Android security: ​Google will pay $1,000 for holes in these top apps

Google brings the bug bounty vulnerability research model to Android apps in the Play Store.
Written by Liam Tung, Contributing Writer

Google has teamed up with bug bounty platform HackerOne to open the Google Play Security Reward Program.

Google runs its own bug bounties for Chrome, Android, and websites, and is now expanding the concept to popular Android apps in the Google Play Store. Researchers will be paid $1,000 reward for qualifying vulnerabilities.

Apps in the Google Play Security Reward program include Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder, however more apps may be included later.

Qualifying bugs are limited to remote code execution (RCE) flaws that work on devices running Android 4.4 and higher. This includes attacks that allow malicious code to be downloaded and executed, manipulating the user interface to cause a fraudulent transaction, or opening a webview in an app for phishing. The exploit isn't required to bypass Android's sandbox.

Researchers who do find a bug need to report the issue to the affected developer first. The bounty page has links to the page where they should report issues to the participating firms. After the developer fixes the bug, then researcher reports it to the Play Security Reward Program for consideration of a reward.

"As the Android ecosystem evolves, we continue to invest in leading-edge ideas to strengthen security," said Vineet Buch, Director of Product Management, Google Play.

"Our goal is continue to make Android a safe computing platform by encouraging our app developers and hackers to work together to resolve unknown vulnerabilities, we are one step closer to that goal."

Most of the companies in the bounty program already offer bug bounties separately, either through their own programs or via HackerOne. Dropbox has run its bounty since 2014 and currently offers $15,625 for "trivial" RCE's affecting its iOS and Android app and higher rewards for attacks on its servers. Tinder has bug bounty too, but it's a private program. Snapchat meanwhile has paid out over $140,000 through its HackerOne bounty program.

According to the Play Security Reward Program page, developers of popular Android apps are invited to opt-in to the program, which aims to incentivize research in a bug bounty model.

"The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem," it notes.

Editorial standards