In an effort to improve Android app security, integrity, and quality, Google notified Android developers on Friday that it is revising its Google Play Developer Program Policies to deter abusive practices. The company has given developers offering apps through Google Play 15 days to revise apps that fail to meet its requirements.
More oversight should be beneficial. The number of malicious Android apps available through Google Play grew 388% from 2011 to 2013, the security firm RiskIQ said in February. During this period, the percentage of malicious apps removed by Google annually declined from 60% in 2011 to 23% in 2013.
All new apps submitted to Google Play are subject to Google's new policy. Developers with apps found to violate the rules might receive a warning to fix the issue, or they might have their noncompliant apps removed from Google Play.
The changes are as follows:
1. Sexual content clarification
Previously, Google's rules said that Google Play does not allow sexually explicit material. The revision covers not only apps that contain sexually explicit material, but also apps that promote it. In addition, Google notes that its rules cover icons and product descriptions in Google Play.
2. No deceptive promotion
Developers may not use deceptive ads on websites, apps, or elsewhere, "including simulated system, service, or app notifications or alerts." They may not use promotion or installation tactics that cause redirection to Google Play or initiate an app download without informed user consent. And they may not engage in unsolicited promotion via SMS services.
3. In-app payment disclosure
In-app payments have been a source of controversy for both Android and iOS devices. In January, Apple and the FTC announced a $32.5 million settlement to end a lawsuit over kids making unauthorized in-app purchases. In March, Google was hit with a similar claim from an aggrieved parent. The Google Play policy changes seek to ensure that app makers disclose possible charges when app descriptions mention features subject to in-app fees.
4. System interference clarification
Google previously banned adding content partner links to a user's homescreen and bookmarks. The revised rules expand this prohibition to forbid modifying settings or bookmarks.
5. Ads policy clarification
Amplifying its prohibition on deceptive app promotion and UI elements masquerading as system notifications, Google requires that "all advertising behavior must be properly attributed to, or clearly presented in context with the app it came along with." In other words, users must be able to tell which app is presenting each ad.
6. Dangerous products expansion
Google has extended its rules to prohibit not only the transmission of malware but also the inclusion of links that lead to malware. The company has also updated its spyware policy to cover surveillance and tracking apps.
Google maintains that the openness of Android is a security strength. "An often overlooked benefit of openness is security: by developing in the open, anyone can check Android's code to verify that it's trustworthy or discover areas where it can be improved," Google security engineer Adrian Ludwig wrote in a December blog post. "Furthermore, the security community can even write code to make Android stronger and protect it against unrealized attacks."