Google has taken a long-awaited step and instituted a public bug bounty focused on finding vulnerabilities in popular mobile apps hosted on its Google Play marketplace.
At the outset, bug-hunters will work directly with developers of popular apps through the HackerOne platform and are in line for $1,000 rewards for security issues reported through the program.
“Developers of popular Android apps are invited to opt in to the program, which will incentivize security research in a bug bounty model,” Google said in announcing the program today. “The goal of the program is to further improve app security, which will benefit developers, Android users, and the entire Google Play ecosystem.”
Researchers will privately report vulnerabilities directly to developers, Google said, and once the developer has verified the bug and implemented a fix, the researcher can then request their reward from Google’s program.
Google said the reward program is limited in scope at the outset to remote code execution vulnerabilities triggered on devices running Android 4.4 and later. Eligible bugs include those that enable an attacker to download and execute code on a device, manipulate the user interface to commit transactions, or, in the case of WebView-related bugs, expose users to phishing by opening a WebView without user interaction.
The exception, Google said, would be vulnerabilities that require a dependency between apps to trigger a flaw; those are not in scope for rewards.
Google said that its home-developed apps on Google Play are in scope, as well as a list of other high-profile apps that includes Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat and Tinder. Other apps may be eventually added, Google said, adding that it may also expand the scope of vulnerabilities eligible for rewards.
The bounty does not extend to adware and spyware apps or rooting malware, all of which have been a thorn this year for Google and its users. In March, Google removed 132 apps from Google Play that were infected with hidden iframes linking users to malicious domains. The problem was traced to a development platform used by most of the developers involved. The affected apps had been downloaded more than a quarter-million times.
On two other occasions this year, Google has been forced to remove dozens of adware apps responsible for everything from flooding devices with ads to seeking excessive permissions. It has also had to boot Trojanized apps that posed as legitimate software but were in fact spyware. One, called SMSVova, was hiding in a System Update app and enabled attackers to change passwords and retrieve location data. On another occasion, spyware called SonicSpy was tucked away inside three messaging apps hosted on Google Play and more than 1,000 others on third-party Android app stores.
Google has also responded with security tools for Android in addition to the bounty. In May, it introduced Google Play Protect, which scans previously downloaded apps to determine whether they’ve been updated with malicious code. This helps secure apps obtained not only from Google Play but also from third-party stores that aren’t subject to Google’s Verify Apps scanner. Google Play Protect is also a cornerstone security measure in Android 8.0, known as Oreo, along with Project Treble, which is expected to go a long way toward improving the fragmented patching and update process that currently hinders Android security.