Google is expanding the Google Play Security Reward Program (GPSRP) to include all apps in Google Play with 100 million or more installs, and is launching a new Developer Data Protection Reward Program (DDPRP) and asking for information about data abuse issues in Android apps, OAuth projects, and Chrome extensions.
“The [DDPRP] program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent,” said Google engineers Adam Bacchus, Patrick Mutchler and Sebastian Porst.
“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed.”
About the Developer Data Protection Reward Program
Reporters can earn as much as $50,000 if the impact of the discovered abuse is substantial.
The types of reported issues that will qualify for a bounty include:
- Apps falling afoul of Google Play policies (e.g., data collected by an Android app is sold, disclosed or shared by the developer in a manner that violates Google’s and/or the developer’s data handling or privacy policies)
- Apps violating the Permissions policy (e.g., an app that has SMS permission and shares that data with a third party for advertising purposes)
- Apps violating the limited use requirements in the API user data policy (e.g., an app providing travel services, using or transferring user data unrelated to travel, or an app transferring user data to affiliates to help develop new products)
- Chrome extensions violating the Chrome Web Store’s minimum user data privacy requirements
- Chrome extension developers lacking transparency in their handling of user data, including failing to disclose what is collected and why.
In scope are Android apps with over 100 million installs, Chrome extensions with more than 50,000 users, and apps with more than 50,000 users that use restricted API scopes (scopes that allow access to Google user data).
About the Google Play Security Reward Program
GPSRP rewards reports of bugs and vulnerabilities in participating apps on Google Play (developers of Android apps must apply to join the program).
All vulnerabilities must always be reported directly to the app developer first. Once they are fixed, the reporter can request a bonus bounty from Google via this program.
Issues in scope are RCE vulnerabilities, vulnerabilities that lead to theft of private data, and vulnerabilities that allow access to protected app components. The most severe issues (RCE) can be rewarded with as much as $20,000.
The increase in scope of GPSRP means that participants can now report flaws in all apps in Google Play with 100 million or more installs directly to Google, even if the app developers don’t have their own vulnerability disclosure or bug bounty program.
“In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” the engineers explained.
“Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it. Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play.”