Google has announced a number of user-facing and under-the-hood changes in an attempt to boost privacy and security, including rolling out two-factor authentication automatically to all eligible users and bringing iOS-styled privacy labels to Android app listings.
“Today we ask people who have enrolled in two-step verification (2SV) to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in,” the company said. “Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured.”
Google Play To Get Apple-Like Privacy Labels
The Google Play Store for Android is also getting a huge overhaul on the privacy front. The search giant said it plans to include a new safety section for app listings that highlights the type of data that is collected and stored — such as approximate or precise location, contacts, personal information, photos and videos, and audio files — and how the data is used, whether it be for providing app functionality, personalization, or advertising.
The transparency measures into how apps use data echo a similar push by Apple, which rolled out privacy labels in the App Store in December 2020 with an aim to condense an app’s data collection practices in an easy-to-understand and user-friendly format.
Interestingly, the enforcement goes beyond the privacy-oriented nutrition information attached to each app entry, for the changes will also require app developers, including Google, to provide information about whether their apps adhere to security practices, like data encryption, comply with Google’s policies around apps and games aimed at children, and explain why a specific piece of data is being collected, or if users have a choice in opting out of data sharing.
Another key difference is that the section will also highlight whether an independent third party has verified the app’s privacy labels and whether users can request that their data be deleted should they decide to uninstall the app.
The third-party verification appears to be a move to counter criticism like that faced by Apple for failing to vet apps that provided “misleading or flat-out inaccurate” labels. The changes are expected to go into effect in the second fiscal quarter of 2022.
Google Debuts Cosign for Verifying Container Images
Earlier this March, Google, the Linux Foundation, and Red Hat released a tool called Sigstore to secure software supply chains by allowing developers to sign their code and users to verify it, with the goal of preventing software supply-chain attacks like dependency confusion.
Now, the company is expanding on that effort with Cosign, a new command-line tool that aims to simplify signing and verifying container images, and as a consequence, prevent users from falling prey to typosquatting attacks or “receive a malicious image if the distroless build process was compromised.”
Google Chrome Gets Hardware-Enforced Exploit Protection
That’s not all. Google on Tuesday revealed that Chrome 90 for Windows, which was released on April 13, 2021, comes equipped with a new Windows 10 security feature called “Hardware-enforced Stack Protection” to safeguard the memory stack from arbitrary code execution attacks.
“Enabling Hardware-enforced Stack Protection will layer with existing and future measures to make exploitation more difficult and so more expensive for an attacker,” Alex Gough of the Chrome Platform Security Team said.