Google today rolled out a new program designed to manage security issues specific to Android OEMs. The new Android Partner Vulnerability Initiative aims to make the best Android phones even more secure by remedying issues that affect device models made by OEMs.
Google has various programs that allow security researchers to report security vulnerabilities. While vulnerabilities in Android code can be reported via the Android Security Rewards Program (ASR), and issues in third-party Android apps can be submitted through the Play Security Rewards Program, until now there was no way to manage issues affecting only specific Android OEMs.
Google says the Android Partner Vulnerability Initiative is aligned with the ISO/IEC 29147:2018 (Information technology – Security techniques – Vulnerability disclosure) recommendations and covers issues impacting device code that Google does not service or maintain itself. The APVI has already helped process quite a few security issues, including credential leaks, generation of unencrypted backups, and execution of code in the kernel.
Google found a custom system service in the Android framework of some versions of a third-party pre-installed over-the-air (OTA) update solution, which exposed sensitive APIs such as enabling or disabling apps and granting app permissions. The service was present in the code base of many device builds across multiple OEMs. Google has made the OEMs aware of the issue and guided them on how to remove the affected code. It also found a major security vulnerability in a popular web browser pre-installed on many devices, which could have allowed malicious sites to access the user’s saved passwords.
You can find more information on these issues and future disclosures here.