Google has announced a handful of Android-related security features today as the company looks to plug any critical gaps in its operating system, which is used by billions of smartphone users around the world. More specifically, the internet giant is looking to better safeguard the Google Accounts most “at risk” from malicious apps — those owned by activists, CEOs, journalists, politicians, and more.

Back in 2017, Google announced a security-focused program called Advanced Protection, designed to protect Google Accounts that may be more vulnerable to tactics such as phishing scams. That program launched in general availability last year. The program is built around three key security components — it provides phishing protection by requiring a physical security key to access a Google account via two-factor authentication (2FA); it limits third-party apps’ ability to access Google apps; and it requires extra verification steps to reduce the chances of someone gaining access to an account through impersonation. Since launch, Advanced Protection has expanded to cover Apple’s native iOS apps, as well as the Chrome browser.

Moving forward, Google Accounts enrolled in the Advanced Protection program will now have two additional features enabled to defend against malware. One of these relates to Google Play Protect, a machine learning-powered security service that scans apps installed through Google Play for malicious behavior. Launched back in 2017, Google Play Protect is on by default on all Android devices that ship with Google Mobile Services (GMS), which basically means most Android devices outside of China (though one notable exception is new Huawei devices, which are no longer allowed to use Google’s apps or services after a U.S. ban was imposed last year.)

While Google Play Protect is already on by default for most Android devices, it can be deactivated manually through settings, which some users may do if they want more control over which apps they can install without Google intervening.

VB Transform 2020 Online - July 15-17. Join leading AI executives: Register for the free livestream.

Above: Google Play Protect can currently be deactivated by most users.

Now, however, those who have signed up to the Advanced Protection Program will have to use Google Play Protect — if the feature is currently switched off, it will be switched on automatically, and they won’t be able to turn it back off again.

“We’re now automatically turning it on for all devices with a Google Account enrolled in Advanced Protection and will require that it remain enabled,” said Roman Kirillov, engineering manager of Android security and privacy, in a blog post.

Restrictions

Google will also restrict apps that can be installed from outside the Play Store. While Google can exert control over which apps can be added to its app store and monitor them, it has little say over apps that are installed by other means — such as side-loading or through third-party app stores. That’s why it’s now preventing users with a Google Account enrolled in the Advanced Protection program from installing apps through any avenues other than Google Play.

There are exceptions to this rule. For example, some Android phones ship with alternative app stores preinstalled, as per their licensing arrangements, and those devices will be unaffected. Moreover, apps installed via Android Debug Bridge will be fine, while apps that have already been installed on the device will remain and receive updates.

It’s worth noting that G Suite users who are enrolled in the Advanced Protection Program won’t receive these new features for now. But there are other ways companies can enable similar functionality in their workforce — for example by stipulating through their endpoint management console that employees can’t deactivate Google Play Protect, or by installing apps from outside Google’s Play Store.

For everyone else signed up to Advanced Protection, these changes will start rolling out from today.