diff --git a/src/blobs/build.ts b/src/blobs/build.ts index 95c0647..c6eba37 100644 --- a/src/blobs/build.ts +++ b/src/blobs/build.ts @@ -161,7 +161,7 @@ export async function generateBuild( namespace: true, }, proprietaryBlueprint: { - modules: namedModules.values(), + modules: Array.from(namedModules.values()), }, modulesMakefile: { device, diff --git a/src/build/soong.ts b/src/build/soong.ts index 1422d5d..6eb6073 100644 --- a/src/build/soong.ts +++ b/src/build/soong.ts @@ -6,6 +6,7 @@ import { SOONG_HEADER } from '../util/headers' export const SPECIAL_FILE_EXTENSIONS = new Set(['.so', '.apk', '.jar', '.xml', '.apex']) export const TYPE_SHARED_LIBRARY = 'cc_prebuilt_library_shared' +export const TYPE_APK = 'android_app_import' export interface TargetSrcs { srcs: Array @@ -120,7 +121,7 @@ export type SoongModule = { export interface SoongBlueprint { namespace?: boolean - modules?: Iterable + modules?: SoongModule[] } function getRelativeInstallPath(entry: BlobEntry, pathParts: Array, installDir: string) { @@ -263,7 +264,7 @@ export function blobToSoongModule( } } else if (ext == '.apk') { moduleSpecific = { - _type: 'android_app_import', + _type: TYPE_APK, apk: entry.srcPath, ...((entry.isPresigned && { presigned: true }) || { certificate: 'platform' }), ...(entry.path.startsWith('priv-app/') && { privileged: true }), diff --git a/src/config/device.ts b/src/config/device.ts index 3a07140..1084654 100644 --- a/src/config/device.ts +++ b/src/config/device.ts @@ -54,6 +54,7 @@ export interface DeviceConfig { sepolicy_dirs: Filters dep_files: Filters files: Filters + deprivileged_apks: Filters } } @@ -109,6 +110,7 @@ const DEFAULT_CONFIG_BASE = { sepolicy_dirs: structuredClone(EMPTY_FILTERS), dep_files: structuredClone(EMPTY_INCLUDE_FILTERS), files: structuredClone(EMPTY_FILTERS), + deprivileged_apks: structuredClone(EMPTY_INCLUDE_FILTERS), }, } diff --git a/src/frontend/generate.ts b/src/frontend/generate.ts index 174917f..3bdb77f 100644 
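Review bot: The new `deprivileged_apks` field in the `DeviceConfig` filters block (src/config/device.ts, hunk at -54) has no comment, and nothing in the commit says which path a filter entry is compared with. The loop added in src/frontend/generate.ts matches it against `apkModule.apk`, which `blobToSoongModule` fills from `entry.srcPath`, while privilege itself is derived from `entry.path.startsWith('priv-app/')`. I would add a comment on the field such as `// APKs whose module apk path (entry.srcPath) matches are built with privileged: false`, so a config author does not write install-path filters that never match. The interface starts above the hunk.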
--- a/src/frontend/generate.ts +++ b/src/frontend/generate.ts @@ -27,6 +27,8 @@ import { import { generateFileContexts } from '../selinux/labels' import { exists, readFile, TempState } from '../util/fs' import { ALL_SYS_PARTITIONS } from '../util/partitions' +import {ApkModule, TYPE_APK} from "../build/soong" +import assert from "assert" export interface PropResults { stockProps: PartitionProps @@ -358,5 +360,16 @@ export async function generateBuildFiles( await fs.writeFile(`${dirs.out}/proprietary-files.txt`, `${fileList}\n`) } + // Handle deprivileging of APKs + for (let m of build.proprietaryBlueprint?.modules ?? []) { + if (m._type == TYPE_APK) { + let apkModule = m as ApkModule + if (filterValue(config.filters.deprivileged_apks, apkModule.apk)) { + assert(apkModule.privileged, apkModule.apk + " is already unprivileged") + apkModule.privileged = false + } + } + } + await writeBuildFiles(build, dirs) }
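Review bot: The two added imports in the first hunk use double quotes and unspaced braces, while the neighbouring imports use single quotes and `{ a, b }` spacing. `import { ApkModule, TYPE_APK } from '../build/soong'` and `import assert from 'assert'` would match the file. `ApkModule` is only used in a cast in the second hunk, so if it is a type alias it could be brought in with `import type`.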
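Review bot: The deprivileging loop in the second hunk fails open: a `deprivileged_apks` entry that matches no module is silently ignored, so a typo or a path in the wrong form leaves that APK built with `privileged: true` and no build error. The `assert` only covers the opposite case, a matched APK that is not privileged. Consider recording which `apkModule.apk` values were matched and failing the build when a configured entry matched nothing, or at least logging each APK that was deprivileged so the result can be audited. Smaller points: `let m` and `let apkModule` can be `const`, and `m._type == TYPE_APK` should use `===`. `generateBuildFiles` starts above the hunk.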