Google Play – the app store for Android devices – is introducing a range of new policies to catch malicious developers who attempt to gain access to users’ personal data. These so-called ‘bad-faith developers’ often create multiple new accounts to get around Google’s current controls.
The Google Play store has around 2.6 million apps available for download, making it the largest application store; Apple’s App Store has 2.2 million as of February 2019. Because of this, it is a target for those creating apps which can harvest users’ data.
Google Play has long been known by developers as the easier of the two major platforms to get a program added to, thanks to its much lower registration cost and less intensive submission process. However, this allows those ‘bad-faith developers’ to create and distribute an application which could access the user’s personal data.
In order to reduce the number of potentially dangerous apps, Google are introducing a number of new and updated measures that take feedback from developers into account. A beta version of Android Q was released in March, giving developers a preview of new features, such as more transparent location sharing controls and limits on which apps can access files. Android Q will also introduce support for foldable screens, improved connectivity and dynamic depth format for photos.
The evaluation process to add apps to Google Play will be more rigorous, but will take days rather than weeks to review apps from unknown developers. By increasing checks on newly registered developers, Google aim to catch those who are using new accounts to bypass security after their previous account has been blocked. Google will be able to determine whether or not they believe a new account to be linked to a previous account which has been flagged for suspicious activity.
The human team behind the review process is also being expanded. Every sensitive decision is already evaluated by a human, but more people are being brought in to reduce the time this process takes, and to make responses more personal so that developers are told why they have been rejected.
Rejections can be immediately appealed if the developer believes that they have been falsely blocked from the platform, though Google claim that “99%+ of these suspension decisions are correct”.
‘Bad-faith developers’ most commonly create a functioning app which also has the ability to access personal data on the user’s device. One area of information commonly targeted is the user’s call records and SMS messages. Changes made by Google late last year have limited the cases where apps can access this data to situations such as when a user makes an app their default text message app. They now say that the total number of apps with access to this sensitive information has been reduced by 98%.
Google Play Protect scans over 50 billion apps every day to identify potentially dangerous apps and remove them from the device. This proactive approach means that if apps already on the app store are edited to become malicious, they are targeted and quarantined in a short time.
However, another large factor at play is the amount of data which the user grants the app permission to access. Many apps display messages when first installed to prompt the user to allow access to certain features of the phone, such as the camera or microphone. Similar permissions may also be granted when accepting the terms and conditions of the app.
Therefore, no matter how much the platform increases their security and review procedures, users must always be aware of what data they are allowing their apps to acquire. If you are not sure why an app needs access to a certain feature on your device, don’t install it.