The Android Developers Blog has today released some interesting statistics about the state of Android security in 2018. Jason Woloz and Mayank Jain of the Android Security & Privacy Team took to the blog to share that the Android and Google Play security reward programs have now paid out over 3 million dollars to security researchers.
The Android security rewards program is responsible for most of this sum, as it has been around the longest, having been introduced three years ago. This year alone they received more than 470 qualifying reports from researchers, and the pay per researcher has gone up 23% on average.
There were no payouts given for the highest-valued reward, which is for a remote exploit that can compromise Google TrustZone. Google uses this feature on its Pixel devices to prevent a phone from decrypting data if the Verified Boot process detects that the OS has been modified. It also adds a waiting period between guesses of a user's PIN, so that it would take 4 entire years to test every 4-digit PIN.
More than 99 researchers contributed fixes, and they were paid an average of $2600 per reward and $12,500 per researcher. This average was certainly brought up, however, by Guang Gong, who received over $105,000 as a reward for his submission of a remote exploit chain.
The Google Play Security reward program was a little less impressive, but it's still a very important addition to Android security. The program debuted last October, and in almost a year it has paid out more than $100,000 in rewards for over 30 vulnerabilities which, had they not been caught, could have led to apps accessing sensitive data and remotely executing dangerous code.
The security team also thanked device manufacturers for keeping a majority of their devices up to date with Android security updates from the previous 90 days, and cited over 250 devices from popular brands such as Huawei, Samsung, OnePlus and Xiaomi.