The fragmentation of the Android ecosystem not only brings difficulties to developers but also the inability of the version to be updated in a timely manner and the inability to repair the vulnerability in time will also affect the experience of end-users.
For example, many Android devices have not been updated since they were released, and Google will release security updates every month to fix vulnerabilities in the Android system itself.
Failure to update and fix vulnerabilities for a long time will naturally bring potential security threats, but Google is now unable to completely change this fragmented dilemma.
Another problem is that the software pre-installed by some manufacturers has loopholes. This kind of problem that only affects specific brands is also risky, so Google plans to change it.
Google recently announced the launch of the Android Partner Vulnerability Initiative as a supplement to the Android Security Reward Program and the Google Play Security Reward Program.
The Vulnerability Initiative mainly targets the pre-installed software of Android device manufacturers. The pre-installed software here only refers to the manufacturer’s supporting application software in the firmware.
For example, some manufacturers’ built-in browsers, backup and recovery and data synchronization tools, Google security team, and external security researchers will conduct research.
When the vulnerability is discovered, the manufacturer will be notified in time and urged to repair it. If the manufacturer completes the repair, the detailed report of the vulnerability will be published together with the repair patch.
If the manufacturer still does not fix the vulnerability within 90 days, the vulnerability will be disclosed. Google hopes to use this method to urge manufacturers to fix the vulnerability in time.
At present, the Android Partner Vulnerability Initiative has announced the first batch of ten security vulnerabilities, of which eight have been fixed and two have not been fixed.