Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Announces Android Partner Vulnerability Initiative

Google on Friday announced the Android Partner Vulnerability Initiative (APVI), an effort aimed at improving patching of security issues specific to Android OEMs.

Google on Friday announced the Android Partner Vulnerability Initiative (APVI), an effort aimed at improving patching of security issues specific to Android OEMs.

Through the new initiative, the tech giant also expects to improve transparency around vulnerabilities identified by Google’s own researchers, but which impact device models coming from the company’s Android partners.

Google already provides security researchers with various programs through which they can report security issues, such as the Android Security Rewards Program (ASR), which is for reporting vulnerabilities in Android code, and the Google Play Security Rewards Program, for reporting bugs in popular third-party Android apps.

ASR reports that have a broad impact on Android-based devices are delivered to the Android Open Source Project (AOSP) base code, as part of the Android Security Bulletins (ASB), and all partners are required to adopt these security changes for their devices in order to be able to declare a specific month’s Android security patch level (SPL).

“But until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP code that are unique to a much smaller set of specific Android OEMs. The APVI aims to close this gap, adding another layer of security for this targeted set of Android OEMs,” Google explains.

All issues discovered within Google and which could potentially impact the security of an Android device are covered by the APVI. A variety of security bugs affecting code not maintained by Google are included here, the company says.

The initiative has already kicked off and various types of security issues have been processed, including permission bypass, code execution within the kernel, leak of credentials, and the generation of unencrypted backups.

As part of the program, Google-discovered vulnerabilities will be publicly disclosed on Google’s Chromium portal. Detailed information on issues that have already been disclosed is also found there.

Advertisement. Scroll to continue reading.

Related: Android’s September 2020 Patches Fix Critical System Vulnerabilities

Related: Chinese Drone Giant DJI Responds to Disclosure of Android App Security Issues

Related: Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.