Full Report
Posted by Bethel Otuteye and Khawaja Shams (Android Security and Privacy Team), and Ron Aquino (Play Trust and Safety)

Android and Google Play comprise a vibrant ecosystem with billions of users around the globe and millions of helpful apps. Keeping this ecosystem safe for users and developers remains our top priority. However, like any flourishing ecosystem, it also attracts its share of bad actors. That’s why every year, we continue to invest in more ways to protect our community and fight bad actors, so users can trust the apps they download from Google Play and developers can build thriving businesses.

Last year, those investments included AI-powered threat detection, stronger privacy policies, supercharged developer tools, new industry-wide alliances, and more. As a result, we prevented 2.36 million policy-violating apps from being published on Google Play and banned more than 158,000 bad developer accounts that attempted to publish harmful apps. But that was just the start. For more, take a look at our recent highlights from 2024:

## Google’s advanced AI: helping make Google Play a safer place

To keep out bad actors, we have always used a combination of human security experts and the latest threat-detection technology. In 2024, we used Google’s advanced AI to improve our systems’ ability to proactively identify malware, enabling us to detect and block bad apps more effectively. It also helps us streamline review processes for developers with a proven track record of policy compliance. Today, over 92% of our human reviews for harmful apps are AI-assisted, allowing us to take quicker and more accurate action to help prevent harmful apps from becoming available on Google Play. That’s enabled us to stop more bad apps than ever from reaching users through the Play Store, protecting users from harmful or malicious apps before they can cause any damage.
## Working with developers to enhance security and privacy on Google Play

To protect user privacy, we’re working with developers to reduce unnecessary access to sensitive data. In 2024, we prevented 1.3 million apps from getting excessive or unnecessary access to sensitive user data. We also required apps to be more transparent about how they handle user information by launching new developer requirements and a new “Data deletion” option for apps that support user accounts and data collection. This helps users manage their app data and understand the app’s deletion practices, making it easier for Play users to delete data collected from third-party apps.

We also worked to ensure that apps use the strongest and most up-to-date privacy and security capabilities Android has to offer. Every new version of Android introduces new security and privacy features, and we encourage developers to embrace these advancements as soon as possible. As a result of partnering closely with developers, over 91% of app installs on the Google Play Store now use the latest protections of Android 13 or newer.

Safeguarding apps from scams and fraud is an ongoing battle for developers. The Play Integrity API allows developers to check if their apps have been tampered with or are running in potentially compromised environments, helping them to prevent abuse like fraud, bots, cheating, and data theft. The Play Integrity API and Play’s automatic protection help developers ensure that users are using the official Play version of their app with the latest security updates. Apps using Play Integrity features are seeing 80% lower usage from unverified and untrusted sources on average.

We’re also constantly working to improve the safety of apps on Play at scale, such as with the Google Play SDK Index. This tool offers insights and data to help developers make more informed decisions about the safety of an SDK.
Last year, in addition to adding 80 SDKs to the index, we also worked closely with SDK and app developers to address potential SDK security and privacy issues, helping to build safer and more secure apps for Google Play.

## Google Play’s multi-layered protections against bad apps

To create a trusted experience for everyone on Google Play, we use our SAFE principles as a guide, incorporating multi-layered protections that are always evolving to help keep Google Play safe. These protections start with the developers themselves, who play a crucial role in building secure apps. We provide developers with best-in-class tools, best practices, and on-demand training resources for building safe, high-quality apps. Every app undergoes rigorous review and testing, with only approved apps allowed to appear in the Play Store. Before a user downloads an app from Play, users can explore its user reviews, ratings, and Data safety section on Google Play to help them make an informed decision. And once installed, Google Play Protect, Android’s built-in security protection, helps to shield their Android device by continuously scanning for malicious app behavior.

## Enhancing Google Play Protect to help keep users safe on Android

While the Play Store offers best-in-class security, we know it’s not the only place users download Android apps – so it’s important that we also defend Android users from more generalized mobile threats. To do this in an open ecosystem, we’ve invested in sophisticated, real-time defenses that protect against scams, malware, and abusive apps. These intelligent security measures help to keep users, user data, and devices safe, even if apps are installed from various sources with varying levels of security. Google Play Protect automatically scans every app on Android devices with Google Play Services, no matter the download source. This built-in protection, enabled by default, provides crucial security against malware and unwanted software.
Google Play Protect scans more than 200 billion apps daily and performs real-time scanning at the code-level on novel apps to combat emerging and hidden threats, like polymorphic malware. In 2024, Google Play Protect’s real-time scanning identified more than 13 million new malicious apps from outside Google Play¹. Google Play Protect is always evolving to combat new threats and protect users from harmful apps that can lead to scams and fraud. Here are some of the new improvements that are now available globally on Android devices with Google Play Services:

**Reminder notifications in Chrome on Android to re-enable Google Play Protect:** According to our research, more than 95 percent of app installations from major malware families that exploit sensitive permissions highly correlated to financial fraud came from Internet-sideloading sources like web browsers, messaging apps, or file managers. To help users stay protected when browsing the web, Chrome will now display a reminder notification to re-enable Google Play Protect if it has been turned off.

**Additional protection against social engineering attacks:** Scammers may manipulate users into disabling Play Protect during calls to download malicious Internet-sideloaded apps. To prevent this, the Play Protect app scanning toggle is now temporarily disabled during phone or video calls. This safeguard is enabled by default during traditional phone calls as well as during voice and video calls in popular third-party apps.

**Automatically revoking app permissions for potentially dangerous apps:** Since Android 11, we’ve taken a proactive approach to data privacy by automatically resetting permissions for apps that users haven't used in a while. This ensures apps can only access the data they truly need, and users can always grant permissions back if necessary.
To further enhance security, Play Protect now automatically revokes permissions for potentially harmful apps, limiting their access to sensitive data like storage, photos, and camera. Users can restore app permissions at any time, with a confirmation step for added security.

Google Play Protect’s enhanced fraud protection pilot analyzes and automatically blocks the installation of apps that may use sensitive permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps, or file managers). Building on the success of our initial pilot in partnership with the Cyber Security Agency of Singapore (CSA), additional enhanced fraud protection pilots are now active in nine regions – Brazil, Hong Kong, India, Kenya, Nigeria, Philippines, South Africa, Thailand, and Vietnam. In 2024, Google Play Protect’s enhanced fraud protection pilots have shielded 10 million devices from over 36 million risky installation attempts, encompassing over 200,000 unique apps. By piloting these new protections, we can proactively combat emerging threats and refine our solutions to thwart scammers and their increasingly sophisticated fraud attempts. We look forward to continuing to partner with governments, ecosystem partners, and other stakeholders to improve user protections.

## App badging to help users find apps they can trust at a glance on Google Play

In 2024, we introduced a new badge for government developers to help users around the world identify official government apps. Government apps are often targets of impersonation due to the highly sensitive nature of the data users provide, giving bad actors the ability to steal identities and commit financial fraud. Badging verified government apps is an important step in helping connect people with safe, high-quality, useful, and relevant experiences. We partner closely with global governments and are already exploring ways to build on this work.
We also recently introduced a new badge to help Google Play users discover VPN apps that take extra steps to demonstrate their strong commitment to security. We allow developers who adhere to Play safety and security guidelines and have passed an additional independent Mobile Application Security Assessment (MASA) to display a dedicated badge in the Play Store to highlight their increased commitment to safety.

## Collaborating to advance app security standards

In addition to our partnerships with governments, developers, and other stakeholders, we also worked with our industry peers to protect the entire app ecosystem for everyone. The App Defense Alliance, in partnership with fellow steering committee members Microsoft and Meta, recently launched the ADA Application Security Assessment (ASA) v1.0, a new standard to help developers build more secure mobile, web, and cloud applications. This standard provides clear guidance on protecting sensitive data, defending against cyberattacks, and ultimately, strengthening user trust. This marks a significant step forward in establishing industry-wide security best practices for application development. All developers are encouraged to review and comply with the new mobile security standard. You’ll see this standard in action for all carrier apps pre-installed on future Pixel phone models.

## Looking ahead

This year, we’ll continue to protect the Android and Google Play ecosystem, building on these tools and resources in response to user and developer feedback and the changing landscape. As always, we’ll keep empowering developers to build safer apps more easily, streamline their policy experience, and protect their businesses and users from bad actors.

¹ Based on Google Play Protect 2024 internal data.
Analysis Summary
The provided context is a blog post header and archive navigation from the Google Online Security Blog, specifically referencing an article titled "How we kept the Google Play & Android app ecosystems safe in 2024."
**Crucially, the content of the article itself is missing.** The provided text only gives the title, date, source, and associated tags. Therefore, the recommendations extracted will be based *only* on the implied topics derived from the title and labels (Google Play, Android Security, App Ecosystem Safety, Supply Chain, etc.).
Since there are no specific technical actions detailed in the provided snippet, the guidance below extrapolates best practices relevant to securing the described scope (Google Play and Android ecosystems).
---
# Best Practices: Securing the Google Play and Android App Ecosystems
## Overview
These practices address the foundational security posture, proactive threat detection, developer practices, and platform integrity required to maintain a safe and trustworthy application ecosystem for both users (via Google Play) and the Android operating system itself.
## Key Recommendations
### Immediate Actions (Focus on Known Threats)
1. **Review and Update Key Platform Dependencies:** Immediately audit all third-party libraries and SDKs utilized in first-party applications for known vulnerabilities (CVEs). Prioritize dependency updates for libraries flagged in recent threat intelligence reports.
2. **Strengthen Developer Verification Checks:** For organizations managing applications on Google Play, ensure all developer accounts have up-to-date multi-factor authentication (MFA) enabled to prevent account takeover exploitation.
3. **Verify Scanning Tool Efficacy:** Ensure automated static and dynamic application security testing (SAST/DAST) tools are running against the latest build artifacts with up-to-date rule sets specifically targeting known Android/Play Store abuse vectors (e.g., malware patterns, phishing indicators).
### Short-term Improvements (1-3 months)
1. **Implement Mandatory Code Hardening:** Require developers to implement obfuscation and anti-tampering techniques for sensitive logic within Android applications to deter reverse engineering and repackaging attempts.
2. **Enforce Binary Transparency Measures:** Integrate application signing verification checks (e.g., using Google Play Protect mechanisms or self-managed Certificate Authorities checks) into deployment pipelines to ensure only authorized builds reach users.
3. **Enhance Consent and Data Handling Audits:** Conduct a focused audit on all applications requiring sensitive permissions (e.g., location, SMS, accessibility). Verify that user consent flows meet the latest Google Play policy requirements, logging all affirmative consent events.
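Recommendation 2 above ("ensure only authorized builds reach users") and the post's description of the Play Integrity API come down to one server-side check: the backend must not trust the verdict until it has confirmed the verdict is bound to its own request and that the app, device and licence labels are the ones it requires. The following is an added example, not code from the blog post, Google or the Play Integrity library. It assumes the integrity token has already been decrypted and signature-checked (which the Play Integrity server API does for you) and operates on the resulting verdict JSON. The field names follow the published verdict format; the package name, certificate digest, token-age limit and the sample verdict are all constructed for the example.

```python
"""Server-side evaluation of a decoded Play Integrity verdict (added example)."""
import json
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed values standing in for the app's real identity (assumptions).
EXPECTED_PACKAGE = "com.example.bank"
EXPECTED_CERT_DIGESTS = {"CONSTRUCTED_BASE64_SHA256_OF_RELEASE_CERT"}
MAX_TOKEN_AGE_MS = 5 * 60 * 1000  # reject verdicts older than 5 minutes (assumed policy)


@dataclass
class IntegrityDecision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_verdict(verdict: dict, expected_nonce: str, now_ms: Optional[int] = None,
                     require_strong: bool = False) -> IntegrityDecision:
    """Return whether the request should be served, and every reason it should not."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons: List[str] = []
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    acct = verdict.get("accountDetails", {})

    # 1. The verdict must be bound to *this* request: nonce, package name and freshness.
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("request package name mismatch")
    ts = int(req.get("timestampMillis", 0))
    if now_ms - ts > MAX_TOKEN_AGE_MS or ts > now_ms + 60_000:
        reasons.append("verdict timestamp outside acceptance window")

    # 2. App integrity: the binary must be the one Play knows, signed with our release key.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append(f"app not Play-recognized: {app.get('appRecognitionVerdict')}")
    if app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("app package name mismatch")
    digests = set(app.get("certificateSha256Digest", []))
    if not digests or not digests.issubset(EXPECTED_CERT_DIGESTS):
        reasons.append("signing certificate digest not in allowlist")

    # 3. Device integrity: the verdict carries a list of labels; require the one we need.
    labels = set(dev.get("deviceRecognitionVerdict", []))
    needed = "MEETS_STRONG_INTEGRITY" if require_strong else "MEETS_DEVICE_INTEGRITY"
    if needed not in labels:
        reasons.append(f"device lacks {needed}: {sorted(labels)}")

    # 4. Licensing: UNLICENSED means the install did not come through Play.
    if acct.get("appLicensingVerdict") == "UNLICENSED":
        reasons.append("app is unlicensed (not installed from Play)")

    return IntegrityDecision(allowed=not reasons, reasons=reasons)


# Constructed sample verdict: the shape follows the published format, the values are made up.
SAMPLE_VERDICT = {
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": "n0nc3-abc",
                       "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": EXPECTED_PACKAGE, "versionCode": "42",
                     "certificateSha256Digest": ["CONSTRUCTED_BASE64_SHA256_OF_RELEASE_CERT"]},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY",
                                                     "MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

if __name__ == "__main__":
    decision = evaluate_verdict(SAMPLE_VERDICT, "n0nc3-abc", now_ms=1700000000000 + 1000)
    print(json.dumps({"allowed": decision.allowed, "reasons": decision.reasons}, indent=2))
```

The nonce comparison is what turns the verdict into evidence about this request rather than about some earlier one: the server generates the nonce, the app passes it into the integrity request, and a verdict that comes back with any other nonce is rejected regardless of how good its labels look.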
### Long-term Strategy (3+ months)
1. **Adopt Memory-Safe Languages:** Establish a roadmap to migrate critical application components written in C/C++ to memory-safe languages like Rust or Kotlin whenever feasible, aligning with industry trends to eliminate entire classes of memory corruption vulnerabilities (a key focus area for platform security).
2. **Establish Continuous Supply Chain Monitoring (SBOM):** Develop and enforce a Software Bill of Materials (SBOM) generation process for all published apps. Integrate this SBOM into a continuous monitoring system to receive alerts if any included component has a newly disclosed vulnerability.
3. **Integrate Hardware Security Features:** Plan for the integration of hardware-backed security features (e.g., TrustZone, Titan M2 security measures if applicable to organization hardware) to protect cryptographic keys and sensitive processing operations outside of standard OS sandboxing.
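Item 2 above (continuous SBOM monitoring) and the immediate action of auditing SDKs for known vulnerabilities are the same job run at different cadences: take the component list of each build, match it against a vulnerability feed by package identifier and version range, and alert on hits. The following is an added example, not code from the page's source or from any SBOM tool. It assumes a CycloneDX-style SBOM with package URLs (purls) and a feed of advisories expressed as an introduced/fixed version range; both the SBOM fragment and the advisories are constructed, and the advisory identifiers are placeholders, not real CVEs. Version comparison covers dotted numeric versions only.

```python
"""Match a CycloneDX-style SBOM against a vulnerability feed (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    id: str              # placeholder identifiers, not real CVEs
    purl_prefix: str     # package URL without the version, e.g. "pkg:maven/com.example/sdk"
    introduced: str      # first affected version (inclusive)
    fixed: str           # first fixed version (exclusive); "" if no fix exists


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.3-beta' -> (1, 2, 3); a non-numeric component ends the parse."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """-1, 0 or 1; shorter tuples are zero-padded so that 1.2 == 1.2.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa = pa + (0,) * (n - len(pa))
    pb = pb + (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def split_purl(purl: str) -> Tuple[str, str]:
    base, _, version = purl.partition("@")
    return base, version


def affected(component_purl: str, adv: Advisory) -> bool:
    """True when the component's version lies in [introduced, fixed)."""
    base, version = split_purl(component_purl)
    if base != adv.purl_prefix or not version:
        return False
    if cmp_versions(version, adv.introduced) < 0:
        return False
    return not adv.fixed or cmp_versions(version, adv.fixed) < 0


def scan_sbom(sbom: dict, feed: List[Advisory]) -> List[dict]:
    """Return one finding per (component, advisory) pair that matches."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        for adv in feed:
            if affected(purl, adv):
                hits.append({"component": purl, "advisory": adv.id,
                             "fix": adv.fixed or "no fix available"})
    return hits


# Constructed SBOM fragment (CycloneDX field names, made-up components).
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "ads-sdk", "version": "2.3.1", "purl": "pkg:maven/com.example/ads-sdk@2.3.1"},
        {"name": "crypto-lib", "version": "1.9.0", "purl": "pkg:maven/com.example/crypto-lib@1.9.0"},
        {"name": "logging", "version": "4.0.2", "purl": "pkg:maven/org.example/logging@4.0.2"},
    ],
}

# Constructed advisory feed; in practice this is refreshed from OSV, NVD or a vendor source.
FEED = [
    Advisory("ADV-CONSTRUCTED-001", "pkg:maven/com.example/ads-sdk", "2.0.0", "2.4.0"),
    Advisory("ADV-CONSTRUCTED-002", "pkg:maven/com.example/crypto-lib", "1.9.0", ""),
    Advisory("ADV-CONSTRUCTED-003", "pkg:maven/org.example/logging", "3.0", "4.0"),
]

if __name__ == "__main__":
    for hit in scan_sbom(SBOM, FEED):
        print(f"{hit['component']}: {hit['advisory']} (fix: {hit['fix']})")
```

Running the same scan on every feed update, not only on every build, is what makes the monitoring continuous: the third component is clean today, but the moment an advisory for its version lands in the feed the existing SBOM produces a finding without a rebuild.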
## Implementation Guidance
### For Small Organizations
- **Leverage Managed Services:** Rely heavily on Google Play Protect scanning and automated policy enforcement provided by the Play Store. Focus internal resources on input validation and secure coding practices for the application logic itself.
- **Standardize Tooling:** Adopt readily available, free/low-cost security analysis tools that integrate into existing CI/CD workflows rather than building custom auditing tools.
### For Medium Organizations
- **Formalize App Review Gates:** Introduce a mandatory "Security Sign-off" gate in the release process, requiring static analysis reports to clear predefined security benchmarks before submission.
- **Developer Training Focus:** Mandate specialized training for Android developers focusing on Android-specific attack surfaces, such as IPC vulnerabilities (Intents, Content Providers) and storage security controls.
### For Large Enterprises
- **Establish a Vulnerability Disclosure Program (VDP):** Formalize an internal or external program to incentivize the discovery and responsible reporting of zero-day vulnerabilities within proprietary applications.
- **Develop Custom Behavior Detection Models:** Utilize aggregated telemetry (if legally permissible and privacy compliant) to build machine learning models that flag anomalous app behavior or developer submission patterns indicative of potential platform abuse or malware propagation.
## Configuration Examples
*(Note: Specific configuration examples related to proprietary tooling like Google Play Protect are not detailed in the source material, so these are general Android hardening examples referencing known concepts.)*
**Example: Implementing Secure Intent Handling (Android Manifest hardening)**
Ensure that Broadcast Receivers, Activities, and Services that should only be internal to the app are explicitly marked as non-exported:
```xml
<!-- Components used only inside the app: mark them as not exported explicitly. -->
<service
    android:name=".InternalOnlyService"
    android:exported="false" />
<provider
    android:name=".InternalDataProvider"
    android:exported="false" />
```
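The rule behind the snippet above (and behind pitfall 3 below) is mechanical enough to check automatically in CI: a component is reachable by other apps when `android:exported="true"`, or when the attribute is absent and the component declares an `<intent-filter>` (the default before Android 12). The following is an added example, not code from the page's source or from Google's tooling, that applies that rule to a manifest and flags exported components that carry no `android:permission`. The sample manifest is constructed and reuses the component names from the snippet above.

```python
"""Lint an AndroidManifest.xml for components reachable from other apps (added example)."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(el: ET.Element, name: str):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component: ET.Element) -> bool:
    """Apply the platform default: explicit attribute wins, else exported iff an intent filter exists."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def _is_launcher(activity: ET.Element) -> bool:
    """The app's launcher activity is legitimately exported."""
    for f in activity.findall("intent-filter"):
        cats = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def lint_manifest(manifest_xml: str) -> List[Tuple[str, str, str]]:
    """Return (component_name, severity, message) findings."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is None:
        return [("<manifest>", "error", "no <application> element")]
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = _attr(comp, "name") or "?"
        if _attr(comp, "exported") is None and comp.find("intent-filter") is not None:
            findings.append((name, "error",
                             "android:exported missing on a component with an <intent-filter>: "
                             "implicitly exported, and rejected when targeting Android 12+"))
        if is_exported(comp) and _attr(comp, "permission") is None:
            if comp.tag == "activity" and _is_launcher(comp):
                continue
            findings.append((name, "warning", f"exported {comp.tag} without android:permission"))
    return findings


# Constructed manifest: a launcher activity, a correctly internal service, a receiver that
# is exported only implicitly, and a provider exported to every app with no permission.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <service android:name=".InternalOnlyService" android:exported="false" />
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.app.SYNC" />
      </intent-filter>
    </receiver>
    <provider android:name=".InternalDataProvider"
              android:authorities="com.example.app.data"
              android:exported="true" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, severity, message in lint_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {name}: {message}")
```

A receiver like `.SyncReceiver` is the case that tends to slip through review: nothing in its declaration says "exported", yet any app on the device can send it the `com.example.app.SYNC` action until `android:exported="false"` or an `android:permission` is added.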
**Example: Enforcing Network Security Configuration (TLS Enforcement)**
Configure `network_security_config.xml` to block cleartext traffic (so every connection must use TLS) and to trust only the system CA store, with a per-domain override where certificate pinning is wanted for high-value endpoints:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Default for every domain: no cleartext HTTP; trust only system CAs (user-added CAs are not trusted). -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Per-domain override for high-value endpoints. -->
    <domain-config>
        <domain includeSubdomains="true">api.yourcompany.com</domain>
        <!-- An empty <pin-set> enforces nothing. When real SPKI digests are available,
             add them with a backup pin and an expiration date, for example:
        <pin-set expiration="YYYY-MM-DD">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_BASE64_SPKI_SHA256</pin>
        </pin-set>
        -->
    </domain-config>
</network-security-config>
```

(This file is then referenced from the `<application>` element of the Android Manifest with `android:networkSecurityConfig="@xml/network_security_config"`.)
## Compliance Alignment
The stated goals of securing the ecosystems indirectly align with several major frameworks:
* **NIST Cybersecurity Framework (CSF):** Focus areas map heavily to "Protect" (e.g., implementing access control, data security) and "Detect" (e.g., monitoring for anomalous activity).
* **ISO/IEC 27001:** Specifically related to Annex A controls concerning secure development policies (A.14) and supplier relationships (if leveraging third-party SDKs).
* **CIS Controls (v8):** Aligns with Controls 4 (Secure Configuration) and 12 (Network Monitoring).
## Common Pitfalls to Avoid
1. **Over-reliance on Obfuscation Alone:** Do not treat code obfuscation as a silver bullet. It delays attackers but will not stop a determined adversary; layer it with strong runtime integrity checks.
2. **Ignoring Supply Chain Visibility:** Assuming that because a dependency was safe last quarter, it remains safe this quarter. Continuous monitoring for transitive dependencies is critical.
3. **Misconfiguring Intent Filters:** Failing to set `android:exported="false"` on internal components leads to easily exploited IPC vulnerabilities where malicious third-party apps can trigger internal functions.
## Resources
* **Google Play Developer Policies:** Review the latest policies for application submission and targeting consumer data. (Source link: Consult the relevant Google Play Developer portal documentation).
* **Android Security Documentation:** Refer to Google's official Android Security Best Practices guides for implementation details on memory safety and permission handling.
* **Vulnerability Disclosure Program (VDP) Information:** Review guidelines for responsible vulnerability reporting to track current platform weaknesses. (Source link: Consult the relevant Google Security Research pages).