17 January 2017

Silence speaks louder than words when finding malware

Posted by Megan Ruthven, Software Engineer

In Android Security, we're constantly working to better understand how to make Android devices operate more smoothly and securely. One security solution included on all devices with Google Play is Verify apps. Verify apps checks if there are Potentially Harmful Apps (PHAs) on your device. If a PHA is found, Verify apps warns the user and enables them to uninstall the app.

But, sometimes devices stop checking up with Verify apps. This may happen for a non-security related reason, like buying a new phone, or, it could mean something more concerning is going on. When a device stops checking up with Verify apps, it is considered Dead or Insecure (DOI). An app with a high enough percentage of DOI devices downloading it, is considered a DOI app. We use the DOI metric, along with the other security systems to help determine if an app is a PHA to protect Android users. Additionally, when we discover vulnerabilities, we patch Android devices with our security update system.

This blog post explores the Android Security team's research to identify the security-related reasons that devices stop working and prevent it from happening in the future.
Flagging DOI Apps

To understand this problem more deeply, the Android Security team correlates app install attempts and DOI devices to find apps that harm the device in order to protect our users.
With these factors in mind, we then focus on 'retention'. A device is considered retained if it continues to perform periodic Verify apps security check ups after an app download. If it doesn't, it's considered potentially dead or insecure (DOI). An app's retention rate is the percentage of all retained devices that downloaded the app in one day. Because retention is a strong indicator of device health, we work to maximize the ecosystem's retention rate.

Therefore, we use an app DOI scorer, which assumes that all apps should have a similar device retention rate. If an app's retention rate is a couple of standard deviations lower than average, the DOI scorer flags it. A common way to calculate the number of standard deviations from the average is called a Z-score. The equation for the Z-score is below.

  • N = Number of devices that downloaded the app.
  • x = Number of retained devices that downloaded the app.
  • p = Probability of a device downloading any app will be retained.

In this context, we call the Z-score of an app's retention rate a DOI score. The DOI score indicates an app has a statistically significant lower retention rate if the Z-score is much less than -3.7. This means that if the null hypothesis is true, there is much less than a 0.01% chance the magnitude of the Z-score being as high. In this case, the null hypothesis means the app accidentally correlated with lower retention rate independent of what the app does.
This allows for percolation of extreme apps (with low retention rate and high number of downloads) to the top of the DOI list. From there, we combine the DOI score with other information to determine whether to classify the app as a PHA. We then use Verify apps to remove existing installs of the app and prevent future installs of the app.

Difference between a regular and DOI app download on the same device.


Results in the wild
Among others, the DOI score flagged many apps in three well known malware families— Hummingbad, Ghost Push, and Gooligan. Although they behave differently, the DOI scorer flagged over 25,000 apps in these three families of malware because they can degrade the Android experience to such an extent that a non-negligible amount of users factory reset or abandon their devices. This approach provides us with another perspective to discover PHAs and block them before they gain popularity. Without the DOI scorer, many of these apps would have escaped the extra scrutiny of a manual review.
The DOI scorer and all of Android's anti-malware work is one of multiple layers protecting users and developers on Android. For an overview of Android's security and transparency efforts, check out our page.


16 January 2017

Meet the 20 finalists of the Google Play Indie Games Contest

Posted by Matteo Vallone, Google Play Games Business Development

Back in November, we launched the Google Play Indie Games Contest for developers from 15 European countries, to celebrate the passion and innovation of the indie community in the region. The contest will reward the winners with exposure to industry experts and players worldwide, as well as other prizes that will showcase their art and help them grow their business on Android and Google Play.

