Starting August 22, 2022, all Android developers must submit a declaration describing their app's security and privacy practices in order to add or update an app in Google Play. After that date, every new Android app listing in Google Play carries a Data safety section describing how the app collects, stores and shares user data. Failing to provide this information can block publication of an app submission, hurting development teams and their business.
Android developers unfamiliar with the new Google Play Data safety requirements may have questions about the approaching deadline and what they must do to demonstrate compliance. This article explains the purpose of the policy, what information must be disclosed and other noteworthy details about the initiative.
Why did Google create the data safety section?
Google launched the Data safety initiative to provide mobile app users with greater transparency about how developers collect, share, and secure their data. While most developers analyze mobile app data to fix bugs and improve functionality, others sell personal data to third parties for profit without user consent.
Additionally, the surge in mobile app activity in recent years has put privacy and security concerns in the spotlight. With mobile app usage now surpassing desktop usage, threat actors increasingly target mobile apps that were built with insecure coding practices and weak security controls. As a result, users want to know whether developers build their mobile apps with security and privacy in mind.
Google Play Data safety makes it easy for the 2.8 billion Android users to determine which of the 3.5 million+ Android apps they can trust. Just like nutrition labels enable people to make informed decisions about food, the Data safety information educates Android users about how apps use and store personal data.
“We heard from users and app developers that displaying the data an app collects, without additional context, is not enough,” commented Google Vice President, Product, Android Security and Privacy Suzanne Frey in a recent post. “Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties. In addition, users want to understand how app developers are securing user data after an app is downloaded. That’s why we designed the Data safety section to allow developers to clearly mark what data is being collected and for what purpose it’s being used.”
What information must developers disclose?
Android developers must now declare the following about their own code and about the third-party libraries and SDKs their app uses:
- Whether the app collects data
- Whether data collection is optional or mandatory
- Types of data collected and purpose
- Whether data is shared with a third-party via libraries or SDKs
- Whether data is encrypted in transit
- Whether users can request data deletion
- Whether the app is committed to follow the Google Play Families policy
- Whether an app has been independently validated against a global security standard
Do all Android mobile app developers need to participate?
Yes. In order for new and updated Android apps to be uploaded to Google Play, developers must submit the mandatory Data safety declaration. Developers must complete the form even if the app collects no user data at all.
Apps whose developers fail to submit a Data safety form show a "No information available" designation in Google Play, and the app can be blocked from publishing. Google also emails the developer to say the app has issues that must be resolved before it is eligible.
How can developers make their app stand out?
While every Android developer with a new or updated app must submit a Data safety form, developers can demonstrate their commitment to privacy and security further with an optional independent security review. That review is run through the App Defense Alliance (ADA), which focuses on protecting Google Play users by preventing threats from reaching their devices and improving app quality across the ecosystem.
The ADA consortium created the Mobile Application Security Assessment (MASA) program as a standard verification program for security and privacy assurance. Based on the Open Web Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS), the MASA verification process lets developers show that their mobile apps meet an industry-wide mobile security standard.
ADA Authorized Labs perform mobile app security and privacy testing under the MASA program to validate that an Android app meets a set of core security requirements. The mobile application security experts at the Authorized Labs use the OWASP Mobile Security Testing Guide (MSTG) to determine whether the app meets the OWASP MASVS L1 requirements in the following areas:
- Data Storage and Privacy
- Authentication and Session Management
- Network Communication
- Platform Interaction
- Code Quality and Build Settings
ADA MASA verified apps carry an independent security review designation in the Data safety section of their Google Play store listing. This gives those apps a competitive advantage in Google Play by helping users identify which developers went above and beyond to protect users and safeguard trust.
The Google Play Data safety requirements highlight the trust users place in mobile app makers to safeguard their data. Mobile app developers need to understand the new program and build these steps into their release process, factoring in the additional information needed for submission so that acceptance and publication are not delayed. Developers should also consider the benefits of obtaining an independent security review through ADA MASA verification to validate a secure, quality build that stands out among the competition.
Reach out to NowSecure to receive a free ADA “smoke test” to assess your Android mobile app before undergoing the MASA validation process.