Google's bug bounty program has long rewarded researchers who find vulnerabilities in Google's own websites and apps, including Chrome and Android. Now the search giant is extending the program to third-party Android apps in the hope of improving the quality of apps in the Play Store.
Google pitches its operating system over rivals by claiming it is the most open platform. However, Android's greatest strength is also its biggest weakness: that openness gives malicious content and malware an easy way in. Even after Google's accelerated efforts to improve security, Android continues to host some of the most malicious apps. The operating system is not the only culprit, though, as most of the security issues arise from the apps present in the Play Store.
Therefore, to at least limit such issues, Google, in collaboration with HackerOne, is offering $1000 for every qualifying issue a hacker unearths in popular third-party apps. It is an attractive bounty for hackers, as the Play Store is known to carry spammy apps. In March, Google removed over 100 apps from Google Play that contained hidden iFrames linking users to malicious domains. The investigation traced them back to a single development platform used by many developers. These malicious apps had been downloaded more than a quarter of a million times.
Vineet Buch, director of product management for Google Play Apps and Games, told Reuters that Google is not just concerned about their own apps, but rather the overall health of the ecosystem. “It’s like offering a reward for a missing person even if you don’t know who the missing person is personally,” Buch said.
Hackers must submit their findings to the developers via the HackerOne bounty platform. Once the Google team confirms the bug and the developer has fixed it, the hacker is rewarded $1000. For now, only apps from selected developers are open to hackers looking for vulnerabilities. Apps such as Dropbox, Snapchat and Tinder are among those in scope. As the program progresses, more apps will be added to the list.
“The program is limited to a select number of developers at this time to get initial feedback. Developers can contact their Google Play partner manager to show interest,” Google said in a blog post. “All developers will benefit when bugs are discovered because we will scan all apps for them and deliver security recommendations to the developers of any affected apps.”
Further, Google noted that the program is for now limited to code execution vulnerabilities on devices running Android 4.4 and above. Clarifying which kinds of vulnerabilities qualify, Google said that bugs involving files an app downloads that an attacker can manipulate to perform unauthorized transactions, as well as WebView-related bugs, would be considered for rewards. However, bugs that depend on a second app to launch the attack would not qualify.