Thank you to the nearly 1000 of you who submitted high quality games in all types of genres! Your creativity, enthusiasm and dedication have once again impressed us and inspired us. We had a very fun time testing and judging the games based on fun, innovation, design excellence and technical and production quality, and it was challenging to select only 20 finalists:

Meet the 20 finalists
(In alphabetical order)

Blind Drive
(coming soon)

Lo-Fi People
Israel
Causality
(coming soon)

Loju
United Kingdom

Crap! I'm Broke: Out of Pocket
Arcane Circus Netherlands

Egz

Lonely Woof
France

Ellipsis

Salmi GmbH Germany

Gladiabots


GFX47
France

Happy Hop: Kawaii Jump

Platonic Games
Spain
Hidden Folks (coming soon)

Adriaan de Jongh Netherlands
Lichtspeer
(coming soon)

Lichthund
Poland
Lost in Harmony
Digixart

Entertainment France
Mr Future Ninja (coming soon)

Huijaus Studios
Finland
Paper Wings


Fil Games
Turkey
PinOut


Mediocre
Sweden
Power Hover


Oddrok
Finland
Reigns

Nerial
United Kingdom
Rusty Lake: Roots


Rusty Lake Netherlands
Samorost 3


Amanita Design Czech Republic
The Battle of Polytopia

Midjiwan AB Sweden
twofold inc.


Grapefrukt games Sweden
Unworded (coming soon)

Bento Studio France

Check out the prizes

All the 20 finalists are getting:
  • The opportunity to exhibit and showcase their game at the final event held at the Saatchi Gallery in London, on 16th February 2017.
  • Promotion of their game on a London billboard for one month.
  • Two tickets to attend a 2017 Playtime event. This is an invitation-only event for top apps and games developers on Google Play.
  • One Pixel XL smartphone.
At the event at Saatchi, the finalists will also have a chance to make it to the next rounds and win additional prizes, including:
  • YouTube influencer campaigns worth up to 100,000 EUR.
  • Premium placements on Google Play.
  • Tickets to Google I/O 2017 and other top industry events.
  • Promotions on our channels.
  • Special prizes for the best Unity game.
  • And more!

Come support them at the final event

At the final event attendees will have a say on which 10 of these finalists will get to pitch their games to the jury, who will decide on the final contest winners who will receive the top prizes.

Register now to join us in London, meet the developers, check out their great games, vote for your favourites, and have fun with various industry experts and indie developers.



A big thank you again to everyone who entered and congratulations to the finalists. We look forward to seeing you at the Saatchi Gallery in London on 16th February.

12 January 2017

Manage paid orders and payments settings from the Google Play Developer Console

Posted by Suzanne van Tienen, Product Manager, Google Play

Today we are simplifying and improving the merchant experience for developers who have paid apps, in-app purchases, or subscriptions based on the feedback we've heard from the community.

First, we're moving order management from the Google Payments Center to the Google Play Developer Console and adding some improved features. Second, payments settings will now be accessible from the Developer Console in addition to continuing to be available on payments.google.com. The new features come with appropriate access control settings so you can be sure users only have access to the tools they need.



The new order management tab in the Google Play Developer Console

You can perform the same tasks in the Developer Console which you previously would have performed in the Google Payments Center. We've also made some improvements:
  • Bulk refunds: You can now select multiple orders for simultaneous refund, instead of issuing them individually.
  • Subscription cancellations: You can now refund and revoke subscriptions directly from the order management tab (without going to a separate UI).
  • Permissions: We've added a new user access permission to the Developer Console called "Manage orders". This permission will allow a user to find orders, issue refunds, and cancel subscriptions. Other features will be read-only for these users and financial reports will be hidden (only users with "View financial reports" can see financial data). Payments settings are restricted to the account owner when accessed from Developer Console.

Order management migration to the Developer Console

Order management is now available in the Developer Console. Starting January 23, order management will cease being available in Payments Center. User permissions are not automatically carried over from the Payments Center so, as the account owner, you will need to add all users who need access to refunds and any other order management features to your Developer Console account with the new 'Manage orders' permission by January 22 for them to have continued access.
Here's how you can add new users to your Developer Console account:
  1. Log on to Google Payments Center and review all existing users.
  2. Sign in to your Developer Console and add one or both of the following permissions for all users that need access to Order Management in the Developer Console.
    1. View financial reports: Gives the right to access and view financial reports.
    2. Manage orders: Gives the right to view and refund orders but not to view aggregate financial statistics or download sales & payout reports.
  3. Let your users know about the new location for order management.

