Does anyone remember what hosting a dinner with friends was like before mobile apps? Multiple, crisscrossing phone calls. Asking strangers for directions because we could not find the venue. Splitting the bill by hand. Getting into debt because someone did not have enough cash. Apps have solved all of these problems and, at the same time, they have become ever more present in our lives, storing and accessing very sensitive data. That is why the goal of Google MASA (Mobile Application Security Assessment), an initiative of the App Defense Alliance, is to protect apps, people, and businesses from malicious attacks.
The App Defense Alliance (ADA), a project driven by Google, is tasked with ensuring the security of the Play Store app ecosystem and, therefore, with protecting the users of those apps, whether they are individuals or businesses.
So that we can meet up with friends via WhatsApp or Telegram, get to the restaurant thanks to Google Maps, settle the accounts with a calculator, pay off debts through Bizum, and then upload a photo of the whole group to Instagram, all without fearing that the security of the apps on our phones will be compromised and, with it, our personal information.
1. Periodically evaluate mobile applications
How will the goal of Google MASA of protecting apps, people, and businesses be achieved? Through a periodic independent evaluation system, in which Google, authorized laboratories that provide cybersecurity services and app developers collaborate.
1.1. Contracting cybersecurity services
Any company wishing to join this project must submit its app for evaluation by one of the laboratories authorized by Google. The lab's analysts review the public version of the app, as published in the Play Store, to verify whether it complies with the basic security requirements.
1.2. OWASP: Standardizing the assessments
To do this, analysts use the OWASP Mobile Application Security methodology, a standard in the cybersecurity world built on two key documents:
- Mobile Application Security Verification Standard (MASVS). This document defines the security controls a mobile application must implement in order to be considered secure, grouped into verification levels. Google MASA requires apps to meet most of the requirements of security level 1, the baseline level.
- Mobile Security Testing Guide (MSTG), since renamed the Mobile Application Security Testing Guide (MASTG). This guide contains the test cases analysts follow to check each of the requirements in MASVS, so that assessments are standardized regardless of the sector of the company that commissions them or where in the world they are performed.
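To make the MASVS/MSTG pairing concrete, here is an added example (not code from the article, from OWASP, or from any MASA laboratory) of the kind of static check an analyst performs against a decoded AndroidManifest.xml, such as the one `apktool d app.apk` produces. It maps each finding to a MASVS 1.x level-1 control: a release build that is not debuggable (MSTG-CODE-2), app data kept out of OS backups (MSTG-STORAGE-8), no cleartext HTTP (MSTG-NETWORK-1), and exported components protected by a permission (MSTG-PLATFORM-4). The two manifests at the bottom are constructed for the example; the package name `com.example.wallet` and the component names are invented.

```python
"""Static manifest checks mirroring a few MASVS 1.x level-1 controls.

Added illustration of the kind of test MSTG describes; not the procedure
of any MASA laboratory. Sample manifests below are constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def _is_launcher(comp) -> bool:
    """The MAIN/LAUNCHER activity has to be exported, so it is not flagged."""
    for flt in comp.findall("intent-filter"):
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def audit_manifest(manifest_xml: str) -> list[str]:
    """Return one finding per violated control; an empty list means clean."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    findings = []

    if _attr(app, "debuggable") == "true":
        findings.append('MSTG-CODE-2: android:debuggable="true" (not a release build)')
    # allowBackup defaults to true on Android, so an absent attribute is also a finding.
    if _attr(app, "allowBackup", "true") == "true":
        findings.append("MSTG-STORAGE-8: app data is included in OS backups (allowBackup not false)")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append('MSTG-NETWORK-1: android:usesCleartextTraffic="true" permits plain HTTP')

    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = _attr(comp, "exported")
        # A component with an <intent-filter> is exported unless exported="false" is set.
        implicitly_exported = exported is None and comp.find("intent-filter") is not None
        if exported == "true" or implicitly_exported:
            if _attr(comp, "permission") is None and not _is_launcher(comp):
                findings.append(
                    f"MSTG-PLATFORM-4: exported {comp.tag} {_attr(comp, 'name', '?')} "
                    "has no android:permission"
                )
    return findings


# Constructed sample: a debug build that backs up its data, allows cleartext
# traffic and exposes a service and an SMS receiver to any app on the device.
WEAK_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.wallet">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TransferService" android:exported="true"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: the same app after remediation.
HARDENED_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.wallet">
  <application android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TransferService" android:exported="false"/>
    <receiver android:name=".SmsReceiver" android:exported="true"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"[{label}] {len(audit_manifest(manifest))} finding(s)")
        for finding in audit_manifest(manifest):
            print("  -", finding)
```

A manifest check of this kind is only the first, cheapest step of an MSTG test case; the guide also calls for dynamic testing (for instance, observing the app's network traffic to confirm that TLS is used consistently), which a static check cannot replace.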
1.3. Remediating findings and earning the Google MASA badge
If the assessment finds that some security requirements are not met, the lab proposes to the developers the measures needed to remedy the weaknesses found.
Once all the problems are solved, the laboratory sends Google a report validating compliance with the requirements.
Finally, a badge appears in the security section of the app's Play Store listing, visible to all users, certifying that the app has undergone the evaluation and meets the basic security requirements.
This process must be repeated once a year, to encourage developers to make an ongoing effort to protect their apps as new threats emerge.
2. Awareness: The dangers are out there… and they are growing
First of all, Google MASA represents a collective awareness of how important mobile applications are in our daily lives and how vital it is to ensure their security.
Social engineering attacks, malware, ransomware… The bad guys can deploy a myriad of attack types and breach the apps and devices we use.
The effects of these attacks can be devastating, both for the companies that have developed the apps and for the people and businesses that use them.
Scams, theft of money from bank accounts, hijacking of information, disclosure of confidential data… All these actions have repercussions both economically and socially, undermining the credibility of companies and the trust of users.
One only has to look at the news to see that attacks against or through apps are a daily occurrence. Banking Trojans such as Brata, which hid inside a supposed security app, or Xenomorph are proof of this.
Through Google MASA, the multinational company is asking developers and users to be aware of the dangers and to act accordingly. The former by evaluating apps and fortifying them, the latter by only using apps that offer security guarantees.
3. Are the apps we download safe?
Google MASA also seeks to help people and businesses decide whether or not to download an app from the Play Store.
No one wants to install a potentially dangerous mobile application on their device or one that has vulnerabilities that can be exploited by attackers.
However, sometimes we download such apps anyway. Sometimes because of a lack of security awareness; as the Spanish saying goes, "we only remember Santa Barbara when it thunders". At other times it is simply that we have no way of knowing whether an app is safe or whether we should be wary of it.
Google MASA will help us in both aspects, thanks to the badge that will appear in the security section of the apps that join the project.
If the mobile application has the badge, we can be sure that:
- The app carrying the badge is the one its developer publishes in the Play Store, and that developer's identity has been verified. This protects us against malware such as TeaBot, which uses fake applications that look like real ones to install Trojans that attack genuine apps on our phone, in that case banking apps.
- The app has been evaluated by qualified professionals, following the OWASP methodology.
- The app meets the basic security requirements of the assessment (MASVS level 1). This is a baseline, not proof that the app is free of vulnerabilities: the badge certifies a review carried out on a given date, which is why it has to be renewed every year.
4. Protection to build trust and prevent crises
Developers, for their part, have a lot to gain by joining Google MASA and thus placing security at the heart of their business strategy. Both in terms of reputation and in purely business-related aspects.
Thus, the move to the cloud, which many companies around the world have undertaken, must go hand in hand with a coherent security strategy that guarantees the protection of critical business assets, and mobile apps are among those assets.
This issue is seen in the financial sector, where we use apps to manage something as important as our money or the financial services we sign up for. But apps are extremely important in many other sectors. For the media, problems with their mobile apps are a major inconvenience. The same goes for streaming content services such as Netflix or Spotify. Or with the healthcare companies that manage our health data.
It is not enough for apps to work efficiently; their security must also be sound, both for the information they store and for the permissions we grant them. If one application is breached, the attack can extend to other apps on the same device through those permissions.
That is why the goal of Google MASA is ensuring the protection of the entire ecosystem of apps that make up the Play Store.
4.1. Economic and reputational consequences
If an app is successfully attacked, the company that developed it faces several consequences. On the one hand, legal consequences, including heavy penalties, if the appropriate measures were not taken to protect the data of citizens and companies. On the other hand, reputational consequences: user confidence drops sharply once an app has proven to be insecure, which translates into lower turnover for the company.
Finally, there are direct economic consequences. If the security breach affects the service, business continuity is jeopardized and losses are immediate. Imagine that the Amazon or Aliexpress app suffers a successful attack and users cannot use it: every second of downtime would translate into millions of euros lost.
5. Continuous innovation and permanent fortification
The goal of Google MASA is to help developers avoid these crises. To this end, it offers a very simple recipe:
- Collaboration between companies and cybersecurity analysts.
- Implementation of industry best practices.
- Continuous evaluation.
The expected result is a permanent fortification of the app ecosystem. And, therefore, of the devices used by individuals and companies.
5.1. Collaboration between developers and analysts
The very launch of the App Defense Alliance demonstrates the importance Google attaches to collaboration in the field of cybersecurity. In such a complex field, where malicious actors are constantly innovating, collaboration is essential.
Google MASA is therefore committed to encouraging the participation of both app developers and leading cybersecurity companies. It is not enough for developers to audit their own applications; the assessment must be carried out by Google-authorized laboratories, companies with a long track record in auditing and hardening mobile apps and extensive experience with the OWASP methodology. Why?
Cybersecurity service companies are key to detecting vulnerabilities and helping developers prepare for new attacks. This is why the assessment of security requirements is accompanied by measures to be implemented to remedy shortcomings. This knowledge transfer contributes to fortifying the app ecosystem.
In turn, cybersecurity professionals increase their knowledge and expertise and remain constantly at the forefront of attacks and threats affecting mobile apps.
5.2. Regularly updated best practices
The goal of Google MASA is to extend industry best practices to the development and protection of mobile applications. This is why it has opted for the OWASP methodology as a tool for establishing the security requirements for apps and the tests that must be carried out to verify compliance.
The OWASP Foundation is a global benchmark for collecting, systematizing, and sharing best practices in cybersecurity; its guides and documents are used all over the world. Working with MASVS and MSTG therefore gives the app ecosystem a solid, shared baseline. In addition, OWASP updates these documents regularly, so they adapt to threats that have emerged since the previous version was published.
Thus, continuous protection is achieved not only by a periodic evaluation of the apps but also by a constant updating of the methodological tools used by the analysts.
5.3. Permanent protection tasks
The goal of Google MASA is to create a dynamic that guarantees permanent protection of the apps available in the Play Store. This is why they must be evaluated once a year.
We live in such a fast-moving world that the emergence of a new type of attack, an innovative social engineering technique, or a disruptive Trojan can undermine what was once completely secure.
Even if a company has gone to great lengths to develop a secure mobile app, employing highly skilled professionals and standardized tools and resources, the security guarantee is not eternal. The effort to protect an app does not end with its development, but must be constant. Google MASA reminds developers of this issue, encouraging them to look for, detect and fix security problems on an ongoing basis.
If the bad guys are highly innovative, the actors involved in fortifying the mobile applications that are part of our daily routine must also be innovative. Therefore, going back to the beginning of this section, collaboration among all of them is indispensable. Unity is strength and facilitates the possibility of learning, evolving, anticipating, and adapting to change.
6. Google MASA’s goal: a better-protected app ecosystem for a safer world
Security has been a human need since the dawn of time. Our ancestors took refuge in caves, such as those at Altamira, not only for shelter from inclement weather but also for defensive security. For the same reason, the cities of the past hid behind walls. Today, with the physical world merging with the digital, cybersecurity has become an issue that we cannot and should not avoid. Businesses and individuals have a lot at stake.
Because of this, Google MASA is a pioneering initiative that seeks, through collaboration and awareness, to achieve a more secure mobile app ecosystem. Just as we are concerned about losing our cell phone or having it stolen, we should also be concerned about it being attacked without ever leaving our pockets.
Given the growing relevance of mobile applications in many facets of our lives, whether at a personal, work, or business level, their security must be a priority.
As multiple malware families have demonstrated in recent years, the economic, personal, and reputational consequences of installing fake and harmful apps, or of having poorly protected applications, are devastating. No company that has developed a mobile application can afford to carry unaddressed vulnerabilities or to be unprepared for emerging threats.
In short, a better-protected app ecosystem made up of mobile applications regularly evaluated by professionals of proven value and at the forefront in the fight against cyber threats, is a guarantee of security for all the people and companies that use these apps daily. Otherwise, we will be exposed to malicious attacks against our privacy, our money, and our most sensitive data.
More articles in this series about Google MASA
This article is part of a series of articles about Google MASA
- Google MASA: Assessing the security of apps available in the Play Store
- Google MASA: What are the security requirements for apps?
- Protecting apps, people, and businesses, the goal of Google MASA