An anonymous reader quotes a report from Ars Technica: Privacy-focused search site DuckDuckGo has added yet another way to prevent more of your data from going to advertisers, opening its App Tracking Protection for Android to beta testers. DuckDuckGo is positioning App Tracking Protection as something like Apple's App Tracking Transparency for iOS devices, but "even more powerful." Enabling the service in the DuckDuckGo app for Android (under the "More from DuckDuckGo" section) installs a local VPN service on your phone, which can then start automatically blocking trackers on DDG's public blocklist. DuckDuckGo says this happens "without sending app data to DuckDuckGo or other remote servers."

Google recently gave Android users some native tools to prevent wanton tracking, including app-by-app location-tracking approval and a limited native ad-tracking opt-out. Apple's App Tracking Transparency asks if users want to block apps from accessing the Identifier for Advertisers (IDFA), but apps can still use the largest tracking networks across many apps to better profile app users. Allison Goodman, senior communications manager for DuckDuckGo, told Ars Technica that App Tracking Protection needs Android's VPN permission so it can monitor network traffic. When it recognizes a tracker from its blocklist, it "looks at the destination domain for any outbound request and blocks them if they are in our blocklist and the requesting app is not owned by the same company that owns the domain." Goodman added that "much of the data collected by trackers is not controlled by [Android] permissions," making App Tracking Protection a complementary offering.

Netflix has introduced a new account management page called "Manage Access and Devices" that gives users the ability to remove access privileges from specific devices. The feature is available on the web and in the streaming service's Android and iOS apps. Ars Technica reports: Previously, users could see a list of devices that had recently accessed their accounts, and they could revoke access to all devices simultaneously, but they could not revoke access on a case-by-case basis. Each item in the list of devices will include an IP address-based location, a device type, and the user profile that most recently accessed Netflix from that device.

Netflix describes it as a security feature, in that it's useful to users who don't share their passwords at all. For example, you now have a way to clean up after yourself if you stayed at an Airbnb and signed into your Netflix account on the smart TV there but forgot to sign out before you left. Further, the page could help you identify if someone has gained access to your account via a compromised password.

An anonymous reader quotes a report from Ars Technica: It has been over a year now since a US District Court ruled that Apple did not violate antitrust law by forcing iOS developers (like plaintiff and Fortnite-maker Epic Games) to use its App Store and in-app payments systems. But that doesn't mean the case is settled, as both sides demonstrated Monday during oral arguments in front of the 9th Circuit Court of Appeals. The hearing was full of arcane discussion of legal standards and procedures for reviewing the case and its precedents, as well as input from state and federal governments on how the relevant laws should be interpreted. In the end, though, the core arguments before the appeals court once again centered on issues of walled gardens, user lock-in, and security versus openness in platform design.

In defending Apple's position, counsel Mark Perry argued that the company's restraints on iOS app distribution were put in place from the beginning to protect iPhone users. Based on its experience managing software security and privacy on Macs, Apple decided it "did not want the phone to be like a computer. Computers are buggy, they crash, they have problems. They wanted the phone to be better." If the Mac App Store was the equivalent of a lap belt, the iOS App Store, with its costly human review system, is "a six-point racing harness," Perry said. "It's safer. They're both safe, but it's safer." While Epic argued that the iPhone's walled garden "only keeps out competition," Perry shot back that "what's kept out by walled gardens is fraudsters and pornsters and hackers and malware and spyware and foreign governments..." Providing superior user safety, Perry said, is a key "non-price feature" that helps set the iPhone apart from its Android-based competition. Users who want the more open system that Epic is fighting for can already buy an Android phone and choose from a variety of App Stores, Perry said. By doing so, though, those users "open themselves up to more intrusion" compared to an iPhone, he argued. Those kinds of "pro-competitive" security features Apple offers with its App Store restrictions legally outweigh the "minor anti-competitive effects" iOS app developers face on the platform, Perry said.

