Google is now touting three new security certifications for Managed Google Play, which the company hopes will serve as a badge of security honor for companies thinking about using its enterprise-focused app marketplace.
The move comes as Google continues to try to amp up efforts around the security of its app marketplace and appeal to enterprises, despite numerous malicious apps and security issues found on Google Play in past years. The certifications, ISO 27001, SOC 2 and SOC 3, indicate compliance with certain standard practices for managing other companies’ data.
“As with any enterprise-grade platform, it’s critical that the managed Google Play Store operates with the highest standards of privacy and security,” said Mike Burr, Android enterprise platform specialist at Google, on Thursday. “Managed Google Play has been awarded three important industry designations that are marks of meeting the strict requirements for information security management practices.”
Managed Google Play, Android’s version of an enterprise app store, enables employees to browse and install IT-approved apps on Android devices. Companies can use Managed Google Play to develop software products to sell to enterprises or for internal distribution.
“With managed Google Play, organizations can build a customized and secure mobile application storefront for their teams, featuring public and private applications,” said Burr. “Organizations’ employees can take advantage of the familiarity of a mobile app store to browse and download company-approved apps.”
Managed Google Play now touts three certifications indicating that the “data and private applications that enter Google’s systems are administered according to strict protocols, including determinations for who can view them and under what conditions.”
The ISO 27001 certification, granted by the International Organization for Standardization, demonstrates that a company meets “stringent privacy and security standards when operating an Information Security Management System.” Additionally, ISO 27001 certification is in line with GDPR compliance.
SOC 2, developed by the American Institute of Certified Public Accountants, indicates compliance with an auditing procedure that ensures service providers securely manage data to protect the interests of organizations and the privacy of clients.
And SOC 3, also developed by the American Institute of Certified Public Accountants, focuses on controls relevant to data security, availability, processing integrity, confidentiality and privacy.
For the ISO 27001 certification, auditors from Ernst and Young performed a thorough audit of managed Google Play based on established privacy principles, while the SOC 2 and SOC 3 designations and auditing procedures were developed by the American Institute of Certified Public Accountants.
For reference, Apple's app store has received ISO 27001 and ISO 27018 certifications and undergoes yearly re-audits in order to receive these certifications.
Google Play Security Issues
Google has been trying to ramp up its offensive against malicious apps and other security concerns which have continued to plague the official app store for Android devices over the years.
In February, Andrew Ahn, product manager at Google Play, said that the number of app submissions that were rejected on the app marketplace increased by more than 55 percent in 2018. The number of app suspensions on Google Play also rose by 66 percent in 2018, he said.
“[The percentage of] real malware on Google Play is pretty small. In fact, the whole [potentially harmful apps] category, at the end of last year, was down to 0.042 percent, which is actually pretty darn good,” said Burr in a recent Threatpost webinar about mobile enterprise security.
“One of the best ways is to use a strong Play store strategy,” he said. “I think my colleagues will agree that installing your apps through managed Google Play and not sideloading and not using third-party app stores is the actual best way to do it. When you use managed Google Play, you get all kinds of benefits. You can’t have apps that get on that device outside of management. There’s no option for a user to sideload an app in any way, shape or form.”
The Google Play consumer store, meanwhile, has faced a slew of malicious apps cropping up on its platform over the past year.
Just this past January, Google Play removed two malicious apps that were infecting devices with a notorious banking malware bent on scooping up victims’ credentials. Also, last month an Android spyware dubbed MobSTSPY emerged to ride trojanized apps into victims’ phones, mainly via Google Play.
Also, early last year, Google removed 22 malicious adware apps ranging from flashlights and call recorders to WiFi signal boosters, which together were downloaded at least 7.5 million times from the Google Play marketplace.