Starting in November, Google will prevent Android VPN apps hosted on its Play Store marketplace from blocking or interfering with ads. Although the new policy aims to counter data-harvesting VPN services and ad manipulation fraud, it could also impact legitimate privacy protection apps.
The new policy, announced in late July, takes effect Nov. 1 and applies to Android VPN service providers that use the VPNService base class.
“Only apps that use the VPNService and have VPN as their core functionality can create a secure device-level tunnel to a remote server,” reads Google’s announcement. However, there are also exceptions for apps that use remote servers “for core functionality,” such as parental control apps, anti-virus solutions, firewalls, web browsers, remote access tools, carrier apps, and app usage trackers.
This merely means that the mentioned apps can also create secure device-level tunnels to a remote server, but they’re not required to function as VPNs.
The update seems directed against VPN providers that surreptitiously collect personal, sensitive data from end-users without seeking their consent or disclosing the activity beforehand.
The policy also targets VPNs that impact app monetization by manipulating ads and those that redirect or manipulate traffic for monetization purposes (e.g., redirecting ad traffic through a different country than the user).
Google’s changes should boost user privacy by curbing intrusive Android apps that pose as legitimate VPNs to track and collect user data. However, several developers worry that the updated policy may inflict collateral damage on other privacy apps on the tech giant’s Play Store.
Aside from restricting VPN apps from manipulating ads or harvesting user data, the changes also affect apps that use the VPNService to apply local traffic filters on devices.
In the updated policy, Google lists a series of requirements for apps that use the VPNService base class, including:
- Documenting usage of the VPNService base class in the Google Play listing
- Encrypting data from the device to the VPN tunnel exit node (the VPN server)
- Abiding “by all Developer Program Policies including the Ad Fraud, Permissions, and Malware policies”