
Google will pay you to help solve Android bugs

Cape Town - Google has expanded its bug reward programme to Android smartphones, with the search giant promising to pay for vulnerabilities discovered.

"Today, we're expanding our program to include researchers that will find, fix, and prevent vulnerabilities on Android, specifically," Jon Larimer, Android Security Engineer, wrote on the official Google blog on Tuesday.

Google will pay for each step required to fix a security bug on its Nexus 6 and 9 smartphones for sale on the Play Store.

The company already makes reward payments for bugs discovered in the Chrome browser and Larimer said that in 2014, Google paid out $1.5m in rewards.

In the Android programme, the rewards will be limited to AOSP, or Android Open Source Project, code as well as vulnerabilities discovered in libraries and drivers.

Third-party code vulnerabilities, such as those in chip-set firmware, will generally not be covered unless they impact the security of Android, Google said.

Rewards

"In addition to rewards for vulnerabilities, our program offers even larger rewards to security researchers that invest in tests and patches that will make the entire ecosystem stronger," said Larimer.

Rewards are divided into critical, high, and moderate severity and Google will typically pay $2 000, $1 000 and $500 respectively.

However, researchers who demonstrate serious security failures can expect to earn higher rewards, said Larimer.

"The largest rewards are available to researchers that demonstrate how to work around Android's platform security features, like ASLR, NX, and the sandboxing that is designed to prevent exploitation and protect users."

Android faces a threat landscape similar to the one Windows faces as the dominant operating system. (Duncan Alfreds, Fin24)

For serious application exploits that can be demonstrated to compromise the kernel, Google will pay out an additional $10 000, with successful remote attacks netting up to $30 000.

The company warned that while the reward amounts were not set in stone, it would pay more for "unusually clever or severe vulnerabilities".

Android is the most popular mobile operating system, and criminals have turned their attention to stealing personal and financial data from users.

Security scans

"IBM found that 73% of the 41 popular dating applications analysed have access to current and historical GPS location information. Hackers may capture your current and former GPS location details to find out where you live, work or spend most of your day," IBM said of its study to investigate vulnerable applications.

But Google said that it performs 200 million security scans of devices per day to ferret out malicious applications.

"Fewer than 1% of Android devices had a Potentially Harmful App (PHA) installed in 2014. Fewer than 0.15% of devices that only install from Google Play had a PHA installed," said Adrian Ludwig, lead engineer for Android Security.

Google indicated that rewards that go unclaimed for 12 months will be donated to charity.

