Google tightens up Play Store policy, officially bans "off-market" updates...

Filed Under: Android, Featured, Malware

Google has made a number of changes to its Android Play Store ecosystem recently.

Part of the reason is that Mountain View has been copping lots of flak for the prevalence of malware in unofficial application markets, often in pirated apps.

That's a trifle unfair, since one of the attractions of Android over Apple's iOS is that it's actually possible to shop "off-market" if you wish.

Sure, there's a greater risk of shooting yourself in the foot if you do, but you're not forced to live dangerously, and even if you do go outside the Play Store, a little caution goes a long way towards keeping you safe.

More realistically, however, Google has been criticised for the appearance of malicious apps in its own Play Store.

In response to this criticism, Google went against the pronouncement of the company's official Community Chap, Chris DiBona, who dubbed anti-virus techies "charlatans."

The company ended up building a rudimentary anti-virus into Android itself.

Configured via the Verify apps item on the Security Settings page, this feature allows you to "disallow or warn before installation of apps that may cause harm."

Cynics might argue that this represents a copout, since the vetting process that accepts an app into the Play Store in the first place ought to be sufficiently vigorous to ensure that apps are verified before they are published, not after they are installed.

That's nonsense, of course, not least because Verify apps can be used to assess off-market software, as well as to give a second opinion on software that passed its initial inspection but has since been noticed to misbehave.

→ Imagine that you gave me two files, one of which you knew had a virus in it, and the other you knew did not. Ceteris paribus, you'd expect me, on average, to take much longer to assert that the clean file really was clean than to spot that the viral one really was infected. Absence of evidence isn't evidence of absence.

Google's next big operational switch went the other way, kicking out from the Play Store a bunch of apps that were not just non-malicious by any reasonable definition, but actually a long-accepted part of the software security and control world.

The apps that were pushed onto their swords in March 2013 were ad-blockers, apps that do their best to identify ads and ad-serving sites, and to filter them out of your browsing experience.

Our readers didn't agree with this ban, with over 90% of respondents in our poll (as at 2013-04-28T05:15Z) imploring Google to restore ad-blockers to first-class app status.

But it wasn't a surprising change.

Google is bankrolled by online ads, and many legitimate apps exist in both "free" and paid versions, with the former supported by revenues from in-app adverts.

The detractors of ad-blockers argue that people aren't likely to pay for the ad-free version if they can get apps, sanctioned by Google in the Play Store itself, to make the ads disappear anyway.

(Ad-blocked "free" versions are rarely equivalent to the paid versions, and many free apps these days have a built-in advert opt-out anyway, but those are details we'll ignore here.)

The latest developer-facing change in the Play Store is Google's recent policy addition, in the Dangerous Products section, about updating:

One possible downside to this is that it now explicitly prevents developers from publishing emergency patches via their own websites, even if only part of the app is changed, while waiting for the new version to be approved into the Play Store.

On balance, though, this seems like a loophole that needed closing.

The risk of a bait-and-switch, where an app draws you in under a veneer of Google-bestowed legitimacy and then turns itself into something you'd never have chosen if only you had known, is obvious.

→ There's an uncomputable ironic tension between a slow, conservative approval process that might force users occasionally to install off-market interim versions for legitimate security reasons, and a rapid one that might allow unscrupulous developers to sneak through dubious changes under the guise of vital patches. In either case, a "second opinion," whether through Google's own Verify apps option, or a third-party security tool such as Sophos Security and Antivirus, can be considered an important part of defence-in-depth.

And that's Google's latest evolutionary move in the Play Store world, with the situation now looking like this:

  • Android itself can optionally Verify apps when you download them.
  • The official Play Store market is also open to third-party anti-malware tools, unlike Apple's iOS.
  • Play Store apps are now only allowed to update their core code via the Play Store.
  • But ad-blockers aren't welcome any more, which seems a pity.

Android has a not entirely unjustified reputation as a den of mobile malware iniquity, but it's still possible to enjoy a malware-free experience on the platform.

And there are plenty of reputable tools to help you protect your Android smartphone or tablet against the increasing number of threats.

That includes (and you knew this link was coming, didn't you?) the Sophos Security and Antivirus app.


4 Responses to Google tightens up Play Store policy, officially bans "off-market" updates...

  1. Freida Gray · 552 days ago

    I find it interesting that Google doesn't allow apps that collect information, such as a user's location or behavior, without the user's knowledge. Yet they allowed the Street View cars to do just that; probably they weren't apps, or maybe Google thought everybody knew they were collecting all of the data they were collecting.

  2. Didn't Facebook JUST add off-market updates this past month? They've gotta be a little annoyed by this.

  3. Robert (Jamie) Munro · 551 days ago

    You say: "One possible downside to this is that it now explicitly prevents developers from publishing emergency patches via their own websites".

    Last time I pushed an app to the play store, it was live in about 30 minutes, unlike iOS where it typically takes nearly a week.

  4. Greg · 551 days ago

    I have a feeling that this may be in response to the Facebook app on Android updating outside of the Play Store update mechanism rather than for virus protection.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog