Google Play Store Launches Bug Bounty Program to Protect Popular Android Apps


Better late than never.

Google has finally launched a bug bounty program for Android apps on the Google Play Store, inviting security researchers to find and report vulnerabilities in some of the most popular Android apps.

Dubbed “Google Play Security Reward,” the bug bounty program lets security researchers work directly with Android app developers to find and fix vulnerabilities in their apps, for which Google will pay $1,000 in rewards.

“The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem,” the technology giant says in a blog post published today.

Google has partnered with the bug bounty platform HackerOne to run the program’s backend, including report submission and the invitation of white-hat hackers and researchers.

White-hat hackers who wish to participate must first submit their findings directly to the app developers. Only once the developer has resolved the vulnerability does the hacker submit the bug report to HackerOne.

Google will then pay out a reward of $1,000 based on its Vulnerability Criteria. According to the company, more criteria may be added in the future, widening the scope for rewards.

“All vulnerabilities must be reported directly to the app developer first. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer,” HackerOne said.

“For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof-of-concepts) that work on Android 4.4 devices and higher.”

It is an unfortunate truth that, despite Google’s many efforts, malicious apps have repeatedly managed to slip past the Play Store’s security checks and infect millions of Android users.

It’s notable that the Google Play Security Reward program does not cover finding and reporting fake, adware or malware apps available on the Play Store, so the program will do nothing to stem the rise of malicious apps on Google’s app platform.

For now, a limited number of Android apps have been added to the Google Play Security Reward Program, including Alibaba, Snapchat, Duolingo, Line, Dropbox, Headspace, Mail.ru and Tinder.

So what are you waiting for?

Roll up your sleeves and start hunting for vulnerabilities. For more details about the Google Play Security Reward Program, visit HackerOne.

Source: THN

Indian hackers ‘pay back’ Pakistan for 26/11

A Pakistani government website hacked by Indian hackers.

Team Indian Black Hats hacked around ten Pakistani websites, including a high-profile Pakistan government website.

A group of Indian hackers calling themselves the Indian Black Hats has launched a symbolic cyber attack against Pakistan over the 26/11 Mumbai attacks, hacking into two government sites and around 10 non-government domains on Thursday, the fourth anniversary of the terror attacks.

According to one of the hackers, the attack, which began in the early hours of Thursday, was led by ‘team Indian Black Hats’, a group of like-minded hackers from across the country. The same team was active from 2011 to 2013 under the name Indian Cyber Devils and, after a brief lull during which members remained active with various other hacker groups, revived itself in January 2015.

The government websites the Indian Black Hats had hacked by Thursday evening were www.csd.gov.pk and www.mona.gov.pk; a variety of non-government domains, including www.metroshoes.com.pk, were hacked as well. The “attack” was launched as a tribute to the martyrs of 26/11, they said, adding that the “payback” was still on.

Incidentally, a similar group, Mallu Cyber Soldiers, had earlier hacked several Pakistani government websites in retaliation for an attack by Pakistani hackers on the Kerala government’s website in September, apart from mounting a cyber war of sorts against websites that were allegedly part of online prostitution rackets.

Mark Zuckerberg’s sister Randi quits Facebook to set up on her own

Facebook founder’s sister leaves social networking site to form company with no goal or employees – yet

Anyone who saw the film The Social Network would have no way of knowing that Facebook founder Mark Zuckerberg has a sister. But now Randi Zuckerberg is generating headlines of her own: after six years working faithfully in her younger brother’s shadow as Facebook’s director of market development, she is jumping ship to set up an independent social media company.

The tech bloggers of Silicon Valley are rubbing their hands at the prospect of some sibling rivalry to follow the multiple lawsuits that the younger Zuckerberg (he’s 27, she’s 29) has endured over the parentage of his wildly popular website.

But older business analysts wonder if this may not be the online equivalent of the great Dunkin’ Donuts rift of the 1950s, when one of the two original partners behind America’s most popular snackshops broke out on his own with the rival Mister Donut franchise. (They were later bought by the same corporate parent and reunited after close to 40 years.) More perplexed tech watchers wonder what Randi hopes to achieve that she hasn’t already done in one of the world’s most rapidly expanding companies. Her new outfit has a name, RtoZ Media, but no publicly defined goal, no employees and no fully functioning website – yet.

