
"Force" upgrades? What do you mean?

Check for vulnerabilities in dependencies and do the same thing they described in this post, just with... meaningful feedback.

I'm more an infra guy, and such scans are actually absolutely awesome. I see everything in my k8s clusters, all java/python dependencies that need attention.

I'm more surprised how anyone can run an app for more than 2 weeks with no high severity vulnerabilities. I guess mobile doesn't have the same attack vectors, but still.
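The scan this commenter describes, matching installed dependency versions against an advisory feed and reporting severity with the fix version, as an added example that is not part of the thread. The advisory feed, package names and advisory ids below are all constructed placeholders (hypothetical, not real CVEs); the version comparison assumes plain dotted numeric versions.

```python
"""Minimal dependency vulnerability scan over a constructed advisory feed (example, not from the thread)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str          # first vulnerable version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None means no fix published
    severity: str            # CRITICAL / HIGH / MEDIUM / LOW
    advisory_id: str         # placeholder id, not a real CVE


# Constructed advisory feed: hypothetical packages and placeholder ids.
ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.5.0", "HIGH", "EX-0001"),
    Advisory("examplelib", "1.4.0", "1.4.3", "MEDIUM", "EX-0002"),
    Advisory("otherlib", "2.0.0", None, "CRITICAL", "EX-0003"),
    Advisory("safelib", "1.0.0", "1.0.4", "HIGH", "EX-0004"),
]

# Constructed lockfile contents: package -> installed version.
SAMPLE_DEPS = {"examplelib": "1.4.2", "otherlib": "3.0.0", "safelib": "0.9.1"}

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(text: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple; trailing suffixes are ignored."""
    parts = []
    for piece in text.strip().split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break  # stop at the first non-digit, e.g. '2rc1' -> 2
            num += ch
        parts.append(int(num) if num else 0)
    while len(parts) < 3:
        parts.append(0)  # '2.0' compares as 2.0.0
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def scan(deps: dict, advisories=ADVISORIES) -> list:
    """Return findings sorted by severity, each carrying the version that fixes it."""
    findings = []
    for adv in advisories:
        installed = deps.get(adv.package)
        if installed is not None and is_affected(installed, adv):
            findings.append({
                "package": adv.package,
                "installed": installed,
                "advisory": adv.advisory_id,
                "severity": adv.severity,
                "fixed_in": adv.fixed,   # None -> no upgrade available yet, needs mitigation
            })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["package"], f["advisory"]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity for a one-line status report."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def has_blocking_findings(findings: list, threshold: str = "HIGH") -> bool:
    """Gate a release on findings at or above the threshold severity."""
    return any(SEVERITY_RANK[f["severity"]] <= SEVERITY_RANK[threshold] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_DEPS):
        fix = f["fixed_in"] or "no fix published"
        print(f"{f['severity']:8} {f['package']} {f['installed']} ({f['advisory']}) -> {fix}")
    print(summarize(scan(SAMPLE_DEPS)))
```

The "meaningful feedback" the comment asks for is the `fixed_in` field: a report that says "upgrade examplelib to 1.5.0" is actionable, while one that lists advisory ids with no fix version is not, and a finding with no fixed version at all is the one that needs a compensating control rather than an upgrade.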


Mobile has unbelievably smaller attack vectors due to the hefty sandboxing, as long as you're doing normal things and not including a bunch of janky ad libraries. You're largely just contacting APIs you control and not running arbitrary code, and there's no outside connections coming in at all - lots of extremely bad CVEs are completely irrelevant in that context.

Sure, you can bend your scope to make them relevant... but if you've got someone who can control your system in ways you didn't build by bypassing the OS protections, they already have control of the device and can do darn near anything. If you haven't protected from that, and it's frequently not possible, many other protections are meaningless.

Your backend though has to handle this kind of malicious-modified-client scenario, as well as random connections from code you don't control at all.

(This is not true for all apps of course, but for B2B stuff? Most small companies? Frequently valid)


You are right, but those "janky ad libraries" are the very reason most of the apps on Google Play were created.

If you're not an app that's intentionally risking your users' safety though, you probably have some reason to trust the ad vendor to do their part. It's calculated risk for most non-malicious apps, and the major vendors are broadly fine in that respect. Ignoring privacy anyway.

And we can ignore the shovelware, which probably is actually a majority of apps. Those won't care about security patches, and will probably go out of their way to hide them so they don't appear vulnerable and don't have to do maintenance releases. They wouldn't be affected by forced updates.


So as a conclusion, it seems we agree that those that are the ones creating most risk for users will not be impacted.

I am sticking to the Android ecosystem as the best one I know, because I still have choices + I can use F-Droid for a lot of my apps.

But when my mom uses a tablet or phone ... I have absolutely no smart advice to give her. All apps are hostile and annoying. The Play game subscription is fine (apps/games cannot have apps and are fully unlocked) but other than that the Play Store is a minefield.


Yup, pretty much. Which makes me wonder what the actual goal is, especially since they've had vulnerability scanning for years iirc

