New security measures to keep Google Play safe
Google is announcing two new security measures aimed at minimizing the number of malicious / potentially unwanted apps available for download from the Google Play Store: additional Android developer identification requirements and 2-step verification.
New Android developer identification requirements
Android is the most widely used mobile OS (and OS) in the world, and malicious actors love nothing better than to prey on a massive pool of potential targets.
Getting a malicious app – whether its outright malware, a scammy or fraudulent app, or simply fleeceware – on Google’s official app store is an exercise that malicious developers often engage in.
To be able to do it, they must either hijack an existing Google Play developer account or create a new one and associate an email address and phone number with it (though Google currently does not validate that information).
But starting in August 2021, new developer account owners will have to say whether their account is personal or belongs to an organization, provide a contact name, physical address, and a (verified) email address and phone number.
“Your contact information allows us to share important information and updates about your app. It also helps us make sure that every account is created by a real person with real contact details, which helps us keep the Play Store safe for all users,” Luke Jefferson, Product Manager at Google Play, and Raz Lev, Product Manager at Google Play Trust and Safety, explained.
“This information will not be public-facing and is just to help us confirm your identity and communicate.”
Owners of existing developer accounts can declare the account type and verify contact details immediately, and will be required to do it later this year.
2-step verification (i.e., two-factor authentication)
Android developers will have to start using Google’s 2-Step Verification to better secure their Google accounts against account hijacking, the company has also announced.
This will be a requirement for all new developer accounts starting in August, but all existing developer account owners will have until later this year to implement this security measure.