlags__adb_writable_flags_list” flag under the “configuration” namespace, e.g., ‘cmd device_config get configuration AdbWritableFlags__adb_writable_flags_list’.
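
As an added example (not from the original article or from AOSP), these shell functions check which planned overrides an unrooted ADB shell could still write, using the allowlist read with the command above. The value format (`namespace/key` entries separated by commas or whitespace), the sample data, the function names, and the `example_ns/example_flag` entry are assumptions.

```shell
#!/bin/sh
# Added example: classify planned device_config overrides against the
# ADB-writable allowlist. Function names here are hypothetical.

# Constructed sample value, built from entries in the list above.
# Assumption: entries are namespace/key, separated by commas and/or whitespace.
SAMPLE_ALLOWLIST='adservices/disable_sdk_sandbox,textclassifier/key,
textclassifier/key2, rollback/enable_rollback_timeout'

# Read the live allowlist from a connected device (command from the article).
fetch_allowlist() {
    adb shell cmd device_config get configuration \
        AdbWritableFlags__adb_writable_flags_list
}

# normalize_allowlist TEXT -> one namespace/key per line, no CRs or blanks
normalize_allowlist() {
    printf '%s\n' "$1" | tr -d '\r' | tr ', \t' '\n\n\n' | sed '/^$/d' | sort -u
}

# is_adb_writable ALLOWLIST NAMESPACE KEY -> exit 0 only on an exact entry.
# -F: no regex, -x: whole line, so a prefix of an allowlisted key is rejected.
is_adb_writable() {
    normalize_allowlist "$1" | grep -Fxq -- "$2/$3"
}

# classify ALLOWLIST ns/key... -> "ns/key<TAB>adb|root|invalid" per argument
classify() {
    list=$1; shift
    for flag in "$@"; do
        ns=${flag%%/*}; key=${flag#*/}
        if [ "$ns" = "$flag" ] || [ -z "$ns" ] || [ -z "$key" ]; then
            printf '%s\tinvalid\n' "$flag"      # not in namespace/key form
        elif is_adb_writable "$list" "$ns" "$key"; then
            printf '%s\tadb\n' "$flag"          # shell may write it unrooted
        else
            printf '%s\troot\n' "$flag"         # needs root on Android 14
        fi
    done
}
```

On a real device, pass `"$(fetch_allowlist)"` as the first argument instead of the constructed sample.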