[...] Apple's Perry argued that Epic presented "no data or empirical evidence" to show that users felt locked in to Apple's app ecosystem. Epic failed to commission the usual survey that would show users were worried about switching costs or information costs in a case like this, Perry said, a "failure of proof" that he said obviates all other technical legal claims. At the same time, Perry said Epic carefully "crafted a market definition only fitting Google and Apple" in arguing its case and has not been able to bring in other developers to support a class action. Epic "didn't want to pick a fight with the consoles, didn't want to pick a fight with Microsoft," he said, despite similarities in the "walled garden" approaches in those markets. The three-judge appeals panel betrayed little as to which arguments it favored during Monday's hearing, offering pointed questions for both sides. A ruling in the appeals case is expected sometime next year.

Google has paid out $70,000 to a security researcher for privately reporting an "accidental" security bug that allowed anyone to unlock Google Pixel phones without knowing its passcode. From a report: The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device's data without having to enter the lock screen's passcode. Hungary-based researcher David Schutz said the bug was remarkably simple to exploit but took Google about five months to fix.

Schutz discovered anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android's operating system's lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schutz described how he found the bug accidentally, and reported it to Google's Android team.

In a post to /r/reddit, Reddit announced that it began rolling out a feature that will allow users to mute specific communities that contain content they don't want to see. Ars Technica reports: If you mute a subreddit using this feature, posts from it won't show up in your notifications, home feed recommendations, or Popular, Reddit's feed of the most upvoted content from across its various communities. Later, Reddit plans to apply muting to other places like "All" and "Discover." Muting a community won't stop you from being able to visit or post it, though. You can mute up to 1,000 communities and tweak your muted list at any time in Settings. The report notes that this new muting feature is only available in Reddit's iOS and Android apps for now. For updates on availability, Reddit directs users to their changelog feed.

Google says it has evidence that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities found in newer Samsung smartphones. From a report: The vulnerabilities, discovered in Samsung's custom-built software, were used together as part of an exploit chain to target Samsung phones running Android. The chained vulnerabilities allow an attacker to gain kernel read and write privileges as the root user, and ultimately expose a device's data. Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with a Exynos chip running a specific kernel version. Samsung phones are sold with Exynos chips primarily across Europe, the Middle East, and Africa, which is likely where the targets of the surveillance are located.

Stone said Samsung phones running the affected kernel at the time include the S10, A50, and A51. The flaws, since patched, were exploited by a malicious Android app, which the user may have been tricked into installing from outside of the app store. The malicious app allows the attacker to escape the app sandbox designed to contain its activity, and access the rest of the device's operating system. Only a component of the exploit app was obtained, Stone said, so it isn't known what the final payload was, even if the three vulnerabilities paved the way for its eventual delivery.

Google today announced it's expanding its user choice billing pilot, which allows Android app developers to use other payment systems besides Google's own. The program will now become available to new markets, including the U.S., Brazil and South Africa, and Bumble will now join Spotify as one of the pilot testers. From a report: Google additionally announced Spotify will now begin rolling out its implementation of the program starting this week. The company had first announced its intention to launch a third-party billing option back in March of this year, with Spotify as the initial tester. Since then, the program has steadily expanded. Last month, for example, Google invited other non-game developers to apply for the user choice billing program in select markets, including India, Australia, Indonesia, Japan and the European Economic Area (EEA). The company also introduced a similar policy for developers in the EEA region in July, but the new guidelines raised the commission discount from 3% to 4% for developers who opted in. With today's expansion, user choice billing will be made available to 35 countries worldwide. Google says it's been working with Spotify to help develop the experience and now the streaming music service will begin to put the new features into action in supported markets. The experience could still change over time, Google warned, as this is still the early days of the pilot test.

Western security advisers are warning delegates at the COP27 climate summit not to download the host Egyptian government's official smartphone app, amid fears it could be used to hack their private emails, texts and even voice conversations. From a report: Policymakers from Germany, France and Canada were among those who had downloaded the app by November 8, according to two separate Western security officials briefed on discussions within these delegations at the U.N. climate summit.

Other Western governments have advised officials not to download the app, said another official from a European government. All of the officials spoke on the condition of anonymity to discuss international government deliberations. The potential vulnerability from the Android app, which has been downloaded thousands of times and provides a gateway for participants at COP27, was confirmed separately by four cybersecurity experts who reviewed the digital application for POLITICO. The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users' emails and messages. Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO's technical review of the application, and two of the outside experts.

