Android hackers: Now there's a bug bounty program for Google Play

Google has announced that it is teaming up with HackerOne to bring a bug bounty program to the Play Store. Seeking to weed out problems with Android apps, the Google Play Security Reward Program pays out $1,000 for reported issues that meet certain criteria.

The program is a little different to other bug bounty programs as Google will pay out for problems that are found in third party apps, not just its own. At the moment there are a very small number of apps that are taking part, but Google is inviting developers to opt their apps into the program.

The apps that are currently included in the Google Play Security Reward Program are Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat and Tinder, and these are the only ones for which a bounty reward will be paid out. When a problem is discovered by a "hacker" (as Google refers to the discoverer), they must report it to the developer and work with them to help resolve it. Once the issue is fixed, the reward will be paid.

Google also notes that the "Android Security team issues an additional reward to the hacker to thank them for improving security within the Google Play ecosystem."

Announcing the Google Play Security Reward Program, Google says:

Google Play is working with the independent bug bounty platform, HackerOne, and the developers of popular Android apps to implement the Google Play Security Reward Program. Developers of popular Android apps are invited to opt-in to the program, which will incentivize security research in a bug bounty model. The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.

There are a few things to keep in mind if you're hoping to make a small fortune from discovering bugs. The first is that if you report multiple problems that turn out to be related, only one bounty will be paid. Secondly, the patching of issues must be reported to Google within 90 days, or no bounty will be available. Google also has the following vulnerability criteria:

For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher.

This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission. Examples may include:

• Attacker gaining full control, meaning code can be downloaded from the network and executed (download and execute arbitrary code, native, Java code etc. Javascript)
• UI Manipulation to commit a transaction. For example, causing a banking app to make money transfers on behalf of the user without their consent.
• Opening of webview that may lead to phishing attacks. Opening webview without user input or interaction.

There is no requirement that OS sandbox needs to be bypassed.

Any vulnerability that requires collusion between apps, or where there is a dependency for another app to be installed is considered to be out of scope, and thus will not qualify for a reward.

You can find out more on the Google Play Security Reward Program page on the HackerOne website.

Image credit: dennizn / Shutterstock