Android

Android New Partnership Initiative Improves third-Party Security

Google has started a new program with which the company is tackling security vulnerabilities of its partners. Android OEMs are now basically getting help from Google to make their devices more secure.

So far it has been the case that Android security updates only fix those vulnerabilities that are directly in the Android code. With the newly founded initiative, Google is now expanding this – and is now also looking for vulnerabilities at third-party providers and helping to rectify them. According to the announcement in the Android blog, the Android partners will soon be able to benefit from this, which will primarily benefit end-users XDA Developers also reported.

“Google’s Android Security & Privacy Team launched the Android Partner Vulnerability Initiative (APVI) to manage security issues specifically for Android OEMs,” said Program Manager Kylie McRoberts and Security Engineer Alec Guertin. “The APVI was developed to promote corrective action and to provide users with transparency about problems that we have discovered at Google and that affect device models that are shipped by Android partners, i.e. by hardware manufacturers such as Vivo, Oppo or Huawei.

Other security programs

Vulnerabilities that Google discovered outside of the code based on the Android Open Source Project (AOSP) and that affect only a small subset of Android OEM devices, however, were not previously disclosed through a public program, and that is now about to change. The new program complements existing Google initiatives that deal with Android security, such as the Android Security Rewards Program (ASR) and the Google Play Security Rewards Program (for third-party applications).

“The APVI has already addressed a number of security issues, thereby improving the protection of users from bypassing permissions, executing code in the kernel, credential leaks, and creating unencrypted backups,” said Google. The security gaps that Google discovered as part of the AVPI, as well as information about problems that have already been disclosed, are published on https://bugs.chromium.org/p/apvi/.