
Google’s Patch Reward Program Expands to Include Open Source Developers to Make Android More Secure

November 20, 2013 - Written By Cory McNutt

About a month ago Google kicked off their Patch Reward Program, designed to be proactive in finding and fixing security weaknesses before they are exploited. They pioneered this model with their Vulnerability Reward Program and wanted to expand on it – offering cash rewards to those who demonstrate a viable fix for a problem Google was experiencing. They said they would start with a conservative scope, but are now expanding the new program to include the following list of projects eligible for rewards of $500 – $3,133.70, although the reward panel may pay more depending on the complexity and impact of the patch:

  • All the open-source components of Android: Android Open Source Project
  • Widely used web servers: Apache httpd, lighttpd, nginx
  • Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
  • Virtual private networking: OpenVPN
  • Network time: University of Delaware NTPD
  • Additional core libraries: Mozilla NSS, libxml2
  • Toolchain security improvements for GCC, binutils, and llvm

The patch has to have a “significant and proactive impact on the security” of the project in one of the following areas:

  • Improvements to privilege separation,
  • Memory allocator hardening,
  • Cleanups of integer arithmetics,
  • Systematic fixes for various types of race conditions,
  • Elimination of error-prone design patterns or library calls.

Android Security

Google wants to expand into the business enterprise market, and in order for this to happen they must make security a number one priority – something they have always strived for, but naysayers have long criticized Android as vulnerable and held up Apple as secure. It may have something to do with the fact that the Android operating system controls over 80 percent of the worldwide devices, and hackers go where the most targets are located.

Back in July, when Bluebox Security disclosed the Master Key vulnerability, which affected almost every Android device out there, Google jumped on it immediately and provided a code fix for all manufacturers to implement. In October, speaking at the Gartner Symposium/ITxpo in Orlando, Google’s CEO, Eric Schmidt, made the unabashed statement that the Android platform was more secure than Apple’s iPhone – which drew a roomful of laughter, but Schmidt went on to defend his stance by reminding them of the new security features in Android 4.3 Jelly Bean:

  • Restricted Profiles
  • KeyChain enhancements
  • Android Keystore Provider
  • Restricted Setuid from Android Apps
  • Wi-Fi support for WPA2-Enterprise Networks
  • Verify Apps – works with Android 2.3 and higher, and scans apps for malware as you install them.
  • Lost Phone Finder – works for Android 2.2 and above.

Let us know in the comments or on Google+ if you feel that Android is secure and if Google is doing enough to make it secure.