Google clamps down on Android bugs
Search giant offers a bounty on third party vulnerabilities, as well as posting spike in HTTPS adoption.
Google has long been battling malware on Google Play, with mixed results - although given the scale of the task that’s not always surprising. However, the search giant has taken a positive step to combat the problem by establishing a new bug bounty - and it’s not even for their own software.
The company has set up the Google Play Security Reward Program to encourage security research into ‘popular Android apps’ available on Google Play. A reward of $1,000 will be given for issues that meet the criteria, and are reported following the rules set out by Google.
Apps that are involved at launch include Tinder, Snapchat, Dropbox and Alibaba – a full list is here: https://hackerone.com/googleplay
Of course, Google Play is one of the primary mobile malware targets on the planet, so there’s plenty of opportunity to expand the list or widen the scope if Google has money to burn.
In recent weeks alone, the Sockbot malware (designed to create botnets for DDoS attacks) made its way into more than seven apps, which in turn were downloaded between 600,000 and 2.6 million times, mainly by US consumers, according to Symantec. Meanwhile, Check Point recently identified 50 Google Play apps that were loaded with ExpensiveWall malware and have been downloaded at least 1 million times. The company said that the malware is designed to exploit premium SMS messages in order to defraud victims.
High-Tech Bridge has also been proactive in the mobile malware space, launching a new product to combat the ever-rising levels of mobile-targeted malware, a free online service called “Mobile X-Ray” designed to test mobile application security and privacy.
Ilia Kolochenko, CEO High-Tech Bridge, commented: “Unfortunately, most developers just don’t have enough resources, time or budget to properly test their mobile app before going to production. Today, the majority of large organizations and governments can be easily breached via their web and mobile (backend) applications. A particular risk comes from third-party applications, which are exploited by hackers to compromise your trusted third-party and get access to your data afterwards – cloudization, outsourcing and IT externalization aggravate this complicated challenge.”
High-Tech Bridge researchers found that existing Android applications were a mixed bag, with less than 30 per cent of applications following secure-coding best practices and guidelines, but with an astonishing 97 per cent having at least one OWASP Mobile Top Ten vulnerability. More than 63 per cent of applications have no or weak encryption when sending or receiving sensitive data, while around half of the applications tested contained hardcoded encryption keys, credentials or other sensitive data.
In better news, Google announced this week that Chrome HTTPS adoption has increased, with 64 per cent of Chrome traffic on Android now being encrypted, an uptick of 42 per cent from a year ago. Additionally, more than 75 per cent of Chrome traffic on both ChromeOS and Mac is now protected, up from 60 per cent on Mac and 67 per cent on ChromeOS a year ago. Windows traffic is up to 66 per cent from 51 per cent. Finally, 71 of the top 100 websites now have HTTPS enabled by default, up from 37 per cent just 12 months ago.
If you’ve recently implemented HTTPS then High-Tech Bridge’s SSL/TLS tool will check compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines, gratis.