Tuesday 24 October 2017

Google Offers Big Rewards To Hack Android's Most Popular Apps

Google Offers Big Rewards To Hack Android's Most Popular Apps

Google Offers Big Rewards To Hack Android's Most Popular Apps

Google is looking to improve its Play Store security. Google calls security researchers who invest their time and effort in order to make apps on Google Play Store more secure. It will help in improving the security from Fake and Malicious Apps and more benefit the developers and Android users.

All Google apps are included and developers of only popular Android apps are invited to opt-in to this program yet.

Scope of Program

For now, the scope is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher.

This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission.

Examples may include:
  • Attacker gaining full control, meaning code can be downloaded from the network and executed (download and execute arbitrary code, native, Java code etc. Javascript)
  • UI Manipulation to commit a transaction. For example, causing a banking app to make money transfers on behalf of the user without their consent.
  • Opening of webview that may lead to phishing attacks. Opening webview without user input or interaction.

Note: There is no requirement that OS sandbox needs to be bypassed.

Currently, there are eight different developers to be approved for the program such as Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat, and Tinder, but Google says it’s working with more app makers to expand the program. And more apps will expand later, Google said.

How it works?

Reports states these steps:
  • Researcher identifies vulnerability within an in-scope app and reports it directly to the app’s developer via their current vulnerability disclosure or bug bounty process. Visit the program page on HackerOne for in-scope apps.
  • App developer works with the researcher to resolve the vulnerability.
  • Once the vulnerability has been resolved, the researcher requests a bonus bounty from the Google Play Security Rewards Program hosted on HackerOne.
  • Android Security team issues a reward to the researcher to thank them for improving the security of the Google Play ecosystem.

Note: All qualifying reports sent to the Google or Chrome Vulnerability Reward Programs will automatically be considered for a reward from the Google Play Security Reward Program. There is no need to submit vulnerabilities submitted to Google again to the Google Play Security Reward Program.

Reward Amounts

The Play Security Reward Program will evaluate each submission based on the above Vulnerability Criteria and reward accordingly. A reward of $1000 will be rewarded for issues that meet this criteria.

Any and all reward decisions are ultimately at the discretion of the Google Play Security Reward Program. In the future, other vulnerabilities may be introduced into scope.


Post a Comment

Note: only a member of this blog may post a comment.

Toggle Footer