Google is bringing its VPN access to desktop today. Google One subscribers on Premium plans (2TB or higher) can now download VPN apps for Windows and macOS, allowing users in 22 countries to mask their IPs on desktop and reduce online trackers. From a report: While Google is expanding its VPN service, it still comes with the same restrictions as Android and iOS. You'll only be able to use the service in one of the supported countries, and you won't be able to use Google's VPN freely to avoid geo-restrictions on live sports or other streaming video. Much like Apple's iCloud Plus VPN service, the Google One VPN won't let you assign an IP address from a different country manually. Instead, Google assigns you an IP in the region you're connecting from.

A new article from Wired calls Rust "the 'viral' secure programming language that's taking over tech."

"Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can't come soon enough...." [A] growing movement to write software in a language called Rust is gaining momentum because the code is goof-proof in an important way. By design, developers can't accidentally create the most common types of exploitable security vulnerabilities when they're coding in Rust, a distinction that could make a huge difference in the daily patch parade and ultimately the world's baseline cybersecurity....

[B]ecause Rust produces more secure code [than C] and, crucially, doesn't worsen performance to do it, the language has been steadily gaining adherents and now is at a turning point. Microsoft, Google, and Amazon Web Services have all been utilizing Rust since 2019, and the three companies formed the nonprofit Rust Foundation with Mozilla and Huawei in 2020 to sustain and grow the language. And after a couple of years of intensive work, the Linux kernel took its first steps last month to implement Rust support. "It's going viral as a language," says Dave Kleidermacher, vice president of engineering for Android security and privacy. "We've been investing in Rust on Android and across Google, and so many engineers are like, 'How do I start doing this? This is great'...."

By writing new software in Rust instead, even amateur programmers can be confident that they haven't introduced any memory-safety bugs into their code.... These types of vulnerabilities aren't just esoteric software bugs. Research and auditing have repeatedly found that they make up the majority of all software vulnerabilities. So while you can still make mistakes and create security flaws while programming in Rust, the opportunity to eliminate memory-safety vulnerabilities is significant....

"Yes, it's a lot of work, it will be a lot of work, but the tech industry has how many trillions of dollars, plus how many talented programmers? We have the resources," says Josh Aas, executive director of the Internet Security Research Group, which runs the memory-safety initiative Prossimo as well as the free certificate authority Let's Encrypt. "Problems that are merely a lot of work are great."
Here's how Dan Lorenc, CEO of the software supply-chain security company Chainguard, explains it to Wired. "Over the decades that people have been writing code in memory-unsafe languages, we've tried to improve and build better tooling and teach people how to not make these mistakes, but there are just limits to how much telling people to try harder can actually work.

"So you need a new technology that just makes that entire class of vulnerabilities impossible, and that's what Rust is finally bringing to the table."

Linux magazine explores how to breath fresh life into old Android devices: Every mobile device needs its own Android build because of numerous drivers that are not available in the source code. The need to maintain every version of Android for every mobile device means that many manufacturers eventually stop supporting updates. Often, smartphones or tablets that still work perfectly can no longer be used without worry because the manufacturer has simply ceased to offer bug fixes and security updates....

The LineageOS project, the successor to the CyanogenMod project, which was discontinued in 2016, proves that it is not impossible to keep these devices up-to-date. Unpaid volunteers at LineageOS do the work that many manufacturers do not want to do: They combine current Android releases with the required device-specific drivers.

The LineageOS project (Figure 1) provides Android systems with a fresh patch status every month for around 300 devices. The builds are released weekly, unless there is a problem during the build. The Devices page on the LineageOS Wiki provides the details of whether a LineageOS build is available for your smartphone or tablet....

I recommend the LineageOS project as the first port of call for anyone who wants to protect an older smartphone or tablet that is no longer maintained and doesn't receive Google security patches. The LineageOS derivatives LineageOS for MicroG and /e/OS make it even easier to enjoy a Google-free smartphone without too many restrictions.
The article also describes how to use TWRP to flash a manufacturer-independent recovery system (while also creating a restoreable backup of the existing system) as an alternative to LineageOS's own recovery tools.

