Google's Playstore Verify Apps Feature - can we trust it?
I've been wanting to write this post since Google first announced
changes to the Playstore Verify Apps feature at the RSA
conference back in April, but wanted to wait to see the feature in
the wild before jumping to any conclusions... The Verify Apps
feature has been expanded to detect whether apps installed both
from Google Play and outside of Google Play are what it defines
as "behaving in a safe manner". While this is a welcome move
forward, it has left many in the security industry scratching their
heads and asking exactly what Google defines to be a
"safe manner".
Google makes its money from ads, which increasingly have been
the source of many forms of malware, and it is well known that
the Verify Apps feature does not cover adware. Many users do not
realize that the free apps they are playing and chatting on
are often aggressively grabbing personal information about them
such as their age, sex and location, and in many cases transferring
that data in a highly insecure way. A number of popular apps using
a particularly vulnerable and aggressive ad network (now known
as VULNA) were verified by Google and allowed into the Playstore
before being discovered by security experts recently. By that time
it had infected hundreds of millions of devices.
Likewise, Google often turns a blind eye to the growing list of what
have come to be termed "Potentially unwanted applications" or PUAs.
These are apps that contain not exactly malware, but rather
components that many users might find objectionable, such as
insecure payment methods or a dubious privacy policy.
Perhaps the most troubling thing about Google's Verify Apps
process is the complete lack of transparency over how it works,
how frequently it scans the device, and how it is defining malware.
Unlike independent anti-virus companies, it does not partake in
any standardized industry-wide testing such as AV-TEST or
AV-Comparatives. So what Google chooses to define as "Safe" still
leaves many of us scratching our heads.
