Fri. Oct 18th, 2024

Google confirms Play Store update: disabling apps will begin in the next ten weeks

Android 15 is now live on millions of Pixel devices. But while this upgrade is more about security and privacy than anything else, two of the new key features are missing. One won’t be here anytime soon, but the other is just around the corner and could disable apps on your phone before the end of this year.

The feature that will be missing for the longer term is Google’s new Mobile Network Security, which protects users from network-based identity tracking and interception. This requires tight modem and operating system integration, and no phone can offer this yet, not even the new Pixel 9s. The second, more imminent upgrade is even more important and should be a real game-changer for Android security.

When it hits phones before the end of the year, Google Play’s live threat detection will “analyze additional behavioral signals related to the use of sensitive permissions and interactions with other apps and services. If suspicious behavior is discovered, Google Play Protect can send the app to Google for additional review and then alert users or disable the app if malicious behavior is confirmed.”

While Google Play Protect already scans “200 billion Android apps every day,” this adds a new level of immediacy, running early checks on the phone itself “to conceal fraud and abuse detection against apps that attempt to disguise their actions to improve.” This uses on-device AI processing via Google’s Private Compute Core to maintain user privacy.

While removing blatantly dangerous apps is an easy win, what’s more exciting about this is that there is potential to tackle permission abuse. This has always been a major problem in the Android ecosystem, with even the most popular apps requesting far more permissions than they need as user data is collected at will.

Just last month, Cybernews warned that “popular apps know no boundaries” when it comes to “dangerous permissions,” analyzing 50 of the most popular apps and finding that such permission abuses are widespread.

The researchers found that accessing photos and videos on devices was the second most abused permission, with as many as 30 of the 50 apps reviewed requesting it. “Malicious actors,” they warn, “can abuse storage access to exfiltrate or compromise files such as photos, videos, documents and other private information.”

This is exactly the kind of permission abuse that Google’s new device security should keep an eye on. Why do apps need access to media if it is not absolutely necessary to fulfill their functionality? Access to photos is particularly sensitive and Google has been trying to restrict it for a while, but without much success.

“With the launch of Android 13 in 2022,” Android Authority explains, “Google introduced the Photo Picker API… Using the Photo Picker API, apps can request access to the photos or videos of your choice without having to ask permission to access your entire media gallery. It is intended for apps that have a one-time or irregular need to access certain photos or videos.”

But this opt-in for app developers didn’t catch on. “Google really had a hard time getting developers to adopt it. The vast majority of Android apps continued to use either the old system file picker or their own proprietary picker, the latter of which requires broad access to photos and videos.”

But now everything changes. Google has confirmed the enforced use of the Photo Picker through a policy change. At the I/O event, the company announced that “we are working to make photo permissions even more private for users. From this year, apps on Play must demonstrate that they need broad access to use the photo or video rights. Google Play will begin enforcing this policy in August.”

That has now come into effect. “It appears that the repression started at the end of last month,” Android Authority reports. “Google says it began asking developers on September 18 to ‘either submit a declaration form to qualify for core use/broad access, or remove permissions (if one-time/infrequent use)’. Developers have until the end of this month to submit declaration forms, and those who don’t will be unable to update their app on Google Play.”

While it appears Google is offering some apps a stay until the end of the year to sort out their code, that’s still only ten weeks away. This is very welcome. It’s better to force a blanket change and then mitigate as the edge cases are found. If developers had adopted the API earlier, such a brute-force approach would not be necessary. But they didn’t. And considering the permission abuse that the Cybernews report found in even the most popular blue-chip apps, at some point this was going to have to be enforced.

I confirmed with Google that it still expects live threat detection to roll out to phones later this year, with Pixels and a few other OEMs being the first to get out of the trap. We will be interested to see how tough the crackdown on misuse of sensitive consent will be. But the other big Play Store update this year was a cull of low-quality, high-risk apps. And the declining number of apps in the store suggests that this is being taken very seriously and the store is changing for the better. Meanwhile, the abuse of photo permission is coming to an even faster end.

By Sheisoe
