Security protocols like TLS often have a two-sided upgrade problem, it takes a long time to upgrade, as both the client and the server must be upgraded. An API is a protocol, and there are a two-sided upgrade problems with APIs. We have evaluated a particularly nasty API vulnerability in Android for which we have data on the different approaches used to fix it and their deployment timeline. First I will describe the vulnerability, and why it is important.