Hack apps, attack code drawbacks for cash stacks, Google yaks

An attempt was made


Google is offering cash to those who can find, exploit and report bugs in its Android apps, or similarly hack other programs in its Play Store.

The goal is to get a large number of people and developers working together on improving security in the Android world. The advertising giant is very familiar with bug bounties, and has paid out big bucks to the research community over the past couple of years for discovering and detailing flaws in Chrome, the Android operating system, and its websites.

On Thursday this week, Google announced it was extending this to third-party apps in its official Android software store, and its own app offerings, with a new bounty program run by HackerOne called the Play Security Reward Program.

"As the Android ecosystem evolves, we continue to invest in leading-edge ideas to strengthen security," said Vineet Buch, director of product management at Google Play.

"Our goal is to continue to make Android a safe computing platform by encouraging our app developers and hackers to work together to resolve unknown vulnerabilities; we are one step closer to that goal."

Researchers who take part in the program can examine apps from participating vendors and get at least $1,000 for each flaw they find. After reporting the issue to the app developer and getting it fixed – which is in itself no easy task – the hacker then applies to Google for their reward.

Not all flaws will be worth Google's moolah, however – only the most serious. At this stage Google wants news of remote-code-execution vulnerabilities for Android 4.4 devices and higher, and – if possible – proof-of-concept exploits should be provided.

This bounty program isn't going to clear up many issues soon, however. So far only eight app developers have signed up to the program, leaving thousands more to go. And the reported bugs actually have to be resolved, which may turn into a fight between the researcher and the vendor itself. Also, $1,000 isn't much of an incentive compared to other payouts, although it's not as bad as some firms that just offer a free t-shirt or air miles.

Meanwhile, deliberately malicious programs continue, from time to time, to sneak into Google's Play Store. The online souk's gatekeepers aren't exactly perfect. Improving those guardians, which are supposed to stop malware getting into the store, should be a higher priority. ®
