For the better part of two years, Google’s made a concerted effort to improve control over data in Android apps, chiefly by introducing system-level changes in Android, refining its Google Play developer policies, requiring developers to disclose the collection and use of sensitive data, and restricting access to certain permissions (like those involving SMS and call logs). But it hasn’t always been fully transparent about these changes, and toward that end, the Mountain View company today announced that it’s “clarifying” several of its rules and reviewing the way it handles noncompliant apps.
“From the outset, we’ve sought to craft Android as a completely open source operating system … This developer-centric approach and openness have been cornerstones of Android’s philosophy from the beginning,” vice president of product management Sameer Samat wrote in a blog post. “But as the platform grows and evolves, each decision we make comes with trade-offs … This responsibility to users is something we have always taken seriously.”
Google says that in the coming weeks, it’ll revamp the email messages it sends for policy rejections and appeals to “better explain” them with more details, including why a decision was made, how apps might be modified to comply, and how to appeal. It also says that it’ll include appeal instructions in all enforcement emails along with the corresponding forms going forward, and that it’ll add more reviewers to its app review team in order to “accelerate” the appeals process and make it more “personalized.”
Additionally, Google says it’ll now take more time to review apps by developers without a proven track record, which it contends will allow it to perform “more thorough” checks before approving apps to go live in the Google Play Store and help it make fewer inaccurate decisions on developer accounts. “While the vast majority of developers on Android are well-meaning, some accounts are suspended for serious, repeated violation of policies that protect our shared users,” Samat said. “While 99%+ of these suspension decisions are correct, we are also very sensitive to how impactful it can be if your account has been disabled in error.”
Today’s news comes two months after Google began requiring all new apps to target API level 28 (Android 9) or higher by August 2019, and mandating that updates to existing apps target API level 28 or higher by November 2019. In a related announcement, it said that Google Play Protect — an automated security solution that scans more than 50 billion apps on billions of devices each day — would begin to warn users when they attempt to install apps, from any source, that don’t target a recent API level.
Despite a few bumps in the road, Google’s recent policy changes have measurably decreased the number of predatory Android apps in the wild.
The company reports that the number of apps with access to text message and call information has declined by more than 98%. And in its annual Android Security & Privacy Year in Review, Google revealed that in 2018, only 0.08 percent of devices that used Google Play exclusively for app downloads were affected by potentially harmful applications (PHAs), and that even devices that installed apps from outside of Play — 0.68 percent of which were affected by one or more PHAs, down from 0.80 percent in 2017 — saw a 15 percent reduction in malware.