A vulnerability in an application is quite dangerous, especially if the app is one of the most popular, with tens or even hundreds of millions of installations. For this reason, Google has decided to start paying users who hack or find vulnerabilities in the most downloaded applications.
If you find vulnerabilities in apps from the Play Store, there is a reward
This plan, similar to those of Microsoft, Apple or Google Chrome, is called the Play Security Reward Program, and it calls on hackers to find remote code execution (RCE) vulnerabilities in the most popular Android applications on versions later than Android 4.4 KitKat.
In addition to finding a vulnerability, the researcher must attach a proof of concept that shows how it can be exploited and demonstrates that the exploit works. The program covers any RCE vulnerability that enables an attacker to run arbitrary code without the user's permission and without the user noticing, including examples such as:
- An attacker being able to take complete control of the phone through an app, allowing them to download code from the network and run it (native, Java, etc.).
- Manipulation of the interface to execute banking transactions, getting a bank's app to make transactions without the user's permission.
- Opening a web window without user interaction, enabling phishing attacks.
For the moment, only 8 developers take part in this new program, but more will be added
The process for submitting vulnerabilities is as follows:
- The researcher discovers the vulnerabilities and, if they conform to what is described above, they are sent to HackerOne.
- The developers of the application receive the information and work with the researcher to resolve the vulnerability.
- Once it is resolved, the researcher requests payment through the same HackerOne link. The Android security team then sends the money and thanks the researcher for the work.
The amount paid to users will be $1,000 for each vulnerability that meets the requirements. Google is working to include other types of vulnerabilities in this program in the future.
Google has a very complex task on its hands when it comes to maintaining security in the Play Store. Despite having several security mechanisms (Play Protect), the store is affected by the emergence of applications that can be considered malware, and now there is also the possibility of vulnerabilities being exploited in applications that millions of people have on their phones.
At the moment, applications from 8 developers have been accepted into this program: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.ru, Snapchat and Tinder. Google is currently working to expand the number of developers included in this program.
This is one of the new features that Google announced today for the Play Store. There are also improvements to Instant Apps, which let you test apps just by tapping “Try it now” without having to install them.