While APVI aims to provide transparency at driving remediation on security issues discovered by Google that affect any phone model that is shipped by Android partners.
The program will also alert users of the security vulnerabilities in their Android phones manufactured by third-party companies, with all the detected security issues made available on Google’s catalog, and tips on how to migitage against those vulnerabilities.
How APVI will improve Android OEM devices' security
APVI targets Google-discovered security issues on Android that could potentially affect the security of any device running Android or its user and it's aligned to ISO/IEC 29147:2018 Information technology, which security techniques include vulnerability disclosure recommendations.
Also, the initiative covers issues impacting device code which is not particularly serviced or maintained by Google; it aims to close the security gap, by adding another layer of security for targeted set of Android OEMs. This is perhaps the first time Google is providing a clear way to process Google-discovered security issues outside the AOSP code that can impact a much smaller set of specific Android OEMs.
The company had earlier made it possible to report vulnerabilities in Android code through the Android Security Rewards Program (ASR), and vulnerabilities in third-party Android apps via the Google Play Security Rewards Program, and also, releases ASR reports in Android Open Source Project (AOSP) based code via the Android Security Bulletins (ASB).
How APVI Protects Android users
APVI has currently processed several security issues that affect Android users, including protection against permissions bypasses, code execution in the kernel, and credential leaks, among others.
Google is working hard to incorporate industry-leading security features with the partnership of developers and device OEMs to keep the Android ecosystem secure and safe for users.