An anonymous reader quotes a report from Ars Technica: Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What's different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn't yet available. In the coming months, all of that should be ironed out, though.

Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack. Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or -- in the absence of biometric capabilities -- the PIN that's associated with the token. What's more, hardware tokens use FIDO's Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in. "Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography)," said Andrew Shikiar, FIDO's executive director and chief marketing officer. "By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and -- very significantly -- allows the service provider to start retiring passwords as a means of account recovery and re-enrollment."

In other words: "Passkeys just trade WebAuthn cryptographic keys with the website directly," says Ars Review Editor Ron Amadeo. "There's no need for a human to tell a password manager to generate, store, and recall a secret -- that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."

If you're eager to give passkeys a try, you can use this demo site created by security company Hanko.

While many people in California felt a moderate earthquake Tuesday, some smartphone users actually got a heads-up before it happened thanks to technology developed at the University of California, Berkeley. Axios reports: Researchers at Berkeley released an app called MyShake that can offer a brief earthquake warning by detecting the signals of an earthquake just before they are felt. Think of it like how you can see lightning before you hear thunder. The app works on both iPhone and Android, but Google announced in 2020 it would implement Berkeley's technology directly into Android, allowing far more people to benefit.

As often happens after an earthquake, people turned to Twitter after the Magnitude 5.1 quake. But some reported getting the alert first. "Got the earthquake alert on my Android phone a few seconds before I felt it," Google's Dieter Bohn said in a tweet. Google CEO Sundar Pichai also tweeted about getting the alert.

India's antitrust watchdog has hit Google with $113 million fine for abusing the dominant position of its Google Play Store and ordered the firm to allow app developers to use third-party payments processing service for in-app purchases or for purchasing apps, the second such penalty on the Android-maker in just as many weeks in its largest market by users. From a report: The Competition Commission of India, which opened the probe into Google in late 2020, said mandating developers to use Google's own billing system for paid apps and in-app purchases through Play Store "constitutes an imposition of unfair condition" and thus violates provisions of the nation's competition act. The regulator -- which interviewed several industry players including Paytm, Zomato, Info Edge, Samsung, Vivo, Xiaomi, Microsoft and Realme as part of the investigation -- said that Google not using its billing system for its own apps such as YouTube amounts to "imposition of discriminatory conditions."

"Google is giving Apple a taste of its own medicine," reports Business Insider, arguing that the latest update to Android's messaging app "is going to make texting between iPhone and Androids even more annoying than it already is." [Alternate URL] The updates are great if you're an Android user. Google Messages' new features include the ability to reply to individual messages, star them, and set reminders on texts. But these features and some other updates to Messages are RCS-enabled, meaning they're not going to be very compatible with SMS, which is the texting standard that iMessage switches to when messaging someone without an iPhone. iPhones exchange messages using iMessage, Apple's proprietary messaging system, but revert to SMS when texting an Android.

One feature that's part of Google's payback to Apple is that now, when Messages users react to an SMS text with an emoji, iPhone users will get a text saying the other person reacted to their text with a description of whatever emoji the person used. It's similar to when iMessage users react to an SMS text, with the recipient getting a "so and so loved" message instead of seeing the heart emoji reaction.... In August, Android launched a page on its website calling Apple out for refusing "to adopt modern texting standards when people with iPhones and Android phones text each other." The page has buttons that take users to Twitter to tweet at Apple to "stop breaking my texting experience. #GetTheMessage" with a link to Android's page urging Apple to "fix texting."

"We would much prefer that everybody adopts RCS which has the capability to support proper reactions," Jan Jedrzejowicz, Google Messages product manager, said in a briefing before the Messages updates were announced. "But in the event that's not possible or hasn't happened yet, this feels like the next best thing." Recently, Apple CEO Tim Cook said he doesn't get a lot of feedback from iPhone users that Apple needs to fix messaging between iPhones and Androids. Apple doesn't have much incentive to do so, either. In legal documents from a 2021 lawsuit between Epic Games and Apple, an Apple executive said "Moving iMessage to Android will hurt us more than help us."

