- Google is increasing scrutiny of external contributions to the Android Open Source Project (AOSP) to prevent security vulnerabilities and bugs from entering AOSP.
- All external code contributions to AOSP now require approval by two Google reviewers.
- The review process helps discover incoming code, identify beneficial contributions, and mitigate security issues without limiting who can contribute to AOSP.
Most of the Android Open Source Project (AOSP) is licensed under Apache 2.0, which means anyone can modify its code. This model allows AOSP to grow through both internal and external contributions, and Google has published a guide to help you understand how to contribute code to AOSP and use this material to build new features. The drawback of this openness is that it also exposes the entire system to bad actors. For security reasons, Google is therefore increasing scrutiny of external contributions.
Android expert Mishaal Rahman explains that all external code contributions to AOSP will now require two Google reviewers to review and approve them before submission. The goal is to prevent security vulnerabilities and bugs embedded in code from making it into AOSP, not to limit who can submit code to AOSP. In fact, Rahman specifies that non-Googlers are not blacklisted from contributing. Instead, external code will only be subject to review, giving reviewers a direct say in whether or not it should be integrated. This is a more thorough inspection process, but it ultimately helps to discover incoming code, identify what will be most beneficial, and minimize security issues. At the time of writing, Google had not yet responded to requests for comment about the change.
The new requirement could prevent many of the vulnerability issues Google has faced in the past. Just last year, a bug in AOSP was found to allow attackers to bypass the Android lock screen. David Schutz was the person responsible for finding it and received $70,000 from Google for the report.
Google also runs a bug bounty program, launched in 2010, known as the Vulnerability Rewards Program (VRP). Since then, more than 11,000 bugs have been found by people looking for them in exchange for cash. Google has paid millions of dollars to these detectives over the years, but perhaps a review process will reduce that need.
If you’re feeling the urge to join the hunt, Google has even gone so far as to create Bug Hunter University, which provides everything you need to get started. Some of the main areas where Google needs hunters are Google Cloud (agent support), Android (applications), Google Apps Script Editor and Bard. There’s also a leaderboard where you can see how you stack up against other bug hunters, if you’ve got a competitive streak.