Google Is Finally Tired of Apps Ruining Android Security – Introduces a Bug Bounty Program
While Google may have done a lot to improve user security, offering solutions that are used by the entire industry (for example, its Safe Browsing protections), its Android operating system is widely considered the most insecure popular operating system. Android's large user base attracts more effort from cybercriminals, and fragmentation adds to the trouble. However, many security problems come through the apps - not the OS - even when they are installed from Google's Play Store.
The search giant has continued to fortify the Play Store against criminals' tricks, but the problem has persisted. Google has finally announced a public bug bounty program focused on finding security vulnerabilities in mobile apps hosted in its marketplace. Right now, the company is offering a $1,000 reward for RCE (remote code execution) vulnerabilities and corresponding PoCs (proofs of concept) that work on Android 4.4 or higher.
"The Google Play Security Reward Program recognizes the contributions of security researchers who invest their time and effort in helping us make apps on Google Play more secure," Google wrote in today's announcement. "All Google’s apps are included and developers of popular Android apps are invited to opt-in to the program."
Through the program, we will further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.
The company is collaborating with HackerOne, an independent bug bounty platform, and app developers to implement the Google Play Security Reward Program.
Play Store bug bounty program doesn't extend to malicious apps
Note that the program and the reward are restricted to apps that have signed up for this Play Security Rewards Program. These include all of Google's apps, along with some high-profile apps, such as Alibaba, Dropbox, Duolingo, Headspace, Mail.Ru, Snapchat, and Tinder. For now, there are only a few apps, but that is soon going to change since the program has just been announced. This list will continue to be updated to add any newcomers.
Surprisingly, this program is restricted to legitimate apps and requires developers to opt in to the program. It doesn't extend to spyware, malware, or ransomware apps that have been a huge issue for Google Play Store this year, with the company removing hundreds of apps infected with malicious code.
Since this is only a start, the company will hopefully add more possibilities for researchers to help Google make Play Store and its apps more secure for users.