And it even explains how to unlock the bootloader — although there may be other locks set up separately by the manufacturer. "Some manufacturers require you to register the device to unlock it, and then — after telling you that the warranty is now void — they hand over a code. Others refuse to unlock the device altogether."

Thanks to Slashdot reader DevNull127 for submitting the article.

According to a new report, almost half of Android-based mobile phones used by U.S. state and local government employees are running outdated versions of the operating system, exposing them to hundreds of vulnerabilities that can be leveraged for attacks. From a report: These statistics come from a report by cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million applications from 2021 to H2 2022. The report additionally warns of a rise in all threat metrics, including attempted phishing attacks against government employees, reliance on unmanaged mobile devices, and liability points in mission-critical networks. Outdated versions of mobile operating systems allow attackers to exploit vulnerabilities that can be used to breach targets, run code on the device, plant spyware, steal credentials, and more. For example, last week, Apple released iOS 16.1, fixing an actively exploited zero-day memory corruption flaw used by hackers against iPhone users to achieve arbitrary code execution with kernel privileges.

Lookout reports that ten months after iOS 15 had been made available to users, 5% of federal government employees and 30% of state and local government devices were running older versions of the operating system. The situation is much worse for Android, as ten months after the release of version 12, approximately 30% of federal devices and almost 50% of state and local government devices still needed to upgrade to the latest versions, thus remaining vulnerable to bugs that can be exploited in attacks. It should be noted that Android 13 is the latest version of the operating system, but it was released after the first half of 2022, from which this data was collected.

Much of the Windows world has yet to adopt Microsoft's latest desktop operating system more than a year after it launched, according to figures for October collated by Statcounter. From a report: Just 15.44 percent of PCs across the globe have installed Windows 11, meaning it gained 1.83 percentage points in a month. This compares to the 71.29 percent running Windows 10, which fell marginally from 71.88 percent in September. Windows 7 is still hanging on with a tenuous grip, in third place with 9.61 percent, Windows 8.1 in fourth with 2.45 percent, plain old Windows 8 with 0.69 percent, and bless its heart, Windows XP with 0.39 percent because of your extended family. In total, Windows has almost 76 percent of the global desktop OS market followed by OS X with 15.7 percent and Linux with 2.6 percent. Android comprised 42.37 percent of total operating system market share, with Windows trailing on 30.11 percent, iOS on 17.6 percent, OS X on 6.24 percent, and Linux on 1.04 percent.

An anonymous reader quotes a report from 9to5Google: Google is preparing to shut down the dedicated Street View app on Android, keeping the feature in Google Maps. Google's Street View is an easy way to get a 360-degree look at almost any given street on the planet, perfect for getting a sense of your next travel destination or simply exploring the world from the comfort of home. While the Google Maps app has long offered an easy way to hop into Street View, there has also been a dedicated Street View app on Android and iOS.

This standalone app served two distinct groups of people -- those who wanted to deeply browse Street View and those who wanted to contribute their own 360 imagery. Considering the more popular Google Maps app has Street View support and Google offers a "Street View Studio" web app for contributors, it should be no surprise to learn that the company is now preparing to shut down the Street View app.

In the latest update, version 2.0.0.484371618, Google has prepared a handful of deprecation/shutdown notices for the Street View app. These notices are not yet visible in the app today, but our team managed to enable them. In the notice, Google confirms that the Street View app is set to shut down on March 31, 2023, encouraging users to switch to either Google Maps or Street View Studio. However, one feature that is being fully shut down with the Street View app's demise is that of "Photo Paths." First launched last year, Photo Paths were intended as a way to let nearly anyone with a smartphone contribute simple 2D photos of a road or path that had not yet been documented by Street View. Unlike every other feature of the Street View app, there is no replacement for Photo Paths on the web app or Google Maps app.

