Previously by-invitation only, we opened up Chrome's Fuzzer Program to submissions from the public. The program allows researchers to run fuzzers at large scale, across thousands of cores on Google hardware, and receive reward payments automatically.
On the product side, we saw amazing contributions from Android researchers all over the world, less than a year after Android launched its VRP. We also expanded our overall VRP to include more products, including OnHub and Nest devices.
We increased our presence at events around the world, like pwn2own and Pwnfest. The vulnerabilities responsibly disclosed at these events enabled us to quickly provide fixes to the ecosystem and keep customers safe. At both events, we were able to close down a vulnerability in Chrome within days of being notified of the issue.
Stories that stood out
As always, there was no shortage of inspiring, funny, and quirky anecdotes from the 2016 year in VRP.
We met Jasminder Pal Singh at Nullcon in India. Jasminder is a long-time contributor to the VRP, but this research is a side project for him. He spends most of his time growing Jasminder Web Services Point, the startup he operates with six other colleagues and friends. The team consists of: two web developers, one graphic designer, a developer for Android and iOS respectively, one Linux administrator, and a Content Manager/Writer. Jasminder’s VRP rewards fund the startup. The number of reports we receive from researchers in India is growing, and we’re growing the VRP’s presence there with additional conference sponsorships, trainings, and more.
Jasminder (back right) and his team
Jon Sawyer worked with his colleague Sean Beaupre from Streamlined Mobile Solutions, and friend Ben Actis to submit three Android vulnerability reports. A resident of Clallam County, Washington, Jon donated their $8,000 reward to their local Special Olympics team, the Orcas. Jon told us the reward was particularly meaningful because his son, Benji, plays on the team. He said: “Special Olympics provides a sense of community, accomplishment, and free health services at meets. They do incredible things for these people, at no cost for the athletes or their parents. Our donation is going to supply them with new properly fitting uniforms, new equipment, cover some facility rental fees (bowling alley, gym, track, swimming pool) and most importantly help cover the biggest cost, transportation.”
VRP researchers sometimes attach videos that demonstrate the bug. While making a great proof-of-concept video is a skill in itself, our researchers raised it to another level this year. Check out this video Frans Rosén sent us. It’s perfectly synchronized to the background music! We hope this trend continues in 2017 ;-)
Researchers’ individual contributions, and our relationship with the community, have never been more important. A hearty thank you to everyone that contributed to the VRP in 2016 — we’re excited to work with you (and others!) in 2017 and beyond.
For this reason, if you are developing code intended to connect to a Google property, we still recommend that you include a wide set of trustworthy roots. Google maintains a sample PEM file at https://pki.goog/roots.pem which is periodically updated to include the roots owned and operated by Google Trust Services, as well as other roots that may be necessary, now or in the future, to communicate with and use Google products and services.
ASI now notifies developers of 26 potential security issues. To make this process more transparent, we introduced a new page where developers can find information about all these security issues in one place. This page includes links to help center articles containing instructions and additional support contacts. Developers can use this page as a resource to learn about new issues and keep track of all past issues.
Developers can also refer to our security best practices documents and security checklist, which are aimed at improving the understanding of general security concepts and providing examples that can help tackle app-specific issues.
In Android Security, we're constantly working to better understand how to make Android devices operate more smoothly and securely. One security solution included on all devices with Google Play is Verify apps.
Verify apps checks whether there are Potentially Harmful Apps (PHAs) on your device. If a PHA is found, Verify apps warns the user and enables them to uninstall the app.
But sometimes devices stop checking in with Verify apps. This may happen for a reason unrelated to security, like the user buying a new phone, or it could mean something more concerning is going on. When a device stops checking in with Verify apps, it is considered Dead or Insecure (DOI). An app with a high enough percentage of DOI devices downloading it is considered a DOI app. We use the DOI metric, along with our other security systems, to help determine whether an app is a PHA and so protect Android users. Additionally, when we discover vulnerabilities, we patch Android devices with our security update system.
This blog post explores the Android Security team's research to identify the security-related reasons that devices stop working and to prevent it from happening in the future.
Flagging DOI Apps
To understand this problem more deeply, the Android Security team correlates app install attempts with DOI devices to find apps that harm the device, in order to protect our users.
With these factors in mind, we then focus on 'retention'. A device is considered retained if it continues to perform periodic Verify apps security check-ups after an app download. If it doesn't, it's considered potentially dead or insecure (DOI). An app's retention rate is the percentage of the devices that downloaded the app on a given day that were retained. Because retention is a strong indicator of device health, we work to maximize the ecosystem's retention rate.
Therefore, we use an app DOI scorer, which assumes that all apps should have a similar device retention rate. If an app's retention rate is a couple of standard deviations lower than average, the DOI scorer flags it. A common way to calculate the number of standard deviations from the average is called a Z-score. The equation for the Z-score is below.
N = Number of devices that downloaded the app.
x = Number of retained devices that downloaded the app.
p = Probability that a device downloading any app will be retained.
In this context, we call the Z-score of an app's retention rate a DOI score. The DOI score indicates that an app has a statistically significantly lower retention rate if the Z-score is much less than -3.7. This means that if the null hypothesis is true, there is much less than a 0.01% chance of the Z-score's magnitude being this high. Here, the null hypothesis is that the app's correlation with a lower retention rate is accidental, independent of what the app does.
This allows extreme apps (those with a low retention rate and a high number of downloads) to percolate to the top of the DOI list. From there, we combine the DOI score with other information to determine whether to classify the app as a PHA. We then use Verify apps to remove existing installs of the app and prevent future installs.
Difference between a regular and DOI app download on the same device.
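As an added example (not code from the original post), here is a small scorer that applies the definitions above to constructed sample data. The post's equation image is not reproduced on this page, so the example assumes the standard normal approximation to the binomial, z = (x - Np) / sqrt(Np(1 - p)); the app names, download counts and the baseline retention probability are made up for illustration.

```python
import math

# From the post: a Z-score far below this is treated as statistically significant.
DOI_THRESHOLD = -3.7


def doi_score(n, x, p):
    """Z-score of an app's retention rate (the app's DOI score).

    n: number of devices that downloaded the app (N in the post)
    x: number of those devices that were retained
    p: probability that a device downloading any app is retained
    Assumes the normal approximation to Binomial(n, p): z = (x - Np) / sqrt(Np(1-p)).
    """
    if n <= 0 or not 0 < p < 1 or not 0 <= x <= n:
        raise ValueError("need n > 0, 0 < p < 1 and 0 <= x <= n")
    expected = n * p
    stddev = math.sqrt(n * p * (1 - p))
    return (x - expected) / stddev


def one_sided_p_value(z):
    """P(Z <= z) for a standard normal; for z = -3.7 this is roughly 0.01%."""
    return 0.5 * math.erfc(-z / math.sqrt(2))


def flag_doi_apps(apps, p, threshold=DOI_THRESHOLD):
    """Return (name, z) for every app whose DOI score is below the threshold,
    most extreme first, so the worst apps percolate to the top of the list."""
    scored = [(name, doi_score(n, x, p)) for name, n, x in apps]
    scored.sort(key=lambda item: item[1])
    return [(name, z) for name, z in scored if z < threshold]


# Constructed sample data: (app name, downloads N in one day, retained devices x).
# SAMPLE_P stands in for the ecosystem-wide retention probability p.
SAMPLE_P = 0.95
SAMPLE_APPS = [
    ("typical-app", 10_000, 9_500),                # exactly the baseline: z = 0
    ("small-bad-app", 50, 44),                     # 88% retention, too few downloads to be significant
    ("large-bad-app", 10_000, 9_300),              # 93% retention at scale: flagged
    ("huge-slightly-bad-app", 200_000, 189_000),   # 94.5% retention but huge N: flagged
]

if __name__ == "__main__":
    for name, z in flag_doi_apps(SAMPLE_APPS, SAMPLE_P):
        print(f"{name}: DOI score {z:.1f}, one-sided p-value {one_sided_p_value(z):.2e}")
```

Note how the small app with the worst retention rate is not flagged while a huge app only half a point below baseline is: the score rewards both low retention and high download counts, which is the percolation effect the post describes.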
Results in the wild
Among others, the DOI score flagged many apps in three well-known malware families: Hummingbad, Ghost Push, and Gooligan.
Although they behave differently, the DOI scorer flagged over 25,000 apps in these three families of malware because they can degrade the Android experience to such an extent that a non-negligible number of users factory reset or abandon their devices. This approach provides us with another perspective to discover PHAs and block them before they gain popularity. Without the DOI scorer, many of these apps would have escaped the extra scrutiny of a manual review.
The DOI scorer and all of Android's anti-malware work is one of multiple layers protecting users and developers on Android. For an overview of Android's security and transparency efforts, check out our page.
PS: Warning! Self-serving Google notice ahead… We’re hiring! We believe that most security researchers do what they do because they love what they do. What we offer is a place to do what you love—but in the open, on real-world problems, and without distraction. Please reach out to us if you’re interested.