Security

Critical Zoom Vulnerability Triggers Remote Code Execution Without User Input (zdnet.com) 14

An anonymous reader quotes a report from ZDNet: A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers. The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction. As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit. As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted. Computest researchers Daan Keuper and Thijs Alkemade earned themselves $200,000 for this Zoom discovery, as it was part of the Pwn2Own contest.

In a statement to Tom's Guide, Zoom thanked the Computest researchers and said the company was "working to mitigate this issue with respect to Zoom Chat." In-session Zoom Meetings and Zoom Video Webinars are not affected. "The attack must also originate from an accepted external contact or be a part of the target's same organizational account," Zoom added. "As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust."
Android

APKPure App Contained Malicious Adware, Say Researchers (techcrunch.com) 31

Security researchers say APKPure, a widely popular app for installing older or discontinued Android apps from outside of Google's app store, contained malicious adware that flooded the victim's device with unwanted ads. From a report: Kaspersky Lab said that it alerted APKPure on Thursday that its most recent app version, 3.17.18, contained malicious code that siphoned off data from a victim's device without their knowledge, and pushed ads to the device's lock screen and in the background to generate fraudulent revenue for the adware operators. But the researchers said that the malicious code had the capacity to download other malware, potentially putting affected victims at further risk.
Android

Apple Says iMessage on Android 'Will Hurt Us More Than Help Us' (theverge.com) 231

Apple knows that iMessage's blue bubbles are a big barrier to people switching to Android, which is why the service has never appeared on Google's mobile operating system. From a report: That's according to depositions and emails from Apple employees, including some high-ranking executives, revealed in a court filing from Epic Games as part of its legal dispute with the iPhone manufacturer. Epic argues that Apple consciously tries to lock customers into its ecosystem of devices, and that iMessage is one of the key services helping it to do so. It cites comments made by Apple's senior vice president of Internet Software and Services Eddie Cue, senior vice president of software engineering Craig Federighi, and Apple Fellow Phil Schiller to support its argument.

"The #1 most difficult [reason] to leave the Apple universe app is iMessage ... iMessage amounts to serious lock-in," was how one unnamed former Apple employee put it in an email in 2016, prompting Schiller to respond that, "moving iMessage to Android will hurt us more than help us, this email illustrates why." "iMessage on Android would simply serve to remove [an] obstacle to iPhone families giving their kids Android phones," was Federighi's concern according to the Epic filing. Although workarounds to using iMessage on Android have emerged over the years, none have been particularly convenient or reliable.

Android

Google Illegally Tracking Android Users, According To New Complaint (arstechnica.com) 28

schwit1 shares a report from Ars Technica: Austrian privacy activist Max Schrems has filed a complaint against Google in France alleging that the US tech giant is illegally tracking users on Android phones without their consent. Android phones generate unique advertising codes, similar to Apple's Identifier for Advertisers (IDFA), that allow Google and third parties to track users' browsing behavior in order to better target them with advertising. In a complaint filed on Wednesday, Schrems' campaign group Noyb argued that in creating and storing these codes without first obtaining explicit permission from users, Google was engaging in "illegal operations" that violate EU privacy laws.

Noyb urged France's data privacy regulator to launch a probe into Google's tracking practices and to force the company to comply with privacy rules. It argued that fines should be imposed on the tech giant if the watchdog finds evidence of wrongdoing. "Through these hidden identifiers on your phone, Google and third parties can track users without their consent," said Stefano Rossetti, privacy lawyer at Noyb. "It is like having powder on your hands and feet, leaving a trace of everything you do on your phone -- from whether you swiped right or left to the song you downloaded." Last year, Schrems won a landmark case at Europe's highest court that ruled a transatlantic agreement on transferring data between the bloc and the US used by thousands of corporations did not protect EU citizens' privacy.

Programming

Google Now Supports Rust for Underlying Android OS Development (9to5google.com) 28

For the past few years, Google has been encouraging developers to write Android apps with Kotlin. The underlying OS still uses C and C++, though Google today announced Android Open Source Project (AOSP) support for Rust. From a report: This is part of Google's work to address memory safety bugs in the operating system: "We invest a great deal of effort and resources into detecting, fixing, and mitigating this class of bugs, and these efforts are effective in preventing a large number of bugs from making it into Android releases. Yet in spite of these efforts, memory safety bugs continue to be a top contributor of stability issues, and consistently represent ~70% of Android's high severity security vulnerabilities."

The company believes that memory-safe languages, like Rust, are the "most cost-effective means for preventing memory bugs" in the bootloader, fastboot, kernel, and other low-level parts of the OS. Unlike C and C++, where developers manage memory lifetime, Rust "provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid." Google has been working to add this support to AOSP for the past 18 months. Performance is equivalent to the existing languages, while increasing the effectiveness of current sandboxing and reducing the overall need for it. This allows for "new features that are both safer and lighter on resources." Other improvements include data concurrency, a more expressive type system, and safer integer handling.