An anonymous reader quotes a report from Android Authority: It's been five years since the advent of the eSIM card on smartphones, and yet the computer in our pockets is still tied down to a plastic tab that hasn't changed all that much since its debut in 1991. What gives? [...] An eSIM-enabled phone can store multiple SIM cards on the device. It makes switching networks as simple as switching your Wi-Fi network, and that's anything but convenient for mobile operators. For users in areas with spotty connectivity or rural networks, easier switching to alternative operators means loss of business for major players like Verizon or AT&T. In markets like India, dual-wielding SIM cards for better data, voice, or preferential rates are exceptionally common. Taking away the friction involved in changing physical SIM cards carries the risk of losing a customer, and it's no secret that operators have been dragging their feet to avoid that.

Theoretically, setting up an eSIM on any network should be as straightforward as pointing your camera at a QR code and activating a line. In practice, that's rarely true. Verizon's support page suggests that Android users need to call up a support desk to activate an eSIM. iPhone users have it slightly easier and can directly add the line to the phone through Verizon's website. Meanwhile, Vodafone requires you to install an app. Finally, the likes of Airtel India ask you to play a game of the fastest finger first by requiring an SMS response within 60 seconds to proceed with adding an eSIM to your line. None of these are as simple as just popping out a tray and plopping in your SIM card.

Meanwhile, as internet-based calling, texting, and video messaging become the norm, carriers are left with increasingly few add-ons to increase revenues. Tack on sky-high spectrum prices for resources like 5G and eSIMs become even less enticing to carriers. Tangential features like premium-priced international roaming plans are yet another profit driver that eSIMs circumvent. When done right, getting started with an international eSIM can be a simple two to three-click process to get you onboarded and ongoing. My colleague Rita and I have had a fantastic experience with travel eSIM services like Airalo. When I tried out Airalo earlier this year, the process took just a few taps indicating that there was no real reason for eSIMs to be complicated. However, for most operators, that just isn't the case. While hard to quantify, this needless friction has certainly hampered consumer perception of eSIMs.

Nearly six years after the Pebble smartwatch was purchased by Fitbit and discontinued, a new Pebble app for Android has been released by the Rebble Alliance, a group that has kept Pebble viable for its users since Fitbit shut down Pebble's servers in mid-2018," writes Ars Technica's Kevin Purdy. "Pebble version 4.4.3 makes the app 64-bit so it can work on the mostly 64-bit Pixel 7 and similar Android phones into the future. It also restores a caller ID function that was hampered on recent Android versions." From the report: Most notably, the app is "signed using the official Pebble keys," with Google Fit integration maintained, but isn't available through Google's Play Store. Google acquired Fitbit for $2.1 billion, making it the steward of Pebble's remaining IP and software pieces. Katharine Berry, a key Rebble coder and leader, works on Wear OS at Google and was one of the first to tweet news of the new update, "four years after 4.4.2." That was the last Play Store update to the Pebble app from Pebble developers, one that freed up many of the app's functions to be replaced by independent servers.

That's exactly where Rebble picked up, providing web services to Pebble watches, including (for paying subscribers) voice dictation. But those services still relied on the core Pebble app to connect the watch and smartphone. If Android did make the leap to a 64-bit-only OS, it could have left Pebble/Rebble users in the lurch. Berry's post on r/pebble offers "thanks to Google for providing us with one last update!" This is, to be sure, not the typical outcome of products that have been acquired by Google, even if second-hand.

According to Protocol, Amazon and Google have struck a deal in recent months that allows Fire TV models to be produced by Android TV partners. From the report: As a result of that deal, Amazon has been able to work with a number of consumer electronics companies -- including not only TCL, but also Xiaomi and Hisense -- to vastly expand the number of available smart TVs running Fire TV OS. All of these companies were previously barred from doing so under licensing terms imposed by Google. The agreement may also alleviate some of the pressure Google has been feeling as regulators around the world have investigated its Android platform. However, some experts are skeptical a singular deal will address the overarching concerns with Google's operation and licensing of Android to third parties.

