Google will now pay $1,000 for critical software bugs found in popular third-party apps

October 20th, 2017 at 7:45 PM
Android Security

With malware creators becoming more aggressive and sophisticated, a number of tech companies in recent years have instituted “bug bounty” programs that provide monetary rewards to any individual or group that uncovers critical vulnerabilities in software. Google has had a bug bounty program for years now, but the search giant recently expanded the scope of the program beyond its own software developed in-house.

According to HackerOne, Google’s new bug bounty program now incentivizes hackers to unearth software vulnerabilities in some of the more popular third-party apps on the Play Store. The new program will presumably result in more secure Android apps while also limiting the damage whenever a serious issue is discovered. While not an everyday occurrence, reports of malware infecting widely downloaded Android apps are hardly rare.

For anyone keen on tackling Google’s new software challenge, payments of $1,000 will be made for each verified software vulnerability.

The vulnerability criteria are laid out below:

For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher.

This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission. Examples may include:

  • Attacker gaining full control, meaning code can be downloaded from the network and executed (download and execute arbitrary code: native, Java, JavaScript, etc.)
  • UI manipulation to commit a transaction. For example, causing a banking app to make money transfers on behalf of the user without their consent.
  • Opening of a WebView that may lead to phishing attacks. Opening a WebView without user input or interaction.

There is no requirement that the OS sandbox be bypassed.

Notably, the new bug bounty program, as it stands now, only applies to Google-developed Android apps and the following third-party apps: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder. Down the line, though, the program may open up to include additional third-party apps.

A life long Mac user and Apple enthusiast, Yoni Heisler has been writing about Apple and the tech industry at large for over 6 years. His writing has appeared in Edible Apple, Network World, MacLife, Macworld UK, and most recently, TUAW. When not writing about and analyzing the latest happenings with Apple, Yoni enjoys catching Improv shows in Chicago, playing soccer, and cultivating new TV show addictions, the most recent examples being The Walking Dead and Broad City.