Google Play needs actual quality control, not even VPN apps are safe
Google Play is the official Android app marketplace and as such is regarded as the safest one. However, multiple reports of malicious apps have been pouring in lately: malware masquerading as games, beauty apps stealing users' photos, and more. Of course, the Mountain View company is usually quick to respond and remove such applications, but often enough they reach thousands if not millions of downloads before being pulled. Now, a new report by Top10VPN reveals that even VPN apps, which are supposed to protect your privacy, can actually make you more vulnerable. Where is the quality control?
High risk VPN apps
VPN or virtual private network connections are commonly used with increased privacy and security in mind. Yet, the 150 most popular free apps that provide the service on Google Play have been found to suffer from fundamental privacy issues. Research by Top10VPN revealed that 85% of the most popular VPN applications request excessive permissions. For example, despite VPNs routinely being used to mask user location, 25% of the apps studied requested location permissions.
Simon Migliano, Head of Research at Top10VPN disapproves of this practice: “Given how fundamental masking a user’s true location is to the concept of a VPN, it’s disturbing to see just how many apps contain code for getting the user’s last known location. It’s also hard to believe that any developer could expect anyone to trust their VPN app when it includes permissions and commands for using the camera or accessing your contacts."
Google has been trying to crack down on excessive permissions for a while now, but it seems that the problem persists. Another issue is third-party advertising libraries, which also put user privacy at risk but remain incredibly common, even among VPN apps.
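One way to run the kind of permission audit the report describes is to parse an app's AndroidManifest.xml and flag requested permissions that a VPN client has no functional need for. This is an added example, not Top10VPN's tooling; the manifest below is constructed for a hypothetical app, and the list of "excessive" permissions is an audit policy assumed here, built from the categories the article names (location, camera, contacts, SMS, call log).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed audit policy: permissions a VPN client does not need to do its job.
# The permission names are real Android permissions; the grouping is ours.
EXCESSIVE_FOR_VPN = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_SMS": "sms",
}

# Constructed sample manifest for a hypothetical VPN app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypotheticalvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name value from <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def audit_vpn_permissions(manifest_xml):
    """Map each requested permission that the policy calls excessive to its category."""
    return {
        perm: EXCESSIVE_FOR_VPN[perm]
        for perm in requested_permissions(manifest_xml)
        if perm in EXCESSIVE_FOR_VPN
    }


if __name__ == "__main__":
    for perm, category in audit_vpn_permissions(SAMPLE_MANIFEST).items():
        print(f"excessive ({category}): {perm}")
```

On a real APK the manifest is binary-encoded, so run it through a decoder such as apktool or aapt first and feed the resulting XML to the functions above.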
More worryingly, however, Top10VPN detected DNS leaks in 25% of the most popular free Android VPN apps: "This security flaw occurs when a VPN fails to force DNS requests through its encrypted tunnel to its own DNS servers and instead permits the requests to be made directly to the default ISP DNS servers. Even though the rest of their traffic may be concealed, the leak exposes a user’s browsing history to their ISP and any third-party DNS server operator that it may use."
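The leak the quote describes is detectable from a packet capture taken on the device while the VPN is up: every DNS query should leave through the tunnel interface and go to the VPN's own resolver, and anything else is a leak. The following is an added example, not code from the report; the interface name, the VPN resolver address and the captured packets are all constructed (192.0.2.53 stands in for an ISP resolver).

```python
from dataclasses import dataclass

# Assumed tunnel configuration for the constructed capture below.
TUNNEL_IFACE = "tun0"
VPN_DNS = {"10.8.0.1"}


@dataclass(frozen=True)
class Packet:
    iface: str       # egress interface the packet was captured on
    proto: str       # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    qname: str = ""  # DNS query name, only set for DNS packets


def is_dns(pkt):
    """Plain DNS over UDP or TCP on port 53 (DoH/DoT would need separate handling)."""
    return pkt.proto in ("udp", "tcp") and pkt.dst_port == 53


def find_dns_leaks(packets, tunnel_iface=TUNNEL_IFACE, vpn_dns=VPN_DNS):
    """Return DNS packets that bypassed the tunnel or went to a resolver the VPN does not own."""
    leaks = []
    for pkt in packets:
        if not is_dns(pkt):
            continue
        if pkt.iface != tunnel_iface or pkt.dst_ip not in vpn_dns:
            leaks.append(pkt)
    return leaks


def exposed_names(packets, **kwargs):
    """The browsing history the leak exposes: query names seen by an outside resolver."""
    return sorted({pkt.qname for pkt in find_dns_leaks(packets, **kwargs) if pkt.qname})


# Constructed capture: two queries go correctly through tun0 to the VPN resolver,
# one query goes straight out wlan0 to the ISP resolver, and one is ordinary HTTPS.
SAMPLE_CAPTURE = [
    Packet("tun0", "udp", "10.8.0.1", 53, "example.com"),
    Packet("tun0", "tcp", "10.8.0.1", 443),
    Packet("wlan0", "udp", "192.0.2.53", 53, "bank.example"),
    Packet("tun0", "udp", "10.8.0.1", 53, "news.example"),
]

if __name__ == "__main__":
    for pkt in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"DNS leak via {pkt.iface} to {pkt.dst_ip}: {pkt.qname}")
```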
Knowing this, it's not hard to conclude that these apps are not serving their primary purpose even if there might be no malicious intent on the part of the developers. Which leads us to the next question:
What is Google doing about it?
If you think that Google has been idly standing by while dubious or malicious apps flood the Play Store, you'd be wrong. Although they haven't always been the fastest to respond to problems with their platform, they have been making continuous efforts to better it.
Openness is Android's greatest strength, but also its greatest weakness. Fragmentation has always posed security problems, making it easier to exploit known faults in older versions of the operating system. However, Project Treble has addressed this issue to some extent, with security patches a lot more common than they were a few years ago. And since the release of Android Oreo, Google has given users more control over permissions. It has also cracked down on SMS and Call Log permissions, restricting their use to 'approved critical core app functionality'.
However, is it time to do the same with apps which request location, microphone and camera use? Independent developers might argue against it, since the approval process or any disputes that might arise can be time-consuming. Of course, some users also would disagree if it meant less choice of applications. There is no easy solution.
Malware-ridden apps are another matter, however. Here Google relies on automation. Google Play Protect is Android's 'built-in malware protection'. It uses machine learning algorithms to scan billions of devices daily. The Mountain View company also claims that 99% of apps with 'abusive content' never make it onto the Play Store precisely because of machine learning. Yet, the company still had to take down 700,000 apps that violated policies in 2017, after they had already made it onto the platform. Play Protect hasn't always performed well in tests either.
What can be done in this case? If there is one company with sufficient funds and resources to have at least some screening performed by humans, it's Google. Yes, AI is the way forward and it's needed when it comes to scanning through such vast amounts of data. That doesn't mean, however, that it's infallible. There will always be some malicious apps that slip through the cracks, but machine learning assisted by humans would probably have a better chance of taking them down before they reach millions of downloads.
What can you do?
What can users do to protect their privacy and avoid malware? The usual applies - don't install apps that require extensive permissions. Flashlight apps don't really need to know your location to do their job. Relying on system apps instead of third-party ones for the essentials (keyboard, camera, etc.) is also preferable, since these apps create or have access to sensitive data. Of course, always check the app reviews as well. If the majority of users have had a bad experience, it's likely that you will too. You can also check out our guide on spotting copycat and fake apps.
Finally, sometimes there just isn't much you could have done - some malicious apps disguise themselves incredibly well. This is where Google has to step in and take action. They have made progress in the last couple of years, but in my view, there's still a lot of work that needs to be done.
What do you think? What steps should Google take? Share your thoughts in the comments.
My personal steps have been to avoid apps with fewer than four stars and many thousands of users awarding them, and install a third party scanner (BitDefender) because I use APKs to maintain some older versions and to purchase apps outside the Play Store (won't give Google my credit card ID). BitDefender independently scans Play Store downloads, too.
Re permissions, there are four million apps in the Play Store, hundreds competing for the same services, uses, and business models - too much for Google alone to police. Many just won't work if permissions are denied. I'd suggest Google should establish some firm rules regarding justifiable permissions, and try letting the developer community report on each other's violations - that would create a pool of hundreds of thousands of skilled compliance officers, with financial incentives to eliminate bad actor competitors, recommending takedowns for Google to follow up on. (Google could, of course, also keep track of intentional fake reports, and ban the contributors.)
I think the governments should start taking more serious steps to stop this. Got a new Vivo phone which came with a bunch of their own apps installed, but most don't work without giving them full permission. I have no idea why the camera app needs to have access to my contacts? Photo album won't work without access to contacts. It's ridiculous.
Google needs some actual app store competition.
Competition is healthy, but third party app stores can have even more security issues because they don't have Google's resources. If Google Play is flooded with malware, I don't expect other app stores to be any better.