How useful did you find this blogpost?

21 December 2016

Introducing the ExifInterface Support Library

Posted by Ian Lake, Developer Advocate

With the release of the 25.1.0 Support Library, there's a new entry in the family: the ExifInterface Support Library. With significant improvements introduced in Android 7.1 to the framework's ExifInterface, it only made sense to make those available to all API 9+ devices via the Support Library's ExifInterface.

The basics are still the same: the ability to read and write Exif tags embedded within image files: now with 140 different attributes (almost 100 of them new to Android 7.1/this Support Library!) including information about the camera itself, the camera settings, orientation, and GPS coordinates.

Camera Apps: Writing Exif Attributes

For Camera apps, the writing is probably the most important - writing attributes is still limited to JPEG image files. Now, normally you wouldn't need to use this during the actual camera capturing itself - you'd instead be calling the Camera2 API CaptureRequest.Builder.set() with JPEG_ORIENTATION, JPEG_GPS_LOCATION or the equivalents in the Camera1 Camera.Parameters. However, using ExifInterface allows you to make changes to the file after the fact (say, removing the location information on the user's request).

Reading Exif Attributes

For the rest of us though, reading those attributes is going to be our bread-and-butter; this is where we see the biggest improvements.

Firstly, you can read Exif data from JPEG and raw images (specifically, DNG, CR2, NEF, NRW, ARW, RW2, ORF, PEF, SRW and RAF files). Under the hood, this was a major restructuring, removing all native dependencies and building an extensive test suite to ensure that everything actually works.

For apps that receive images from other apps with a content:// URI (such as those sent by apps that target API 24 or higher), ExifInterface now works directly off of an InputStream; this allows you to easily extract Exif information directly out of content:// URIs you receive without having to create a temporary file.

Uri uri; // the URI you've received from the other app
InputStream in;
try {
  in = getContentResolver().openInputStream(uri);
  ExifInterface exifInterface = new ExifInterface(in);
  // Now you can extract any Exif tag you want
  // Assuming the image is a JPEG or supported raw format
} catch (IOException e) {
  // Handle any errors
} finally {
  if (in != null) {
    try {
      in.close();
    } catch (IOException ignored) {}
  }
}

Note: ExifInterface will not work with remote InputStreams, such as those returned from a HttpURLConnection. It is strongly recommended to only use them with content:// or file:// URIs.

For most attributes, you'd simply use the getAttributeInt(), getAttributeDouble(), or getAttribute() (for Strings) methods as appropriate.

One of the most important attributes when it comes to displaying images is the image orientation, stored in the aptly-named TAG_ORIENTATION, which returns one of the ORIENTATION_ constants. To convert this to a rotation angle, you can post-process the value.

int rotation = 0;
int orientation = exifInterface.getAttributeInt(
    ExifInterface.TAG_ORIENTATION,
    ExifInterface.ORIENTATION_NORMAL);
switch (orientation) {
  case ExifInterface.ORIENTATION_ROTATE_90:
    rotation = 90;
    break;
  case ExifInterface.ORIENTATION_ROTATE_180:
    rotation = 180;
    break;
  case ExifInterface.ORIENTATION_ROTATE_270:
    rotation = 270;
    break;
}

There are some helper methods to extract values from specific Exif tags. For location data, the getLatLong() method gives you the latitude and longitude as floats and getAltitude() will give you the altitude in meters. Some images also embed a small thumbnail. You can check for its existence with hasThumbnail() and then extract the byte[] representation of the thumbnail with getThumbnail() - perfect to pass to BitmapFactory.decodeByteArray().

Working with Exif: Everything is optional

One thing that is important to understand with Exif data is that there are no required tags: each and every tag is optional - some services even specifically strip Exif data. Therefore throughout your code, you should always handle cases where there is no Exif data, either due to no data for a specific attribute or an image format that doesn't support Exif data at all (say, the ubiquitous PNGs or WebP images).

