Android update fixes vulnerability that let system apps be downgraded beyond factory version

Mishaal Rahman
Try Esper for Free
Learn about Esper mobile device management software for Android and iOS

There are several valid reasons to downgrade or rollback an update to an Android app, but the OS doesn’t provide a way to do so without using developer tools. Downgrading an app can cause problems if the app’s data isn’t cleared, but bugs and stability issues aren’t the only problems to consider. Rolling back an update can expose the device to security vulnerabilities that exist in older versions of the software. That’s why Android now no longer lets users downgrade system apps beyond the factory installed version.

After installing the May 2023 security update on a Pixel 6 Pro, attempting to downgrade a system app beyond the factory installed version will give the INSTALL_FAILED_VERSION_DOWNGRADE error.

Devices that have applied the latest Android security patches detailed in the May 2023 Android Security Bulletin are now protected against CVE-2023-21116, an escalation-of-privilege (EoP) vulnerability that made it possible to roll back a system app below the system image version. A patch is available for AOSP versions 11-13 that fixes a logic error in the verifyReplacingVersionCode method of the InstallPackageHelper class. For testing purposes, Android still allows downgrading a system app beyond the factory version if the build or app is marked debuggable, but otherwise, the INSTALL_FAILED_VERSION_DOWNGRADE error will be given.

Since this vulnerability can only be readily exploited by an attacker with ADB or shell privileges, it makes sense why it only has a severity rating of “moderate.” Ordinary, user-installed apps or attackers without physical access to the device can’t pass the necessary flag to initiate an app downgrade, so the existence of this vulnerability should not concern most users and admins who have yet to or cannot update their devices to the May 2023 security patch level (2023-05-0X). Still, it is worth applying the update as soon as it is made available, as older versions of system apps may have vulnerabilities that can be chained into escalating privileges or exfiltrating sensitive data.

For example, a vulnerability in older versions of the Samsung TTS app can be exploited to escalate the privileges of a regular app to the system level. This vulnerability, assigned CVE-2019-16253, was identified and fixed in 2019 but could still be exploited by downgrading the app to a vulnerable version. Samsung devices with the May 2023 SPL should be fully protected against this vulnerability, as the version of the Samsung TTS app that’s preinstalled in the system image isn’t vulnerable to CVE-2019-16253 and Android won’t allow users to downgrade to a version that is vulnerable.


No items found.
No items found.

Keep Exploring

No items found.
Mishaal Rahman
Mishaal Rahman

Mishaal Rahman is a Technical Editor at Esper. He has been an Android user for over a decade and has been at the forefront of Android news coverage for half a decade. His in-depth breakdowns of new Android versions have been referenced across the Internet.

Mishaal Rahman
Learn about Esper mobile device management software for Android and iOS
Featured resource
Read more
Featured resource

Esper is Modern Device Management

For tablets, smartphones, kiosks, point of sale, IoT, and other business-critical edge devices.
MDM Software
Kiosk mode icon as a feature in mobile device management software

Kiosk mode

Hardened device lockdown for all devices (not just kiosks)
App management icon as a feature in mobile device management software

App management

Google Play, Apple App Store, private apps, or a mix of all three
Devices groups icon as a feature in mobile device management software

Device groups

Manage devices individually, in user-defined groups, or all at once
Remote tools icon as a feature in mobile device management software

Remote tools

Monitor, troubleshoot, and update devices without leaving your desk
Touchless provisioning as a feature in mobile device management software

Touchless provisioning

Turn it on and walk away — let your devices provision themselves
Reporting and alerts as a feature in mobile device management software

Reporting and alerts

Custom reports and granular device alerts for managing by exception