Google Play to Limit Permissions on Rogue Apps

Google is to take stronger actions against apps that turn out to be potentially harmful. It may revoke permissions where the app is already on a user's device.

One of the most notable aspects of Google's management of Android apps is its particular balance of security and privacy. Although it will remove apps suspected or confirmed to be malicious from the Play Store, it doesn't usually do much if anything about devices which already have the app installed.

The optional Google Play Protect can technically deactivate suspicious apps, but usually it's left to users to hear about the issue (for example in a media report) and manually uninstall it. The main effect of the removal from the store for existing users is that the app will stop automatically updating.

Play Protect can also actively warn users about a suspicious app, though it's unclear how often (and in what proportion of cases) Google uses this functionality.

Permission Withdrawn

However, Google is now taking an active step that's something of a middle-ground between doing nothing about existing installations and completely uninstalling apps. Play Protect will now automatically revoke permissions for an app identified as potentially harmful.

Permissions are the way Android lets an app access some hardware or software features (for example, using the camera) while blocking others (for example, reading SMS messages).

Play Protect will revoke permissions that involve accessing sensitive data such as photos or hardware components that could threaten privacy such as the camera. Users will get a notification about the changes and be able to manually restore permissions, though there will be a security step to reduce the risk of the app itself trying to bypass the restrictions. (Source: googleblog.com)

Tech Support Scams Tackled

There will also be limitations on turning off the Play Protect feature itself. Users will no longer be able to switch it off while making a phone or video call, including through third party apps.

The idea is to reduce the risk of scammers trying to get remote access to a phone, for example during a bogus "tech support" call. (Source: theverge.com)

What's Your Opinion?

Is this a good move by Google? Does it go far enough? Should Google remove all installed apps that it discovers are potentially malware?