The unfortunate implications of a well-intentioned change in Google Play developer policies – and the negative impact it has on ESET's Android app customers
When you download an app from the Google Play store, you are probably unaware, unless you are an app developer, that Google's developer program policies must be observed to get the app listed and made available for download.
The policies are well documented, publicly available and are there to protect users and developers alike. Restricted content, intellectual property rights, privacy, security, deception and monetization are among the many topics covered.
As a diligent security company, ESET often notifies Google's policy team when it identifies apps that have malicious intent so that they can be removed. However, bad apps do slip through the automated compliance processes using evasion techniques. Our research on malicious apps is often published here at WeLiveSecurity. A few recent examples include banking malware and counterfeit financial applications.
We pride ourselves on being a contributor to keeping users safe from the malicious efforts of cybercriminals that violate the Google Play Developer Policy. This is also evident from our partnership that provides Google with the technology to protect Chrome users from unwanted software.
As with any policies, they must be flexible enough to change and adapt to new legislation and acceptable behavior. They also need to be modified to combat bad developers who find ways to do things that are not in the spirit of the policies.
A recent change to the permissions policy has caused some of our own security-focused apps to fall foul of the policies. This particular issue concerns the use of the SMS permission group: the ability of an app to read, write, send and receive SMS messages. The new policy states that an app is required to be the default SMS or Assistant handler on the device to obtain these permissions. So only an app that replaces the default SMS messaging capabilities on the device can be granted the permissions.
The change was made to protect users' privacy and to stop apps that abuse access to SMS messages. At first reading, it seems like a sensible policy change, but this non-granular change prevents legitimate app developers, such as ESET, from using the permission on safety, privacy and security grounds.
More specifically, we are talking about ESET's parental control app, which allows parents to communicate with and locate the child's device even when there is no internet connection. This is done using SMS. A parent can send a specially coded SMS to the device and, if it is received from a pre-registered number, the device responds, either by displaying a message to the child or by returning the location of the device to the parent. Just under 30% of parents have configured the app to take advantage of this security feature.
If a child is somewhere internet service is unavailable, for example in a forest, and has been injured, has become lost or something more unfortunate has happened, the parents can still learn the location and act accordingly. Without SMS access, this functionality will not be available unless there is an internet connection, which reduces the protection the app gives the parents and the child.
ESET's Mobile Security app also uses SMS permissions, with 75% of Anti-Theft users choosing to use SMS. When the device is lost or stolen, a specially coded SMS can be sent to the device to lock, locate or wipe it. This protects the device when it has no regular connectivity, and in case it has been stolen and the thief is aware that most anti-theft systems, such as Google's, only work when there is an internet connection. The SMS permission provides important functionality to protect the security and privacy of the device and the data stored on it.
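The SMS command flow described above for the parental control and anti-theft features, as an added example that is not ESET's code or message format: a handler that acts only on a command from a pre-registered number whose code verifies. The `CMD <action> <counter> <tag>` layout, the HMAC tag, the replay counter and all names are assumptions made for illustration.

```python
import hashlib
import hmac

# The message layout, names and sample values below are assumptions for this
# example; the article does not describe the real SMS command format.
ACTIONS = {"LOCK", "LOCATE", "WIPE"}


def make_tag(secret: bytes, action: str, counter: int) -> str:
    """Truncated HMAC-SHA256 over the action and counter (16 hex chars)."""
    msg = f"{action}|{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def normalize(number: str) -> str:  # digits only, so spacing and "+" do not matter
    return "".join(ch for ch in number if ch.isdigit())


class CommandHandler:
    def __init__(self, secret: bytes, registered_numbers):
        self.secret = secret
        self.registered = {normalize(n) for n in registered_numbers}
        self.last_counter = 0  # highest counter accepted so far (replay guard)

    def handle(self, sender: str, body: str):
        """Return the action to perform, or None if the SMS must be ignored."""
        if normalize(sender) not in self.registered:
            return None  # not from a pre-registered number
        parts = body.strip().split()
        if len(parts) != 4 or parts[0] != "CMD":
            return None  # ordinary text message, not a command
        _, action, counter_text, tag = parts
        if action not in ACTIONS or not counter_text.isdecimal():
            return None
        counter = int(counter_text)
        expected = make_tag(self.secret, action, counter)
        if not hmac.compare_digest(expected.encode(), tag.lower().encode()):
            return None  # code does not verify; the sender number alone is not enough
        if counter <= self.last_counter:
            return None  # replay of an already accepted command
        self.last_counter = counter
        return action


if __name__ == "__main__":
    key, num = b"constructed-demo-secret", "+1 555 010 0199"  # constructed values
    h = CommandHandler(key, [num])
    sms = f"CMD LOCATE 1 {make_tag(key, 'LOCATE', 1)}"
    print(h.handle(num, sms), h.handle(num, sms))
```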
When the change was announced, we received official notice to remove the use of the SMS permission from our apps. We, of course, asked for an exception to this limitation. We reached out directly to our contacts at Google and asked for help in obtaining exceptions, especially since we are a clear source of research on malicious behavior in apps listed in the Play Store.
Unfortunately, our exception request continues to be rejected, despite the fact that our use of the permission serves the very reason the policy was changed: to increase safety, security and privacy.
We urge Google's policy team to reassess its position and grant an exemption before