Google's bug bounty bid to make big Android apps more secure

Graham CLULEY

August 30, 2019

Google wants Android users to feel that its platform is secure, and knows that people’s confidence can be shaken when the media is full of headlines of the latest security scare.

And it’s with that in mind that Google announced this week that it was expanding its bug bounty program, which rewards security researchers who responsibly disclose vulnerabilities so that users can be patched as quickly as possible.

Google, which admittedly has rather deep pockets when it comes to funding such things, has said it is changing its Google Play Security Reward Program (GPSRP) so that it not only covers its own products, but additionally includes all apps in the official Google Play store which have had 100 million or more installs.

In other words, if you were to find a serious security hole in a popular Android app you could contact Google rather than the app’s developer, and Google will be happy to not only alert the developer about the flaws, but also pay you handsomely for your work.

Although Google is encouraging app developers to start their own bug bounty program through which researchers can be rewarded for disclosing vulnerabilities responsibly, it says that all popular Android apps with 100 million or more installs are now automatically eligible under GPSRP.

“This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” wrote Adam Bacchus, Sebastian Porst, and Patrick Mutchler of Google’s Android Security & Privacy group. “If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google.”

Google says that it has already helped over 300,000 app developers fix flaws in approximately one million Android apps on Google Play, paying out $265,000 in rewards to date. A rise in the rewards offered has seen Google pay out $75,500 in just the past few months.

Let’s not turn a blind eye to the reality here. Google has not done a great job in the past of policing the apps in its official Google Play store. On countless occasions malicious apps have been found that put Android users and their data at risk. And it’s even more common for poorly-coded mobile apps to contain vulnerabilities – even if they were not created with malicious intent.

As such, it’s hard to complain about Google expanding its bug bounty program to encourage more security researchers to look for security holes in the most widely used apps.

In addition, Google has announced a new initiative: the Developer Data Protection Reward Program (DDPRP).

DDPRP is another bounty program, but this time built specifically with the intention of identifying and mitigating “data abuse issues in Android apps, OAuth projects, and Chrome extensions.”

“In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent.”

According to Google, a single DDPRP report could net a researcher a bounty as large as $50,000.