Microsoft has decided the Windows Subsystem for Android (WSA) -- its offering that runs Android VMs which behave just like another application in Windows -- is sufficiently stable that it can be designated version 1.0 and made available to all. From a report: While it's lovely that Windows can now run Android VMs, Hendrixson's tweet needs a little parsing. The "50,000 apps" he mentions are only available from the Amazon.com app store -- not the larger Google Play digital tat bazaar. Google's apps aren't in the Amazonian store, nor are Microsoft's. I couldn't find Twitter, WhatsApp, Slack, any of the banks I use, or the Australian government apps I need to access services. In fact it's tough work to find apps other than games in the store -- and when a search term does bear fruit it delivers what look like knockoff apps that scream "here be dragons."

Amazon says over half a dozen hardware vendors have indicated that they cannot enter into a TV manufacturing relationship with the e-commerce group over fear of retaliation from Google, escalating tension with the search giant with whom it competes on several businesses. From a report: The revelation, officially shared by Amazon for the first time, was made by the company's unit in India to the Competition Commission of India as part the antitrust watchdog's years-long investigation into Google over claims that it abuses the dominant position in Android. Google does abuse its dominant position in Android, the regulator said Thursday in a statement, slapping a $162 million fine on Thursday.

India's antitrust watchdog fined Google $161.9 million on Thursday for anti-competitive practices related to Android mobile devices in "multiple markets" in a major setback for the search giant in the key overseas nation where it has poured billions of dollars over the past decade. From a report: The Competition Commission of India, which began investigating Google several years ago after complaints from local firms, said in its order that Google requiring device manufacturers to pre-install its entire Google Mobile Suite and mandating prominent placement of those apps "amounts to imposition of unfair condition on the device manufacturers" and thus was in "contravention of the provisions of Section 4(2)(a)(i) of the Act." It also ordered the Android-maker to not offer any incentives to smartphone makers to exclusively carry its search services.

What secrets does the inside of the Pixel Watch hold? iFixit -- Google's new repair partner -- tore down Google's first self-branded smartwatch to see exactly how this thing was put together. From a report: Like us, iFixit came away with strong "first generation" vibes. The good news is that it does not look impossible to replace the display. The usual bit of heat and prying pops the top off, but the less-than-ideal layout means you'll have to remove the battery, too, since the connector is buried under the soft battery pouch. A display replacement is a real concern here, considering the entire top half of the watch is glass. If you bang the watch against something or drop it, there's a good chance you'll shatter the all-glass corners. [...] iFixit took a good amount of time in the four-minute video to call Google's internal construction "ugly." After cracking open the front, iFixit's Sam Goldheart noted, "Right away, it's obvious we're in Android country. The silver battery pouch and Kapton tape are almost a shock after all our Apple teardowns," later adding that the welds holding together the haptic feedback buzzer were "kind of ugly."

A new report from The Information details more changes Google CEO Sundar Pichai's budget cuts are having across the company, with some divisions surviving and others getting ominous resource cuts. From a report: First, we have news that the hardware division, other than losing laptops, seems mostly safe. Google's biggest Android partner, Samsung, is in decline in many established markets, and Apple is hitting an all-time high in US market share last quarter. The report says Google views Apple as more of a problem than it has in the past, thanks to worries that regulators might shut down the usual multi-billion-dollar Google/Apple agreement to put Google Search on iPhones. If iPhones stop showing Google ads, the rise of Apple and fall of Samsung is one of the few things that could actually be a major problem for Google's revenue.

