Google has announced that its security protocols for developers and apps in the Play Store will be changing in response to recent security threats. Specifically, Google is changing the processes involved in verifying developers’ intentions with traditional and web apps, as well as the steps taken to verify an app before it lands in the Play Store. The changes are aimed at providing greater security for users, which means a bit of additional work and longer wait times for developers. Web applications will also end up needing a bit more review time depending on their function and permissions, with some needing between 3 and 7 business days for Google to review them by hand.
Web apps that require special user permissions are hit the hardest by the new verification rules. While awaiting review, they’ll simply show an error message instead of the usual prompt for a user to accept requested permissions. Reviews can be requested during the testing phase for now, but Google will enable developers to request a review during the registration phase at some point. Developers of traditional apps will see their work come under additional scrutiny regarding naming and any content that could mislead a user, intentionally or otherwise. Google did not mention an increase in turnaround time for these apps going into the Play Store, but until all the bugs are worked out of the system, developers can expect to see error messages in the API Console, Apps Script, and Firebase Console.
These changes come on the heels of a powerful and clever phishing attack that was aimed at Google Docs users. By hooking a fake Docs app into Google’s real login system, the fraudulent app’s developer was able to get their hands on the login information of many an off-guard user. Obviously, this gave the hacker the ability to access any part of the victim’s digital life that they had previously linked to their Google Account, up to and including social media and financial applications. For many, full-on identity theft became possible. A move like this ensures that such an attack won’t happen again, but social engineering attacks will always keep growing more clever and convincing.