Android VPNs to get audit badges in Google Play Store if they aren't comically crap
No promises it's actually secure, just that it doesn't do anything obviously dumb
Google wants to help Android users find more trustworthy VPN apps through better badging alerting to independent audits.
The ad impresario and cloud concession has afforded independently audited applications in its Play store a more prominent display of their security bonafides, specifically a banner atop their Google Play page.
VPN apps are the first to receive this special treatment, explained Nataliya Stanetsky, from Google's Android Security and Privacy Team, in an announcement, because they handle significant amounts of sensitive data. And they're thus a popular target for subversion by miscreants.
"When a user searches for VPN apps, they will now see a banner at the top of Google Play that educates them about the 'Independent security review' badge in the Data Safety Section," said Stanetsky.
- Google bins integrity API that looked more than a bit like horrible DRM for websites
- Meta's ad-free scheme dares you to buy your privacy back, one euro at a time
- Help, Android 14 ate my Pixel! Bug causes endless reboots, loss of storage access
- Alphabet CEO testifies in Google Search trial: We pay billions to keep Apple at bay
Last year, Google's partnership with the App Defense Alliance (ADA), launched in 2019, was expanded to include the Mobile App Security Assessment (MASA), a way to check Android apps to ensure they comply with a security standard defined by OWASP.
It's not a particularly thorough audit. As the ADA's website states, "MASA is intended to provide more transparency into the app's security architecture, however the limited nature of testing does not guarantee complete safety of the application."
The ADA also advises that MASA does not necessarily check app developers' safety declarations. Obviously the alliance doesn't want to be blamed if it misses something and an info-stealing app slips by, but the group's MASA endorsement counts for something.
MASA looks for obvious bad practices, like whether sensitive data gets written to application log files and whether the app reuses cryptographic keys for multiple purposes, among its many checks. It's safe to say you're better off with apps that avoid such missteps, even if it's not safe to say they're guaranteed to be secure.
At least if MASA misses, the Android ecosystem has other security measures in place. As Google proudly proclaims, it tries to protect against PHAs and MUwS – potentially harmful applications and mobile unwanted software, in case your gibberish translator is down. It does so through static and dynamic risk analysis, by gathering data about malicious apps, with machine learning, and other mechanisms.
Previously, those Android developers who submitted their apps for MASA interrogation, successful certification received a small badge buried in the app's "Data safety" section.
Throwing modesty aside, Google Play will now proclaim MASA merit for VPN apps in a way that's more easily visible, using a banner near the top of the store listing that links to the App Validation Directory. That's a central repository where all validated VPN apps – eight at the moment – can be seen as separate from more dubious peers of uncertain provenance.
"Research shows that transparent security labeling plays a crucial role in consumer risk perception, building trust, and influencing product purchasing decisions," said Stanetsky. "We believe the same principles apply for labeling and badging in the Google Play store." ®