Android Hacks: Is Google's offer in Android hacking contest too small or non-exploitable?

Six months ago, Google's Project Zero contest offered a $200,000 bounty to any researcher who could remotely hack into an Android device with only the victim's phone number and email address disclosed. Researchers pointed out that the $200,000 price was too low for a remote exploit, and not a single person stepped up to the challenge.

Nonetheless, the exploit could have been sold to other entities for a much higher price, if there really is any possibility of cracking the Android OS remotely.

So, could the mobile operating system's strong security be the reason why the Prize contest failed to attract much interest?

To compromise an Android device, an attacker would need to gain root privileges, which would require chaining multiple vulnerabilities. It's rarely feasible to have full remote Android bugs made public, and perhaps this was the halting point for the researchers.

And the majority of Android bug chains begin with some user interaction, especially clicking a link, which was not allowed in the contest.

Still, the Project Zero Prize was intended to encourage participants to file partial bug chains in the Android bug tracker during the contest, even if a full chain was not completed.

Overall, Google perceived the contest as a learning experience, and it promises to put the lesson to use in its rewards programs and future contests.