According to the report, Google views itself as the solution to this problem. As a hedge against what the report calls the "further decline" of Samsung, Google is "doubling down" on its investment in Pixel hardware. Google is apparently doing this by "moving product development and software engineering staff working on features for non-Google hardware to work on Google-branded devices." The goal here is to not spend more money, so Google is apparently sacrificing partner devices to focus on the Pixel division. So what projects are seeing cuts? Google TV is one, with the report saying: "Executives also have discussed moving some product managers working on Google TV software for television sets" to Wear OS and the Pixel Tablet. This is the only OS called out as specifically receiving less OS development. A lot of this report seems to focus on cuts to Google Assistant's support for specific form factors, which is strange since Google Assistant is more or less the same on every platform. The whole point of the Assistant is one reliable, predictable voice assistant that lives everywhere, and it's not clear what platform-specific support needs to be done other than whipping up an app that can receive audio and read back results.

Mark Zuckerberg, writing in a Facebook post: WhatsApp is far more private and secure than iMessage, with end-to-end encryption that works across both iPhones and Android, including group chats. With WhatsApp you can also set all new chats to disappear with the tap of a button. And last year we introduced end-to-end encrypted backups too. All of which iMessage still doesn't have.

An anonymous reader quotes a report from XDA Developers: As it turns out, the Google Pixel 7 series appears to be the first set of Android smartphones that only support 64-bit applications. [Android expert Mishaal Rahman first reported the news.] Rahman later corrected himself to say that it's a 64-bit Zygote but a 32-bit and 64-bit userspace, not a 64-bit only build of Android 13 as initially reported. This certainly lends credence to the claim that the Google Pixel tablet may come with a 64-bit only build of Android 13, though.

What this means is that for any apps that don't have 64-bit libraries, you won't be able to install them. This includes older versions of apps such as Jetpack Joyride and even older, completely defunct apps like Flappy Bird. It's not as if Tensor G2 doesn't support it either -- its three different cores all support AArch32 execution. Google could have enabled 32-bit support as they have done in its previous smartphones. Listing the Android Binary Interfaces (ABI) returns that there is nothing present for "armeabi-v7a" or "armeabi". "arm64-v8a" support is listed, but as per the Android documentation, it only supports the AArch64 instruction set.

What does this mean, and does it have any benefits? Most benefits won't really be visible to consumers, as these improvements are primarily found in heightened security, better performance, and reduced processing cost thanks to the lack of additional ABIs. All apps on the Google Play Store have had to have 64-bit support since August 2019, and the company stopped serving 32-bit apps that don't have any 64-bit support last year.

schwit1 shares a blog post from Signal, the popular instant messaging app: In the interest of privacy, security, and clarity we're beginning to phase out SMS support from the Android app. You'll have several months to export your messages and either find a new app for SMS or tell your friends to download Signal.

[...] To give some context, when we started supporting SMS, Signal didn't exist yet. Our Android app was called TextSecure and the Signal encryption protocol was called Axolotl. Almost a decade has passed since then, and a lot has changed. In this time we changed our name, built iOS and desktop apps, and grew from a small project to the most widely used private messaging service on the planet. And we continued supporting the sending and receiving of plaintext SMS messages via the Signal interface on Android. We did this because we knew that Signal would be easier for people to use if it could serve as a homebase for most of the messages they were sending or receiving, without having to convince the people they wanted to talk to to switch to Signal first. But this came with a tradeoff: it meant that some messages sent and received via the Signal interface on Android were not protected by Signal's strong privacy guarantees.

We have now reached the point where SMS support no longer makes sense. For those of you interested, we walk through our reasoning in more detail below. In order to enable a more streamlined Signal experience, we are starting to phase out SMS support from the Android app. You will have several months to transition away from SMS in Signal, to export your SMS messages to another app, and to let the people you talk to know that they might want to switch to Signal, or find another channel if not.

Google has approved Donald Trump's Truth Social app for release in its Play Store, opening up a key distribution channel for the social network ahead of US midterm elections. Bloomberg reports: Google had previously declined to distribute the app, saying it needed to address the fact that it hosted violent threats and other content that goes against Google's standards. Google, which is owned by Alphabet Inc., confirmed on Wednesday that Truth Social was now available. Truth Social has agreed to take down content that violates Google's policies, Google said.

