If you’re an Android app developer with a nose for hunting down security issues, you could get paid for loaning your skills to Google. Hackers have managed to plant malware-infected apps on the Google Play Store, some of which got millions of downloads.
In response, Google has opened up its bug bounty program which lets developers dig for security issues in common apps. Previously only a few apps were covered. Now, all popular Play Store apps are part of the program. The program pays out cash rewards for developers who find and report security issues.
Why Google Has a Bug Bounty Program
Google has had a bug bounty program for its own apps for a long time. Like many companies, Google offers rewards to developers who uncover issues in its websites. It also offers rewards for finding bugs in its Chrome browser and its Chrome operating system. But recently it has taken the more radical step of offering rewards for bugs found in other companies’ apps as well.
The first iteration of the Play Store bug bounty program only applied to a very small number of top apps. Now, Google has expanded the program to cover any app in the Play Store with more than 100 million installs. This means there are many more opportunities for bug hunters to discover issues in Play Store apps and get rewarded for reporting them, even if the app developers don’t offer their own bug bounty programs.
Google says it introduced this program in hopes of “encouraging the community to help us improve security for everyone”. Therefore, it encourages bug hunters who do discover a bug to report it to the app developers as well as to Google. This gives the original app developers the chance to fix the bug quickly. And that means better security for everyone who uses Android apps.
How to Get Involved in the Bug Bounty Program
The Play Store bug bounty scheme is called the Google Play Security Reward Program (GPSRP). Google invites security researchers and app developers to participate. The first step is to fill out an application to join the program. Once you have been approved, you can look for security issues in any eligible app on the Play Store.
There are three types of vulnerability which participants look for. Firstly, Remote Code Execution vulnerabilities are those which allow a hacker to access a user’s device and make changes. These are very serious security issues.
Secondly, there is the issue of theft of insecure private data. This is where a vulnerability allows a hacker to steal personal information such as login information, web history, or contact lists.
Thirdly, there is access to protected app components. This refers to an app performing functions it does not have permission for. For example, an app which sends SMS messages even though the user has not granted it permission to do so.
The program does not cover some security issues. For example, phishing attacks, while potentially dangerous, do not qualify. This is because they work by deceiving the user and not by running malicious code. The program also does not cover attacks which require physical access to a device.
Once you discover a bug, you should contact the app’s developer to let them know. Then you can work together with the developer to fix the issue. Once the vulnerability has been resolved, you can claim your cash reward from Google.
Earn Bounties for Discovering Data Abuses by Apps
Google is not only offering rewards for finding security bugs. It is trying to crack down on apps which steal user data as well. Recently, the company launched its Developer Data Protection Reward Program (DDPRP) which offers similar rewards for developers who uncover data abuse by apps.
The data abuse the program is looking for is apps which collect and sell user data in a way which is against Google’s privacy policies. For example, this could be an app which collects data from users’ contact books, such as metadata showing who they called and when, without protecting it as sensitive data.
It would also cover apps which violate rules about permissions, such as an app which does have SMS permissions but uses them to collect data about users’ SMS messages to sell on to third parties. Alternatively, it would cover an app which asks for permission to access contact data and then reuses that data for an unrelated app.
To see more details of exactly what kinds of data abuse qualify for the program, you can look on the DDPRP website. As with the bug bounty program, any app on the Play Store with more than 100 million installs is eligible.
The Rewards on Offer for Discovering Bugs
There are cash rewards on offer for both the bug bounty and the data abuse programs. The amount paid out for any one report depends on the severity of the issue. It also depends on the quality of the report submitted to Google.
The rewards for the Google Play Security Reward Program range from $5,000 to $20,000 for remote code execution bugs, from $1,000 to $3,000 for theft of insecure private data, and from $1,000 to $3,000 for access to protected app components. In addition, there are bonuses for disclosing the vulnerabilities to the app’s developers in a responsible way. This gives the developers the opportunity to patch the issue.
The rewards for the Developer Data Protection Reward Program range from $100 to $1,000. To claim the reward, you will need to submit a report. The report should state which data policy was violated, how the data was abused, and list the times when the app violated the policies.
Earn Cash by Hunting Security Vulnerabilities
Google’s bug bounty and data abuse bounty programs give you the chance to earn money. They also let you help to improve the security of apps distributed through the Play Store. If you’re interested in more bug hunting opportunities, you can check out other companies’ programs too. For some examples, see our list of awesome bug bounty programs for earning pocket money.