Google’s policy change reduces security, privacy and safety for 75% of users of ESET’s Android anti-theft service.

Tony Anscombe

When downloading an app from the Google Play store it’s likely that you are oblivious, unless you’re an app developer, to the Google Developer Policy that needs to be adhered to in order to get the app listed and made available for download.

The policies are well-documented, publicly available documents and are there to protect users and developers alike. Restricted content, intellectual property, privacy, security, deception and monetization are among the many topics covered.

As a diligent cybersecurity company, ESET frequently notifies Google’s policy team when it identifies apps that have malicious intent, so they can be removed. However, bad apps slip through the automated compliance processes by using evasion techniques. Our research into malicious apps is often published here on WeLiveSecurity. A few recent examples include Banking Trojans and Fake Finance apps.

We proudly consider ourselves a contributor to keeping users safe from the malicious endeavors of cybercriminals flouting Google Play Developer Policy. This is also demonstrated by our partnership that provides Google with the technology to protect Chrome users against unwanted software.

As with all policies, they need to be flexible to change and adapt, taking into account new legislation and acceptable behavior; they also need to be modified to fight against bad developers finding methods to do things that are not in the spirit of the policy.

A recent change to the Permissions Policy has caused some of our own security-focused apps to fall foul of the policy. This specific issue refers to the use of the SMS permission group, the ability to read, write, send and receive SMS messages by an app. The new policy states that an app is required to be the default SMS or assistant handler on the device to be granted these permissions. So only an app that’s replacing the default SMS messaging abilities on the device can be granted the permissions.

The change was made to protect user privacy and to stop apps that misuse the access to SMS messages, abusing the user’s privacy. On first reading it seems like a sensible policy amendment, but this blanket non-granular change affects legitimate app developers, like ESET, from using the permission for security, privacy and safety reasons.

More specifically we are talking about ESET’s Parental Control app which allows parents to communicate with and locate their child’s device even when there is no internet connection. It does this by using SMS. A parent can send a specially coded SMS to the device and, if received from a pre-registered number it will respond accordingly, either displaying a message to the child or returning the location of the device to the parent. Just under 30% of parents have configured the app to utilize this safety feature.

In the scenario where a child is in a location where internet services are not available, for example in the woods, and the child has been hurt, is lost or something more sinister is happening, then the parent will know the location and be able to act accordingly. Without SMS access, this functionality will not be available unless there is an internet connection, thus reducing the standard of safety afforded to the parent and child through the app.

ESET’s Mobile Security app also uses SMS permissions, with 75% of the anti-theft service users electing to use SMS. When the device is lost or mislaid, a specially coded SMS can be sent to the device to lock, locate or wipe the device. This protects the device when outside of normal connectivity and in the case where it has been stolen and the thief is aware that most anti-theft systems, such as Google’s, only work when there is an internet connection. The SMS permission provides essential functionality to protect security and privacy of the device and the data stored on it.

When the change was announced, we received official notification to remove the use of the SMS permission from our apps. We, of course, requested an exception to this restriction. We even reached out directly to our contacts at Google and requested assistance in gaining an exception, especially since we are a trusted source of research on malicious behavior in apps listed in the Play Store.

Unfortunately, our request for an exception continues to be declined, despite the fact that our use of the permission is for the very reason the policy was amended, to enhance safety, security and privacy.

We urge the Google policy team to reconsider their position and grant an exception, before the deadline in January, set by them, allowing our customers and their children to remain safe and secure.