Google pushed developers to fix security flaws in 275,000 Android apps

Over 90,000 developers acted based on alerts issued through the Google Play App Security Improvement program

Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store.

In many cases this was done under the threat of blocking future updates to the insecure apps.

Since 2014, Google has been scanning apps published on Google Play for known vulnerabilities as part of its App Security Improvement (ASI) program.

Whenever a known security issue is found in an application, the developer receives an alert via email and through the Google Play Developer Console.

When it started, the program only scanned apps for embedded Amazon Web Services (AWS) credentials, which was a common problem at the time.

The exposure of AWS credentials can lead to serious compromises of the cloud servers used by apps to store user data and content.

Later that year, Google also started scanning for embedded Keystore files. These files typically contain cryptographic keys, both public and private, that are used to encrypt data or secure connections.

In the early days of the ASI program, developers only received notifications, but were under no pressure to do anything.

That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them.

The company provides detailed information on the flaws it detects along with guidance on how to fix them. However, developers who fail to resolve the problems within the timeframes provided by Google can lose the ability to release future updates for the affected apps through Google Play.

Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes.

These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.

For example, developers who used the Supersonic SDK in their applications have until January 26 to upgrade the SDK to version 6.3.5 or newer.

Older versions of this SDK expose sensitive functions through Javascript that are vulnerable to man-in-the-middle attacks.

Until April 2016, the Google Play App Security Improvement program helped developers patch 100,000 applications.

Since then the number almost tripled, around 90,000 developers patching security issues in over 275,000 apps, said Rahul Mishra, Android security program manager in a blog post Thursday.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

James Cook University - Master of Data Science Online Course

Learn more >

Mobile

Victorinox Werks Professional Executive 17 Laptop Case

Learn more >

Exec

Budget

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?