To entice software developers to take cybersecurity seriously, Google is starting to highlight which Android apps have gone through an independent security audit.
On the Google Play Store the company has started placing a new “Independent Security Review” badge on VPN apps that have already been audited. The certification can be found in the “Data Protection” section of eligible apps.
Receiving the badge means the app has been tested against a baseline of security criteria that Google helped develop with other cybersecurity partners. “This signals to users that an independent third party has verified that the developers have designed their apps to meet industry minimum best practices for mobile security and privacy, and that the developers are making additional efforts to identify and mitigate vulnerabilities,” the company said in a blog post on Thursday.
Clearing the bar doesn’t seem that hard. The security rubric includes several levels for each category, but to receive the badge an app only needs to pass “Level 1” of the requirements, which include ensuring that the app encrypts data when it is transmitted over the Internet and that the app requests only the minimum set of permissions it needs to operate.
“While certification against foundational security standards does not mean a product is free from vulnerabilities, the badge attached to these validated apps helps users see at a glance that a developer has prioritized security and privacy practices and is committed to user security,” Google said in justifying the approach. To continue receiving the badge each year, app developers must also undergo another annual independent audit.
For now, Google is placing the badge on VPN apps first, since, as the company puts it, these apps “handle sensitive and significant amounts of user data.” If you search for a VPN app on the Play Store, a banner will appear informing users about the new “Independent Security Review” badge and its significance.
VPN apps like NordVPN, ExpressVPN, and Google One have already gone through independent audits to receive the badge. The company has not said when it will start issuing badges for other categories of apps. But its arrival may raise questions about whether Google will make audits a requirement for some Android software makers, or whether Google Play rankings will favor apps that have received the badge. For now, the company’s FAQ on badges says: “At this time, we have no plans to make certification mandatory for app developers.”
The FAQ states that developers can expect to pay between $3,000 and $6,000 to certified testing labs when requesting an audit.