When Google first launched Android, they made a different decision than Apple regarding the application submission process. While Apple has taken a very hands-on approach, Google took a mostly automated and hands-off approach. This has made the Google Play Store (and the Android Marketplace before it) home to many malicious applications. Since shortly after the launch of the platform, the company has worked to create policies and procedures to limit the number of dangerous apps in the store. The newest approach will limit the reach of outdated and potentially abandoned apps.
Because of the Google Play Store policies, once an app exists, it exists forever. The developer is not technically required to submit updates to the app, even as new versions of Android have shipped annually. The problem is that the platform changes over time, and each new Android API version brings security improvements that an unmaintained app never picks up.
Older apps that have not been maintained do not benefit from most of the improvements in the Android APIs, because they do not target those newer versions. They therefore remain exposed to flaws in the older API versions they do target, and attackers could use those flaws against users of those apps, potentially stealing data such as text messages, contacts, photos, location, and more.
In addition, if the company behind the app has become defunct, the domain of the app's backend server may have lapsed and become available. When that happens, attackers could register the domain and set up a new backend specifically to steal data. Both of these issues create a significant danger for people who might download these apps long after they have been abandoned by the developer.
Google has announced that they will begin to limit the reach of apps that have fallen out of maintenance. The move is specifically to address the current issues inherent in out-of-date applications.
The Google Play Store already has a rule limiting the age of apps, but it is based on the target Android version. This change will also add a second rolling standard to the Store: Target API Level. This target API version determines which features and capabilities the application has specifically asked the device for. An older target makes the app an easier target for attack.
The new rule will require an application to target an Android API version within 2 years of the current version. For example, Android 12 (which is the currently available Android) has a target API version of 32, and Android 13 (which is the next version to launch) has an API version of 33. So, if an app targets Android API 30 or below, it will be considered out of date by this new standard.
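To make the rule concrete, here is a small inventory check, added as an example and not part of the original article or any Google tooling. It reads the target API level from a decoded (text) AndroidManifest.xml, falling back to minSdkVersion as Android itself does when targetSdkVersion is absent, and flags apps that are two or more API levels behind the current one, matching the figures above (current 32: target 30 or below is flagged). The sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def target_sdk_version(manifest_xml: str) -> int:
    """Return the targetSdkVersion declared in a decoded AndroidManifest.xml.
    Android defaults targetSdkVersion to minSdkVersion when it is absent,
    and minSdkVersion to 1 when that is absent too."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    target = uses_sdk.get(f"{{{ANDROID_NS}}}targetSdkVersion")
    if target is None:
        target = uses_sdk.get(f"{{{ANDROID_NS}}}minSdkVersion", "1")
    return int(target)

def is_out_of_date(target_api: int, current_api: int) -> bool:
    """Apply the rule described in the article: a target API level two or
    more levels behind the current one is out of date
    (current 32 -> target 30 or below is flagged, 31 and 32 are not)."""
    return current_api - target_api >= 2

def flag_stale_apps(manifests: dict, current_api: int) -> list:
    """Return, sorted, the package names whose manifests fall under the rule."""
    return sorted(
        name for name, xml in manifests.items()
        if is_out_of_date(target_sdk_version(xml), current_api)
    )

# Constructed sample manifests (hypothetical packages) for an offline run.
SAMPLE_MANIFESTS = {
    "com.example.current": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.current">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="32"/>
</manifest>""",
    "com.example.stale": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stale">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="30"/>
</manifest>""",
    "com.example.legacy": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-sdk android:minSdkVersion="16"/>
</manifest>""",
}

if __name__ == "__main__":
    print(flag_stale_apps(SAMPLE_MANIFESTS, current_api=32))
```

Real APKs carry the manifest as binary XML, so run this on a manifest decoded with a tool of your choice, or point it at the merged manifest produced by your build.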
Apps that are considered to be out of date or abandoned will not be removed entirely from the Store. Instead, they will be removed from search results, making it nearly impossible for the casual user to find them by accident. They will, however, still be available through their direct links, for those who might still want to install them. This should help limit the reach of dead apps, making devices safer for users.