
Google details App Defense Alliance work on Android Malware Mitigation, certifications

Google announced the App Defense Alliance (ADA) three years ago to “stop bad apps before they reach users’ devices,” and today recapped its work in 2022.

Malware Mitigation before an app gets published on Google Play is the ADA’s primary goal:

Through this program, Google Play Protect detection systems directly communicate with each partner’s scanning engines. This generates new app risk intelligence as apps are being queued to publish. Partners analyze this dataset and act as an additional vital set of eyes before an app goes live on the Play store.

Thousands of apps are scanned daily with “secure two-way communication” between Google and third parties. ESET, Lookout, and Zimperium were the initial partners, with McAfee and Trend Micro joining in 2022. 

Another App Defense Alliance initiative, now widely available after launching in beta this year, is the Mobile App Security Assessment (MASA), in which developers “have their apps independently validated against the Mobile Application Security Verification Standard (MASVS standard) under the OWASP Mobile Application Security project.”

The project’s mission is to “Define the industry standard for mobile application security,” and has been used by both public and private sector organizations as a form of industry best practices when it comes to mobile application security. 

This work is done by ADA Authorized Labs with a public, user-facing App Validation Directory that notes the “validation date, test lab, and a report showing all test steps / requirements.” This appears as the “Independent security review” badge on an app’s Data Safety section in the Play Store. Various Google apps have undergone this, while third-party ones include Roblox, Uber, and PayPal.

On average, developers have completed validation within a month and resolved two outstanding issues identified by a security lab.  

Lastly, the Cloud App Security Assessment (CASA) is focused on the server backend of applications:

The CASA framework provides multiple assurance levels in which low-risk cloud applications can be evaluated using either a self assessment or automated scan. For applications which present higher risk (such as a large user base, recent security breach, or processes highly sensitive data), an Authorized Lab may perform an assessment.


Author

Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com