Google puts a bounty on buggy apps and bad data users

Google is making big moves to clean up the Android world by putting a bug bounty on popular apps listed in its Play Market and by paying people to point out the apps mishandling user data.

Google will now pay out bounties for bugs and security issues discovered in apps distributed via the Google Play market which have been downloaded over 100 million times. This expansion of the Google Play Security Reward Program’s reach to over 435 apps is a huge increase from the previous eight enrolled apps.

Call in the bounty hunter for those buggy apps

Bug bounties are certainly not exclusive to Google. They are an integral part of quality assurance at many IT companies (including at Avira). This Google program has previously paid out $266,000 to hackers for their bug discoveries, with an average payment of $1,000. The move comes on the heels of the discovery that CamScanner, a popular app on Google Play, had been distributing malware to unsuspecting users. While the app itself — with over 100 million downloads and 1.8 million positive reviews — was not malicious, a third-party component it bundled was being used for ad click fraud and other malicious activities.

Keep your hands off my data

Potentially more interesting is Google’s launch of the Developer Data Protection Reward Program. It is designed to “identify and mitigate data abuse issues in popular Android applications, OAuth projects, and Chrome extensions.” This quest for “data abuse issues” means getting people to directly report instances where data was sold, disclosed, or shared in a way that violates Google’s conditions or is done without the user’s consent. Lucky bug hunters here can get up to $50,000, and the offending app might be removed from the Play Store. Not all apps and extensions are covered: apps in the Google Play Store need to have over 100 million installs, while Google APIs and extensions each need more than 50,000 users.

Launch of the Developer Data Protection Reward Program comes as technology companies are increasingly scrutinized for their treatment of private user data. Paying out rewards of $1,000 – the top bounty range – for identifying bad data use would be chump change in comparison to the political benefits of demonstrating a concern for proper data use and handling. According to the program webpage, total payout during the first month of the program was $5,500.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.