Devin Nunes, chief executive officer of Trump Media & Technology Group, said in a statement that the development represented "a significant milestone in our mission to restore free speech online." "It's been a pleasure to work with Google, and we're glad they helped us to finally bring Truth Social to all Americans, regardless of what device they use," Nunes said.

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the "Block connections without VPN," or "Always-on VPN," features is enabled. BleepingComputer reports: The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic. This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" features in Android's documentation. Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly. Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features. This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks. "This is a feature request for adding the option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker. "This option should be added as the current VPN lockdown behavior is to leaks connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy." In response to Mullvad's request, a Google engineer said this is the intended functionality and that it would not be fixed for the following reasons:

- Many VPNs actually rely on the results of these connectivity checks to function,
- The checks are neither the only nor the riskiest exemptions from VPN connections,
- The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.

Mullvad countered these points and the case remains open.

Android Developers Blog: Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps. Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users' phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices.

Today's announcement is a major milestone in our work with passkeys, and enables two key capabilities: Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager. Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms. To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year. Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps affiliated with the same domain, and vice versa. The native API will give apps a unified way to let the user pick either a passkey or a saved password. Seamless, familiar UX for both passwords and passkeys helps users and developers gradually transition to passkeys.

For the end-user, creating a passkey requires just two steps: (1) confirm the passkey account information, and (2) present their fingerprint, face, or screen lock when prompted. Signing in is just as simple: (1) The user selects the account they want to sign in to, and (2) presents their fingerprint, face, or screen lock when prompted. A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device. Since passkeys are built on industry standards, this works across different platforms and browsers - including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

Epic Games and Match Group are looking to fortify their antitrust lawsuits against Google by adding new counts to their initial complaint, filed last year, which illustrate the lengths Google supposedly went to in order to dominate the Android app market. From a report: The companies on Friday filed a motion to amend their complaints in their cases against Google, which now allege that Google paid off business rivals not to start other app stores that would put them in competition with Google Play. This would be a direct violation of U.S. antitrust law known as the Sherman Act, the amended complaint states. [...] Now, Epic Games and Match Group are looking to add to their complaint with two new allegations specifying how Google had either paid or otherwise induced its potential competitors to agree to not distribute apps on Android in competition with the Play Store, including through their own competing app stores. Google, it says, had identified developers who were "most at risk...of attrition from Play" and then approached them with an offer of an agreement. The complaint now deems this a "per se" violation of Section 1 of the Sherman Act, which prohibits "every contract, combination in the form of trust or otherwise, or conspiracy, in restraint of trade or commerce among the several States, or with foreign nations," it says.

Samsung has confirmed the first third-party smart TV makers to ship with its Tizen operating system (OS), with several manufacturers preparing to launch Tizen-powered TVs this year across Europe and Australasia. From a report: Tizen, for the uninitiated, is a Linux-based OS hosted by the Linux Foundation for more than a decade, though Samsung has been the primary developer and driving force behind the project, using it across myriad devices, including smartwatches, kitchen appliances, cameras, smartphones and TVs.

Although Samsung has essentially abandoned Tizen in smartphones and smart watches, TVs have remained fertile ground for Tizen to flourish, chiefly due to the fact that Samsung is the biggest selling TV maker globally. But while recent figures from Dataxis show that Tizen's market share in 2020 was roughly one-third in terms of installation base, the number has been slowly creeping downward with the likes of Android TV and Roku edging upward.

Meta is warning Facebook users about hundreds of apps on Apple and Google's app stores that were specifically designed to steal login credentials to the social network app. From a report: The company says it's identified over 400 malicious apps disguised as games, photo editors, and other utilities and that it's notifying users who "may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials." According to Bloomberg, a million users were potentially affected. In its post, Meta says that the apps tricked people into downloading them with fake reviews and promises of useful functionality (both common tactics for other scam apps that are trying to take your money rather than your login info). But upon opening some of the apps, users were prompted to log in with Facebook before they could actually do anything -- if they did, the developers were able to steal their credentials.

