Every month, Android manufacturers release security patches to protect devices from the latest issues. With the Android Partner Vulnerability Initiative (AVPI), Google will now detail problems it has discovered on partner devices.
With this program, the Android Security & Privacy team wants to “drive remediation and provide transparency to users.” There was previously no “clear way to process Google-discovered security issues outside of AOSP code that are unique to a much smaller set of specific Android OEMs.”
These vulnerabilities are in device code that Google is not responsible for — differing from Android Security Bulletins, but “could potentially affect the security posture of an Android device or its user.”
In announcing AVPI, Google detailed some of the vulnerabilities it has discovered and partners have since addressed:
- In some versions of a third-party pre-installed over-the-air (OTA) update solution, a custom system service in the Android framework exposed privileged APIs directly to the OTA app. The service ran as the system user and did not require any permissions to access, instead checking for knowledge of a hardcoded password.
In these cases, Google made OEMs aware of the issue and provided guidance on how to address, or reached out to the app developer.
FTC: We use income earning auto affiliate links. More.