Of Non-Nexus Devices and the Android Security Rewards Program

Google’s decision to limit its Android Security Rewards program to Nexus devices could have security consequences for non-Nexus device users.

Google’s decision to limit its Android Security Rewards program to newer Nexus devices clearly puts the Google phones on the top tier of secure mobile devices.

It also could ultimately have the effect of putting non-Nexus devices in the line of fire.

For now, limiting the rewards program to Nexus keeps it manageable.

“The limiting to the Nexus devices is more about controlling scope of the vulnerability program than applying pressure,” said Jon Oberheide, CTO and cofounder of Duo Security and a longtime Android bug hunter. Oberheide said keeping the scope to Nexus 6 and Nexus 9 devices and the base Android Open Source Platform is a sensible first step.

“Perhaps a next step would be to include other Google Play Edition devices,” Oberheide said. “But it just wouldn’t make sense for Google to take on the burden of the crazy customizations and vulnerabilities introduced by other OEMs and carriers.”

Google controls over-the-air updates only for apps written by Google for its Nexus phones and tablets running the latest version of Android, Lollipop. For OEM phones, Google pushes OS, kernel, platform and firmware security and feature updates first to the AOSP, then to carriers and manufacturers. Each party adds modifications along the way and is supposed to update devices. For years, however, those third parties have been criticized for their hesitancy to update their own hardware and for their preference to sell service contracts on new hardware instead.

“The process is so broken that Google has been trying to break up parts of the OS and turn them into updateable apps,” said Oberheide, offering Android System Webview as an example.

Kymberlee Price, senior director of operations at Bugcrowd, a bug bounty platform provider, said the decision could ultimately make non-Nexus devices a bigger target for hackers.

“By limiting to only two devices, that’s an interesting choice. Both ship with Lollipop and the decision achieves the goal of vulnerability disclosures in the latest version of the OS,” Price said. “But at the same time, from a security pro’s perspective, I can’t predict whether this makes Samsung devices more attackable. I believe it does. If I’m an attacker and I look at the Nexus phone on Lollipop and diff the code, I can figure out what’s been patched and what vulnerabilities were present.”

Code diffing is a common practice going back to the early days of Windows patches and security bulletins. Using a code-differencing tool such as BinDiff, a researcher (or an attacker) can compare the patched code against the unpatched code and see every change.

“This allows you to go back and reverse-engineer a vulnerability that’s been fixed,” Price said. “It’s a common practice for both offense and defense.”

Google announced the Android Security Rewards program this week at the Black Hat Mobile Summit in London. The top-end reward for a critical Android bug approaches $40,000; that would involve a single exploit or a chain of attacks that compromise the Android TrustZone or Verified Boot from an installed app. Remote attacks will be worth an additional $30,000 on top of as much as $8,000 for the initial bug, reproduction code, test cases and a patch. Local attacks with those same parameters that lead to a kernel compromise from an installed app can be worth as much as an additional $20,000. Exploits that defeat memory protections such as ASLR, the Android sandbox, or the NX server, are also eligible for the highest rewards.

The baseline rewards are $2,000 for a critical vulnerability, $1,000 for one rated high, and $500 for moderate-severity issues.

While vulnerabilities found through the program will be patched on Nexus devices, the same cannot necessarily be said for Samsung, LG and other Android devices. For consumers concerned with security, Nexus is likely to be their choice; most, however, are interested first in feature updates, and that is the economic pressure that carriers understand.

“Fundamentally, I do think [the Nexus-only bounty] is a positive,” Price said. “It does give consumers a choice. If security is an important feature to you, you’re going with Nexus versus another device. You’re certainly at a lower risk doing so.

“Hopefully this applies pressure from a competitive landscape,” Price said. “By making Lollipop available to OEMs, they may feel increased pressure from consumers, pressure to shift the ecosystem.”
