Skip to main content

Android Security Improvement Update: Helping Developers Harden Their Apps, One Thwarted Vulnerability At A Time

By admin

Posted by Patrick Mutchler and Meghan Kelly, Android Security & Privacy Team

Helping Android app developers build secure apps, free of known vulnerabilities, means helping the overall ecosystem thrive. This is why we launched the Application Security Improvement Program five years ago, and why we're still so invested in its success today.

What the Android Security Improvement Program does

When an app is submitted to the Google Play store, we scan it to determine if a variety of vulnerabilities are present. If we find something concerning, we flag it to the developer and then help them to remedy the situation.

Think of it like a routine physical. If there are no problems, the app runs through our normal tests and continues on the process to being published in the Play Store. If there is a problem, however, we provide a diagnosis and next steps to get back to healthy form.

Over its lifetime, the program has helped more than 300,000 developers to fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users with the same security issues present, which we consider a win.

What vulnerabilities are covered

The App Security Improvement program covers a broad range of security issues in Android apps. These can be as specific as security issues in certain versions of popular libraries (ex: CVE-2015-5256) and as broad as unsafe TLS/SSL certificate validation.

We are continuously improving this program's capabilities by improving the existing checks and launching checks for more classes of security vulnerability. In 2018, we deployed warnings for six additional security vulnerability classes including:

  1. SQL Injection
  2. File-based Cross-Site Scripting
  3. Cross-App Scripting
  4. Leaked Third-Party Credentials
  5. Scheme Hijacking
  6. JavaScript Interface Injection

Ensuring that we're continuing to evolve the program as new exploits emerge is a top priority for us. We are continuing to work on this throughout 2019.

Keeping Android users safe is important to Google. We know that app security is often tricky and that developers can make mistakes. We hope to see this program grow in the years to come, helping developers worldwide build apps users can truly trust.

Comments

Post a Comment

Popular posts from this blog

Reversing C++ String And QString

By admin
After the rust string overview of its internal substructures, let's see if c++ QString storage is more light, but first we'r going to take a look to the c++ standard string object: At first sight we can see the allocation and deallocation created by the clang++ compiler, and the DAT_00400d34 is the string. If we use same algorithm than the rust code but in c++: We have a different decompilation layout. Note that the Ghidra scans very fast the c++ binaries, and with  rust binaries gets crazy for a while. Locating main is also very simple in a c++ compiled binary, indeed is more  low-level than rust. The byte array is initialized with a simply move instruction:         00400c4b 48 b8 68        MOV        RAX,0x6f77206f6c6c6568 And basic_string generates the string, in the case of  rust this was carazy endless set of calls, detected by ghidra as a runtime, but nevertheless the basic_str...
Post a Comment
Read more

דף הבית | הטכניון - מכון טכנולוגי לישראל

By admin
https://technion.ac.il http://library.technion.ac.il/he https://www.technion.ac.il/%D7%A8%D7%A9%D7%99%D7%9E%D7%AA-%D7%94%D7%A4%D7%A7%D7%95%D7%9C%D7%98%D7%95%D7%AA-2/ http://www.admin.technion.ac.il/dpcalendar/ https://www.technion.ac.il/%D7%94%D7%A0%D7%94%D7%9C%D7%94-%D7%91%D7%9B%D7%99%D7%A8%D7%94/ https://www.technion.ac.il/%D7%A1%D7%9E%D7%99%D7%A0%D7%A8%D7%99%D7%9D/ https://dean.web.technion.ac.il/%D7%A7%D7%9E%D7%A4%D7%95%D7%A1-%D7%AA%D7%95%D7%A1%D7%A1/ http://www.dmag.co.il/pub/technion/tmag.html http://moodle.technion.ac.il/ https://tender-logistics.web3.technion.ac.il http://cis.technion.ac.il/ http://video.technion.ac.il/ https://portal.technion.ac.il/irj/portal https://www.technion.ac.il/ https://www.technion.ac.il/en/home-2/ http://arabic.net.technion.ac.il https://www.technion.ac.il/%d7%97%d7%96%d7%95%d7%9f-%d7%94%d7%98%d7%9b%d7%a0%d7%99%d7%95%d7%9f/ https://www.technion.ac.il/%d7%94%d7%99%d7%a1%d7%98%d7%95%d7%a8%d7%99%d7%99%d7%aa-%d7%94%d7%98%d7%9b%d7%a0%d7%99%d7%95%d7%9f/ ht...
Post a Comment
Read more

Top 12 Highest Paying URL Shortener 2019: Best URL Shortener to Earn Money

By admin
Short.pe Short.pe is one of the most trusted sites from our top 30 highest paying URL shorteners.It pays on time.intrusting thing is that same visitor can click on your shorten link multiple times.You can earn by sign up and shorten your long URL.You just have to paste that URL to somewhere. You can paste it into your website, blog, or social media networking sites.They offer $5 for every 1000 views.You can also earn 20% referral commission from this site.Their minimum payout amount is only $1.You can withdraw from Paypal, Payza, and Payoneer. The payout for 1000 views-$5 Minimum payout-$1 Referral commission-20% for lifetime Payment methods-Paypal, Payza, and Payoneer Payment time-on daily basis Short.am Short.am provides a big opportunity for earning money by shortening links. It is a rapidly growing URL Shortening Service. You simply need to sign up and start shrinking links. You can share the shortened links across the web, on your webpage, Twitter, Facebook, and more. Short...
Post a Comment
Read more