Summary
- Google is taking a closer look at external contributions to the Android Open Source Project (AOSP) to prevent security vulnerabilities and bugs from reaching AOSP.
- All external code contributions to AOSP now require approval from two Google reviewers.
- The review process helps sift through incoming code, identify beneficial contributions, and reduce security issues, without limiting who can contribute to the AOSP.
Most of the Android Open Source Project (AOSP) is licensed under the Apache 2.0 license, which means anyone can modify its code. This model is also what lets AOSP grow through both internal and external contributions. Google published a guide to help users understand how to contribute code to AOSP, and some of those contributions have even gone on to become new features. The downside of this openness is that it also gives bad actors an easy route to push harmful code into the project. In response to these security concerns, Google is tightening its oversight of external contributions.
Android expert Mishaal Rahman explains that all external code contributions to AOSP will now require two Google reviewers to review and approve them before they are submitted. The goal is to stop security vulnerabilities and bugs embedded in contributed code from reaching AOSP, without limiting the number of people who can submit code. Rahman clarifies that non-Googlers are not blacklisted from contributing. Instead, external code is simply subject to review, giving the Google engineers responsible for the affected code the opportunity to decide whether it should be integrated. The review is more in-depth than before, but it helps sift through incoming code, identify what would be most beneficial, and reduce security issues. At the time of writing, Google had not yet responded to requests for comment on the change.
Source: Google
The new requirement could prevent the kind of vulnerabilities Google has faced in the past. Last year, a bug in AOSP was found to be the cause of a flaw that allowed attackers to bypass Android lock screens. David Schütz discovered it and received $70,000 from Google for reporting it.
Google also runs a bug bounty program, the Vulnerability Rewards Program (VRP), launched in 2010. Since then, more than 11,000 bugs have been reported by researchers hunting for them in exchange for rewards. Google has paid millions of dollars to these sleuths over the years, but the new review process may make such payouts less necessary.
If you feel the need to join the hunt, Google has gone so far as to create Bug Hunter University, which provides everything you need to get started. Some of the main areas where Google needs hunters are Google Cloud (Agent Assist), Android (apps), Google Apps Script Editor, and Bard. There is also a leaderboard where you can see how you stack up against other bug hunters, if you have a competitive side.