Naked Security

Google throws bug bounty bucks at mega-popular third-party apps

If an app has more than 100 million installs, Google will pay for bugs, even if the app makers already have their own bounty programs.

Google’s going to throw more bug bounty money at the problem of nasty apps in its Play Store, it announced on Thursday.

In a post from the Android Security & Privacy team’s Adam Bacchus, Sebastian Porst, and Patrick Mutchler, the company said that it’s throwing the security net over not just its own apps, but over all uber-popular third-party software – as in, apps that have more than 100 million installs.

The search king is fattening up its Google Play Security Reward Program (GPSRP), and it’s launching a new Developer Data Protection Reward Program (DDPRP).

Money from the enlarged pot in the GPSRP will go to hunters who find bugs in apps from Android app makers even if those makers are running their own bug bounty programs.

Google is encouraging app makers that don’t yet have bug bounty programs to start them up. If a given app developer doesn’t have a bug bounty program yet, though, Google will be helping bug hunters to responsibly disclose identified vulnerabilities to them.

Google’s sweetening of the pot should help stamp out that many more bugs, the company said, though it would rather see app developers set up such programs themselves:

This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.

In July 2019, Google announced that it was tripling the maximum baseline reward amount from $5,000 to $15,000 for Chrome bugs, and doubling the maximum reward amount for high-quality reports from $15,000 to $30,000. It also doubled the additional bonus given to bugs found by fuzzers running under its Chrome Fuzzer Program to $1,000.

It also pumped up its standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode.

At that time, Google said that rewards paid out under its Google Play Security Reward Program for remote code execution bugs were going way up: from $5,000 to $20,000. At the same time, rewards for bugs involving theft of insecure private data were increased from $1,000 to $3,000, and payment for bugs enabling access to protected app components was pushed from $1,000 to $3,000.

It’s all adding up: Google says that to date, GPSRP has paid out over $265,000 in bounties. The expanded scope alone has resulted in $75,500 in rewards across July and August, Google says, and it expects the security research community to help it stamp out more bugs as the program keeps growing.

Good to hear. It needs the help!

Playing rough in Google Play Store

There’s been a long string of rotten apples spoiling the Google Play store barrel. The most recent one cropped up in April 2019, when government spyware, named Exodus, was found hidden in apps.

Some months before that discovery, in February 2019, research found that 18,000 Play Store apps, many with hundreds of millions of installs, appeared to be sidestepping the Advertising ID system by quietly collecting additional identifiers from users’ smartphones in ways that couldn’t be blocked or reset.

Before that: in May 2018, SophosLabs found photo editor apps hiding malware on Google Play.

And before that? In February 2018, Google announced that just in the previous year alone, it had removed 700,000 bad apps and stopped 100,000 bad-app developers from sharing their nastyware on the Google Play store.

In short, it’s long been true that you don’t have to be much of an evil genius of an app developer to get past Google’s filters. As Motherboard reported back when Exodus was discovered lurking on the app store, more than 20 malicious apps in the Exodus family went unnoticed by Google over the course of roughly two years.

Teaming up with HackerOne on the DDPRP

Also on 28 August, Google announced the brand-new Developer Data Protection Reward Program (DDPRP): a bounty program it’s running in collaboration with HackerOne that’s meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.

In separate news, HackerOne announced that six hackers have become the first in the world to earn over $1 million each on the bug bounty platform. It’s quite the disparate collection: One is an ex-convict living in the rural US, another a 20-something traveling the world on his bounty cash, and a third is an industry veteran coaching people like HackerOne’s first million-dollar hacker – a 19-year-old living in Argentina. Another’s a serial entrepreneur, and the last is a “hacking powerhouse” who made $75k in July alone.

At any rate, Google says the purpose of the new joint venture with HackerOne, the DDPRP, is to recognize the people who report apps that violate Google Play, Google API, or Google Chrome Web Store Extensions program policies.

That includes people who identify situations where user data is being abused, Google says, whether it’s being “used or sold unexpectedly, or repurposed in an illegitimate way without user consent.” Accurate reports can lead to apps or extensions getting yanked from Google Play or Google Chrome Web Store, or, in the case of app developers who are found to be up to no good, it can lead to those developers losing API access.

Google doesn’t have a reward table yet for this new program, but it says that payout could be as much as $50,000.

“Happy bug hunting!”

Thanks, Google said, and please do keep sending those reports on over – we’ll look forward to seeing what you find:

As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe.
