Google Launches New Program to Quickly Fix OEM Security Issues, Creating Team for Bug Discovery in Sensitive Apps

Google Launches New Program to Quickly Fix OEM Security Issues, Creating Team for Bug Discovery in Sensitive Apps

 

Google has now introduced a new initiative to help third-party Android vendors patch flaws and vulnerabilities faster. It has introduced a new Android Partner Vulnerability Initiative which essentially helps manufacturers in discovering flaws and fixing them soon. Separately, Google is also creating a new Android security team that will only be focused on looking for vulnerabilities in highly sensitive apps on Google Play store.

The new Android Partner Vulnerability Initiative (APVI) has been launched by Android Security and Privacy team to manage security issued related to third-party Android vendors. The blog post explains that this initiative looks to ‘drive remediation and provide transparency to users about issues discovered at Google that affect device models shipped by Android partners.’

The APVI has already addressed a number of security issues. It doesn’t list vendor partners, but a bug tracker for the initiative mentions OEMs like Oppo, Huawei, Vivo, ZTE, and Meizu. Chip maker MediaTek has also been listed, along with Digitime and Transsion. Google mentions that most of the vulnerabilities found have been fixed by vendors. If anything, this initiative will put some onus on Android vendors to take security of phones and other devices more seriously and fix issues speedily.

Google has also published a new job posting looking for a ‘Security Engineering Manager’ to help ‘create and maintain the safest operating environment for Google’s users and developers’.

Sebastian Porst, Software Engineering Manager for Google Play Protect told ZDNet that Google is looking to build a team that will focus on highly sensitive apps like COVID-19 contact tracing apps and election-related applications. The job posting explains, “Your team will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers.”

While Google does have a bug bounty initiative called the Google Play Security Reward Program (GPSRP) wherein it offers security researchers money in exchange for finding bugs, but this program is limited to apps that have more than 100 million users and highly sensitive apps aren’t always eligible for GPSRP rewards. This new team looks to close this loophole and help make the Google Play store ecosystem a little more secure.