Google announced the App Defense Alliance (ADA) three years ago to “stop bad apps before they reach users’ devices,” and today recapped its work in 2022.
Malware Mitigation before an app gets published on Google Play is the ADA’s primary goal:
Through this program, Google Play Protect detection systems directly communicate with each partner’s scanning engines. This generates new app risk intelligence as apps are being queued to publish. Partners analyze this dataset and act as an additional vital set of eyes before an app goes live on the Play store.
Thousands of apps are scanned daily with “secure two-way communication” between Google and third parties. ESET, Lookout, and Zimperium were the initial partners, with McAfee and Trend Micro joining in 2022.
Another App Defense Alliance initiative, now widely available after launching in beta this year, is the Mobile App Security Assessment (MASA), in which developers “have their apps independently validated against the Mobile Application Security Verification Standard (MASVS standard) under the OWASP Mobile Application Security project.”
The project’s mission is to “Define the industry standard for mobile application security,” and it has been used by both public and private sector organizations as a form of industry best practice for mobile application security.
This work is done by ADA Authorized Labs with a public, user-facing App Validation Directory that notes the “validation date, test lab, and a report showing all test steps / requirements.” This appears as the “Independent security review” badge on an app’s Data Safety section in the Play Store. Various Google apps have undergone this, while third-party ones include Roblox, Uber, and PayPal.
On average, developers have completed validation within a month and resolved two outstanding issues identified by a security lab.
Lastly, the Cloud App Security Assessment (CASA) is focused on the server backend of applications:
The CASA framework provides multiple assurance levels in which low-risk cloud applications can be evaluated using either a self-assessment or automated scan. For applications which present higher risk (such as a large user base, recent security breach, or processing of highly sensitive data), an Authorized Lab may perform an assessment.
Author: Abner Li
Source: 9TO5Google