You can no longer downgrade system apps below the version that was preinstalled
You may not rely on it much, but downgrading an Android app that came pre-installed on your phone is a vital ability. It can help you get an app up and running again when it crashes due to corrupted data, and provide a clean slate for you to upgrade back to the latest version available on the Play Store. The latest May 2023 Android security patch brings a small change that makes this process more secure. It is no longer possible to downgrade an app to a version older than the one your device originally shipped with.
The May 2023 security patch notes reveal that the CVE-2023-21116 vulnerability is now closed, as spotted by Android expert Mishaal Rahman, writing for Esper. This means that on a production device, it is no longer possible to downgrade a system app below the version that was preinstalled on the device. Rahman notes that it’s still possible to downgrade when using a debuggable build for testing purposes, though.
The security issue is marked as moderate because exploiting it requires physical access to the device in question. ADB access is a necessary prerequisite for a successful downgrade process, and it is usually only achieved when an attacker gains access to the physical device. This makes it unlikely that the vulnerability could have been used in the wild, at least not against ordinary people who would not be a high-value target for hackers.
The reason it’s dangerous to downgrade apps is that older versions may reintroduce security issues that have been fixed in newer versions. This is an issue for any app, but it’s especially a problem for system apps, as many of them have elevated privileges compared to anything you install from the Play Store. Mishaal Rahman cites Samsung’s text-to-speech app as one possible culprit, as it was patched for a security issue all the way back in 2019. The vulnerability enabled Samsung’s system app to be used to grant other apps higher privileges. Once Samsung phones are updated to the May 2023 security patch, hackers will no longer be able to revert to this old version of the Samsung text-to-speech app and exploit this vulnerability.