Android to Tackle Data Harvesting Scam Apps

By John Lister

A key change to Android could reduce the risk of scammers stealing personal data or money. The update will mean sensitive apps won't open unless potentially risky apps are closed first.

The idea is to tackle rogue apps which are designed to either capture personal data from another app, or to take control of the phone unbeknownst to the owner.

Developer Choice

Google's new tactic aims to find a balance between restricting the activities of such rogue apps and keeping the freedom of users to choose what apps they install, including those from sources other than the official Play Store.

The change is to Play Integrity, a way legitimate app developers can take advantage of Android security measures. App developers will now be able to set their app to ask the Android operating system whether any potentially risky apps are running before launching. An app could be considered risky because it has the capability to record the screen or control the device, or because it isn't known to Google's Play Protect security program.

An example might be a rogue app that has the capability to draw a transparent overlay on top of a banking app and then collect the login and password the user enters. The information collected would then be sent to a remote server operated by scammers.

Accessibility Exception

The legitimate app developer can also set their app to only open and run once the user has responded to an on-screen message asking them to close any suspicious apps. It's possible this experience could be frustrating for users, which is one of the reasons Google is leaving it up to app developers to decide whether to enable the feature. (Source: androidauthority.com)

There is one potential catch. Accessibility apps that have passed Google's security vetting will still be allowed to run, even if they include screen recording or similar functions. This is often necessary, for example with a text-to-speech app for visually impaired users. That will put extra pressure on Google to make sure it vets such apps correctly. (Source: gadgets360.com)

What's Your Opinion?

Is this a sensible move? If you use banking or similar apps, would you want the developer to enable this feature? Has Google found the right balance between security and the freedom of choice of developers and users?
