Google Pressured 90,000 Android Developers Over Insecure Apps (pcworld.com)
An anonymous reader quotes PCWorld:
Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store. In many cases this was done under the threat of blocking future updates to the insecure apps...
In the early days of the App Security Improvement program, developers only received notifications, but were under no pressure to do anything. That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them... Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes. These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.
100,000 applications had been patched by April of 2016, but that number tripled over the next nine months, with 90,000 developers fixing flaws in over 275,000 apps.
All the apps require all the rights. If I do not give them the permissions they won't run. So I have no choice, I have no security then and I cannot store any valuable data on the phone.
Why are the apps lying that they need global file access only to store their own data? I have found in some Android SDK doc that they can store their own data even without global file access.
Other apps could provide functionality without that specific feature but they refuse to run at all unless they get all the permissions they ask for.
Even opening local files could be done safely by an Android-provided dialog box, without giving uncontrolled permissions to the whole disk.