Google Says “No” To Independent Security Audits on Android
…because you can just trust Google, right?
Recently, another seemingly harmless app (and a completely open source one, so anyone could inspect the code) was taken down from the Google Play Store. The app in question was a security audit app called VTS (made by the company NowSecure), which simply scans your Android device for known vulnerabilities such as Stagefright. Here’s an example of what VTS does:
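As an added example (this is not VTS’s or NowSecure’s code), here is the shape one such check can take when run from the outside: parse the output of `adb shell getprop` and flag a device whose security patch level predates the fix. The `getprop` output below is constructed, the property `ro.build.version.security_patch` is assumed to exist on the device (older builds lack it, which the code reports as UNKNOWN), and the threshold date is taken from the August 2015 Android security bulletin that shipped the Stagefright fixes. A real test app like VTS probes the bug itself rather than trusting the vendor’s patch string; this is only the cheap first pass.

```python
"""Patch-level scan in the rough shape of an Android vulnerability test app.

Added illustration, not code from VTS or NowSecure. It parses `adb shell getprop`
output (constructed samples are embedded so it runs offline) and reports, per
check, whether the device's security patch level is old enough that the fix is
known to be absent.

Assumptions (also stated in the lead-in):
  * ro.build.version.security_patch holds an ISO date (YYYY-MM-DD); when it is
    missing or malformed the result is UNKNOWN rather than a guess.
  * The "fixed from" date for Stagefright is the August 2015 bulletin (2015-08-01).
"""
import re
from datetime import date

# Constructed samples of `adb shell getprop` output; none came from a real device.
SAMPLE_VULNERABLE = """\
[ro.build.fingerprint]: [google/hammerhead/hammerhead:5.1.1/LMY48B/1863243:user/release-keys]
[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
[ro.build.version.security_patch]: [2015-07-01]
"""
SAMPLE_PATCHED = """\
[ro.build.version.release]: [5.1.1]
[ro.build.version.security_patch]: [2015-09-01]
"""
SAMPLE_NO_PATCH_PROP = """\
[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [19]
"""

STAGEFRIGHT = "Stagefright (libstagefright media parsing)"

# Each check maps a name to the first security patch level that carries the fix.
# Only one check is listed; a fuller scanner would add one entry per bulletin item.
CHECKS = {
    STAGEFRIGHT: date(2015, 8, 1),
}

# getprop prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn getprop output into a dict; lines that do not match the format are skipped."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_level(props):
    """Return the device's security patch level as a date, or None if absent or malformed."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def scan(props, checks=CHECKS):
    """Compare the patch level against every check.

    Returns {check name: "VULNERABLE" | "PATCHED" | "UNKNOWN"}. A patch level is
    only the vendor's claim that fixes up to that date are present; a real test
    app would go on to exercise the bug rather than stop here.
    """
    level = patch_level(props)
    results = {}
    for name, fixed_from in checks.items():
        if level is None:
            results[name] = "UNKNOWN"
        elif level < fixed_from:
            results[name] = "VULNERABLE"
        else:
            results[name] = "PATCHED"
    return results


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE),
                          ("patched", SAMPLE_PATCHED),
                          ("no patch property", SAMPLE_NO_PATCH_PROP)):
        for name, status in scan(parse_getprop(sample)).items():
            print(f"{label:18} {status:10} {name}")
```

To run it against a real handset, replace the constructed sample with the output of `adb shell getprop`; the UNKNOWN result for builds that lack the property is deliberate, since an absent patch string is not evidence either way.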
It’s a simple app, and again totally open source, that isn’t especially popular, but I can see it being handy. Think of it as “Tron” to Google’s “MCP” (with Android being the MCP). But much like Tron got in the way of the evil MCP’s plans, the VTS app seems to have scanned a little too deeply for Google’s liking. Here’s the response from Google about why the app was taken down:
So VTS “crossed a security boundary to perform a security test”. Oh, we wouldn’t want a completely open source app snooping around in areas where Alphabet/Google doesn’t want it snooping! Who knows what it might find? Perhaps some malicious content from Google themselves or even the NSA inside Android (yes, I’m speculating)?
And that’s the first little problem with this whole situation. I think there is an implicit understanding, or even a warning if you want to use that word, that comes with open source software, and it goes a little something like this: if you use open source software, all the warning you need about what it does is in the fact that you can read the entirety of the code and know exactly what it does. There’s no need for a company like Google to babysit such apps; “the geeks” will do it themselves. Or, if Google had the time to work out so specifically what the VTS app was doing, couldn’t they also see that it wasn’t able (or at least was unlikely) to do any harm to a consumer, and so could be left in the Play Store? The point being that open source software, when properly checked, lets anyone verify what its purpose is, malicious or otherwise. One caveat a careful reviewer adds: reading the source only tells you about the binary you installed if you can confirm that binary was built from that source, which is what reproducible builds are for.
SIDE NOTE: Please don’t fall for what I call the “open source fallacy”: the idea that because something is open source it is inherently secure. Consider OpenSSL, which has had serious flaws (Heartbleed being the best known) sit in publicly readable code for years. But the fact that we know about those flaws comes from the source being open. So the point is, don’t automatically assume something is secure; just rest easy that, if it is open source, it is at least possible to find out.
This whole thing is fishy to me. And not on NowSecure’s part, either.
But it brings back up an old gripe of mine and shines a light on one of the reasons I created the Dark Android Project: we need independent app repositories and stores that are wholly separate from the Play Store (such as F-Droid) to be developed and, where they already exist, to be used. As long as one company has complete control over which apps you can install on your device, your options for security and privacy (and privacy is a basic human liberty) are seriously limited. Really, your ability to do anything you’d like on your Android device becomes questionable when apps can be removed on a whim (a common problem with Android games that people spend hard-earned cash on).
And NowSecure’s VTS app isn’t the first security-purposed app Google has taken down from the Play Store, either. Security apps from Disconnect.me (a company that is a serious thorn in Google’s side, since it anonymizes Google searches) have also been taken down, and can now only be had by downloading them directly from Disconnect.me’s website. And what was Google’s claim against Disconnect.me? It was very similar to the response given to NowSecure: Disconnect.me’s security apps went further than Google liked (READ: they interfered with Google’s business model). That simple.
Yes, it’s true that, fortunately, you can still install independently downloaded apps and app stores onto an Android device, and that’s great. But the precedent in these stories is clear: Google is continually tightening its grip on what’s allowed, and I wouldn’t be shocked if one day that grip tightens so much that Google decides you can no longer install independent software at all.
Hopefully the continued development of, and growing support for, Android-based alternatives like CyanogenMod will make these anti-open-platform actions by Google a moot point in the future. As the CEO of Cyanogen, Inc., Kirt McMaster, said: “We’re going to take Android away from Google”. For the sake of security, privacy, anonymity, and just plain old-fashioned user control of a device that you already paid money for, I hope that day comes soon.