Google will pay you $1000 to find bugs in most popular Android's apps.


Google will pay you $1000 to find bugs in most popular Android's apps.
Google is eager to clamp down on security flaws associated with some of the most high-profile apps in its Android library, so it's enlisting white-hat hackers as a part of the effort. Should you successfully find a bug in a qualifying app on Google Play, Google will pay you nifty $1,000 for your efforts.

Google is partnering with bug bounty service HackerOne for the project, which it calls the Google Play Security Reward Program. The worldwide program currently only applies to eight popular apps such as Duolingo, Snapchat, Tinder, Headspace and Alibaba, although Google's own suite of apps for Android qualify as well.

Apps currently only qualify for inclusion in the program if their developers get an invitation from Google, but in time the Mountain View, California company plans to roll out the service on an opt-in basis.

Bug out
Nor do all bugs qualify. At the moment, Google is only interested in finding flaws that enable remote code executions (RCEs) on Android 4.4 and above. In essence, that means it's looking for bugs that allow web pages to open in an app for the purpose of phishing, or flaws that allowed the download of malicious code and the possible infection of an Android device with a virus.

It's a not-so-subtle way of forcing Android app developers to get their acts together. You're not even supposed to contact Google if you find a bug; instead, you contact the developer of the app through a form provided by HackerOne, and then the developer contacts Google once it's released a patch for the bug. Only then will you see any cash.

Google already offers similar bounties for Chromebooks and Android proper, but this marks the first time that it's extended the service to developers who use its popular operating system.

For anyone keen on tackling Google’s new software challenge, payments of $1,000 will be made for each verified software vulnerability.

The vulnerability criteria is laid out below:

For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher.

This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission. Examples may include:

Attacker gaining full control, meaning code can be downloaded from the network and executed (download and execute arbitrary code, native, Java code etc. Javascript)
UI Manipulation to commit a transaction. For example, causing a banking app to make money transfers on behalf of the user without their consent.
Opening of webview that may lead to phishing attacks. Opening webview without user input or interaction.
There is no requirement that OS sandbox needs to be bypassed.

Notably, the new bug bounty program, as it stands now, only applies to Google-developed Android apps and the following third-party apps: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder. Down the line, though, the program may open up to include additional third-party apps.

Comments

Post a Comment

Popular posts from this blog

JFK files show informant told CIA Hitler was living in Colombia

Image
An informant told the CIA that Adolf Hitler survived World War II and was living with ex-Nazis in Colombia in the 1950s, according to newly declassified documents. The source told the agent, whose code name was Cimelody-3, the former Fuehrer was alive and that an ex-SS agent named Phillip Citroen had been in touch with him in the city of Tunja, according to the memo, released as part of the files related to JFK’s assassination. Citroen told the informant he saw a man who strongly resembled Hitler while working in “Residencias Coloniales,” a neighborhood populated by former Nazis. He said Germans living there followed this alleged Hitler with “an idolatry of the Nazi past, addressing him as ‘der Fuehrer’ and affording him the Nazi salute and storm-trooper adulation.” The former SS agent also had a photo of himself with the suspected Hitler, who allegedly went by “Adolf Schritteimayor.” CIA memos make it clear the agency was skeptical of this report, calling it a “fanta...
Read more

US Army working on a device that can assess traumatic brain injury on the battlefield

Image
Traumatic brain injury, when not treated soon could significantly increase chances of developing Alzheimer's. US Army soldiers to receive gadgets that can scan for brain injuries   VANO SHLAMOV/AFP/Getty Images The US Army Medical Research and Materiel Command has awarded a contract worth close to $10m (£7.6m) to Neural Analytics, a company that designs and builds medical instruments, for the development of a device that can help quickly determine if a person has received a head injury and how severe it is instantly on the battlefield. Read More: 'DO SOMETHING!': Trump lashes out as the Russia investigation heats up According to a Military Times report, the device, named Lucid System, will be made to monitor and detect physical signs of traumatic brain injury. Leo Petrossian, chief executive officer of Neural Analytics told the Army Times "Our objective is to build an instrument for someone with little or no training that they can use reliably." The Lucid System s...
Read more

'Kill them all' -- Russian-linked Facebook accounts called for violence

Image
Facebook accounts run by Russian trolls repeatedly called for violence against different social and political groups in the U.S., including police officers, Black Lives Matter activists and undocumented immigrants. Posts from three now-removed Facebook groups created by the Russian Internet Research Agency suggest Russia sought not only to meddle in U.S. politics but to encourage ideologically opposed groups to act out violently against one another. The posts are  part of a database  compiled by Jonathan Albright, the research director at Columbia University's Tow Center for Digital Journalism, who tracks and analyzes Russian propaganda. For example, "Being Patriotic," a group that regularly posted content praising Donald Trump's candidacy, stated in an April 2016 post that Black Lives Matter activists who disrespected the American flag should be "be immediately shot." The account accrued about 200,000 followers before it was shut down. Another R...
Read more