Rightly or wrongly, Android has a reputation among some security professionals as an unsafe platform. Google has tried very hard to combat this with initiatives like Google Play Protect, Project Mainline for easier updating of core system components, the Android Security Rewards Program and the Google Play Security Rewards Program. However, try as they might, Google does not control the vast majority of Android hardware and apps: OEM firmware, pre-installed apps and partner services sit outside the parts of the platform Google ships itself.
To this end, Google has today announced the Android Partner Vulnerability Initiative (APVI), a program under which Google will follow international best practices for security and privacy disclosure when it finds issues in partner hardware, software and services, rather than only in Google's own code. Effectively, Google is now publicly policing its own partners' privacy and security.
The new program has already detected, disclosed and helped partners close security vulnerabilities, as can be seen on the public tracker published today. Google provided three examples of issues it has helped detect and fix: an OTA update system that exposed privileged APIs without user consent, a popular pre-installed web browser that leaked users' login credentials, and pre-installed apps that were granted privileges they did not need.
The overwhelming majority of the current disclosures listed happen to involve Chinese-based partners. It's unclear whether that is coincidence or whether Google is specifically focusing on the Chinese OEMs that churn out a staggering number of devices sold internationally.
Overall we think this is a good move. Whether it's seen as Google naming and shaming partners, policing its own ecosystem, or even as window dressing to hide Android's security issues, doing something is much better than doing nothing.