© 2022 CyberNews - Latest tech news,
product reviews, and analyses.


Google’s new app safety policy is like the fox guarding the hen house, says expert


A coherent evaluation system for Android app safety is welcome. However, dropping the app permissions list from the Play Store and relying on developer-written descriptions is akin to tobacco companies crafting their own warning labels, a cybersecurity expert says.

Today is the deadline for Android developers to populate Google’s new Data Safety section in the Play Store. The policy update requires all Android app developers to declare how they collect and handle user data for the apps they publish on Google Play by July 20.

Nonetheless, Google apparently will use the new safety feature to replace the app permissions list that used to accompany software on its Play Store. The update appears to transfer responsibility for reporting what apps do with a user’s device solely to developers.

While providing users with the right amount of information to decide what’s best for them is always challenging, Alex Hamerstone, advisory solutions director at TrustedSec, said the update requires improvement in trust.

“Having the companies and developers that create the applications be the ones to provide information to users about the data seems like the fox is guarding the hen house,” Hamerstone told Cybernews.

Whitewashing apps

The app permissions list is not perfect. Dozens of technical permissions are challenging to understand for an average user. The list is curated by Google’s automated analysis, and it’s not always clear what the access being requested is for.

The Data Safety feature is meant to address just that. As Google puts it, the update is intended to “provide more user transparency and to help people make informed choices.” So the reasoning goes, developers know their apps best and are therefore best placed to explain why the data is needed.

However, if Google drops the app permissions list, specific data requests will no longer be transparent to the user and will instead occur behind the scenes, thinks Brian Contos, CSO of Phosphorus Cybersecurity.

“The risk is that you will have certain developers that whitewash their apps by deliberately withholding or minimizing important details about their data-collection practices. This will give consumers the false impression that the app is relatively harmless, when in fact it is engaging in robust data collection activities,” Contos explained to Cybernews.

Google to switch app permissions with data safety feature
Images by Google. Edited by Cybernews.

Hiding malware

The risk is that cybercriminals will exploit the policy to target users with legitimate-looking apps, a tactic that researchers say already makes it harder to detect apps with hidden malware.

“This feels like a step backwards when users need to be more informed, not less, about the data they are sharing and that is being collected. This is especially concerning given the issues that the Google Play store has had, and continues to have, with malicious apps,” Hamerstone said.

The Play Store policy change can leave users with no real way of knowing how much and what type of data the app collects. Experts we’ve talked to think that removing the permissions list increases a consumer’s chances of installing a dangerous app.

“Google’s new policy is sort of like letting cigarette or drug companies write their own warning labels. You’ve got to have a lot of trust to expect them to be forthcoming with all of the relevant information,” Contos said.


Need for education

The key upside to the Data Safety feature is a simplification of a complicated policy. In theory, the update should allow Play Store customers to compare apps using the same categories of information and have a common formula to assess the privacy and security of their information.

“Simplification of complicated policies and uses of information is a win-win for consumers,” Dr Chris Pierson, the CEO of cybersecurity company BlackCloak, said.

Even though the developer-written descriptions may reduce users’ ability to understand how their data is used, the percentage of people who actually review the information before downloading is likely insignificant, meaning that the real-world implications of the change won’t be dramatic.

“What is needed is a better way to educate consumers on privacy impacts of apps, have a common scoring system, and present the data to the consumer on download, so they at least have a chance to review it and change their mind,” Dr Pierson explained.

One thing that’s unlikely to change even if Google updates the Play Store policy is how threat actors think. No matter the policy update or who’s responsible for disclosing how user data is used and processed, a malicious actor who lies about what an app does today is likely to keep lying about what it will do in the future.

“They might be able to just hide it better from the small percentage of consumers who review the information pages on an app before downloading and using the app,” Dr Pierson said.

