Google knows that exploitable bugs make it through the app development process and could be lurking in some of the most popular apps on the Google Play Store, waiting for a nefarious hacker to take advantage. To help weed out these vulnerabilities, Google has launched the Google Play Security Reward Program. Developers of popular apps are invited to opt in to the program, and if they do, Google will pay out up to $1,000 for bugs found in those apps.
Google writes, "Developers of popular Android apps are invited to opt-in to the program, which will incentivize security research in a bug bounty model. The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem."
The way the program works is that the hacker first has to identify a vulnerability in an app and report it to the developer through that developer's vulnerability disclosure process. The app developer then works with the hacker to patch the vulnerability, after which the hacker can request a reward from the Google Play Security Reward Program.
Google notes that the Android Security team will issue additional rewards to the hacker for improving overall Google Play security. The rules stipulate that all vulnerabilities must be reported directly to the app developer first. Not all apps qualify, with Google writing, "Only developers who have expressed a commitment to fixing bugs which are disclosed to them have been invited to the program. It is the responsibility of each developer to respond and fix bugs in a timely manner."
Google has partnered with HackerOne for this program and as such, HackerOne's rules have to be followed as well. The first person who submitted the vulnerability gets the reward. Google does say that the reward is $1,000, but also notes that "reward amounts are at our discretion."
There are limits to the scope of the reward program: "For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof of concepts) that work on Android 4.4 devices and higher."
"This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission."
Some of the major apps that are participating in the program right now include Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder. Other apps could be added, and you can check the source below for new apps. Google Play has a big problem with nefarious apps, and recently, the Android.Sockbot exploit was discovered in apps with large install bases.