Android is not famed for its security, and that is partly a consequence of the bargain that makes Google's mobile platform so appealing to developers and manufacturers: Google hands the OS to OEMs, who can do what they like with it. Once you step beyond the stock Android experience, that freedom leaves the platform exposed. Google now says some of the measures it has created to protect the OS are paying off.

One of those measures is the Application Security Improvement Program, which scans apps submitted to the Play Store for known classes of vulnerabilities and tells their developers how to fix them. Google says it has flagged over one million apps for security issues since the program was announced.

The company also says that in 2018 alone more than 30,000 developers fixed over 75,000 apps in response to its warnings. Google explains what the Application Security Improvement Program does:

“Think of it like a routine physical. If there are no problems, the app runs through our normal tests and continues on the process to being published in the Play Store. If there is a problem, however, we provide a diagnosis and next steps to get back to healthy form,” Google says on its online security blog.

The program checks for a range of vulnerability classes, and in 2018 the following were added to the list:

  • SQL Injection
  • File-based Cross-Site Scripting
  • Cross-App Scripting
  • Leaked Third-Party Credentials
  • Scheme Hijacking
  • JavaScript Interface Injection
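
To make the first item on that list concrete, here is an added example, written for this article and not taken from Google's program or from any app it flagged. It shows an exported Android ContentProvider that builds SQL from a caller-supplied selection string, the kind of flaw the program warns about, beside the hardened form. The table, column and class names (notes, owner, body, NotesProvider) are hypothetical, and the code assumes the Android SDK.

```java
// Added example (not from the article or from Google): a ContentProvider with a
// SQL injection flaw beside its hardened form. Table "notes(_id, owner, body)" and
// the class name are hypothetical; requires the Android SDK to compile.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

public class NotesProvider extends ContentProvider {
    private static final String TABLE = "notes";
    // Columns a caller is allowed to name. "owner" is deliberately absent so that
    // other apps can neither select it nor filter on it.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("body", "body");
    }
    private SQLiteOpenHelper helper;

    @Override public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "notes.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE notes(_id INTEGER PRIMARY KEY, owner TEXT, body TEXT)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
        };
        return true;
    }

    // VULNERABLE: when the provider is exported, "selection" arrives from whatever app
    // calls it and is pasted straight into SQL. A caller passing
    //   "1=0) UNION SELECT owner, body FROM notes WHERE (1=1"
    // turns the statement into
    //   SELECT _id, body FROM notes WHERE owner = 'me' AND (1=0)
    //   UNION SELECT owner, body FROM notes WHERE (1=1)
    // and reads the owner column of every row, which the projection never exposed.
    public Cursor queryVulnerable(String selection) {
        SQLiteDatabase db = helper.getReadableDatabase();
        return db.rawQuery(
            "SELECT _id, body FROM notes WHERE owner = 'me' AND (" + selection + ")", null);
    }

    // HARDENED: SQLiteQueryBuilder in strict mode first compiles the selection wrapped
    // in parentheses, so a selection that breaks out of the WHERE clause (as above)
    // fails to compile instead of running; with a projection map, columns outside the
    // map are rejected; and caller values travel as bound parameters (selectionArgs),
    // never as SQL text.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);
        SQLiteDatabase db = helper.getReadableDatabase();
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // A well-behaved caller binds its value instead of building SQL:
    //   getContentResolver().query(uri, new String[]{"body"}, "body LIKE ?",
    //                              new String[]{"%" + userInput + "%"}, null);

    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection,
                                String[] selectionArgs) { return 0; }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; }
}
```

The query builder is only half of the fix: a provider that does not need to serve other apps should also be declared with android:exported="false" in the manifest, or guarded by a permission, so that the selection string is never attacker-controlled in the first place. The other items on the list (cross-app scripting, JavaScript interface injection, scheme hijacking) follow the same pattern of an exported component trusting input from another app or web page.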

Still Issues

Google will continue to “evolve” the program and protect against new threats. The question is whether the program is enough. It has helped developers fix a vast number of security issues, but it finds vulnerabilities in legitimate apps rather than catching malicious ones, and there is no doubt that apps carrying malware continue to reach Android users.

Of course, other parts of Android fall outside the program entirely. Last month we discussed a system-level vulnerability that let bad actors attack a device through PNG files.

A remote attacker could craft a PNG file that, when the device decoded it, executed arbitrary code in the context of a privileged process. Getting a user to open such a file could be as easy as hiding the payload inside an image that looks harmless, or otherwise seemingly innocent.