Google Backs New Security Standard For Smartphone VPN Apps

The Internet of Secure Things Alliance, an IoT security certification body (a.k.a. ioXt), has launched a new security certification for mobile apps and VPNs.

The new ioXt compliance program includes a 'mobile application profile' – a set of security-related criteria against which apps can be certified. The profile or mobile app assessment includes additional requirements for virtual private network (VPN) applications. 

Google and Amazon had a hand in shaping the criteria, along with number of certified labs such as NCC Group and Dekra, and mobile app security testing vendors such as NowSecure. Google's VPN within the Google One service is one of the first to be certified against the criteria.

SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)

Mobile app makers can get their apps certified against a set of security and privacy requirements. 

The ioXt Alliance has a broad cross-section of members from the tech industry, with its board comprising execs from Amazon, Comcast, Facebook, Google, Legrand, Resideo, Schneider Electric, T-Mobile, the Zigbee Alliance, and the Z-Wave Alliance.

About 20 industry figures helped write the requirements for the mobile app profile, including Amit Agrawal, a principal security architect at Amazon, and Brooke Davis from the Strategic Partnerships team at Google Play. Both are vice-chairs of the mobile app profile group.

The mobile app profile certification includes checks for insecure interfaces, automatic updates, secure password management, security by default, as well as an assessment of whether the software has been verified. It also considers vulnerability reporting programs and end-of-life policies. 

According to Davis, since the ioXt Alliance already does security checks for IoT devices, it was decided to expand coverage to apps that managed these devices.   

"We've seen early interest from Internet of Things and virtual private network developers, however the standard is appropriate for any cloud-connected service such as social, messaging, fitness, or productivity apps," said Davis. 

SEE: Google: Here's how we're toughening up Android security

Consumer VPNs that have been certified include Google One (which has a built-in VPN services), ExpressVPN, NordVPN, McAfee Innovations, OpenVPN for Android, Private Internet Access VPN, and VPN Private.

The accreditation for VPN apps could be handy for Android owners, given that every now and then Google needs to pull malicious VPNs from the Google Play Store.