Google Launched Android Partner Vulnerability Initiative Covering Third-Party OEMs

Continuing its work on Android security, Google has recently announced the launch of the Android Partner Vulnerability Initiative (APVI). Under this program, Google will cover security bugs affecting third-party OEMs.

Google’s Android Partner Vulnerability Initiative

In a recent blog post, Google shared details about its newly launched program, the Android Partner Vulnerability Initiative (APVI).

According to Google’s Program Manager Kylie McRoberts and Security Engineer Alec Guertin, the new program will address issues affecting third-party vendors.

Google’s Android OS is an open-source program, available as the Android Open Source Project (AOSP), that different OEMs incorporate into their devices.

However, these OEMs wrap the Android code in their own skin, thus taking over how the OS functions on their devices. These additions include the device UI, the placement of pre-installed apps, and the timeframe in which the device receives system updates.

Google regularly releases updates for its Android OS that fix different vulnerabilities. However, some issues continue to persist in OEM code, which Google previously didn’t cover.

Thus, to “close this gap”, Google came up with APVI.

As explained in their post,

All Android partners must adopt ASB changes in order to declare the current month’s Android security patch level (SPL). But until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP code that are unique to a much smaller set of specific Android OEMs. The APVI aims to close this gap, adding another layer of security for this targeted set of Android OEMs.

Enhanced Android OEM Security

Elaborating further on its initiative, Google highlighted various security issues affecting the OEMs. The tech giant collaborated with the OEMs to remediate such flaws.

Some of these include permission bypass, credential leak, and over-privileged apps. These issues did not affect AOSP, only the code of the respective OEMs.

In the future, this practice will continue under the APVI, addressing bugs that could potentially affect Android users. Details of such disclosures are available at https://bugs.chromium.org/p/apvi/.
