Click to Skip Ad
Closing in...

Google will now pay $1,000 for critical software bugs found in popular third-party apps

Published Oct 20th, 2017 7:45PM EDT
Android Security

With malware creators becoming more aggressive and sophisticated, a number of tech companies in recent years have instituted “bug bounty” programs that provide monetary rewards to any individual or group that uncovers critical vulnerabilities in software. Google has had a bug bounty program for years now, but the search giant recently expanded the scope of the program beyond its own software developed in-house.

According to HackerOne, Google’s new bug bounty program now incentivizes hackers to unearth software vulnerabilities in some of the more popular third-party apps on the Play Store. The new program will presumably result in more secure Android apps while also limiting the damage whenever a serious issue is discovered. While perhaps not a common occurrence, it’s not all that unusual to see reports of malware infecting widely downloaded Android apps.

For anyone keen on tackling Google’s new software challenge, payments of $1,000 will be made for each verified software vulnerability.

The vulnerability criteria is laid out below:

For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher.

This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission. Examples may include:

  • Attacker gaining full control, meaning code can be downloaded from the network and executed (download and execute arbitrary code, native, Java code etc. Javascript)
  • UI Manipulation to commit a transaction. For example, causing a banking app to make money transfers on behalf of the user without their consent.
  • Opening of webview that may lead to phishing attacks. Opening webview without user input or interaction.

There is no requirement that OS sandbox needs to be bypassed.

Notably, the new bug bounty program, as it stands now, only applies to Google-developed Android apps and the following third-party apps: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder. Down the line, though, the program may open up to include additional third-party apps.

Yoni Heisler Contributor

Yoni Heisler has been writing about Apple and the tech industry at large for over 15 years. A life long Mac user and Apple expert, his writing has appeared in Edible Apple, Network World, MacLife, Macworld UK, and TUAW. When not analyzing the latest happenings with Apple, Yoni enjoys catching Improv shows in Chicago, playing soccer, and cultivating new TV show addictions.