Google Rewards Bugs Found in All Android Apps with 100M+ Installs


Google has extended its Google Play Security Reward Program (GPSRP) to cover every Android app on the Google Play Store with 100 million or more installs.

Security researchers who report vulnerabilities in one of these apps will be eligible for a reward from Google and, if the app's developer also runs its own HackerOne bug bounty program, for a second reward from the developer.

“This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” says Google.

Google will also collect the vulnerability data reported through GPSRP and feed it into its own app-security tooling “to generate automated controls that scan all Google Play applications for comparable vulnerabilities.”

We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. — Google

Developers will also be notified when an in-scope vulnerability is reported in their app, with details of the flaw and guidance on how to fix it.

The alerts will be sent through the Play Console as part of the App Security Improvement (ASI) program, a service that gives Google Play developers guidance on how to improve the security of their apps.

“Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play,” adds Google.

ASI notification example

The downstream effect is that those 75,000 vulnerable apps (the apps ASI helped developers fix in 2018) were not distributed to users until the issue was fixed. To date, Google has paid out over $265,000 in bounties through GPSRP; recent expansions in scope and increases in reward amounts resulted in $75,500 in rewards in July and August alone.

Developer Data Protection Reward Program also launched today

In cooperation with HackerOne, Google is also launching the Developer Data Protection Reward Program (DDPRP), a bug bounty program meant to reward researchers who help identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.

The program aims to reward anyone who can provide verifiably and unambiguous evidence of data abuse, in a similar model as Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. — Google

If the DDPRP confirms a data abuse issue, the affected apps and extensions will be removed from Google Play or the Chrome Web Store.

If a developer is also found to be abusing access to Google APIs to obtain restricted-scope data, their API access will be revoked as well.

Although Google has not yet published a maximum reward or a reward table, a single report could earn a researcher as much as $50,000, depending on the impact of the reported issue.

Credit: BleepingComputer

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.