On 13th September 2016, Google announced an Android app security challenge, “Project Zero”, that will reward its winner with up to $200,000 for successfully exploiting one or more unidentified vulnerabilities found through Android app security testing.
According to Google, though it already has vulnerability and Android app security testing reward programs in place, it is usually such contests that have resulted in the discovery of high-quality and unique security bugs in the past. Unlike usual contests that last for a day or two, this contest will last for 6 months from the date of its announcement. Participants can submit their entries until 14th of March, 2017.
The contest aims to find a vulnerability or bug chain that achieves remote code execution on a number of Android devices, knowing only the email address and phone number of the device.
If an entry consists of multiple exploits, Google has asked the participating researchers to report every link in the bug chain in the Android issue tracker as each flaw is found, rather than saving the bugs and reporting the bug chain all together. Also, a participant doing Android app security analysis should submit a bug report as soon as the bug is discovered, as only the first one to report a particular bug will be given the credit. Participating researchers also need to be able to hack a Nexus 5X and Nexus 6P phone running any current version of Android.
Unlike contests in the past, exploits and vulnerabilities submitted by the researchers from Android app security testing will be made public. Each participant will have to write and submit a complete description of how the exploit works. Each exploit, along with its explanation, will be published on the Project Zero blog. Exploit techniques of all winning submissions and Android app security issues will also be published on the blog.
The first and second prize winners will be awarded $200,000 and $100,000 respectively, whereas other winners will get $50,000. Google says the motivation behind the contest is to get information about how the bugs work and how Android app security measures can be dodged. It also hopes to fix lethal bugs before any users are affected.
The Prize Zero Project was announced a week after the announcement of Pwn2Own 2016 by Trend Micro. The Pwn2Own contest, of which Google was a co-sponsor until last year, will run on the 26th and 27th of October, 2016 in Tokyo.