The deal between Amazon and Google resolves a yearslong dispute over licensing restrictions Google imposes on hardware manufacturers that make Android-based phones, TVs, and other devices. In order to gain access to Google's officially sanctioned version of Android as well as the company's popular apps like Google Maps and YouTube, manufacturers have to sign a confidential document known as the Android Compatibility Commitment. The ACC prevents manufacturers from also making devices based on forked versions of Android not compatible with Google's guidelines. The ACC, which was previously known as the Anti-Fragmentation Agreement, had long been an open secret in industry circles. Its full impact on the smart TV space became public when Protocol reported terms of the agreement in March of 2020 and outlined how the policy effectively barred companies like TCL from making smart TVs running any forked version of Android, including Amazon's Fire TV OS.

Google has been justifying these policies by pointing to the harmful consequences of Android fragmentation, positing that the rules assured developers and consumers that apps would run across all Android-based devices. However, the crux of Google's requirements is that they apply across device categories. By making a Fire TV-based smart TV, TCL would have effectively risked losing access to Google's Android for its smartphone business -- a risk the company, and many of its competitors that develop both smartphones and TVs, weren't willing to take. At the time, both Google and Amazon declined to comment on the dispute. However, Amazon was a lot more forthcoming when it talked to Indian regulators for a wide-ranging probe into Google's Android policies. "Given the breadth of the anti-fragmentation obligations, Amazon has also experienced significant difficulties in finding [original equipment manufacturer] partners to manufacture smart TVs running its Fire OS," the company's Indian subsidiary told regulators in a submission that was included in last week's report. Amazon told regulators that "at least seven" manufacturers had told the company they weren't able to make Fire TV-based smart TVs because of Google's restrictions.

"In several cases, the OEM has indicated that it cannot work with Amazon despite a professed desire to do so in connection with smart TVs," Amazon said in its submission. "In others, the OEM has tried and failed to obtain 'permission' from Google."

An anonymous reader shares a report: Microsoft is still struggling to learn what exactly it takes to be a successful Android manufactuer. The company's first self-branded Android phones, the dual-screened Surface Duo and Surface Duo 2, have tried to resurrect Microsoft's mobile ambitions after the death of Windows Phone. They leave a lot to be desired, though, and the first version went through some embarrassing fire sales. An ongoing knock against the devices has also been Microsoft's very slow OS updates. Unlike, say, Windows and Windows Update, Google's expensive and labor-intensive Android update process puts the responsibility for updates on the hardware seller, and a big part of being a good Android OEM is how quickly you can navigate this complicated process. Microsoft is proving to not be good at this.

This week, Microsoft announced the Surface Duo and Surface Duo 2 are finally getting Android 12L, an OS update that came out in March. That puts that company at a more than seven-month update time, which is worst-in-class for a flagship device, especially for one costing the $1,499 Microsoft is charging for the Duo 2. The company took a prolonged 14 months to ship Android 11 to the Surface Duo, so at least it's improving!

Samsung is starting to roll out a "Maintenance Mode" feature for its phones that's designed to keep your messages, photos, info, and accounts safe when you're getting your phone repaired. The Verge reports: According to Samsung's press release, Maintenance Mode basically creates a separate user account that will let someone access "core functions" of the phone without being able to see any of your data. That means a repair tech will still be able to test your phone, but you won't have to worry about them seeing anything they shouldn't. Once you get your phone back, you can unlock it to turn off Maintenance Mode, which will also undo anything that was done while the phone was being repaired (e.g., test photos will be erased, new apps will be uninstalled, and settings changes will be reversed).

Samsung says the feature will be "gradually rolling out over the next few months" to select phones running the Android 13-based One UI 5 -- if you want an idea of when your phone might be getting that update, check out this article. It'll also roll out to "more Galaxy devices" throughout next year. The company does warn, however, that the "timing of availability may vary by market, model and network provider," as updates can take a while to filter through carriers.

Chrome will no longer support Windows 7 nor Windows 8.1 upon the release of Chrome 110, currently scheduled to hit stable on February 7, 2023. From that point on, you'll need to be running at least Windows 10 to maintain access to new builds. Android Police reports: While Google won't be doing anything to stop users of older platforms from continuing to install and run earlier releases of Chrome, they'd be missing out on the latest critical security and usability enhancements.