Google I/O was big on privacy. So what do app developers need to know?

Privacy has become the new battleground for the world’s tech giants. Google I/O proved it, with the announcement of a bunch of new tools and services. Here’s a summary…

When Google first declared its aim to ‘organise the world’s information‘ it must have seemed so straightforward. It was the early days of the internet, and there were a bunch of search engines trying to direct people to web sites that could best answer their questions. None of these search engines was very good. Google did a much better job – and that propelled the company towards a $1.3 trillion valuation.

More recently, Google’s mission has become a lot more complicated. Why? Because information is no longer just ‘what’s the capital of Nigeria?’ and ‘how can I make a delicious cupcake?’ it’s also people’s logins, bank details, social security numbers and passwords.

And Google has a powerful new competitor that wants to ‘organise’ this very sensitive information.

Yes of course. Fraudsters.

Which explains why Google is now working so hard on its activities around security, consent and privacy. The recent Google I/O annual developer conference made this very clear. Privacy was a central focus.

“Our commitment to keeping you safe online starts with building products that are secure by default, private by design and put you in control,” said Jen Fitzpatrick, Google’s senior vice president for core systems and experiences. “And by combating the spread of online abuse, we provide you with reliable access to trustworthy information.”

In fact, one of the biggest moves in the privacy drive came just a few days before the event. This was when the company announced that it was supporting the use of passkeys to access Google accounts.

Passkeys offer a new way to sign in to apps and websites. They’re easier to use than passwords – and also more secure than passwords. Why? Because passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN.

Hence there’s nothing to remember. And passkeys are also resistant to phishing; there’s nothing to steal.

To help support developers incorporate passkeys, Google launched a Credential Manager Jetpack API. It brings together multiple sign-in methods, such as passkeys, passwords and federated sign in, into a unified interface for users and a single API for developers.

Google also used the I/O event to re-cap its privacy moves in the app space. It spoke again about its new Data Safety section, which it unveiled in April. This is an area of an app where developers are required to give user more information about how the product collects, shares and secures users’ data. More specifically:

• Whether the developer is collecting data and for what purpose.
• Whether the developer is sharing data with third parties.
• The app’s security practices, like encryption of data in transit and whether users can ask for data to be deleted.
• Whether a qualifying app has committed to following Google Play’s Families Policy to better protect children in the Play store.
• Whether the developer has validated their security practices against a global security standard (more specifically, the Mobile Application Security Verification Standard – MASVS).

Developers have until July 20th to complete this section.

Of course, it’s not enough to merely show users what is being collected. They must also be given the ability to take control of their data.

Which is why Google simplified its permissions features. Now users can more easily decide whether they want to grant an app permission to, say, access location. They can choose one time use, only while using the app, or all the time.

In a similar vein is the new data deletion policy. This provides the option to delete data from within the app and online. They can choose whether to delete their account entirely or pick selected content for the trash can (such as activity history, images, or videos).

Google says it knows that developers will need time to implement these new features. But the policy should be universal by next year when Android users will begin to see data deletion status appear in an app’s Google Play store listing.

The other main privacy features introduced at I/O were:

• Google Play Protect

This is a platform-wide Google tool that scans billions of apps every day looking for malware and unwanted software. Google says it has strengthened service, which prevented 1.4 million policy-violating apps from entering Google Play last year.

• Play Integrity API

This API is designed to let an app’s backend server check that user actions and requests are coming from their unmodified app binary, that they are installed by Google Play, and are running on a genuine Android device. This should make it easier to detect abuse, unauthorized access and attacks.

• One click Automatic Integrity Protection

Automatic integrity protection was introduced a few years ago to defend against the tampering and redistribution of an app. Now Google has made it a one-click action with no need to integrate an API in a backend server.

And finally, away from apps, Google has also introduced new protections with end user browsing in mind. These include About This Image, which helps people verify the source of pics they see on news, social or fact checking sites. And there’s also an update of the Safe Browsing AI in Chrome and Android. Google says this will speed up its ability to identify compromised sites, and block 25 percent more phishing attempts every month.