> How does that work? Is the submission farmed out to a 3rd party as part of the verification process, and proactively checked? Or is it reactive, similar to a bug bounty?
Bug Bounty. Person finds vuln in popular app. Person submits vuln to Google. Vuln gets reported to developer. Person gets paid.
> Are there people out there making their living running apks in desktop simulators looking for issues?
Most of them use tools, I think. I don't know stats on any individual who is making bank off this but given four figure payouts per issue I could definitely believe somebody living in eastern europe or whatever is making bank on this.
> I always wondered about the economics of checking huge quantities of arbitrary code (well, bytecode) for vulnerabilities, even for a 30% cut (which is probably 0 for 99% of apps, right? I would expect a power law distro). Kinda sounds like Google solved this by running the apks through something like a CI/CD gauntlet and then...hoping for the best.
I'm not sure it is just hope. I don't know how that team works specifically, but I know that they aren't just saying "hey we hope it works" in their reviews with leadership.
> Here's an idea: instead of charging 30%, you should waive that if the dev team agrees to vet 5 other apps for you, over time, especially the open source ones.
If you think that Google's policy enforcement and support is a kafkaesque nightmare now, could you imagine if your app was booted off Play because some other devs working at some company you've never heard of decided your app was bad? How would Google evaluate the quality of these investigations? With only five apps you don't have enough volume to develop a reputation so Google would either be forced to repeat all of the investigations or simply have zero oversight over the process.
>could you imagine if your app was booted off Play because some other devs working at some company you've never heard of decided your app was bad?
I would assume they'd give a reason for booting the app, which could be verified by Google and the author. I would imagine the more likely error mode would be simply clicking "okay" without actually looking at the code at all. You know, like some devs do with code reviews!
Bug Bounty. Person finds vuln in popular app. Person submits vuln to Google. Vuln gets reported to developer. Person gets paid.
> Are there people out there making their living running apks in desktop simulators looking for issues?
Most of them use tools, I think. I don't know stats on any individual who is making bank off this but given four figure payouts per issue I could definitely believe somebody living in eastern europe or whatever is making bank on this.
> I always wondered about the economics of checking huge quantities of arbitrary code (well, bytecode) for vulnerabilities, even for a 30% cut (which is probably 0 for 99% of apps, right? I would expect a power law distro). Kinda sounds like Google solved this by running the apks through something like a CI/CD gauntlet and then...hoping for the best.
I'm not sure it is just hope. I don't know how that team works specifically, but I know that they aren't just saying "hey we hope it works" in their reviews with leadership.
> Here's an idea: instead of charging 30%, you should waive that if the dev team agrees to vet 5 other apps for you, over time, especially the open source ones.
If you think that Google's policy enforcement and support is a kafkaesque nightmare now, could you imagine if your app was booted off Play because some other devs working at some company you've never heard of decided your app was bad? How would Google evaluate the quality of these investigations? With only five apps you don't have enough volume to develop a reputation so Google would either be forced to repeat all of the investigations or simply have zero oversight over the process.