
Google Is Creating A New Security Team To Find Bugs In Android Apps

Google is creating a new Android security team. The company is hiring a Security Engineering Manager to lead a special team that will “perform application security assessments against highly sensitive, third party Android apps on Google Play.”

The team will be responsible for identifying vulnerabilities in third-party apps and providing remediation guidance to the developers of those apps. According to a ZDNet report, the new team’s immediate focus will include the likes of COVID-19 contact tracing apps and election-related apps. Other such sensitive apps will follow soon, the report cites Sebastian Porst, Software Engineering Manager for Google Play Protect, as saying.

Google’s new Android security team will essentially do what independent security researchers are doing through the Google Play Security Reward Program (GPSRP). The GPSRP is a bug bounty program that pays security researchers for finding bugs in Android apps. Google pays the researchers on behalf of the app developers.

However, this program only pays for bugs discovered in apps with over 100 million users. Additionally, the so-called sensitive apps are also usually exempted from this program. With its new team, Google is now taking the onus of finding bugs in such Android apps on itself.

Having a dedicated internal team for finding bugs in apps will allow the company to quickly spot apps that might slip under the radar. The new team will also work closely with other existing Android security teams. Those include teams that work on app scanning and Google Play operations. They will jointly work on finding new and creative ways to prevent bug-ridden apps from hitting the Play Store.

“Security Engineers work hands-on with network equipment and actively monitor our systems for attacks and intrusions. You also work with software engineers to proactively identify and fix security flaws and vulnerabilities,” Google’s job listing reads.

Google to create a dedicated team for finding bugs in Android apps

The Google Play Store, or Android in general, has often been called out for its security vulnerabilities. Every few weeks, we see Google taking down several malware-ridden apps from the store. The fact that such apps are easily bypassing Google’s security scans is worrisome, and the company surely knows that.

It has been taking measures to improve the overall security of the Android mobile operating system. The formation of a new security team is another step on that front. Last week, Google launched the Android Partner Vulnerability Initiative (APVI), a program aimed at improving the security of Android smartphones from other OEMs.

“Definitely a good move,” said a mobile malware analyst about Google’s latest effort. “Finding security issues with serious impact isn’t that easy and requires a lot of time and experience.”