Google's Android Partner Vulnerability Initiative Will Improve Security Of Partner Devices

Google has announced a new initiative to help improve the security of Android devices shipped by other manufacturers. Called the Android Partner Vulnerability Initiative (APVI), the program will publicly list the security vulnerabilities Google discovers on partner devices. The APVI will “drive remediation and provide transparency to users” about security issues on their phones.

Google has several programs through which developers can report vulnerabilities to its security team. The Android Security Rewards Program (ASR) allows developers to report vulnerabilities in Android code while vulnerabilities in third-party Android apps can be reported through the Google Play Security Rewards Program.

Google then publishes the ASR reports that concern Android Open Source Project (AOSP) based code through the Android Security Bulletins (ASB). The issues released in ASR reports could impact all Android devices, and hence OEMs must adopt ASB changes before rolling out the current month’s Android security patch level (SPL).

The APVI program now adds another layer of security for Android devices. As Google says, it previously didn’t have a clear way to process security issues discovered on partner devices outside of the AOSP code. These issues are usually “unique to a much smaller set of specific Android OEMs.”

The new initiative will offer an additional layer of security for this targeted set of Android OEMs. It will cover Google-discovered issues that could “potentially affect the security posture of an Android device or its user”. Those include a wide range of issues that impact device code that is not serviced or maintained by Google.

Google launches Android Partner Vulnerability Initiative

The APVI program is already live and has processed a number of security issues so far. A list of issues discovered under this program is publicly available. As you can see on the list, Google has disclosed security issues that affected devices from ZTE, Vivo, OPPO, Huawei, and more.

Google has also provided some examples of issues it has helped detect and fix under the APVI program. Those include vulnerabilities in a third-party pre-installed over-the-air (OTA) update solution. In another Google-discovered issue, a popular third-party web browser that comes pre-installed on many devices was leaking login credentials. The app apparently used a weak algorithm (DES) and a known, hardcoded key. Google has reported the issue to the developer and a fix has been released.

Android doesn’t have the reputation of being the safest mobile platform, but Google does try very hard to make it safe enough for users. The APVI program is another initiative in this regard. Hopefully, it’ll go a long way in improving the security of Android devices.