Google has added a new section to its Android Developers website in a bid to improve the security of Play Store applications through a series of guidelines and best practices. Because Android is open-source, it is often perceived as more susceptible to viruses, hacking, and malware. Describing security as the result of a partnership between developers and Google, the company hopes to change that perception so that Android is seen as the “safest mobile platform in the world.”
The outlined best practices appear to be simple enough and are based on three premises. The first pertains to how applications store and use end-user data. The best practice is to use sensitive APIs only when absolutely necessary to the function of the application. The guideline also says that any data from external storage connected to the device should be verified before it is used. The next premise is encompassed in two guidelines and pertains to direct security methods. Google asks that communications between applications and servers be updated to use HTTPS or SSL secure connections. Additionally, the company says that developers need to keep the version of Google Play Services in use, and the associated “security provider,” up to date to prevent SSL exploits. The final guideline reminds developers to pay closer attention to the permissions used in their apps. More specifically, Google reminds developers that library-specific permissions are inherited when a new library is imported into the application build.
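The permission-inheritance point can be checked mechanically by comparing the manifest a developer wrote with the merged manifest the build produces. The following is an added example, not code from Google's guidelines; both manifests are constructed samples, and the package name and the library are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the manifest the developer wrote by hand.
APP_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:usesCleartextTraffic="false"/>
</manifest>"""

# Constructed sample: the merged manifest after a hypothetical analytics
# library was added to the build and contributed its own permissions.
MERGED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:usesCleartextTraffic="false"/>
</manifest>"""


def permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID + "name")
            if name:
                found.add(name)
    return found


def inherited_permissions(app_xml, merged_xml):
    """Permissions present only after merging, i.e. brought in by libraries."""
    return sorted(permissions(merged_xml) - permissions(app_xml))


def allows_cleartext(manifest_xml):
    """True when the manifest explicitly opts in to unencrypted HTTP traffic."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID + "usesCleartextTraffic", "").lower() == "true"


if __name__ == "__main__":
    for name in inherited_permissions(APP_MANIFEST, MERGED_MANIFEST):
        print("inherited from a library:", name)
    print("cleartext allowed:", allows_cleartext(MERGED_MANIFEST))
```

Running a check like this in a build pipeline turns a newly inherited permission into a reviewable diff instead of a surprise at install time.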
A set of best practices regarding storage and retrieval of data, permissions use, and secure data transport, if followed, goes a long way toward mitigating the problem of malware that infects legitimate applications and the effects of other security holes. Unfortunately, the open-source nature of Android means that it is up to developers to implement changes to create truly secure applications, so the newly minted developer site goes a bit further. By outlining new security features and how to implement several solutions – such as explaining how to set up runtime permissions or configure network security settings – the site provides the necessary tools for new or less experienced developers to secure their applications more in line with best practices. The page also offers in-depth information on the Google Play App Security Improvement Program, which provides financial incentives to entities outside of Google who help make Android safer.