Google Play puts Android apps on notice: No naughty JavaScript, Python, Lua

And come April next year, accurate disclosures of personal data usage will be required


Google's pending Play Store policy changes are bringing various privacy improvements – but also include a security enhancement and disclosure requirement that deserve mention.

First, there's a specific ban on the deceptive use of interpreted languages like JavaScript, Python, and Lua. This is more of a refinement and tightening of prior policy than a new rule.

Starting October 15, 2021, Google said, "We're clarifying the Device and Network Abuse policy to prohibit apps or SDKs with interpreted languages (e.g., JavaScript) loaded at run time from violating any Google Play policies."

Previously, the web titan's Device and Network Abuse policy gave it broad latitude to take action against apps that "interfere with, disrupt, damage, or access in an unauthorized manner the user’s device, other devices or computers, servers, networks, application programming interfaces (APIs), or services."

Google's policies also forbade Google Play apps from modifying or updating themselves outside of Google Play's update system and from introducing or exploiting security vulnerabilities.

Fetching executable code from sources other than Google Play is also disallowed, except for code running in a virtual machine that has limited access to Android APIs, like JavaScript running in a WebView or browser.

While Google's policy language generally provides a rationale for dealing with most sorts of app misbehavior, the addition of a specific prohibition on interpreted languages like JavaScript, Python, and Lua suggests a need to address persistent abuse.

Google declined to explain why it is implementing the policy enhancement, but research findings published by Snyk last year offer a possible rationale. The security firm reported that the Mintegral advertising SDK – integrated by Android and iOS app developers into their apps to serve ads – misused various native platform APIs as well as JavaScript code on iOS to conceal the capacity for malicious behavior.

"We discovered the MTGBaseBridgeWebView class, used everywhere in the [iOS] SDK to communicate with JavaScript, acts as a backdoor, allowing for the invocation of arbitrary functions from the native application code," Snyk said in an October 2020 post. That was a follow-up to its initial findings in August 2020, which Mintegral denied.

According to Snyk, Mintegral removed the MTGBaseBridgeWebView code following the publication of the security firm's findings and the China-based ad-tech biz has since posted about its support for Apple's SKAdNetwork attribution API – suggesting it may have remedied the alleged rules violations.

We asked Apple and Google whether Mintegral's SDK currently complies with their respective store policies, but we've not heard back.

The point, however, is that JavaScript has been employed in the past to flout app store rules. The possibilities of this approach were demonstrated at the Black Hat security conference in 2012, when Trustwave SpiderLabs researchers Nicholas Percoco and Sean Schulte described how they used a WebView-based JavaScript bridge to reach native Android APIs. This allowed them to switch on malicious functionality only after the app had already been scanned by Google Play's "Bouncer" malware scanner.

Starting in mid-October, there will be a specific prohibition against the misuse of interpreted languages. And maybe it will help, if Google makes the effort to enforce its rules.

The other noteworthy policy change is that personal data usage in Google Play apps must be disclosed and must be accurate. Google's current User Data policy implies but does not explicitly demand accuracy – a requirement spelled out in separate Misrepresentation and Deceptive Behavior sections.

"We’re adding a new Data privacy and security section to the User Data policy where developers must provide accurate information related to personal or sensitive user data their apps collect, use, or share," Google said.

This is to be accompanied by a privacy policy in the app and in the Google Play Console.

The accurate disclosure requirement takes effect on April 1, 2022, which in the US, the UK, and various other countries, is known as April Fool's Day. ®
