Google got developers to fix vulnerabilities in 275,000 apps on the Play Store from 2014 – 2016, showing the changing role of mobile app security testing for the Play Store. In most cases, the apps had the threat of a block on updates from failing to meet app security requirements.
As part of Google’s App Security Improvement (ASI) program developed in 2014, Google runs mobile app security testing for all the apps on the Play Store to test for known vulnerabilities. When a known security issue is discovered in an app after mobile app security testing, the app developer is notified via an email and also alerted on the Google Play Developer Console to the security issue.
Initially, mobile app security testing was only focused on embedded Amazon Web Services (AWS) credentials as it was a common problem at the time. Exposed AWS credentials often result in serious compromises of cloud servers that store all user content. The scan also checked for embedded Keystore files that hold public and private cryptographic keys used for securing connections or encrypting data.
When the ASI program was started, developers were notified of the mobile app security issues without any obligation to fix each one. In 2015, Google started mobile app security testing for a wide range of issues and giving deadlines to the developers to boost app security across the Play Store. Along with the notification, Google also sends complete details of the vulnerability and provides guidance on how to fix it. If developers do not fix the issue by the a deadline they may be blocked from releasing new updates for their apps.
As a move towards strengthening mobile app security, Google put checks on six vulnerabilities in 2015, all with patching deadlines; and 17 in 2016, out of which 12 were given a time limit to fix the issues. These included many issues such as development frameworks and advertising SDKs, insecure third-party libraries and insecure implementation of Android Java interfaces and classes.
Till April last year, the ASI program made possible the patching of 100,000 mobile apps. The number has increased threefold since then, with 90,000 developers patching security flaws in over 275,000 apps, making a dent in the problem of mobile app security and showing the need for mobile app security testing.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.