Google wants bug hunters to probe popular Android apps for bugs

Google has started another bug bounty initiative: the Google Play Security Reward Program.

Google Play Security Reward Program

While the name of the program might suggest that bug hunters will be after vulnerabilities in Google’s official Android app market, in reality they will be asked to unearth bugs in all of Google’s apps available on Google Play, as well as a short list of other popular ones.

Currently in scope are the Alibaba, Dropbox, Duolingo, Headspace, Line, Snapchat, Mail.Ru, and Tinder apps, but the list is likely to expand in time.

“Developers of popular Android apps are invited to opt-in to the program, which will incentivize security research in a bug bounty model. The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem,” Google noted.

For the moment, the program is limited to a select number of developers to get initial feedback.

More details about the Google Play Security Reward Program

As with the recently set up Internet Bug Bounty program for bugs in data processing libraries, bug hunters are instructed to limit themselves to reporting remote code execution vulnerabilities.

As examples of RCE bugs in scope, Google mentioned bugs that allow attackers to gain full control of the device, perform transactions via UI manipulation, or open a WebView without user input or interaction (as it might be used for phishing).

“There is no requirement that OS sandbox needs to be bypassed. Any vulnerability that requires collusion between apps, or where there is a dependency for another app to be installed is considered to be out of scope, and thus will not qualify for a reward,” Google added.

The report has to include a proof-of-concept that works on Android 4.4 devices and higher.

Bug reports should be submitted directly to the developers of those apps, and after the bug is resolved, bug hunters should ask Google to pay out the bounty, which can reach as much as $1,000.

In the future, other types of vulnerabilities may be added to the program's scope.
