The Google Play Security Reward Program is designed to compensate security researchers who invest time and effort into helping Google build and design apps on Google Play that are secure. Every Google app is included in the scheme, and Google encourages all app developers to take part.
At the start of September 2019, Google announced that it is making big changes to the program. The biggest change is that security researchers will be able to claim rewards for vulnerabilities in applications that were not developed by Google itself. According to Forbes, the extension covers all apps on Google Play with 100 million or more installs.
One reason behind this move is that Google is struggling to keep Android malware out of its Play Store. This places Google in contrast to Apple, The Register notes, whose iOS store is much more closely regulated and less prone to offering apps containing malicious code.
Discussing the issue with Digital Journal, Will LaSala, Director of Security Services and Security Evangelist at OneSpan, sees the move as a positive one: “This is a great step in the right direction from Google. It will ensure that more vulnerabilities are discovered and resolved by security researchers, as opposed to cybercriminals who could cause serious damage, and/or sell their information to other criminals.”
However, LaSala does offer a note of caution: “as the scope only includes rewards for apps in Google Play with 100 million or more installs, there are still a number of apps that could contain bugs or vulnerabilities for criminals to exploit.”
On this basis he urges consumers, businesses and developers to tread carefully: “this should be another reminder that mobile devices are untrusted and potentially hostile environments, and they should take the appropriate steps to ensure their apps are adequately secured.”
To overcome potential risks, LaSala recommends that users of Play: “install advanced security technologies such as application shielding and runtime protection to monitor for and take action on malware and other attacks that may attempt to interfere with and exploit their apps.”
He also recommends that “applications should be implementing intelligent risk-based step-up authentication which would allow the application to detect if someone other than the user is attempting to access the app and step up authentication levels accordingly.”
