To entice software developers to take cybersecurity seriously, Google is starting to highlight which Android VPN apps have gone through an independent security audit.
On the Google Play Store, the company has started to place a new “Independent security review” badge on VPN apps that have already undergone the audit. The certification can be found in the "Data safety" section of apps that qualify.
Receiving a badge means the app has been tested against a baseline of security criteria that Google helped develop with other cybersecurity partners. “This signals to users that an independent third party has validated that the developers designed their apps to meet these industry mobile security and privacy minimum best practices and the developers are going the extra mile to identify and mitigate vulnerabilities,” the company said in a blog post.
The bar doesn’t seem that high. The security rubric encompasses several levels for each category, but to receive the badge, an app only needs to pass “Level 1” of the requirements, which include ensuring the app encrypts data when it’s transmitted over the internet and requesting the minimum set of software permissions necessary to operate.
“While certification to baseline security standards does not imply that a product is free of vulnerabilities, the badge associated with these validated apps helps users see at-a-glance that a developer has prioritized security and privacy practices and committed to user safety,” Google said in justifying the approach. To keep receiving the badge each year, app developers will also need to undergo another annual independent audit.
For now, Google is only placing the badge on VPN apps “due to the sensitive and significant amount of user data these apps handle.” If you search for a VPN app on the Play Store, a banner will appear, notifying users about the new “Independent security review” badge and its importance.
VPN apps such as NordVPN, ExpressVPN, and Google One have already undergone the independent audits to receive the badge. The company hasn’t said when it’ll begin rolling out the badge for apps in other categories. But its arrival may spark questions about whether Google will make the audits a requirement for certain Android software makers, or if Google Play rankings will favor apps that receive the badge. For now, the company’s FAQ on the badge says: “At this time, we don't have plans to make certification mandatory for app developers.”
The FAQ adds that developers can expect to pay between $3,000 and $6,000 to the certified testing labs when requesting an audit.