Google Play, Android's official app store, is now tagging VPN apps with an 'independent security reviews' badge if they conducted an independent security audit of their software and platform.

The audit follows MASA (Mobile App Security Assessment), a standard introduced last year as an initiative of the App Defense Alliance (ADA) to define a concrete set of requirements for mobile app security.

The requirements concern data storage and data privacy practices, cryptography, authentication and session management, network communication, platform interaction, and code quality.

Set of requirements for MASA compliance (GitHub)

Starting with VPN apps, which Google considers critical for user privacy and security due to handling sensitive data, the Play Store will display the "Independent security review" badge in the Data Safety Section.

This badge indicates that the apps' compliance with the MASA standard has been independently verified, enhancing transparency and bolstering user trust.

Because VPN services are used to provide anonymity while browsing the web, many providers claim that they do not keep any logs and do not expose the user's actual IP address, whether through bugs or for other reasons.

To prove these claims, some VPN providers undergo third-party audits that examine source code and server configurations and attempt to find bugs that may make users less secure while using the app.

For this new Google Play tag, VPN vendors are also required to undergo the MASA audit by an approved cybersecurity partner.

The VPN vendors that have opted to go through the MASA security audit and currently display the new Google Play badge are NordVPN, Google One, and ExpressVPN.

NordVPN's badge on Google Play
Source: BleepingComputer

Other VPN apps that hold a valid MASA certificate but haven't received a Google Play badge yet are Aloha Browser + Private VPN, Private Internet Access VPN, SkyVPN – Fast Secure VPN, Tomato VPN, and vpnify – Unlimited VPN Proxy.

Additional technical details about the MASA assessment for these apps can be found in this directory, containing the MASA certifications for the mentioned VPN apps.

It is anticipated that a growing number of VPN apps will join this initiative shortly, helping foster greater transparency on Google Play.

Google encourages VPN developers and publishers to participate in this movement by completing this form to submit their applications for an independent security review.

It is expected that the 'Independent security review' program will expand to other app types beyond VPNs, but Google has not provided a timeline for that yet.
