Skip to main content

Android Partner Vulnerability Initiative lists OEM security issues that Google discovered

Every month, Android manufacturers release security patches to protect devices from the latest issues. With the Android Partner Vulnerability Initiative (AVPI), Google will now detail problems it has discovered on partner devices.

With this program, the Android Security & Privacy team wants to “drive remediation and provide transparency to users.” There was previously no “clear way to process Google-discovered security issues outside of AOSP code that are unique to a much smaller set of specific Android OEMs.”

These vulnerabilities are in device code that Google is not responsible for — differing from Android Security Bulletins, but “could potentially affect the security posture of an Android device or its user.”

In announcing AVPI, Google detailed some of the vulnerabilities it has discovered and partners have since addressed:

  • In some versions of a third-party pre-installed over-the-air (OTA) update solution, a custom system service in the Android framework exposed privileged APIs directly to the OTA app. The service ran as the system user and did not require any permissions to access, instead checking for knowledge of a hardcoded password.
  • A popular web browser pre-installed on many devices included a built-in password manager for sites visited by the user. The interface for this feature was exposed to WebView through JavaScript loaded in the context of each web page. A malicious site could have accessed the full contents of the user’s credential store.

In these cases, Google made OEMs aware of the issue and provided guidance on how to address, or reached out to the app developer. 

The Android Partner Vulnerability Initiative list is available here. It joins the Android Security Rewards Program and the Google Play Security Rewards Program.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Abner Li Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com