Hack, Patch, Repeat: Insider Tales from Android's Security Team

Maria Uretsky, Camillus Cai

BSidesSF 2025 — Here Be Dragons · Day 1 · Main

Android's attack surface is far larger than most researchers appreciate — it spans Google, AOSP, OEMs, carriers, chipset vendors, and third-party apps, all under a multi-party consent model enforced through Linux-level isolation and SELinux. The Android Vulnerability Rewards Program paid out $2.7 million in 2024 (with a single chain earning $265,000), and the Google security team uses that pipeline to fix bugs from the root — across Android TV, Auto, and Wear OS simultaneously. This talk walks through real VRP-submitted vulnerabilities, explains exactly where they live in the architecture, and gives researchers the map they need to find the next ones.

AI review

Android security engineers walking through the actual VRP bug classes they fixed in 2024, including a USB kernel info leak from an actively exploited chain — this is the kind of inside-out view of a major platform's security model that most researchers never get. The BFU/AFU distinction and the desync-from-persistence bugs are particularly underappreciated in the research community. Solid.
