Yeah, so checking for the latest OS came out of the DHS Study on Mobile Security + NIST Guidelines, but specifying a min API level sounds good to me too.