
Google Online Security Blog: How we fought bad apps and bad actors in 2023

Obioban

Summary

Google's PR piece about what they did this year. I thought it was worth linking to to point out that app stores do serve a fairly significant utility, that mostly goes under the radar when all is going as it should. 

 

Quotes

Quote

In 2023, we prevented 2.28 million policy-violating apps from being published on Google Play in part thanks to our investment in new and improved security features, policy updates, and advanced machine learning and app review processes. We have also strengthened our developer onboarding and review processes, requiring more identity information when developers first establish their Play accounts. Together with investments in our review tooling and processes, we identified bad actors and fraud rings more effectively and banned 333K bad accounts from Play for violations like confirmed malware and repeated severe policy violations.

 

Additionally, almost 200K app submissions were rejected or remediated to ensure proper use of sensitive permissions such as background location or SMS access.

 

My thoughts

I'm not really sure what the solution is here. I do think alternate app stores should be allowed to exist, but inevitably someone like Facebook or Epic is going to make their app require their store, at which point people who don't understand what they're doing will install it, at which point... ticking clock till they install something they shouldn't.

 

Sources

https://security.googleblog.com/2024/04/how-we-fought-bad-apps-and-bad-actors-in-2023.html


30 minutes ago, Obioban said:

In 2023, we prevented 2.28 million policy-violating apps from being published on Google Play

I wonder if the Floatplane app is included in this metric xD

(Actually wasn't it the Apple app store they had issues with? It's hard to remember which tech giant was more of an asshole this year.)


1 hour ago, Obioban said:

I'm not really sure what the solution is here. I do think alternate app stores should be allowed to exist, but inevitably someone like Facebook or Epic is going to make their app require their store, at which point people who don't understand what they're doing will install it, at which point... ticking clock till they install something they shouldn't.

The solution is in the blog (https://security.googleblog.com/2024/04/how-we-fought-bad-apps-and-bad-actors-in-2023.html):

Quote

To better protect our customers who install apps outside of the Play Store, we made Google Play Protect’s security capabilities even more powerful with real-time scanning at the code-level to combat novel malicious apps.

 


As for Google Play Store:

1 hour ago, Obioban said:

I thought it was worth linking to to point out that app stores do serve a fairly significant utility, that mostly goes under the radar when all is going as it should. 

meh, lots of fluff with near zero impact on actual user privacy and safety.


Take this for example:

1 hour ago, Obioban said:

In 2023, we prevented 2.28 million policy-violating apps from being published on Google Play

Quote

To give users more control over their personal data, apps that enable account creation now need to provide an option to initiate account and data deletion from within the app and online. This web requirement is especially important so that a user can request account and data deletion without having to reinstall an app. To simplify the user experience, we have also incorporated this as a feature within the Data safety section of the Play Store.

(https://security.googleblog.com/2024/04/how-we-fought-bad-apps-and-bad-actors-in-2023.html)
This is a policy violation:

[image]

And how exactly is Google gonna check if we <Redacted> are actually deleting anything from our servers?
The violation was "fixed" and the badge is still there without Google knowing anything about how we actually store, delete, or handle data...

[image]
All Google can do is take our word, and cover their asses.
So if we are mishandling user data, Google's hands are "clean".

Does the data deletion page we added actually do anything?

 

The point is that the Google Play Store is lulling you into a false sense of security and/or privacy.

They are copying Apple, you can find the same shenanigans on the App Store:
[image]

Well obviously: "This information has not been verified by Apple", because it would be near impossible for them to do so.

But it sure makes you (the user) feel better seeing the app doesn't have anything listed under "Data Used to Track You",
which is entirely self-reported by the developers...

 