Randi is unlikely to be planning anything excessively controversial. She appears to have decided to have some fun with her money and her instantly recognisable last name by branching out on her own, without doing anything to damage the Facebook brand she worked so long to help establish.

“I’m proud of what I’ve done here … but I know I’ll be able to do just as much, or more, for Facebook once I’m on the outside,” she wrote in her resignation letter last week. She said her goal was “to launch my own innovative programming and work with media companies”, adding: “Facebook will clearly be a central element in all my projects.”

She might not have a reputation as a cutting-edge innovator like her brother, but Randi is no slouch. She, too, went to Harvard, graduating in psychology at about the time Mark was dropping out to focus full-time on the phenomenon he had unleashed. At first she thought she would train to be a cantor, the singer who accompanies the rabbi in Jewish services, but changed her mind when it became clear there was an irresistible new family business to join.

In Silicon Valley, she has always had a reputation as someone unafraid to let her hair down and have a good time. A few years ago, she made a music video, celebrating the demise of the erstwhile Facebook rival Friendster with a tongue-in-cheek ditty called Valleyfreude.

She has sung periodically since, and written a column for Tina Brown’s online publication The Daily Beast. Her sense of fun is strictly of the non-scandalous variety, however: she has been with her husband, venture capitalist Brent Tworetzky, since they were both at Harvard. In her professional life, she has worked hardest to marry Facebook with traditional media initiatives: broadcasting a presidential debate in 2008, bringing the World Economic Forum in Davos to Facebook’s global audience, and launching Facebook Live, which she used to relay a town hall meeting held by President Barack Obama.

Does that qualify her as a high-flyer on a par with her brother or Steve Jobs? Not exactly. But it probably sets her up nicely as a high-profile consultant to the great and the good of corporate America, who want to understand how to integrate social media into their marketing and customer outreach plans.

Just a couple of days before she resigned, Randi argued at a round-table discussion hosted by Marie Claire magazine that the best way to police social networking sites was to oblige everyone to use their real names. That did not endear her to the more radical online community, which believes anonymity and identity-shifting are all part of the great experiment of the internet.

It did, however, send a reassuring message to conservatively inclined executives who might otherwise be nervous of embracing a communication tool over which they have limited control. She is likely to be talking to a lot of those people in the coming weeks and months.

Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack

Hacking Apple’s iOS isn’t easy. But in the world of cybersecurity, even the hardest target isn’t impossible, only expensive. And the price of a working attack that can compromise the latest iPhone is apparently somewhere around $1 million.

On Monday, the security startup Zerodium announced that it has agreed to pay out that seven-figure sum to a team of hackers who have developed a technique that can compromise any iPhone or iPad that can be tricked into visiting a carefully crafted website. Zerodium describes the technique as a “jailbreak,” the term iPhone owners use for hacking their own phones to install unauthorized apps. But make no mistake: Zerodium and its founder Chaouki Bekrar have made clear that its customers include governments, who no doubt use such “zero-day” hacking techniques on unwitting surveillance targets.

In fact, Bekrar says that two teams of hackers attempted to claim the bounty, which was announced in September with an October 31st deadline. Only one proved to have developed a complete, working iOS attack. “Two teams have been actively working on the challenge but only one has made a full and remote jailbreak,” Bekrar writes. “The other team made a partial jailbreak and they may qualify for a partial bounty (unconfirmed at this time).”

Bekrar confirmed that Zerodium plans to reveal the technical details of the technique to its customers, whom the company has described as “major corporations in defense, technology, and finance” seeking zero-day attack protection, as well as “government organizations in need of specific and tailored cybersecurity capabilities.” Zerodium’s founder also notes that the company won’t immediately report the vulnerabilities to Apple, though it may “later” give Apple’s engineers the details of the technique to help them develop a patch. Until that happens, the bug chain remains unpatched for every iOS user, not just Zerodium’s customers’ targets.

Source: Wired