Skip to main content

Android Security Improvement Update: Helping Developers Harden Their Apps, One Thwarted Vulnerability At A Time

By admin

Posted by Patrick Mutchler and Meghan Kelly, Android Security & Privacy Team

Helping Android app developers build secure apps, free of known vulnerabilities, means helping the overall ecosystem thrive. This is why we launched the Application Security Improvement Program five years ago, and why we're still so invested in its success today.

What the Android Security Improvement Program does

When an app is submitted to the Google Play store, we scan it to determine if a variety of vulnerabilities are present. If we find something concerning, we flag it to the developer and then help them to remedy the situation.

Think of it like a routine physical. If there are no problems, the app runs through our normal tests and continues on the process to being published in the Play Store. If there is a problem, however, we provide a diagnosis and next steps to get back to healthy form.

Over its lifetime, the program has helped more than 300,000 developers to fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users with the same security issues present, which we consider a win.

What vulnerabilities are covered

The App Security Improvement program covers a broad range of security issues in Android apps. These can be as specific as security issues in certain versions of popular libraries (ex: CVE-2015-5256) and as broad as unsafe TLS/SSL certificate validation.

We are continuously improving this program's capabilities by improving the existing checks and launching checks for more classes of security vulnerability. In 2018, we deployed warnings for six additional security vulnerability classes including:

  1. SQL Injection
  2. File-based Cross-Site Scripting
  3. Cross-App Scripting
  4. Leaked Third-Party Credentials
  5. Scheme Hijacking
  6. JavaScript Interface Injection

Ensuring that we're continuing to evolve the program as new exploits emerge is a top priority for us. We are continuing to work on this throughout 2019.

Keeping Android users safe is important to Google. We know that app security is often tricky and that developers can make mistakes. We hope to see this program grow in the years to come, helping developers worldwide build apps users can truly trust.

Comments

Post a Comment

Popular posts from this blog

Reversing C++ String And QString

By admin
After the rust string overview of its internal substructures, let's see if c++ QString storage is more light, but first we'r going to take a look to the c++ standard string object: At first sight we can see the allocation and deallocation created by the clang++ compiler, and the DAT_00400d34 is the string. If we use same algorithm than the rust code but in c++: We have a different decompilation layout. Note that the Ghidra scans very fast the c++ binaries, and with  rust binaries gets crazy for a while. Locating main is also very simple in a c++ compiled binary, indeed is more  low-level than rust. The byte array is initialized with a simply move instruction:         00400c4b 48 b8 68        MOV        RAX,0x6f77206f6c6c6568 And basic_string generates the string, in the case of  rust this was carazy endless set of calls, detected by ghidra as a runtime, but nevertheless the basic_str...
Post a Comment
Read more

The Base Blockchain Airdrop: Hidden Opportunities You Don’t Want to Miss!

By admin
The Base blockchain, supported by Coinbase, is making waves in the crypto space with its surging Total Value Locked (TVL) and potential airdrop opportunities. In this article, we'll dive deep into Base's ecosystem, its key protocols, and strategies for maximizing potential rewards. We'll also explore SynFutures, a standout perpetual protocol, and other exciting opportunities that could set the stage for a lucrative airdrop. Base Blockchain: A Rising Star Current Status Base has climbed to the sixth position among blockchains in terms of TVL, surpassing even Arbitrum, the long-time leader in Ethereum Layer 2 solutions. With $4 billion+ in TVL , Base's rapid growth is drawing attention from the crypto community. Why the Excitement Around a Potential Airdrop? Coinbase Backing: As a leading exchange, Coinbase's involvement ensures credibility and innovation. Changing Regulations: With evolving regulatory clarity, there's renewed optimism for potential rewards lik...
Post a Comment
Read more

5 Costly Crypto Investing Mistakes to Avoid in Choppy Markets

By admin
Crypto markets can be a wild ride, with exhilarating highs often followed by gut-wrenching lows. Many investors see massive gains during bullish trends only to watch them evaporate in sideways or bearish phases. The key to preserving your portfolio lies in avoiding common pitfalls that trap even seasoned traders. This article dives into five critical mistakes crypto investors make in choppy markets and offers actionable strategies to steer clear of them. Whether you're a beginner or a veteran, these insights will help you navigate the volatile crypto landscape with discipline and confidence. The Perils of Slow Decision-Making In crypto, hesitation can be costly. Opportunities often arise from compelling setups — whether it's a promising chart pattern, a groundbreaking technological innovation, or strong on-chain signals like whale wallet activity. However, in dull or sideways markets, investors often become lethargic, missing the window to act. By the time social media buzz ign...
Post a Comment
Read more