Google Play has flagged 1 million Android apps for pre-release security issues in 5 years

Abner Li | Feb 28 2019 - 10:00 am PT

One way Google ensures safety on the Play Store is by scanning apps that developers upload for common security vulnerabilities. Now five years old, Google is providing an update on the progress of the Application Security Improvement Program.

When developers upload a new version of an application to the Play Console, Google will automatically scan it for “potential security enhancements” and provide “recommendations for building more secure apps.”

If the former is detected, devs will occasionally have to address issues before an app can be published or updated. This includes specific vulnerabilities like bugs in popular libraries or unsafe TLS/SSL certificate validation. In 2018, Google added six additional security vulnerability classes, with the full list also available:

SQL Injection
File-based Cross-Site Scripting
Cross-App Scripting
Leaked Third-Party Credentials
Scheme Hijacking
JavaScript Interface Injection

Since launching five years ago, Google notes that the program has helped more than 300,000 developers fix over 1,000,000 apps. In 2018, 30,000 developers were able to fix 75,000 applications.

Google also looks for potentially harmful applications (PHA) with Play Protect, which is available on over 2 billion Android devices. This effort is enabled by default on all new phones and tablets in 2018, and is the security warnings that users primarily interact with.

For example, when installing a new or rare app, Google will display a warning until it has analyzed the application and determined it is not harmful. Last year, Play Protect showed this warning 100,000 times per day. Another warning is a bold dialogue that warns users when they are about to launch a PHA, with an explanation of why it’s harmful and the option to uninstall.

More about Google Play:

Add 9to5Google to your Google News feed.

FTC: We use income earning auto affiliate links. More.