October 5, 2020

Android Partner Vulnerability Initiative launched to help manage security issues

The Android Partner Vulnerability Initiative (APVI) was launched to help Android OEMs remediate security issues that Google discovers in partner device code, that is, code outside the Android Open Source Project (AOSP) that is specific to a particular OEM. 

“The APVI is designed to drive remediation and provide transparency to users about issues we have discovered at Google that affect device models shipped by Android partners,” the Android team wrote in a blog post.

The APVI covers Google-discovered issues that could potentially affect the security posture of an Android device or its user and is aligned to ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure recommendations, according to the company. 

It covers a wide range of issues in device code that is not serviced or maintained by Google; issues in Google-maintained AOSP code continue to be handled through the Android Security Bulletins. 

“The APVI has already processed a number of security issues, improving user protection against permissions bypasses, execution of code in the kernel, credential leaks and generation of unencrypted backups,” Google stated. 

One of these was a permission bypass: in some versions of a third-party pre-installed over-the-air (OTA) update solution, a custom system service in the Android framework exposed privileged APIs directly to the OTA app, bypassing the permission checks that normally gate them. Google worked with the impacted OEMs to make them aware of the issue and provided guidance on how to remove or disable the affected code.

Another fixed issue was a credential leak in a popular web browser pre-installed on many devices, which included a built-in password manager for sites visited by the user. The initiative also uncovered an overly permissive ‘checkUidPermission’ method in the ‘PackageManagerService’ class: the framework code on some devices had been modified so that the method granted special permissions to certain apps.
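To make the two framework-level problems above concrete, here is an illustrative sketch written for this article; it is not code from Google, from any OEM, or from the affected OTA product. It shows a custom system service that exposes a privileged action without checking the caller (the OTA case), the hardened version that enforces a permission before acting, and, since that enforcement ultimately lands in PackageManagerService.checkUidPermission, the kind of special-casing that would silently grant permissions to chosen apps. The class name OtaUpdateService, the helper names isOemSpecialUid and checkUidPermissionAosp, and the use of android.permission.REBOOT as the gating permission are assumptions for the example; a real OEM would more likely define its own signature-level permission.

```java
// Illustrative example added for this article; not code from Google or an OEM.
// Assumed names: OtaUpdateService, isOemSpecialUid, checkUidPermissionAosp.
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;

/** A custom system service running as the system user that can apply an OTA image. */
public class OtaUpdateService {
    private final Context mContext;

    public OtaUpdateService(Context context) {
        mContext = context;
    }

    /**
     * Vulnerable pattern: the privileged action is exposed over Binder with no check
     * on the calling UID, so any app able to reach the interface can trigger it.
     */
    public void applyUpdateUnchecked(String imagePath) {
        doPrivilegedApply(imagePath);
    }

    /**
     * Hardened pattern: the service verifies that the calling UID holds a
     * signature-level permission before acting. enforceCallingOrSelfPermission
     * throws SecurityException for callers that do not hold it. REBOOT is used
     * here as a stand-in for an OEM-defined signature permission.
     */
    public void applyUpdate(String imagePath) {
        mContext.enforceCallingOrSelfPermission(
                Manifest.permission.REBOOT,
                "applyUpdate requires android.permission.REBOOT (caller uid "
                        + Binder.getCallingUid() + ")");
        doPrivilegedApply(imagePath);
    }

    private void doPrivilegedApply(String imagePath) {
        // Install the image; omitted here.
    }

    /**
     * The enforcement above is only as strong as the framework's central check.
     * A modification of the kind the APVI found short-circuits it for chosen
     * callers; shown here as a hypothetical OEM edit to the PackageManagerService
     * method, not the actual modified code.
     */
    public static int checkUidPermission(String permName, int uid) {
        if (isOemSpecialUid(uid)) {
            // Grants every permission to that app regardless of manifest or signature.
            return PackageManager.PERMISSION_GRANTED;
        }
        return checkUidPermissionAosp(permName, uid);
    }

    /** Hypothetical OEM special-casing; the safe value is "no UID is special". */
    private static boolean isOemSpecialUid(int uid) {
        return false;
    }

    /** Stand-in for the unmodified AOSP permission lookup. */
    private static int checkUidPermissionAosp(String permName, int uid) {
        return PackageManager.PERMISSION_DENIED;
    }
}
```

Two checks follow from this. When auditing an OEM build, diff its PackageManagerService against the AOSP source for the same release and treat any early return of PERMISSION_GRANTED keyed on a UID, shared user ID or signing key as a finding. On a device, an app that does not declare android.permission.REBOOT should get PERMISSION_DENIED from Context.checkSelfPermission for it; a GRANTED result for such an app means the framework's permission path has been altered.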

Google also runs other programs to help keep the Android platform and ecosystem safe, such as the Android Security Rewards Program (ASR) for reporting vulnerabilities in Android code and the Google Play Security Rewards Program for reporting vulnerabilities in third-party Android apps. 

“Until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP code that are unique to a much smaller set of specific Android OEMs,” the team wrote. “The APVI aims to close this gap, adding another layer of security for this targeted set of Android OEMs.”