Add the ExifInterface Support Library to your project with the following dependency:

compile "com.android.support:exifinterface:25.1.0"

But when an Exif attribute is exactly what you need to prevent a mis-rotated image in your app, the ExifInterface Support Library is just what you need to #BuildBetterApps

20 December 2016

Get the guide to finding success in new markets on Google Play

Posted by Lily Sheringham, Developer Marketing at Google Play


With just a few clicks, you can publish an app to Google Play and access a global audience of more than 1 billion 30 days active users. Finding success in global markets means considering how each market differs, planning for high quality localization, and tailoring your activity to the local audience. The new Going Global Playbook provides best practices and tips, with advice from developers who've successfully gone global.

This guide includes advice to help you plan your approach to going global, prepare your app for new markets, take your app to market, and also include data and insights for key countries and other useful resources.

This ebook joins others that we've recently published including The Building for Billions Playbook and The News Publisher Playbook. All of our ebooks are promoted in the Playbook for Developers app, which is where you can stay up to date with all the news and best practices you need to find success on Google Play.

How useful did you find this blogpost?


                                           

Start building Actions on Google

Posted by Jason Douglas, PM Director for Actions on Google

The Google Assistant brings together all of the technology and smarts we've been building for years, from the Knowledge Graph to Natural Language Processing. To be a truly successful Assistant, it should be able to connect users across the apps and services in their lives. This makes enabling an ecosystem where developers can bring diverse and unique services to users through the Google Assistant really important.

In October, we previewed Actions on Google, the developer platform for the Google Assistant. Actions on Google further enhances the Assistant user experience by enabling you to bring your services to the Assistant. Starting today, you can build Conversation Actions for Google Home and request to become an early access partner for upcoming platform features.

Conversation Actions for Google Home

Conversation Actions let you engage your users to deliver information, services, and assistance. And the best part? It really is a conversation -- users won't need to enable a skill or install an app, they can just ask to talk to your action. For now, we've provided two developer samples of what's possible, just say "Ok Google, talk to Number Genie " or try "Ok Google, talk to Eliza' for the classic 1960s AI exercise.

You can get started today by visiting the Actions on Google website for developers. To help create a smooth, straightforward development experience, we worked with a number of development partners, including conversational interaction development tools API.AI and Gupshup, analytics tools DashBot and VoiceLabs and consulting companies such as Assist, Notify.IO, Witlingo and Spoken Layer. We also created a collection of samples and voice user interface (VUI) resources or you can check out the integrations from our early access partners as they roll out over the coming weeks.

Introduction to Conversation Actions by Wayne Piekarski

Coming soon: Actions for Pixel and Allo + Support for Purchases and Bookings

Today is just the start, and we're excited to see what you build for the Google Assistant. We'll continue to add more platform capabilities over time, including the ability to make your integrations available across the various Assistant surfaces like Pixel phones and Google Allo. We'll also enable support for purchases and bookings as well as deeper Assistant integrations across verticals. Developers who are interested in creating actions using these upcoming features should register for our early access partner program and help shape the future of the platform.

Build, explore and let us know what you think about Actions on Google! And to say in the loop, be sure to sign up for our newsletter, join our Google+ community, and use the “actions-on-google” tag on StackOverflow.

19 December 2016

Best practices to improve app engagement

Posted by Niko Schröer, Business Development, Google Play

Driving installs is important to growing a user base, but it's not much use if your app sits on users' devices and is rarely opened. In a competitive app landscape, it's increasingly important to engage and retain users over the long term to build a successful business. Users who are using your app more will have a higher lifetime value and be more likely to share your app. Watch my Playtime session below to hear about the tools and features other developers are using to increase app engagement. You can also read the summary of my main tips below.


1. Build a high quality app to engage Android users
Building a high quality app is the foundation of a great user experience on Android. The better your app's user experience is, the more engaged your users will be. Optimizing for material design, for example, can significantly improve user engagement as well as building for Android Wear, Auto or TV where it makes sense based on your value proposition.

