Despite Google's repeated efforts, malicious apps have continued to slip past the Play Store's security checks and infect millions of Android users.
To help root out such flaws, Google has now launched a bug bounty program for Android apps on the Play Store, inviting security researchers to find and report vulnerabilities in some of the most popular apps on Google Play. Dubbed the “Google Play Security Reward” program, it has researchers work directly with app developers to find and fix flaws, for which Google pays at least $1,000 per qualifying report.
Under the program, announced on Thursday, researchers are meant to supplement the automated checks that have so far failed to keep malware and other problems out of the store.
Google is running the program with HackerOne, a bug bounty platform, to help rid Google Play of malicious apps that often go undetected by automated scans.
Software scans cannot match a person’s ability to discover “a truly creative hack,” Vineet Buch, director of product management for Google Play Apps and Games, said in an interview.
According to HackerOne, researchers identify an app vulnerability and report it to the app developer, and the two work out a fix within 90 days. Once the vulnerability has been resolved, the researcher requests a reward from the program; if the report is evaluated and found to meet Google’s criteria, the finder is awarded $1,000.
“The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem,” Google wrote in a blog post.
“For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof-of-concepts) that work on Android 4.4 devices and higher.” The program and its rewards are restricted to apps whose developers have opted in to the Play Security Rewards Program. These currently include apps such as Alibaba, Dropbox, Duolingo, Headspace, Mail.Ru, Snapchat, and Tinder. Google says the list will expand over time.
Better late than never.