Google is looking to squash vulnerabilities on its Google Play app marketplace with a new bug-bounty program aimed at identifying data-abuse issues in Android apps and Chrome extensions.
The company on Thursday announced the Developer Data Protection Reward Program, which, depending on the impact of the bug found, could net as much as $50,000 for a single report. Launched in collaboration with HackerOne, it’s meant to stomp out apps that violate Google Play, Google API and Google Chrome Web Store Extension program privacy policies.
“The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs,” said Google in its announcement. “In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.”
No reward table or maximum reward is listed at the time of publication.
If data abuse is identified that’s related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store, Google said. For example, if an app developer is abusing access to Gmail restricted scopes, their API access will be removed.
The launch comes after several instances in the past year surfaced where apps were found abusing user data. Earlier in July, a report found that over 1,300 popular Android apps defy user permissions and gather sensitive data with no consent, heightening concerns about data privacy in Google Play apps. And, in April, a Buzzfeed report found that popular apps from a major Chinese developer were committing large-scale ad fraud and abusing user permissions.
Google Play Security Reward Program Improvements
Google also said that it will expand the scope of apps included in its existing Google Play Security Reward Program, which was first introduced in 2017 and which rewards bounty hunters who discover flaws in the Google Android app marketplace.
Google is now increasing the scope of the program to include all apps in Google Play that have 100 million or more installs.
Before, bounty hunters could report Google-developed Android apps through the program – but for other apps, developed by third-party developers, they would need to report vulnerabilities directly to the app developer’s bug-bounty program. Bounty hunters also could only submit issues to the Play Security Rewards Program that had already been resolved by the developer, and only issues that had been patched within the last 90 days would qualify for a reward.
In a scenario where the app developers don’t have their own vulnerability-disclosure or bug-bounty program, “Google helps responsibly disclose identified vulnerabilities to the affected app developer,” the tech giant said. “This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google.”
As Google has continued to struggle with malicious apps in its marketplace, it has accordingly refurbished the Google Play Security Reward Program over the last 18 months or so. In 2018, for instance, it expanded the program’s top rewards for remote code execution (RCE) vulnerabilities from $1,000 to $5,000; that top figure changed again in 2019 to reach $20,000. In July, the same program increased payments for theft of “insecure private data” from $1,000 to $3,000, and “access to protected app components” from $1,000 to $3,000.
Google’s focus on Google Play may come as no surprise: Despite several attempts by Google to crack down on them, apps that are malicious or have privacy-abuse issues continue to be found on the Android app marketplace. Just this week, researchers at Kaspersky discovered a malicious app on Google Play, downloaded more than 100 million times, called CamScanner.
In January, Google Play removed two malicious apps that were infecting devices with a notorious banking malware bent on scooping up victims’ credentials. Also, last month an Android spyware dubbed MobSTSPY emerged to ride trojanized apps into victims’ phones, mainly via Google Play. And in 2018, Google removed 22 malicious adware apps ranging from flashlights and call recorders to WiFi signal boosters, which together were downloaded at least 7.5 million times from the Google Play marketplace.