
Google Details New Privacy and Security Policies for Android Apps

Google this week announced a series of updates to its Google Play policies that are meant to improve overall user privacy and security and provide more control over ads personalization.

The internet giant has decided to share more details on an upcoming safety section that was initially announced in May, and which will be added to Google Play in the first quarter of the next year. As per the new policy, all applications in Google Play will be required to detail their privacy and security practices by April 2022.

In the new safety section, developers can share details on the application’s security practices (e.g. data encryption), whether the application follows Google Play’s Families policy, and whether it has been independently validated against a global security standard.

Users will be able to access the section from any application’s listing on Google Play to learn more about what type of data the app collects and shares, how that data is used, and whether they can opt out of the data collection.

All application developers are required to provide a privacy policy, regardless of whether their app collects personal or sensitive information. Developers should provide accurate and complete information in their safety section, including details on the data used by third-party libraries or SDKs, Google says.

“This applies to all apps published on Google Play, including Google’s own apps,” the company underlines.

Developers can start submitting the required information in the Google Play Console for review in October 2021 and the safety section will appear in Google Play in early 2022. Overall, developers have until April 2022 to make sure their apps have the section approved, otherwise new app submissions and app updates will be rejected.

Improvements to advertising privacy and security

To further improve user privacy and security, Google also plans to provide even more control over advertising IDs.

Up until now, the company has provided the option to reset the identifier or to opt out of its use for ad personalization. Starting in late 2021, once a user opts out, their advertising ID will be replaced with a string of zeros.

Applications running on Android 12 devices will be impacted first, but in early 2022 the functionality will be expanded to all apps on all devices that support Google Play. Apps that update their target API level to Android 12 and want to use advertising ID will have to declare a new Google Play services permission.

Google will test a new feature where developers and ad/analytics service providers will be notified of users’ opt-out preferences. If a user deletes their advertising ID, developers will be notified so they can erase the identifiers that are no longer in use.

“In addition, we’re prohibiting linking persistent device identifiers to personal and sensitive user data or resettable device identifiers. This policy adds an additional layer of privacy protection when users reset their device identifiers or uninstall apps,” Google explains.

The Internet search giant also announced a developer preview of “app set ID” for essential use cases, including analytics or fraud prevention. This unique ID allows for the correlation of “usage or actions across a set of apps owned by your organization.”

These IDs cannot be used for ads personalization or ads measurement and will automatically reset if all apps from a developer are uninstalled from a device or if the apps don’t access the ID in 13 months.

Google also announced that applications primarily directed to children are prohibited from transmitting identifiers, such as advertising IDs. Apps that target both kids and adults will be required to avoid transmitting the identifiers for kids.

Other security enhancements coming to Google Play include the closing of inactive or abandoned accounts after a year, including accounts where no app has been uploaded or those where the Google Play Console hasn’t been accessed in a year. Old accounts, applications, or data won’t be available anymore, but developers will be allowed to create new accounts.

Accounts with applications that have more than 1,000 installs or which have in-app purchases within the last 90 days won’t be closed.

Google is also introducing new requirements on the use of the AccessibilityService API and IsAccessibilityTool, where all applications using the AccessibilityService API will need to disclose data access and purpose to be approved.

The company also announced that developers can request a 6-month extension, until March 31, 2022, to comply with the company’s Payments policy, which now more explicitly explains when developers should use Google Play’s billing system.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
