It’s no more hidden that malware creators have taken to sophisticated ways these days – making data breach and privacy big causes of concern. To fight the menace, a number of companies are currently running “bug bounty” programs that provide monetary reward to any individual or group that uncovers critical vulnerabilities in a software. Search engine giant Google also had one such programme limited to its in-house softwares. However, it has now taken the bug bounty project to an all new level by introducing a “Google Play Security Reward Program” – in collaboration with Hackerone. The new program is aimed to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.
For now, the vulnerability criteria of the program has been kept limited to RCE (remote-code-execution) and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher. As per Hacker One, this means that any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission. The examples may include:
– Attacker can Manipulate UI to commit a transaction. For example, causing a banking app to make money transactions on behalf of the user without their consent.
– Opening of webview that may cause potential phishing attacks. Opening webview without user input or interaction.
Hacker One says that all Google-developed Android apps available on Google Play are included in the programme. It also requests to report vulnerabilities in Google apps to the Google Vulnerability Reward Program or, for Chrome specifically, to the Chrome Reward Program. For anyone software geek, who is ready to accept Google’s new software challenge, payments of $1,000 (app: Rs 65,000) will be made for each verified software vulnerability, a bgr.com report said. A person is advised to visit http://hackerone.com/googleplay for detailed information and updates.