Google Play Store Launches ‘Independent Security Review’ Badge for VPN Apps

Google's Play Store has been persistently threatened by malicious and insecure apps over the years, triggering alarm bells among many Android users. In response, the company is trying a new tactic to generate more trust with people looking for safe and reliable software.

This tactic involves highlighting certain apps in the Play Store (currently VPN apps) that have passed independent security audits. These reviews come from third parties that use a global security standard to gauge an app's trustworthiness and resiliency against malware and security flaws. The goal is to feature apps that have met a certain minimum in best practices for security and privacy, hopefully instilling a higher level of user confidence.

An Independent Security Review badge will be displayed at the top of the Google Play search results page when users search for VPN apps. This badge will ensure the app has been scanned through an independent security review. Furthermore, it will provide additional information under the Learn More option, which will redirect users to the App Validation Directory, providing technical assessment details so that users can make informed decisions when downloading VPNs.

Specifically, that standard is MASA (Mobile App Security Assessment), which was introduced last year as an initiative of the App Defense Alliance (ADA) to define a concrete set of requirements for mobile app security.

The requirements concern data storage and data privacy practices, cryptography, authentication and session management, network communication, platform interaction, and code quality.

MASA lets developers submit their apps for validation against the global standard to certify that they've successfully identified and resolved security holes.

After a successful validation, Google allows developers to display an independent security review badge in the Data Safety section of an app's Google Play page. Though the certification doesn't mean an app is completely free of vulnerabilities, the badge serves as a sign that a developer has prioritized security, privacy, and user safety.

Currently NordVPN, ExpressVPN, and SkyVPN have passed the security reviews, allowing them to display the associated badges. Google is asking other VPN app developers to sign up for the security testing, which they can do by filling out and submitting the appropriate form.

"We've launched this banner beginning with VPN apps due to the sensitive and significant amount of user data these apps handle," said Android Security and Privacy Team's Nataliya Stanetsky said.

It is expected that the 'Independent security review' program will expand to other app types beyond VPNs, but Google has not provided a timeline for that yet.

This initiative will also assist Google with tackling malicious apps which commonly masquerade as security apps or other useful apps.

Additional Resources

• https://security.googleblog.com/2023/11/more-ways-for-users-to-identify.html

• https://www.zdnet.com/article/google-play-store-just-unveiled-a-security-badge-for-some-apps-heres-what-it-means/

• https://www.bleepingcomputer.com/news/security/google-play-adds-security-audit-badges-for-android-vpn-apps/

• https://www.hackread.com/google-verification-badges-security-test-vpn-apps/