Company says it has already discovered several bugs

Oct 4, 2020 21:18 GMT

Google will begin warning users of non-Pixel Android phones of security vulnerabilities as part of the Android Partner Vulnerability Initiative (APVI).

Launched specifically to deal with security issues found on devices from other Android OEMs, the program adds a new layer of protection to Google’s vast mobile ecosystem, which includes companies from all over the world.

“The APVI covers Google-discovered issues that could potentially affect the security posture of an Android device or its user and is aligned to ISO/IEC 29147:2018 Information technology -- Security techniques -- Vulnerability disclosure recommendations. The initiative covers a wide range of issues impacting device code that is not serviced or maintained by Google (these are handled by the Android Security Bulletins),” Google explains.

Vulnerability in popular browser

Google explains that security issues covered by this program have already been discovered, and one of the most important concerns a credential leak in a “popular web browser.” While Google doesn’t reveal the name of the app, it says the browser comes pre-installed on many Android devices and exposed users’ credentials.

“A popular web browser pre-installed on many devices included a built-in password manager for sites visited by the user. The interface for this feature was exposed to WebView through JavaScript loaded in the context of each web page. A malicious site could have accessed the full contents of the user’s credential store. The credentials are encrypted at rest, but used a weak algorithm (DES) and a known, hardcoded key. This issue was reported to the developer and updates for the app were issued to users,” the company explains.
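The three defects named in that description (a JavaScript bridge registered on a WebView, DES as the cipher, and a key compiled into the app) can be looked for in an app's Java sources. The script below is an added example, not code from Google or the browser vendor; its regexes are heuristics of this example, and the `PasswordStore` class, the `passwordManager` interface name and the key value in the sample are constructed placeholders.

```python
import re

# Heuristic patterns (this example's own) for the defects described in the quote.
JS_BRIDGE = re.compile(r"\.addJavascriptInterface\s*\(\s*([^,]+),\s*\"([^\"]+)\"")
DES_CIPHER = re.compile(r"Cipher\.getInstance\(\s*\"DES(?:/[^\"]*)?\"")
STRING_CONST = re.compile(r"static\s+final\s+String\s+(\w+)\s*=\s*\"[^\"]*\"")
KEY_SPEC = re.compile(r"new\s+SecretKeySpec\(\s*(\"[^\"]*\"|\w+)\s*\.getBytes\(")

# Constructed sample source; every name and value in it is hypothetical.
SAMPLE = '''\
public class PasswordStore {
    private static final String KEY = "example-key";  // constructed placeholder value
    // Cipher.getInstance("DES") in a comment is not code
    String decrypt(byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY.getBytes("UTF-8"), "DES"));
        return new String(c.doFinal(blob), "UTF-8");
    }
    void attach(WebView view) {
        view.addJavascriptInterface(this, "passwordManager");
    }
}
'''


def audit(java_source):
    """Return (line_number, finding) pairs for one Java source string."""
    lines = java_source.splitlines()
    # First pass: names of string constants, so a key passed by name is still caught.
    constants = {m.group(1) for line in lines for m in STRING_CONST.finditer(line)}
    findings = []
    for number, line in enumerate(lines, start=1):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue  # skip comment lines
        bridge = JS_BRIDGE.search(line)
        if bridge:
            findings.append((number, f"js-bridge:{bridge.group(2)}"))
        if DES_CIPHER.search(line):
            findings.append((number, "weak-cipher:DES"))
        key = KEY_SPEC.search(line)
        if key and (key.group(1).startswith('"') or key.group(1) in constants):
            findings.append((number, "hardcoded-key"))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"line {number}: {finding}")
```

Each finding is a lead for manual review: a bridge matters when the object it exposes reaches sensitive data and the WebView loads untrusted pages.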

Google says all security issues the company discovers on non-Pixel phones will be published on this page, along with the information required to stay protected against possible exploits.