SecurityStateManager

Kotlin |Java

public class SecurityStateManager
extends Object

java.lang.Object
↳	android.os.SecurityStateManager

SecurityStateManager provides the functionality to query the security status of the system and platform components. For example, this includes the system and vendor security patch level.

Summary

Constants
`String`	`KEY_KERNEL_VERSION` The kernel version key returned as part of the `Bundle` from `getGlobalSecurityState`.
`String`	`KEY_SYSTEM_SPL` The system SPL key returned as part of the `Bundle` from `getGlobalSecurityState`.
`String`	`KEY_SYSTEM_SUPPLEMENTAL_PATCHES` The system supplemental patches key returned as part of the `Bundle` from `getGlobalSecurityState`.
`String`	`KEY_VENDOR_SPL` The vendor SPL key returned as part of the `Bundle` from `getGlobalSecurityState`.
`String`	`KEY_VENDOR_SUPPLEMENTAL_PATCHES` The vendor supplemental patches key returned as part of the `Bundle` from `getGlobalSecurityState`.

Public methods
`Bundle`	`getGlobalSecurityState()` Returns the current global security state.

Inherited methods

From class


        
          java.lang.Object

`Object`	`clone()` Creates and returns a copy of this object.
`boolean`	`equals(Object obj)` Indicates whether some other object is "equal to" this one.
`void`	`finalize()` Called by the garbage collector on an object when garbage collection determines that there are no more references to the object.
`final Class<?>`	`getClass()` Returns the runtime class of this `Object`.
`int`	`hashCode()` Returns a hash code value for the object.
`final void`	`notify()` Wakes up a single thread that is waiting on this object's monitor.
`final void`	`notifyAll()` Wakes up all threads that are waiting on this object's monitor.
`String`	`toString()` Returns a string representation of the object.
`final void`	`wait(long timeoutMillis, int nanos)` Causes the current thread to wait until it is awakened, typically by being notified or interrupted, or until a certain amount of real time has elapsed.
`final void`	`wait(long timeoutMillis)` Causes the current thread to wait until it is awakened, typically by being notified or interrupted, or until a certain amount of real time has elapsed.
`final void`	`wait()` Causes the current thread to wait until it is awakened, typically by being notified or interrupted.

Constants

KEY_KERNEL_VERSION

Added in API level 35

public static final String KEY_KERNEL_VERSION

The kernel version key returned as part of the Bundle from getGlobalSecurityState.

Constant Value: "kernel_version"

KEY_SYSTEM_SPL

Added in API level 35

public static final String KEY_SYSTEM_SPL

The system SPL key returned as part of the Bundle from getGlobalSecurityState.

Constant Value: "system_spl"

KEY_SYSTEM_SUPPLEMENTAL_PATCHES

Added in API level 37

public static final String KEY_SYSTEM_SUPPLEMENTAL_PATCHES

The system supplemental patches key returned as part of the Bundle from getGlobalSecurityState.

The value is a String[] of CVE IDs (e.g., "CVE-2026-12345") that are affirmed to be fully mitigated in the system image, supplemental to the declared KEY_SYSTEM_SPL.

Constant Value: "system_supplemental_security_patches"

KEY_VENDOR_SPL

Added in API level 35

public static final String KEY_VENDOR_SPL

The vendor SPL key returned as part of the Bundle from getGlobalSecurityState.

Constant Value: "vendor_spl"

KEY_VENDOR_SUPPLEMENTAL_PATCHES

Added in API level 37

public static final String KEY_VENDOR_SUPPLEMENTAL_PATCHES

The vendor supplemental patches key returned as part of the Bundle from getGlobalSecurityState.

The value is a String[] listing CVEs (e.g., "CVE-2026-12345") that are affirmed to be fully mitigated in the vendor image, supplemental to the declared KEY_VENDOR_SPL.

Constant Value: "vendor_supplemental_security_patches"

Public methods

getGlobalSecurityState

Added in API level 35

public Bundle getGlobalSecurityState ()

Returns the current global security state. Each key-value pair is a mapping of a component of the global security state to its current version/SPL (security patch level). For example, the KEY_SYSTEM_SPL key will map to the SPL of the system as defined in Build.VERSION. The bundle will also include mappings from WebView packages and packages listed under config config_securityStatePackages to their respective versions as defined in PackageInfo.versionName.

The bundle will also include lists of CVEs that are affirmed to be patched in the source code, supplemental to the declared Security Patch Level (SPL). These lists are associated with KEY_SYSTEM_SUPPLEMENTAL_PATCHES and KEY_VENDOR_SUPPLEMENTAL_PATCHES.

The presence of a CVE in these lists indicates that the device implementation has fully mitigated the vulnerability. The accuracy of this information is critical, as it is used to determine the device's security posture.

Returns
`Bundle`	A `Bundle` that contains the global security state information as string-to-string key-value pairs. This value cannot be `null`.