Google Play hosts nearly 3.5 million Android mobile apps, and counting, which have been downloaded by billions of users. To help users make informed choices about the mobile apps they install, Google has begun requiring mobile app developers to disclose how their apps collect, share and secure user data.
“At Google, we know that feeling safe online comes from using products that are secure by default, private by design, and give users control over their data,” said Google Vice President of Product Suzanne Frey in the Android mobile application security and privacy program announcement. “The new safety section will provide developers a simple way to showcase their app’s overall safety.”
Google Play Data Safety Requirements
In a move intended to increase transparency and give users more control over their data, Google Play app listings now showcase security and privacy practices. As of July 20, 2022, developers must publish disclosures in their Play store listings about how their apps collect, share and secure user data or face removal.
Google Play Data safety includes the following details:
- Whether the app collects data
- Whether data collection is optional or mandatory
- Types of data collected and purpose
- Whether data is shared with a third party via libraries or SDKs
- Whether data is encrypted in transit
- Whether users can request data deletion
- Whether an app follows the Google Play Family Safety policies
- Whether an app has been independently validated against a global security standard
Google Play app listings provide a high-level summary of key privacy and security practices pertaining to an app. Users can drill down for additional details about the specific types of data collected and shared and the purpose, such as functionality or personalization. This unified view of mobile app security and privacy practices enables users to decide which apps to trust.
Google offers Android developers the opportunity to independently assess their applications with the highest standard of mobile security and privacy established by the App Defense Alliance (ADA) using the new Mobile Application Security Assessment (MASA) requirements. This optional independent security review helps developers gain user preference to drive higher download rates while setting their apps apart from the competition and reassuring users of their commitment to safeguard personal information.
Mobile Application Security Assessment (MASA) Validation
A coalition of Google and mobile app security vendors called the App Defense Alliance (ADA) focuses on ensuring the safety of Google Play by protecting users against bad mobile apps. Founded in 2019, the ADA promotes collaboration and transparency to build trust and improve security across the mobile ecosystem.
The ADA has launched the Mobile Application Security Assessment (MASA) program to enable developers to assess their mobile apps for security and privacy vulnerabilities based on industry standards. Undertaken optionally by developers for a small fee, this third-party validation showcases security and privacy practices and gives users confidence that apps have been vetted by outside experts to be safe and secure.
MASA comprises three components:
- ADA Authorized Labs
- OWASP MASVS
- OWASP MASTG
Google has selected NowSecure as an ADA Authorized Lab to perform independent security reviews as part of the Google Play Data safety section. ADA Authorized Lab partners such as NowSecure objectively evaluate a mobile application against a set of testing procedures backed by a well-defined global industry standard. Developers whose mobile apps have passed an independent security assessment will be able to highlight that distinction in their Google Play Data safety section with the independent security review badge.
The NowSecure ADA Authorized Lab has a dedicated practice area around mobile app security and provides comprehensive security testing capabilities and experience. With more than 13 years of expertise in mobile app security, NowSecure is the only mobile-first, mobile-only ADA Authorized Lab to perform MASA validation for Android apps in Google Play.
The Open Web Application Security Project (OWASP) published a globally recognized industry standard for mobile application security, the Mobile Application Security Verification Standard (MASVS). Used to establish confidence in mobile app security, MASVS provides a set of baseline security criteria for developers according to four different levels of requirements. The first level, L1, outlines the basic security practices that all mobile apps should undergo.
The ADA MASA validation is based on OWASP MASVS L1, which includes 32 requirements across 6 categories:
- Data Storage and Privacy – How sensitive data is stored and handled on device
- Cryptography – Following best practices including encrypting sensitive data
- Authentication and Session Management – Maintaining a robust authentication and authorization architecture
- Network Communication – Securing data in transit
- Platform Interaction – How apps interact with the OS and/or other apps
- Code Quality and Build Settings – Taking advantage of free options and settings available as part of the toolchain
Security experts from ADA Authorized Labs evaluate apps using the mobile application testing guidelines stipulated in the OWASP Mobile Application Security Testing Guide (MASTG). The MASTG complements MASVS and provides an objective set of testing procedures to guide mobile application security assessments. Mobile apps that pass all requirements achieve MASA validation and receive an independent security review badge in the Data safety section of Google Play.
“The Google Play Data safety section requirement signals Android’s commitment to user data safety and privacy,” said NowSecure CEO Alan Snyder. “The MASA validation is a way for app developers to show the market that they take user data security and privacy seriously and differentiate their app from others. We are proud to partner with Google to establish a new milestone in mobile app security. Together, the Google Play Data safety program with an independent security review based on OWASP MASVS enables success for all.”
Benefits of ADA MASA Validation
ADA MASA validation benefits mobile app security analysts, developers and users alike. Performing regular mobile app security testing helps identify key vulnerabilities, reduce risk and mitigate future liability. An outside expert review uncovers common cryptographic, network or storage issues, enabling the development team to begin remediation ahead of annual mobile pen testing. NowSecure offers a fast turnaround to get actionable results into the hands of the developer within two to three days of the start of testing.
Obtaining an independent security review badge differentiates Android apps in Google Play and sets them apart from the competition. By partnering with dedicated expert analysts from NowSecure to achieve ADA MASA validation, Android developers can demonstrate to the world their commitment to safeguard users’ data privacy and security. Users gain confidence that mobile apps have been vetted by outside experts, in turn driving customer trust and more mobile app downloads.
Get tips for completing the Google Play declarations and obtaining an independent security review in our Google Play Data Safety and ADA MASA Validation Checklist.
As an ADA Authorized Lab, NowSecure can guide you through the ADA MASA validation to get the highly desired independent security review badge applied to your app’s Data safety section. Dedicated solely to mobile, the NowSecure Services team has performed more than 11,000 mobile app pen tests and analyzed millions of apps at scale across all major industries.
NowSecure performs the ADA MASA validation through a combination of manual testing using our mobile pen testing methodology and NowSecure Platform automated mobile application security testing. Our team will partner with you to assess your mobile app and deliver a detailed report, then guide developers in fixing any issues that stand in the way of obtaining ADA MASA validation.
Drive more downloads and set your app apart from the competition in Google Play by reaching out to get the independent security review ADA MASA validation or register for a free “smoke test” review today.