In the past three years or so, Google has ramped up Android updates and security patches for third-party vendors. Efforts like Project Treble and Project Mainline have helped OEMs pull up their socks in terms of updates. With some OEMs, users have certainly felt the changes, while others are still laggards.
But the company is now introducing a new measure to help manage security issues specific to Android OEMs. That is the newly announced Android Partner Vulnerability Initiative (APVI).
APVI will be the company’s initiative to discover flaws in software not written by the company.
Ultimately Google hopes APVI will add an extra layer of security to third-party software shipped by Android partners. APVI will also provide transparency to users about issues discovered in third-party Android software from OEMs.
Google says the initiative has already helped address flaws in third-party Android software, including permission bypass, credential leak, and over-privileged apps.
The company didn’t mention specific affected Android manufacturers in the launch blog post. However, a post in the Chromium bug tracker details specific OEMs and the discovered flaws.
For instance, the tracker says Transsion (Tecno, Infinix, and itel) had PHX browser vulnerabilities. Huawei’s software had issues with unsecured backups, Vivo and Oppo had a sideloading flaw, and MediaTek had a problem with the command queue driver.
Google notified affected vendors, and most have already patched the flaws.
For a long time, Google has provided various platforms for security researchers to report flaws in Android source code and popular third-party Android apps. Android source code flaws have the potential to affect all devices running the OS.
Such flaws are fixed through the regular monthly security updates, which MUST be adopted by OEMs. But until this point, Google didn’t actively monitor what happens outside Android Open Source Project (AOSP)-based code.
“The APVI aims to close this gap, adding another layer of security for this targeted set of Android OEMs,” the company said.