An anonymous reader quotes a report from Ars Technica: Google is clawing its way back into wearable relevance. Today the company took the wraps off what is officially its first self-branded smartwatch: the Pixel Watch. Google started revamping its wearable platform, Wear OS, in partnership with Samsung. While Wear OS 3, the new version of Google's wearable platform, technically launched with the Galaxy Watch 4 last year, this is the first time we'll be seeing an unskinned version on a real device. First up: prices. Google is asking a lot here, with the Wi-Fi model going for $349 and the LTE version clocking in at $399. The Galaxy Watch 4, which has a better SoC, and the Apple Watch SE, which has a way, way better SoC, both start at $250. Google is creating an uphill battle for itself with this pricing.

Google and Samsung's partnership means the Pixel Watch is running a Samsung Exynos 9110 SoC, with a cheap Cortex M33 co-processor tacked on for low-power watch face updates and 24/7 stat tracking. This SoC is a 10 nm chip with two Cortex A53 cores and an Arm Mali T720 MP1 GPU. If you can't tell from those specs, this is a chip from 2018 that was first used in the original Samsung Galaxy Watch. For whatever reason, Google couldn't get Samsung's new chip from the Galaxy Watch 4, an Exynos W920 (a big upgrade at 5 nm, dual Cortex A55s, and a Mali-G68 MP2 GPU). It's hard to understand why this is so expensive.

The display is a fully circular 1.6-inch OLED with a density of 320 ppi (that should mean around 360 pixels across). The only size available is 41 mm, the cover is Gorilla Glass 5, and the body is stainless steel in silver, black, or gold. It has 2GB of RAM, 32GB of eMMC storage, NFC, GPS, only 2.4 GHz Wi-Fi 802.11n support (Wi-Fi 4), and a 294 mAh battery. For sensors, you get SPO2 blood oxygen, heart rate, and an ECG sensor. It's water-resistant to 5 ATM, which means you're good for submersion, hand washing, and most normal water exposure. Usually 10 ATM is preferred for serious sports swimming, but the Apple Watch is 5 ATM, and Apple does all sorts of swimming promos. Google's black UI background does a good job of hiding exactly how large the display is in relation to the body, but a few screenshots reveal just how big the bezels are around this thing. They are big. Real big. Like, hard-to-imagine-we're-still-doing-this-in-2022 big. Other things to note: the watch bands are proprietary, it'll be able to charge to 50 percent in 30 minutes, will work with any Android phone running version 8.0 and newer, and features Fitbit integration.

"Unlike the Pixel 7, which is expanding to 17 markets, the Pixel Watch is only for sale in eight countries: the US, Canada, UK, Germany, France, Australia, Japan, and Taiwan," adds Ars. "The watch is up for preorder today and ships October 13."

Further reading: Google Unveils Pixel 7 and Pixel 7 Pro Smartphones

Alphabet's Google on Thursday said its new Pixel phones will deliver improved voice and camera features while bringing back facial recognition for unlocking the device as it seeks to better compete with Apple and Samsung Electronics. From a report: The company's Pixel 7 and 7 Pro devices offer more affordable prices than the dominant duo of the mobile market, coming in at $599 and $899, respectively, and introduce the second generation of Google's in-house Tensor chip. The 6.7-inch Pro version has an additional zoom camera, better display and more memory than the 6.3-inch Pixel 7.

Google's Pixel phones every year serve as the showcase for the company's latest Android software and artificial intelligence-based services, such as the Google Assistant. They demonstrate how Google hopes device-making partners will best use its operating system. Google continues developing its own hardware, which has only ever sold in small numbers, in part as insurance against missteps by Samsung, the only credible Apple rival in the US. Google AI shows up in the upgraded language-processing capabilities of its latest software. The Recorder app for voice memos can now automatically label different speakers in transcriptions, and transcriptions are also being added to audio messages in the new Pixels' messaging app.