25 Oct 2017
Google is offering $1,000 to anyone who can hack its apps in the fight against cybercrime
Google is offering to pay a “bounty” of US$1,000 (£759) to anyone who can successfully hack one of the Android apps on its Play Store – Google’s rival to the Apple Store – in an attempt to locate and fix weak spots.
Firms outside the tech sphere are also increasingly turning to hackers for help. Lisa Shu, Assistant Professor of Organisational Behaviour at London Business School (LBS), said the threat of cybercrime gives bosses a strong business case for hiring hackers who can tighten their companies’ online defences.
“There is an argument for hiring true online security experts with the perspective needed to combat cybercriminals,” she said. “Organisations are looking in the right place if they want people with the expertise and competence to boost their online security.”
Google has partnered with the bug bounty platform HackerOne to reward individuals who find and help fix the most serious security flaws in some of its most widely used apps. Google already offers rewards of up to US$100,000 (£75,900) for hackers who find vulnerabilities in its Chrome browser.
Bug bounty programmes are a popular way for companies to reward hackers who find weak spots in their software and disclose them to developers so they can be fixed rather than exploited. “Given the magnitude of the stakes in blockchain and smart-contracts, bug bounties have become increasingly popular,” said Dr Shu.
“These bounty initiatives represent a proactive approach to cybersecurity,” she added. “They are excellent ways to incentivise experts to disclose vulnerabilities before they can be exploited by others with ill intentions. For the most part, these programmes attract recreational hackers, rather than those who would otherwise have malicious intent. Sites such as HackerOne even sponsor hacker leaderboards – creating a legitimate centralised hub that crowdsources expert knowledge to resolve complex forensic cybersecurity problems.
“Ethical problems typically arise when companies dismiss potential weaknesses in their existing systems. Through inviting hackers to expose cybersecurity vulnerabilities in return for bounties, companies are signalling their willingness to diagnose their blind spots.”
Google’s initiative comes just days after Dr Mathy Vanhoef, a computer science researcher at KU Leuven, published details of a WPA2 vulnerability that he calls KRACK (key reinstallation attack). According to Dr Vanhoef, the security protocol used in all modern wifi networks is broken and hackers could steal credit card numbers, passwords, chat messages, emails or photos from anyone using wifi. Experts have claimed this poses a huge risk to businesses.
Cybersecurity is on everyone’s radar yet a recent LBS survey found that executives are willing to gamble potential risk. In a poll of LBS US alumni, EMBA-Global executives, and Executive Education past participants, 40% of C-suite executives said they believed their company had sufficient cybersecurity resources, yet 93% thought their company remained vulnerable to an attack.
Julian Birkinshaw, Professor of Strategy and Entrepreneurship at LBS, said: “Leaders need to be certain of the measures being taken at their own firms or which attacks are most likely to occur – a big risk that jeopardises an entire organisation. Instead of externalising the problem, executives must play an active role in creating and implementing a cybersecurity strategy across the entire organisation.”
Companies are on high alert since corporate hacking scandals that have led to data leaks, damaged reputations and huge costs for the companies involved. Sony Pictures said in February 2015 that the fallout from hackers leaking sensitive emails cost the studio US$15 million (£11,310,000). But increasingly hackers are the heroes. Two such, Kyle Lovett and Jordan Wiens, were rewarded with one million air miles each for identifying flaws in United Airlines’ security system.
At present, the Google Play Security Reward Program is limited to Alibaba, Dropbox, Duolingo, Headspace, LINE, Snapchat and Tinder along with Google-developed Android apps available via Google Play. Third-party developer apps must be invited into the scheme. Hackers will work directly with the developer to identify and fix bugs before claiming the reward from Google.
Google is looking to find and destroy bugs that force apps to download or execute arbitrary code, trick apps into carrying out unauthorised financial transactions or force-open new webviews (browsers contained within mobile apps) that might be used for phishing. The Play Store has been criticised over perceived security issues.