Google Details New Privacy and Security Policies for Android Apps

Google this week announced a series of updates to its Google Play policies that are meant to improve overall user privacy and security and provide more control over ads personalization.

The internet giant has decided to share more details on an upcoming safety section that was initially announced in May, and which will be added to Google Play in the first quarter of the next year. As per the new policy, all applications in Google Play will be required to detail their privacy and security practices by April 2022.

In the new safety section, developers can share details on the application’s security practices (e.g. data encryption), whether the application follows Google Play’s Families policy, and whether it has been independently validated against a global security standard.

Users will be able to access the section from any application’s listing on Google Play, to learn more about what type of data the app collects and shares, how that data is used, and whether they can opt out of the data collection.

All application developers are required to provide a privacy policy, regardless of whether their app collects personal or sensitive information. Developers should provide accurate and complete information in their safety section, including details on the data used by third-party libraries or SDKs, Google says.

“This applies to all apps published on Google Play, including Google’s own apps,” the company underlines.

Developers can start submitting the required information in the Google Play Console for review in October 2021 and the safety section will appear in Google Play in early 2022. Overall, developers have until April 2022 to make sure their apps have the section approved, otherwise new app submissions and app updates will be rejected.

Improvements to advertising privacy and security

To further improve user privacy and security, Google also plans to provide even more control over advertising IDs.

Up until now, the company has provided the option to reset the identifier or to opt out of its use for ad personalization. Starting late 2021, once the user opts out, their advertising ID will be replaced with a string of zeros.

Applications running on Android 12 devices will be impacted first, but in early 2022 the functionality will be expanded to all apps on all devices that support Google Play. Apps that update their target API level to Android 12 and want to use advertising ID will have to declare a new Google Play services permission.

Google will test a new feature where developers and ad/analytics service providers will be notified of users’ opt-out preferences. If a user deletes their advertising ID, developers will be notified so they can erase the identifiers that are no longer in use.

“In addition, we’re prohibiting linking persistent device identifiers to personal and sensitive user data or resettable device identifiers. This policy adds an additional layer of privacy protection when users reset their device identifiers or uninstall apps,” Google explains.

The Internet search giant also announced a developer preview of “app set ID” for essential use cases, including analytics or fraud prevention. This unique ID allows for the correlation of “usage or actions across a set of apps owned by your organization.”

These IDs cannot be used for ads personalization or ads measurement and will automatically reset if all apps from a developer are uninstalled from a device or if the apps don’t access the ID for 13 months.

Google also announced that applications primarily directed to children are prohibited from transmitting identifiers, such as advertising IDs. Apps that target both kids and adults will be required to avoid transmitting the identifiers for kids.

Other security enhancements coming to Google Play include the closing of inactive or abandoned accounts after a year, including accounts where no app has been uploaded or those where the Google Play Console hasn’t been accessed in a year. Old accounts, applications, or data won’t be available anymore, but developers will be allowed to create new accounts.

Accounts with applications that have more than 1,000 installs or which have in-app purchases within the last 90 days won’t be closed.

Google is also introducing new requirements on the use of the AccessibilityService API and IsAccessibilityTool, where all applications using the AccessibilityService API will need to disclose data access and purpose to be approved.

The company also announced that developers can request a 6-month extension, until March 31, 2022, to comply with the company’s Payments policy, which now more explicitly explains when developers should use Google Play’s billing system.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
