Google Bans Off-Market Updates
A new provision in Google’s developer content policy will prevent developers from delivering application updates directly from their own web servers. This will protect users from apps that clear Play Store review and then go rogue once installed.
According to the latest revision of the Play Developer Program Policies, developers are forbidden to build into a Play app any mechanism to “modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism”.
Much of Android’s popularity is due to its flexible application distribution model, which allows app developers to deliver their APKs either via Google Play or as direct downloads from their own servers. Mobile cyber-criminals, however, exploited this to deliver apparently clean applications via Google Play (where they have maximum exposure) and then force malicious updates, unsanctioned and unscreened by Google, through their own servers.
With this new rule, Google is looking to stop miscreants who get an app approved into Google Play only to update it later with malware and attack users right from a platform those users consider safe.
This, however, may also mean that users will not be able to fetch, say, an emergency fix right from the developer’s website, and must wait instead for the update to be approved into the official store. This leads to a delay, with possible security implications of the kind Google wants to avoid by imposing this regulation.
The Mountain View-based company is constantly trying out new answers to accusations that malware-laden applications are lurking in the official Play Store itself, and has come up with a basic anti-virus solution built into Android 4.2 (Jelly Bean) that scans apps for malware and expensive SMS scams.
Bitdefender urges users to install a mobile security solution that can detect and eliminate malware and apps bundled with aggressive advertisements that might pose a security risk.