High level vulnerability within Google's Play Core library

Posted Sep 1, 2020 by Tim Sandle
Oversecured, an app security startup, helped identify and disclose a vulnerability in Google’s Play Core library rated 8.8 out of 10 in severity. The fix has prevented malicious apps from being downloaded to and run on devices.
Google Android toys.
© Google
The actions taken prevented malicious apps on the same Android device from exploiting the vulnerability and stealing private information (e.g. passwords, credit card numbers) from inside the affected application. Oversecured demonstrated the vulnerability by constructing a proof-of-concept app with a few lines of code and testing it against Google Chrome for Android.
Looking into this issue for Digital Journal, Casey Ellis, CTO and Founder of Bugcrowd, says that the case highlights the importance.
Ellis explains that: “The fast-acting measures of Oversecured represent just how critical security researchers are to making the virtual community a safer place. The severity of this vulnerability had the potential to devastate millions of users, as well as expose private information on apps within the device.”
The researcher adds that the activity "emphasizes the necessity for Vulnerability Disclosure Programs, or VDPs, which establish an open line of communication between the community of security researchers and organizations."
This process allows actions to be taken, Ellis explains: "By doing so, researchers can proactively report such vulnerabilities and organizations can fix them - before they’re exploited by bad actors."
Responses also need to be fast and consistent, Ellis adds: “While speed is the natural enemy of security, the best way to improve your organization’s security posture and beat attackers is by thinking like one. Even organizations with in-house security teams can benefit from the help of external security researchers, otherwise known as ethical hackers.”
With the specific case Ellis says: “In this instance, having a VDP allowed Google to quickly address the vulnerability and avoid what could have been a detrimental database exposure for some of the most popular apps in the Android app store.”