Data Safety first. Will developers help Google with this?

Google has recently launched a new privacy section called Data Safety, and it now appears that another security section – App Permissions – is hidden from users. It seems that moving forward, Google will rely solely on developers and their responsible actions in relation to the Data Safety section.

In light of the new rule, Kaspersky experts explore possible risks for users and how the situation will change in the future:

1. The permission model in Android has become more complicated over time. Sensitive permissions are now dynamic, and requested while the application is running. In addition, most permission values no longer include just “allowed/not allowed” options but additional ones, depending on the permission itself. For example, “allow only while using the app”, “ask every time”, “not allowed”. This makes the process of managing apps’ permissions and accessing personal data more accurate and reduces the risk of leaking any sensitive information.
2. In general, the Google initiative helps users check what will happen to their personal information and brings more clarity to the understanding of all stages of data processing. Users also have the ability to abandon the app in favor of an alternative, if they believe that the disclosure of data is unreasonable.
3. Data Safety and App Permission sections relate to Google Store information that the user should receive before installing an app. Nevertheless, if some points in this section cause concern, users still have the option to manage permissions on their devices in the Settings app under Apps. Moreover, apps have no access to any APIs or personal data before being installed on the device, so confidential information will be protected and kept private, ensuring there is no recourse for users.
4. As for further improvements to personal data protection, the next steps could include not just controlling app access to sensitive information (such as received, used and “forgotten” data) but understanding its future fate (such as saving, storing, transferring to third parties etc.). In particular, key aspects could relate to:
1. What data an app collects (and not just one-time access, but future storage. It must have a purpose)
2. Where does app transfer such information - to whom, why and under what conditions?
3. Handling - an explanation to the user, what access to data is necessary for the app to operate (without which it cannot work), and what is optional
4. Additional information - such as whether there is the ability to revoke or delete information, or the app and whether data is encrypted during transmission, etc.
5. Another practice that can lead to enhanced user data protection is providing more checks (e.g., a compliance audit) to ensure a high level of defense and a clear way of processing sensitive information. We see that Google is making steps in this direction by connecting to MASVS.

Additional tips and lifehacks from Kaspersky on how to strengthen privacy controls:

• A good option is to choose and install a reliable security solution which provides users with features that let them optimize storage space on their devices. It is also a good option for users to view the list of apps installed on their devices, see which ones they don't use, uninstall them, and free up storage space on their devices.
• It’s better to avoid installing browser extensions unless you really need them. Carefully check the permissions before you allow them. The full list of permissions is available in the “Settings” page → “Apps” → “About this app” section → “Permissions”.
• A safe practice is also to update an operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.