Developer account security on Google Play hasn’t had the best track record: basic sign-up never required any form of contact detail verification. Some groups exploited this oversight to create accounts in bulk, then sold them to people who uploaded malware, scam apps, and the like. Google recently updated developer account creation to require contact info verification for new accounts, but it’s more of a decent start than a complete answer to the ongoing problems. “It is a move in the right direction for Google as it starts to protect its source of revenue,” said Katherine Brown, the founder of Spyic, in an email interview with Lifewire. “It will also protect users from sketchy or malicious apps featuring in the marketplace as they will be removed.”
A Good First Step
By requiring new Google Play developer accounts to verify their contact information, Google is making it more difficult (though not impossible) to create multiple accounts at once. Offering verification to existing accounts also helps protect legitimate developers from hijacking attempts and from fake accounts that co-opt their identity. Two-step verification is planned for August 2021 and will be required for all new developer accounts once it takes effect; that added hurdle will make it harder still (though not impossible) for bad actors to abuse Google Play account creation. “The solution implemented by Google is promising, and it is a good start to deal with cyber hacks,” said Harriet Chan, co-founder of CocoFinder, in an email interview. “It would be better if they embed this technique as quickly as possible.” Google plans to make contact detail verification and two-step verification mandatory, even for established developer accounts, later this year. This will likely deter many from creating batches of fake developer accounts, but burner accounts are only one of Google Play’s many problems.
Everything Else
A mountain of one-off burner accounts and fake developer accounts has certainly contributed to Google Play’s security issues. Many such accounts have been used to upload scam apps and to trick users into downloading malicious apps they thought were legitimate. Contact info verification does nothing about app cloning, however, and while two-step verification raises the bar for developer account hijacking, it doesn’t eliminate it: a one-time code can still be phished, and a compromised developer machine or a stolen session can sidestep it. “This news raises quite a few questions about what Google’s intentions are and what these changes mean for both developers and users,” Brown went on to say. “Topics like fake apps with fake reviews (often bought by spammers) will still exist. Google has been promising to tighten things up for some time, but this latest change has only set a date for when the update will happen.” While Google’s new developer account security measures will certainly help, there’s more the company can, and should, do about the rest of Google Play’s known issues. Brown suggests giving developers a way to tell Google they’re verified when reporting malware and spam apps, and having Google step in directly in “extreme” circumstances. That would make it easier for Google to learn of and deal with malicious apps, while giving vetted developers a more reliable channel for reporting questionable apps and accounts. Chan wants account hacking and service interruptions addressed more directly, suggesting even stronger multi-factor authentication requirements such as codes and facial recognition. She also recommended token-based authorization and certificate-based identification as a means of giving developer accounts stronger user verification. These measures would make it far harder to take control of an established developer’s account, and so harder to upload malicious software in that developer’s name. In the end, both Brown and Chan agree that Google has made a promising start, and hope the developer account security improvements won’t end here.