Google’s Verify Apps API

Google Verify apps

Google recently announced the availability of a new security API for Android. The new ‘SafetyNet Verify Apps API will enable developers to query whether an Android device is protected by Google Verify Apps’ anti-virus software. The API will also make it possible to identify any potentially harmful apps installed on the device.  

Google Verify Apps

Google’s Verify Apps is a service which Google introduced in 2012. It is part of its suite of security tools labeled ‘Google Play Protect’.  The service checks (at least every 6 days according to Google) whether an Android device has any known malware installed. If it finds anything it prompts the user to uninstall the offending software. Verify Apps comes by default with any Android phone running Google Play. Which means the vast majority of phones in developed markets. Basically, every Android device comes with built-in anti-virus software turned on by default.

So what’s new

What’s new with this week’s announcement is that virus scan results can now be checked not just by the user but by any app running on the user’s device. An app can now use the Verify Apps API to determine if a device is protected by Google’s anti-virus software and check if any malware is present. What’s more, it Verify Apps is turned off the user can be prompted to turn it back on again.

What Google Verify App API  means for Enterprise

As Google explains, this is a feature which is particularly useful for enterprise apps i.e. those handling sensitive company data. Such apps can be programmed to deny access to important information if they discover that a device is not running Google Verify Apps or that known malware is present. Banking Apps and other’s handling sensitive user data might also want to check if a device has a malware infection before allows high value transactions.

Known Unknowns

This is undoubtedly a further significant step in Google’s ongoing efforts to enhance the security of the Android platform. The ability to query security indicators is critical if enterprises are to ‘trust’ Android devices and enable them to be used for mission-critical functions. Using the Google Verify Apps API to check that a device is free of known malware is undoubtedly helpful. However, the greater security to enterprises threat continues to come from malware which has not yet been identified by Google’s algorithms. By combining results from the Verify Apps API with other critical security health signals such as networking traffic metadata enterprises will be able to more rapidly detect new exploits. As the saying goes ‘trust but verify’ when it comes to mobile malware.