
Google Play will no longer pay to discover vulnerabilities in popular Android apps

  • Google has announced that it is winding down the Google Play Security Reward Program.
  • The program was introduced in late 2017 to incentivize security researchers to find and responsibly disclose vulnerabilities in popular Android apps.
  • Google says it is winding down the program due to a decrease in actionable vulnerabilities reported by security researchers.


Security vulnerabilities are lurking in most of the apps you use on a day-to-day basis; there’s just no way for most companies to preemptively fix every possible security issue because of human error, deadlines, lack of resources, and a multitude of other factors. That’s why many organizations run bug bounty programs to get external help with fixing these issues. The Google Play Security Reward Program (GPSRP) is an example of a bug bounty program that paid security researchers to find vulnerabilities in popular Android apps, but it’s being shut down later this month.

Google announced the Google Play Security Reward Program back in October 2017 as a way to incentivize security researchers to find and, most importantly, responsibly disclose vulnerabilities in popular Android apps distributed through the Google Play Store.

When the GPSRP first launched, its scope was narrow: only vulnerabilities affecting applications from a small number of participating developers were eligible for submission. Eligible vulnerabilities include those that lead to remote code execution or theft of insecure private data, with payouts initially reaching a maximum of $5,000 for vulnerabilities of the former type and $1,000 for the latter type.

Over the years, the scope of the Google Play Security Reward Program expanded to cover developers of some of the biggest Android apps such as Airbnb, Alibaba, Amazon, Dropbox, Facebook, Grammarly, Instacart, Line, Lyft, Opera, Paypal, Pinterest, Shopify, Snapchat, Spotify, Telegram, Tesla, TikTok, Tinder, VLC, and Zomato, among many others.

In August 2019, Google opened up the GPSRP to cover all apps in Google Play with at least 100 million installations, even if they didn’t have their own vulnerability disclosure or bug bounty program. In July 2019, the rewards were increased to a maximum of $20,000 for remote code execution bugs and $3,000 for bugs that led to the theft of insecure private data or access to protected app components.

Image: Google Play Security Reward Program eligible vulnerabilities (Credit: Mishaal Rahman / Android Authority)

The purpose of the Google Play Security Reward Program was simple: Google wanted to make the Play Store a more secure destination for Android apps. According to the company, vulnerability data they collected from the program was used to help create automated checks that scanned all apps available in Google Play for similar vulnerabilities. In 2019, Google said these automated checks helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. Thus, the downstream effect of the GPSRP is that fewer vulnerable apps are distributed to Android users.

However, Google has now decided to wind down the Google Play Security Reward Program. In an email to participating developers, such as Sean Pesce, the company announced that the GPSRP will end on August 31st.

The reason Google gave is that the program has seen a decrease in the number of actionable vulnerabilities reported. The company credits this success to the “overall increase in the Android OS security posture and feature hardening efforts.”

The full email sent to developers is reproduced below:

“Dear Researchers,

I hope this email finds you well. I am writing to express my sincere gratitude to all of you who have submitted bugs to the Google Play Security Reward Program over the past few years. Your contributions have been invaluable in helping us to improve the security of Android and Google Play.

As a result of the overall increase in the Android OS security posture and feature hardening efforts, we’ve seen fewer actionable vulnerabilities reported by the research community. Due to this decrease in actionable vulnerabilities reported, we are winding down the GPSRP program. The GPSRP program will end on August 31st. Any reports submitted before then will be triaged by September 15th. Final reward decisions will be made before September 30th when the program is officially discontinued. Final payments may take a few weeks to process.

I want to assure you that all of your reports will be reviewed and addressed before the program ends. We greatly value your input and want to make sure that any issues you have identified are resolved.

Thank you again for your support of the GPSRP program. We hope that you will continue working with us, on programs like the Android and Google Devices Security Reward Program.

Best regards,

Tony

On behalf of the Android Security Team”

In September of 2018, nearly a year after the GPSRP was announced, Google said that researchers had reported over 30 vulnerabilities through the program, earning a combined bounty of over $100k. Approximately a year later, in August of 2019, Google said that the program had paid out over $265k in bounties.

As far as we know, the company hasn’t disclosed how much they’ve paid out to security researchers since then, but we’d be surprised if the number isn’t notably higher than $265k given how long it’s been since the last disclosure and the number of popular apps in the crosshairs of security researchers.

Google shutting down this program is a mixed bag for users. On one hand, it means that popular apps have largely gotten their act together, but on the other hand, it means that some security researchers won’t have the incentive to disclose any future vulnerabilities responsibly, especially if those vulnerabilities impact an app made by a developer who doesn’t run their own bug bounty program.

Google's latest Play Store change could make APKs harder to install

Android has always given users a lot of freedom, letting them manage their devices pretty much how they want, including grabbing apps from third-party sources. While Google did require people to enable a certain setting to install apps from outside the Play Store, it was a simple process. But now, Google's new policy is about to make sideloading apps a bit more of a hassle. With the latest guidelines, users will have to go through an extra step when downloading apps from third-party sources.

Google Play could soon help you fix Play Protect certification issues (APK teardown)

Image: Google Play Store logo on smartphone (Credit: Edgar Cervantes / Android Authority)

  • Google Play could soon get a new feature to help fix Play Protect certification issues.
  • The feature is currently in development, but we’ve managed to get an early look at it in the latest Google Play Store release.
  • The upcoming “Fix device issue” button will run a few checks to address Play Protect certification issues or provide details about why a device is not certified.


Google Play might soon help users fix issues resulting in a failed Play Protect certification. We’ve spotted an upcoming feature in Google Play Store version 42.1.21 that could either address the Play Protect certification error or provide details about why a device is not certified.

The latest Play Store release includes evidence suggesting that Google could add a new “Fix device issue” button to the Play Protect certification option in the Play Store settings. This button will likely appear on devices that fail the Play Protect certification, and let users address the issue by performing a few checks.

As you can see in the following video, the feature displayed a “Couldn’t fix device certification issue” message on our test device. It also showed a “Reason code” stating that the device did not meet Play Integrity requirements, along with a link to a support page explaining how users can fix Play Protect certification status issues.

At the moment, we are unaware of the checks the feature runs to fix the Play Protect certification issue. We’ll let you know as soon as we have more details. Until then, if you’re getting a Play Protect certification error on your device, you may want to try registering your device by submitting your Google Services Framework Android ID on this Device registration page.

Google may soon allow you to update sideloaded Android apps via the Play Store

You may soon have the ability to update the sideloaded apps on your Android device via the Play Store. Android Authority reports that a teardown of the Play Store version 42.0.18 APK appears to indicate that Google will introduce the option in a future release. Apps that have been sideloaded display an “Update from Play” […]

The post Google may soon allow you to update sideloaded Android apps via the Play Store appeared first on Liliputing.
