Categories: Android / Developers / Mobile Apps


App security is paramount for app developers. Today’s apps handle huge amounts of personal information, including users’ locations, habits and even financial details. With major security threats like the recent Equifax breach making the news, we need to be paying even more attention to security.

Google agrees. In fact it’s just launched a “bug bounty” program for users who spot security issues in its apps. The program is in partnership with HackerOne and delivers monetary rewards to users who identify vulnerabilities. Users can enjoy a not-too-shabby $1k for spotting a potential threat.

Why a bounty program?

App developers now have an incentive to identify security threats.

A bounty program has two benefits. It rewards savvy security researchers. And it also encourages people to disclose vulnerabilities. The program incentivizes researchers to use their security hacking for good rather than be tempted to profit from it illegally.

The program runs in complement to Google’s ongoing emphasis on Android security. This includes monthly security updates to Android O and increased vetting in the Android store.

What’s the scope of the Google bounty program?

The program covers all apps offered on Google Play, and is open to app developers on an opt-in basis. The program also covers a few third-party apps, with more apps to roll on to the program over time.

Devs take a security researcher approach to identifying RCE (remote-code-execution) vulnerabilities on Android 4.4 devices and above. Basically, the aim is to identify RCE vulnerabilities that secretly let third parties run code on a user’s device.

These include things like downloading and executing code, manipulating a UI to make transactions or opening webview to make users vulnerable to phishing attacks.

How do app developers report on a bug?

App developers report bugs through Google or HackerOne.

First, security researchers identify and report a vulnerability in an app. They can do it through their regular reporting channels. They then work with the app developers to resolve the issue.

Once a researcher has resolved a vulnerability, they request their bounty, and the Android Security team delivers. Bounties are awarded on a sliding scale up to $1k.

Is there anything else we need to know?

Google is aware of potential conflicts of interest, so Google employees and Google Partners aren’t eligible to participate. Nor are those on sanctions lists or those from countries on sanctions lists.

Google is also pretty clear researchers must identify vulnerabilities using safe and legal approaches. That means not breaking laws or compromising data.

If you’re an app developer with some solid security skills, it might be time to step up to the plate and do your bit to help keep our apps as secure as possible. It’s worth it both for the app ecosystem—and your hip pocket.



Touchtap is a digital agency specializing in mobile-first development.We can build your mobile app for you.

Back to Posts