To achieve high quality, we recommend you to check out the latest Android features, tips, and best practices in our Playbook for Developers.

The developer of the golf app, Hole19, tailored their app's user experience thoughtfully for Android Wear and, as a result, saw a 40% increase in user engagement compared to non-Wear users. Watch a video about Hole19's success.

2. Make your users feel at home
Personalising your app experience to make users feel at home is a good way to start a long lasting relationship. Onboarding new users is a crucial step in this process. Onboarding should be fast and seamless and ask for minimal user input - after all users want to start using your app as quickly as possible. Furthermore, the onboarding should be a core part of the overall product experience. Use images and wording that's true to your brand and only ask for user input when it's actually needed, to reduce friction and avoid losing users.

Freeletics, a fitness app, created an engaging user onboarding flow in which they tailored imagery and text to male and female users respectively. They also moved the registration process to a later stage in the funnel to reduce friction. The improved onboarding flow increased user activity by 58% within the first 7 days. They also implemented Google Smart Lock to seamlessly sign-in returning users.

3. Optimize feature releases as a way to increase user engagement
Introducing new features is essential to staying ahead of competition and relevant to your users to ensure they keep coming back to your app. To make new feature launches successful drivers for user engagement, follow these simple steps:
  • Define a clear objective for each release to measure your impact, e.g. increase number of users who edit a photo by at least 10%.
  • Use beta testing to gather user feedback and iterate a feature before it's rolled out to all of your users.
  • Enable the pre-launch report in the Play developer console to spot potential flaws and ensure technical stability in your alpha and beta apps.
  • Guide users to each new feature as if it is a light onboarding experience. Visually highlight what's new and provide a short explanation why users should care.
  • Measure performance with analytics to see if the new feature drives engagement (that you've defined as your objective).
4. Use notifications wisely
Push notifications are a popular engagement tool and rightfully so. However, there is a fine line between driving engagement and annoying users (who might then uninstall your app). Follow these guidelines to ensure your notifications are on the right side of the line:
  • Be relevant and only send messages that matter to the user in context. Be creative and true to your brand, speak your users language and use an authentic tone.
  • Make notifications actionable for your users and don't forget to deep link to content where applicable to save your users time.
  • Remember that not all your users are equal so personalize your message to different user cohorts with Firebase Notifications.
  • Consider timeliness of your messages to get users the right notification at the right time and with the right frequency. For example, it might be better to send a notification about something interesting to read at a time when the user normally gets out their phone – like during their commute – instead of the middle of the day, when they might be busy and dismiss a new notification.
  • Finally, give users control over what notifications they receive so that they can opt-in and opt-out of the notifications they like and don't like respectively. If users get annoyed about certain types of notifications and don't have a way to disable them, they might uninstall your app.
The Norwegian news app Aftenposten implemented a new onboarding flow that clarified which notifications were available, allowing readers to manage their preferences. This reduced uninstalls by 9.2.% over 60 days and led to a 28% decrease in the number of users muting notifications completely. Read more about Aftenposten's success.

5. Reward your most engaged users
Last but not least, you should find ways to reward your most loyal users to retain them over time and to make it desirable to less engaged users to engage more. These rewards can come in many shapes and forms. Start by keeping it simple and make sure the reward adds real value to the user and fits in your app's ecosystem. You can do this by:
  • Giving sneak peeks of new features by inviting them to a beta group.
  • Decorating user accounts with badges based on their behaviour.
  • Offer app exclusive discounts or promo codes that can only be redeemed in your app.
Generally, the more you can personalize the reward the better it will work.

Find success with ongoing experimentation
A great Android app gives developers a unique opportunity to create a lasting relationship with users and build a sustainable business with happy customers. Therefore optimising apps to engage and retain your users by following these 5 tips should be front and centre of your development goals and company strategy. Find more tips and best practices by watching the sessions at this year's Playtime events.
How useful did you find this blogpost?