Why does Google think my app is harmful?
By Alec Guertin, droidcon New York City 2019

In this talk, we will cover how Google defines harmful behavior in Android applications and how developers can avoid common pitfalls that result in their apps being flagged as MUwS (Mobile Unwanted Software) or PHA (Potentially Harmful Apps) by Google Play Protect.

Transcript (en-us)

[00:00] [Music]

[00:12] I'm here from Google today, and we are the creators of Android, or at least the current owners of it. I know that we try to get along the best we can with all the developers, especially people who are on Google Play, but that doesn't always work out. There are cases where we kind of have little run-ins with developers for various reasons, whether it's vulnerabilities or malware or things like that. So I'm here today to talk about some of those cases and hopefully how they could be avoided.

[00:49] So just to introduce myself: I'm coming here today from Google Play Protect specifically. We are the pre-installed mobile security software on Android devices, the [unclear], so we scan for malicious behavior in applications and alert users when that happens. So users will actually get a pop-up notification that says, hey, we think that this app is malicious or harmful in some way, and hopefully you can avoid your app ever getting flagged or something like that.

[01:24] A little bit of information about me: I'm actually a reverse engineer on this team, so I'm the one actually reading the code. So any time you might have thought it's OK if this goes a little messy because no one's ever gonna read it again, I'm reading it, so I would appreciate it if you, you know, clean up your code, because it makes it easier for me. So my job
specifically is to look for malicious behavior in apps, which we call PHA, potentially harmful applications, and then flag them so that we can alert users in the real world.

[01:59] And the reason I'm here today, like I said, is we had this genius idea that instead of maybe just reacting to malicious software we could actually prevent it. So we're trying to be more pre-emptive, more proactive about talking to developers, you know, because we really want to have a good relationship with you. We know that sometimes maybe our policies aren't always clear-cut, maybe we have differing opinions of what constitutes harmful behavior, and so we just kind of want to get out there ahead of time and hopefully we can build a better relationship. And no, this doesn't mean I'm going to teach you how to write better malware; it just means that I'm gonna show you some cases that could have been avoided.

[02:54] So we have two main categories of apps that we consider harmful. The first one's potentially harmful apps, and these are any apps that have some sort of behavior that could put the user or their data at risk. It could only pose a risk to some users, so it may not be harmful to everybody, and the user might actually still want it. So depending on the case there's like varying levels of severity and different kinds of warnings that we actually show to the user. The other category is mobile unwanted software, and these aren't necessarily malware, or at least not by the standards of maybe most large antivirus companies, but we still may want to warn users about them or get them removed from the Google Play Store, or at least remove that version of it. And we track those statistics separately from PHA; it's generally not considered as severe,
we're still trying to create a cleaner ecosystem for Android.

[04:02] The way we alert users: like I said, there's varying severity for these harmful behaviors, and so sometimes we just warn the users with a pop-up or a warning in the Google Play Store app that says, hey, you know, this app has X behavior that you might not have been aware of, so you may want to think twice about using it or granting it permissions, or you may just want to remove it from your device. We don't specifically remove it from the device, because there are cases where the user may still want it. For example, there might be an app that, you know, is uploading all your data without you knowing, but maybe you've had that for a couple days and, you know, you decide you still want that functionality, so you choose to keep it on your device even if it's uploading all your contacts, and like, I don't care if they know that I'm friends with George, it's OK, I'll just keep using this app. For apps that we block, we actually block the installs or remove it directly from the device, and usually these are the more severe cases, like maybe phishing or ransomware, things where we believe there could be some kind of irreparable harm to the user or the device, or that it causes a risk to other users as well.

[05:28] And you might notice we use the word "potentially" in potentially harmful apps. This doesn't necessarily mean, or it doesn't mean, that it might be harmful; it just means it might not be harmful to all users. So we do know that it has harmful behavior; it's not that we're not sure. It's more that, you know, Android is the most widely used operating system in the world right now and there's a very diverse user base in terms of devices, carriers, things like that. So one app that's
harmful to, you know, users on Samsung phones running on Verizon may not be malicious to people who have, you know, Android TV in India. It just depends. And yes, we don't necessarily always use the word malware. Sometimes antivirus companies get a little bit mad at us about this, but our definitions are a little bit different. We don't want to use the term malware because we don't necessarily believe that all of that behavior is necessarily intended. We aren't judging intent of the author necessarily; we're just trying to warn users about behavior that could be harmful to them.

[06:56] So there's a lot of different subcategories when we break these down. I don't want this to be a vocab lesson, so I'm not going to go into each individual category, but these are all the different categories of PHA that we'll flag for. A lot of these are probably self-explanatory and familiar; I'll explain a couple of them as I go through some examples. And don't worry, there are also definitions on our website at the end of the slides if you're interested in learning more. And there's only a few categories for MUwS. So whereas spyware, for example, is PHA, you'll see data collection as MUwS. It's a good example for differentiating between PHA and MUwS, because spyware is for higher-risk types of personal information, whereas data collection is types of information that we consider a lower risk.

[07:51] So my main purpose here today is I want to talk about why "good" developers get flagged for PHA or MUwS, and I put good in quotes because, like I said, we're not trying to judge intent; we just warn the users about what behavior is there. So, you know, we're not trying to start a personal beef with companies that we've flagged; it's just we want
users to be as safe as possible. So I'm going to go through a bunch of these with examples so that you can see what has happened in the past. So all of these examples are things we've actually run into in the past, so if they seem ridiculous, just know they have happened.

[08:36] So I'm gonna start with disclosure, so times that we've flagged things as spyware. I don't know if you all can read the description here, but it says: "Terms of Service: we just uploaded all your sensitive data to our servers, please click accept to continue using the app." So if you're going to upload people's data, please tell them before you do it. If you're sending it off device, make sure that they know what's happening, make sure they know it's being sent off device, and that you have some kind of protection in place to keep it safe. Notifying them after the fact isn't really disclosure, because they should be able to opt out. They should also know what data you're taking. Just saying "we may upload your data" doesn't tell the user really anything: they don't know what kind of data you might be interested in, they don't know what kind of data may be getting uploaded off device if you don't specify it. Another thing is that we generally require that the user sees an in-app prompt that actually tells them what kind of data is being uploaded. So if you just have a link to an external Terms of Service, we don't really view that as good enough necessarily. The reason for this is, you know, at the time of publishing the app your terms of service might be great and solid, but the user may not click on it, and also you might change your Terms of Service later when we don't know. If it's in the app, it's part of that version, and it's very clear to the user
what data is being uploaded. So this is an example of maybe what a good Terms of Service or disclosure for uploading data might look like. The set of data that you're uploading might be different, you know; there's legitimate use cases for most types of data that you might be uploading. Like, for example, it could be an SMS backup app so that you can restore all your SMS to another device, or there might be a case where you want recordings of yourself singing in the car or the shower uploaded to a server, I don't know. I'm not here to judge why you're uploading it; I just want to know that the users know that you are doing it. But one thing to watch out for: even if you give disclosure, please use encryption. We do warn users, or we do remove apps from the Play Store, if they're not using encryption to upload sensitive data.

[11:10] In terms of disclosure I also want to talk about billing, and I know that at least when I talk to people in the United States, people aren't always familiar with different types of mobile billing because it's not used as commonly here. But there's two main types, and the first one is premium SMS billing. And the general idea is that you can send a text message with a short code and keyword, and that adds a charge on your mobile bill. And once the phone has successfully sent that text message, the app can verify that it was sent successfully, so they know that you've been billed for something, and then they can provide you some content. A lot of times this is used for things like stickers, emojis, ringtones, things like that, where they're like value-added services that are add-ons to an app, but they can also be used for actual payment for the app. Generally
speaking, we don't really allow this in the Play Store because we provide our own in-app billing system, but it can be used for cases that are off the Play Store or that are providing some sort of service that is accessible outside of that as well.

[12:28] The other kind is direct carrier billing, and if you look online this term is kind of not really well defined, and that's because a lot of carriers implement this too. But the main idea is that you visit some carrier website, or a website that's partnered with the carrier, and it informs you that when you click OK you're going to be charged some amount on your mobile bill. And a lot of times this is a recurring fee, depending if it's a subscription for something, but it can also be a one-time fee. And depending on the carrier this might include a CAPTCHA, it might include a password, it can include a million different things, it just depends. But usually there's some kind of physical device verification that makes sure the request is actually coming from your device and not just from some click farm somewhere or a server somewhere. And so the two ways are either they verify your device over the mobile data network, or they send you a one-time password over SMS and you have to enter that back into the website.

[13:35] So with that in mind, we require that you give disclosure before you do the billing. We don't want people just doing billing without the user being totally aware. So the first thing to look for is: does your disclosure actually include how much you're billing the user for? You'd be surprised how many times people don't include this when they tell the users they're gonna charge them. The second thing is, again, give the disclosure before you actually do the billing
process. Sometimes developers either add these terms of service to try and trick us into thinking they are disclosing to the user when in reality they're automating the billing process, or, even if they give disclosure, they're trying to kind of hack the website to automate it once you click OK. So don't try and solve CAPTCHAs, that should be obvious; don't try and automate anything that's put in place as a security protection by the carrier. And the last thing is be specific about how the user is going to be charged and how much they're gonna be charged. So this one may also seem like a ridiculous example, but I have seen things like this before, where it says the cost is somewhere between 99 cents and 30 pounds depending on, you know, what country you're in and what carrier you're on, and that doesn't really tell the user. Ideally they should know exactly how much they're gonna get charged; otherwise it is actually fraud.

[15:12] So here's an example of a disclosure that would be considered complete. It includes exactly how much they're gonna be charged, how frequently, and how to stop a recurring payment. Although we still have run into problems where something like this happened: even though it looked complete, it was actually kind of a lie, because the way to stop the recurring payment wasn't accurate. So just please make sure that you're being accurate in your disclosure.

[15:47] Another complaint that we often get from developers is, well, you know, I didn't write the code, so why am I in trouble for it? So even if you're including third-party code, it's still harmful to users, and so, you know, we're not trying to tell the users that you're a bad developer,
we're trying to tell them there's code on your device that could be harmful to you. So yes, we know it's not ideal for developers if there's someone we have a good relationship with, but we do want to make sure that we're protecting users.

[16:22] And you might have noticed that one of our PHA categories was non-Android threats. You might be wondering what that means. Something that happens not too infrequently is someone will have a virus on their personal computer that packages itself into the APK. The reason we warn on this is because we want to prevent the spread of this virus, so it may not actually affect that individual user, but it could spread to a personal computer. And this is one of those cases that kind of exemplifies why we use the words potentially harmful: it's not going to be harmful to that device, but it will be to other devices, so it's harmful to the ecosystem as a whole.

[17:06] Another complaint we sometimes get is, well, OK, I left the bad SDK in but I don't call it anymore, so why are you still flagging me? And that's because, doing analysis on an app, it's not trivial to show that that code is never going to get executed. And even if it's non-functioning code, you know, having malicious behavior in your app is not good, and there are a million different ways that that code could get called: it could get called through a native bridge, a JavaScript bridge, it could get executed by code that's loaded dynamically. You know, it's not our job to prove which code is gonna get executed; we're just there to warn users that there is malicious behavior in the app. So if you ever find yourself in violation, please just remove all the code you can. Yeah?

[18:11] [Audience question, inaudible]

[18:19] Sorry. Not necessarily, because sometimes what
will happen is, like, you include an SDK, or maybe you even have a separate file in your assets that never gets loaded, but it still exists in the APK. Yes. Yeah, so I mean, and like I said, we're not here to teach you how to evade detection; I'm not gonna tell you what we don't look at. Yeah, we look at all the code that's there. We don't, you know... there's millions upon millions of apps, so we're not looking at every single app line by line, we're just looking at the parts that we know to be malicious, and so if we find that malicious code in the app we're gonna flag it.

[19:05] Another thing that comes across, and this kind of relates to third-party SDKs as well, is alternative monetization methods, and some of these are harmful to user devices. And the two main examples I put up here were cryptocurrency mining and proxy SDKs. So cryptocurrency mining we often see is just something like, for a while we had a lot of apps coming in that had calls to Coinhive, and it was just trying to mine Bitcoin or Monero on the user's device in JavaScript. And also we saw some apps that were running a proxy in the background that allowed servers to proxy their traffic through users' devices as kind of like a security or privacy service. And while these might not immediately seem like malicious behavior, they can slow the device down, they can cause, you know, unexpected data charges to the user, in some cases they can actually cause physical damage if you run too much on the device, and in the case of proxies they can allow illegal behavior to go through the user's network, which is not great. So as a general rule, if a company is offering you a monetization method that seems too good to be true, it probably is, and there's a nonzero chance that it's
eventually gonna get flagged. So just think: if you have to ask yourself "should I be doing this?", maybe don't do it.

[20:46] In terms of misleading content or impersonation, we see a couple different ways that this can happen, and some of these might not seem harmful, and this is one of those cases that falls under the mobile unwanted software, not PHA. But some examples of this might be cloning apps, cloning content, using logos from other companies, implying you have a partnership or you belong to another company. All of these things may be misleading to a user. So in the real world, impersonation might be a little more obvious, but in the digital world you can just copy-paste. So if you look at these two icons, they look pretty much exactly the same, but one of them's real, one of them's a fake version of the same app. And when you open this app you get the actual content of that game, but then it has an added code path in it. So I apologize, this recording was originally done for a Vietnamese audience, but basically it just says, you know, you have to do some verification before you get the content of the app, and OK, now we're gonna require that you download some other apps or rate some other apps or take a survey, and then you'll be provided the content of the app. And in this case this violates a couple different rules: it's just impersonation, they clone content, copyright infringement, intellectual property infringement. There's a lot of different issues with this, but to the user it looks like all this content came from the original developer, so that could damage their reputation, it could damage their revenue stream.

[22:42] And sometimes we get apps trying to post to the Play Store or posting to other stores,
and they're just trying to get installs based on the reputation of another developer, and this is also harmful to the original developers. So, you know, I'm actually not even sure if any of these are the real Snapchat on here. Which one of them is real, if any of them? The one on the right? OK, I guess the one with the biggest APK size is probably the real one.

[23:16] Another thing that often comes up is disruptive ads, and generally speaking this just means ads out of context. So in this video we see that when a user hangs up a call they get an ad, and this isn't a great user experience, and it doesn't tell the user which app the ad is coming from. Another example is, this is just also ads out of context on the home screen. So in all these cases the user should know, you know, who's advertising to them, how do they stop the advertisements, and it shouldn't be outside the context of the app.

[23:52] So just at a higher level, the main things I would hope you leave here with is: you know, don't take user data for granted. The data that you take from users can be sensitive, and hopefully you can respect that, and respect that they should know what data is being taken, and assure them that it's gonna be secured properly. In terms of third-party libraries or code that you add into your app, make sure you know the source, make sure they're accountable somehow, make sure it's someone you can trust, because eventually you're going to be held accountable for that code that you include in your app. We're here to protect the users, so if we see malicious behavior, regardless of where that code comes from, we're gonna warn users about that behavior. And the last thing is, like I mentioned earlier, the Android user base is very wide and very diverse, so think
about what kind of assumptions you're making about your users. You may be developing your app for, you know, users on the west coast of the United States, but you may actually get users halfway across the world that have completely different use cases, different expectations and different resources. Even, you know, using the same amount of data for a user in California and a user in another country who maybe pays per megabyte or per gigabyte or has minutes, it could cause problems. So just plan for a diverse user base; make sure you're thinking, could this be, maybe not even harmful to a user, but could it provide a bad user experience?

[25:50] If you have more questions, we have detailed policies. All the information I described here, and the examples, is listed on our developer website and on the Google Play policies website. If you don't take a picture of this slide or you don't remember these links, you know, you can always just google it. So hopefully I will leave you some time to get out of here for lunch early. Thanks for coming. Come to my talk this afternoon.

[26:20] [Applause]
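The disclosure rule the talk keeps coming back to (an in-app prompt that names the exact data being uploaded and where it goes, shown before anything leaves the device, with the transfer encrypted) can be enforced as a gate in app code rather than left to a Terms of Service link. The Kotlin below is an added example written for this page; it is not code from the talk, from Google Play Protect or from any Google policy document. The `DataCategory` set, the `DisclosureGate` and `ConsentRecord` names, the terms-version check and the HTTPS-only endpoint rule are all assumptions made here to illustrate the talk's points, not a required implementation.

```kotlin
import java.net.URI

// Data categories an app might send off device (constructed example set, not Google's taxonomy).
enum class DataCategory(val userFacingLabel: String) {
    CONTACTS("your contacts (names and phone numbers)"),
    SMS("your SMS messages"),
    LOCATION("your device location"),
    AUDIO_RECORDINGS("audio recordings you make in the app")
}

// What the user agreed to when they tapped Accept on the in-app prompt.
// termsVersion ties the consent to the disclosure text shipped in this app version,
// matching the talk's point that an in-app disclosure is part of that version.
data class ConsentRecord(
    val categories: Set<DataCategory>,
    val destinationHost: String,
    val termsVersion: Int
)

sealed class UploadDecision {
    object Allowed : UploadDecision() {
        override fun toString() = "Allowed"
    }
    data class Denied(val reasons: List<String>) : UploadDecision()
}

object DisclosureGate {
    // Assumed: bumped whenever the in-app disclosure text changes, so stale consent is re-prompted.
    const val CURRENT_TERMS_VERSION = 3

    // Builds the in-app prompt: names every category and the destination host, so the user
    // is told exactly what leaves the device and where it goes, before it happens.
    fun disclosureText(categories: Set<DataCategory>, destinationHost: String): String {
        require(categories.isNotEmpty()) { "a disclosure must name at least one data category" }
        val list = categories.sortedBy { it.ordinal }
            .joinToString("\n") { "  - ${it.userFacingLabel}" }
        return "This app will upload the following data to $destinationHost:\n$list\n" +
            "Tap Accept to allow this, or Decline to keep using the app without uploading."
    }

    // Decides whether an upload of `requested` categories to `endpoint` may proceed.
    // Every failing check is collected, so a denied upload reports all that is still missing:
    // no consent, consent for an older disclosure, an undisclosed category, a different
    // destination than the one disclosed, or a non-HTTPS transport.
    fun evaluate(requested: Set<DataCategory>, endpoint: String, consent: ConsentRecord?): UploadDecision {
        val reasons = mutableListOf<String>()
        val uri = URI(endpoint)
        if (uri.scheme?.equals("https", ignoreCase = true) != true) {
            reasons += "endpoint must use HTTPS, got scheme '${uri.scheme}'"
        }
        if (consent == null) {
            reasons += "no consent recorded: show the disclosure prompt first"
        } else {
            if (consent.termsVersion != CURRENT_TERMS_VERSION) {
                reasons += "consent is for terms v${consent.termsVersion}, current is v$CURRENT_TERMS_VERSION: re-prompt"
            }
            val undisclosed = requested - consent.categories
            if (undisclosed.isNotEmpty()) {
                reasons += "categories never disclosed to the user: ${undisclosed.joinToString()}"
            }
            if (!consent.destinationHost.equals(uri.host, ignoreCase = true)) {
                reasons += "consent was given for ${consent.destinationHost}, not ${uri.host}"
            }
        }
        return if (reasons.isEmpty()) UploadDecision.Allowed else UploadDecision.Denied(reasons)
    }
}

fun main() {
    val wanted = setOf(DataCategory.CONTACTS, DataCategory.SMS)
    val host = "backup.example.com" // constructed placeholder host

    println(DisclosureGate.disclosureText(wanted, host))

    // 1. Nothing accepted yet: the upload is blocked until the prompt has been shown and accepted.
    println(DisclosureGate.evaluate(wanted, "https://$host/v1/backup", null))

    // 2. The user accepted the current disclosure for exactly these categories: allowed.
    val consent = ConsentRecord(wanted, host, DisclosureGate.CURRENT_TERMS_VERSION)
    println(DisclosureGate.evaluate(wanted, "https://$host/v1/backup", consent))

    // 3. Same consent, but the app now also wants location and uses plain HTTP: denied on both counts.
    println(DisclosureGate.evaluate(wanted + DataCategory.LOCATION, "http://$host/v1/backup", consent))
}
```

The point of returning a list of reasons instead of a boolean is that a blocked upload can be logged with everything that still has to be disclosed or fixed, which is also what a reviewer reading the APK would look for: the prompt text and the consent check sit next to the upload call, in the shipped version, rather than behind an external link that can change after publication.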