Google’s new app safety policy is like the fox guarding the hen house, says expert
Today is the deadline for Android developers to populate Google’s new Data Safety section in the Play Store. The policy update requires all Android app developers to declare how they collect and handle user data for the apps they publish on Google Play by July 20.
Nonetheless, Google apparently will use the new safety feature to replace the app permissions list that used to accompany software on its Play Store. The update appears to transfer responsibility for reporting what apps do with a user’s device solely to developers.
While providing users with the right amount of information to decide what’s best for them is always challenging, Alex Hamerstone, advisory solutions director at TrustedSec, said the update requires improvement in trust.
The app permissions list is not perfect. Dozens of technical permissions are challenging to understand for an average user. The list is curated by Google’s automated analysis, and it’s not always clear what the access being requested is for.
The Data Safety feature is meant to address just that. As Google puts it, the update is intended to “provide more user transparency and to help people make informed choices.” So the reasoning goes, developers know their apps best and are therefore best placed to explain why the data is needed.
However, if Google drops the app permissions list, specific data requests will no longer be transparent to the user and will instead occur behind the scenes, thinks Brian Contos, CSO of Phosphorus Cybersecurity.
The risk is that cybercriminals will exploit the policy to target users with legitimate-looking apps, a tactic that researchers say already makes it harder to detect apps with hidden malware.
“This feels like a step backwards when users need to be more informed, not less, about the data they are sharing and that is being collected. This is especially concerning given the issues that the Google Play store has had, and continues to have, with malicious apps,” Hamerstone said.
The Play Store policy change can leave users with no real way of knowing how much and what type of data the app collects. Experts we’ve talked to think that removing the permissions list increases a consumer’s chances of installing a dangerous app.
“Google’s new policy is sort of like letting cigarette or drug companies write their own warning labels. You’ve got to have a lot of trust to expect them to be forthcoming with all of the relevant information,” Contos said.
Need for education
The key upside to the Data Safety feature is a simplification of a complicated policy. In theory, the update should allow Play Store customers to compare apps using the same categories of information and have a common formula to assess the privacy and security of their information.
“Simplification of complicated policies and uses of information is a win-win for consumers,” Dr Chris Pierson, the CEO of cybersecurity company BlackCloak, said.
Even though the developer-written descriptions may reduce users’ ability to understand how their data is used, the percentage of people who actually review the information before downloading is likely insignificant, meaning that the real-world implications of the change won’t be dramatic.
“What is needed is a better way to educate consumers on privacy impacts of apps, have a common scoring system, and present the data to the consumer on download, so they at least have a chance to review it and change their mind,” Dr Pierson explained.
One thing that’s unlikely to change even if Google updates the Play Store policy is how threat actors think. Whatever the policy update, and whoever is responsible for disclosing how user data is used and processed, a malicious actor who lies about what an app does today is likely to keep lying about what it will do in the future.
“They might be able to just hide it better from the small percentage of consumers who review the information pages on an app before downloading and using the app,” Dr Pierson said.