Google Launches App Security Team

John Lister's picture

Google is creating a dedicated security team to hunt for bugs in "sensitive" Android apps. It will concentrate on the nature of the app rather than how widely it's used.

The new team will work in a different way from Google's existing program, which offers bounties to independent security researchers who spot bugs in apps from the Google Play Store. To get the most "bang for its buck," that program only covers apps which have more than 100 million downloads.

While it's logical enough to prioritize those apps, as the number of people affected by a security breach will be highest, it doesn't take account of how sensitive the data handled by an app is, nor how important the app's task is.

Elections And COVID Apps Affected

Rather than change the rules for independent researchers, Google is advertising for somebody to head a dedicated in-house team. Among its tasks is to: "perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers."

According to Google, the subjects of apps that will come under the new team include elections and COVID-19 contact tracing. (Source: zdnet.com)

In both cases, the consequences of a security breach would be serious, not only for the individuals concerned but because of a potential loss of functionality in the app. Both topics are mainly organized at a national or state level and so any one app is unlikely to reach the 100 million user mark.

Hardware Issues Also Traced

Google is also tackling security problems on Android devices themselves. It's launched a program called the Android Partner Vulnerability Initiative. Under the program, Google will look for problems with specific devices manufactured by third parties.

Until now, Google has mainly gone public only with problems that affect Android itself. Now it's going to disclose bugs that affect particular manufacturers. As well as keeping users in the loop, the program could also put pressure on manufacturers to fix problems more quickly. (Source: bleepingcomputer.com)

What's Your Opinion?

Is it a good move for Google to launch this dedicated team for sensitive apps? Should it lower the threshold on the bounty program for independent researchers? If you use an Android device, do you feel confident about its protection against new threats?
