
Android VPNs to get audit badges in Google Play Store if they aren’t comically crap • The Register


Google wants to help Android users find more trustworthy VPN apps through better badging alerting to independent audits.

The ad impresario and cloud concession has afforded independently audited applications in its Play store a more prominent display of their security bona fides, specifically a banner atop their Google Play page.

VPN apps are the first to receive this special treatment, explained Nataliya Stanetsky, from Google’s Android Security and Privacy Team, in an announcement, because they handle significant amounts of sensitive data. And they’re thus a popular target for subversion by miscreants.

“When a user searches for VPN apps, they will now see a banner at the top of Google Play that educates them about the ‘Independent security review’ badge in the Data Safety Section,” said Stanetsky.

Last year, Google’s partnership with the App Defense Alliance (ADA), launched in 2019, was expanded to include the Mobile App Security Assessment (MASA), a way to check Android apps to ensure they comply with a security standard defined by OWASP.

It’s not a particularly thorough audit. As the ADA’s website states, “MASA is intended to provide more transparency into the app’s security architecture, however the limited nature of testing does not guarantee complete safety of the application.”

The ADA also advises that MASA does not necessarily check app developers’ safety declarations. Obviously the alliance doesn’t want to be blamed if it misses something and an info-stealing app slips by, but the group’s MASA endorsement counts for something.

MASA looks for obvious bad practices, like whether sensitive data gets written to application log files and whether the app reuses cryptographic keys for multiple purposes, among its many checks. It’s safe to say you’re better off with apps that avoid such missteps, even if it’s not safe to say they’re guaranteed to be secure.
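To make the two checks named above concrete, here is an added example of the kind of lightweight static review an app team can run over its own Java/Kotlin sources before submitting for a MASA assessment. It is constructed for this page and is not Google's or the App Defense Alliance's tooling; the `SAMPLE_JAVA` snippet, the identifier list in `SENSITIVE_NAME` and the regex heuristics are all assumptions of the example. It flags (a) log statements that mention a sensitive-looking identifier and (b) a key variable that is handed to more than one primitive kind, such as the same key used for an AES cipher and an HMAC.

```python
"""Toy MASA-style source checks (constructed example, not ADA or Google tooling)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Identifiers that deserve a look when they appear inside a log statement (assumed list).
SENSITIVE_NAME = re.compile(
    r"password|passwd|secret|token|api[_-]?key|private[_-]?key|session", re.I
)
# Android/Java logging sinks.
LOG_SINK = re.compile(r"\bLog\.[vdiwe]\s*\(|\bSystem\.out\.print")
# `Cipher c = Cipher.getInstance(...)`-style declarations: receiver variable -> primitive kind.
PRIMITIVE_DECL = re.compile(r"\b(\w+)\s*=\s*(Cipher|Mac|Signature)\.getInstance\(")
# `receiver.init(args)`; the key is the last argument for Cipher and the only one for Mac.
INIT_CALL = re.compile(r"\b(\w+)\.init\s*\(([^)]*)\)")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    detail: str


def check_sensitive_logging(source: str) -> list[Finding]:
    """Flag log statements whose text references a sensitive-looking identifier."""
    out = []
    for n, line in enumerate(source.splitlines(), 1):
        if LOG_SINK.search(line) and SENSITIVE_NAME.search(line):
            out.append(Finding("sensitive-data-in-log", n, line.strip()))
    return out


def check_key_reuse(source: str) -> list[Finding]:
    """Flag a key variable fed to more than one primitive kind (e.g. AES cipher and HMAC)."""
    kind_of: dict[str, str] = {}            # receiver variable -> Cipher / Mac / Signature
    uses: dict[str, set] = defaultdict(set)  # key variable -> {(kind, line_no)}
    for n, line in enumerate(source.splitlines(), 1):
        for var, kind in PRIMITIVE_DECL.findall(line):
            kind_of[var] = kind
        for recv, args in INIT_CALL.findall(line):
            if recv not in kind_of:
                continue
            key = args.split(",")[-1].strip()
            if re.fullmatch(r"\w+", key):
                uses[key].add((kind_of[recv], n))
    out = []
    for key, entries in uses.items():
        kinds = {k for k, _ in entries}
        if len(kinds) > 1:
            first = min(n for _, n in entries)
            out.append(Finding("key-reused-across-primitives", first, f"{key}: {sorted(kinds)}"))
    return out


def audit(source: str) -> list[Finding]:
    """Run both checks and return findings ordered by source line."""
    return sorted(check_sensitive_logging(source) + check_key_reuse(source),
                  key=lambda f: f.line_no)


# Constructed Java fragment: one key reused for AES-GCM and HMAC, one log line leaking a token.
SAMPLE_JAVA = """\
SecretKey masterKey = (SecretKey) keyStore.getKey("master", null);
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, masterKey);
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(masterKey);
Log.d(TAG, "session token=" + sessionToken);
Log.d(TAG, "request finished");
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_JAVA):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The regexes are deliberately simple and will miss keys that travel through helper methods or are derived in another file; the point is to catch the obvious missteps MASA is described as looking for, so that a reviewer's time goes to what a line-based scan cannot see.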

At least if MASA misses, the Android ecosystem has other security measures in place. As Google proudly proclaims, it tries to protect against PHAs and MUwS – potentially harmful applications and mobile unwanted software, in case your gibberish translator is down. It does so through static and dynamic risk…