Android

Android 12 Adds a New Device Search API For Third-Party Launchers (xda-developers.com) 4

The developers behind Niagara Launcher, a popular third-party home screen replacement app, have found new evidence in the Android 12 preview documentation, which suggests that Google is adding a new device search API in Android 12 that will let third-party launchers offer a similar universal search feature. XDA Developers reports: [T]he feature will give third-party launchers "access to the centralized AppSearch index maintained by the system." It further highlights that the AppSearch index is a search library for managing structured data featuring: A fully offline on-device solution; A set of APIs for applications to index documents and retrieve them via full-text search; APIs for applications to allow the System to display their content on the system UI surfaces; and Similarly, APIs for applications to allow the System to share their content with other specified applications. This feature will essentially provide a native alternative to universal search apps like Sesame, giving users the option to search for almost anything on their device in an instant.
Android

What We're Expecting From Google's Custom 'Whitechapel' SoC In the Pixel 6 (arstechnica.com) 16

An anonymous reader quotes a report from Ars Technica: It sounds like this custom Google SoC-powered Pixel is really going to happen. Echoing reports from about a year ago, 9to5Google is reporting that the Pixel 6 is expected to ship with Google's custom "Whitechapel" SoC instead of a Qualcomm Snapdragon chip. The report says "Google refers to this chip as 'GS101,' with 'GS' potentially being short for 'Google Silicon.'" It also notes that chip will be shared across the two Google phones that are currently in development, the Pixel 6 and something like a "Pixel 5a 5G." 9to5 says it has viewed documentation that points to Samsung's SLSI division (Team Exynos) being involved, which lines up with the earlier report from Axios saying the chip is "designed in cooperation with Samsung" and should be built on Samsung's 5nm foundry lines. 9to5Google says the chip "will have some commonalities with Samsung Exynos, including software components."

XDA Developers says it can corroborate the report, saying, "According to our source, it seems the SoC will feature a 3 cluster setup with a TPU (Tensor Processing Unit). Google also refers to its next Pixel devices as 'dauntless-equipped phones,' which we believe refers to them having an integrated Titan M security chip (code-named 'Citadel')." A "3 cluster setup" would be something like how the Snapdragon 888 works, which has three CPU core sizes: a single large ARM X1 core for big single-threaded workloads, three medium Cortex A78 cores for multicore work, and four Cortex A55 cores for background work. The Pixel 6 should be out sometime in Q4 2021, and Pixel phones always heavily, heavily leak before they launch. So I'm sure we'll see more of this thing soon.
"I think the biggest benefit we'll see from a Google SoC is an expanded update timeline," writes Ron Amadeo. "Android updates go a lot smoother when you get support from the SoC manufacturer, but Qualcomm abandons all its chips after the three-year mark for major updates. This lack of support makes updates significantly harder than they need to be, and today that's where Google draws the line at updates."

"Beyond easier updates, I don't know that we can expect much from Whitechapel," adds Amadeo, noting that lots of Android manufacturers have made their own chips but none of them have been able to significantly beat Qualcomm. "It's hard to be bullish on Google's SoC future when the company doesn't seem to be making the big-money acquisitions and licensing deals that Apple, Qualcomm, and Samsung are making. But at least it's a start."
Google

Google Wins Oracle Copyright Fight as Top Court Overturns Ruling (bloomberg.com) 155

The U.S. Supreme Court ruled that Alphabet's Google didn't commit copyright infringement when it used Oracle's programming code in the Android operating system, sparing Google from what could have been a multibillion-dollar award. From a report: The 6-2 ruling, which overturns a victory for Oracle, marks a climax to a decade-old case that divided Silicon Valley and promised to reshape the rules for the software industry. Oracle was seeking as much as $9 billion. The court said Google engaged in legitimate "fair use" when it put key aspects of Oracle's Java programming language in the Android operating system. Writing for the court, Justice Stephen Breyer said Google used "only what was needed to allow users to put their accrued talents to work in a new and transformative program." Each side contended the other's position would undercut innovation. Oracle said that without strong copyright protection, companies would have less incentive to invest the large sums needed to create groundbreaking products. Google said Oracle's approach would discourage the development of new software that builds on legacy products.
Safari

NYT: 'If You Care About Privacy, It's Time to Try a New Web Browser' (seattletimes.com) 135

This week the lead consumer technology writer for The New York Times urged readers to switch their browser from Chrome, Safari, or Microsoft Edge to a private browser.

"For about a week, I tested three of the most popular options — DuckDuckGo, Brave and Firefox Focus. Even I was surprised that I eventually switched to Brave as the default browser on my iPhone." Firefox Focus, available only for mobile devices like iPhones and Android smartphones, is bare-bones. You punch in a web address and, when done browsing, hit the trash icon to erase the session. Quitting the app automatically purges the history. When you load a website, the browser relies on a database of trackers to determine which to block.

The DuckDuckGo browser, also available only for mobile devices, is more like a traditional browser. That means you can bookmark your favorite sites and open multiple browser tabs. When you use the search bar, the browser returns results from the DuckDuckGo search engine, which the company says is more focused on privacy because its ads do not track people's online behavior. DuckDuckGo also prevents ad trackers from loading. When done browsing, you can hit the flame icon at the bottom to erase the session.

Brave is also more like a traditional web browser, with anti-tracking technology and features like bookmarks and tabs. It includes a private mode that must be turned on if you don't want people scrutinizing your web history. Brave is also so aggressive about blocking trackers that in the process, it almost always blocks ads entirely. The other private browsers blocked ads less frequently....

In the end, though, you probably would be happy using any of the private browsers... For me, Brave won by a hair. My favorite websites loaded flawlessly, and I enjoyed the clean look of ad-free sites, along with the flexibility of opting in to see ads whenever I felt like it. Brendan Eich, the chief executive of Brave, said the company's browser blocked tracking cookies "without mercy."

"If everybody used Brave, it would wipe out the tracking-based ad economy," he said.

Count me in.

Android

Google Play Limiting Android 11+ Apps From Seeing What's Installed on Devices This May (9to5google.com) 27

Google today announced a series of policy updates for apps distributed through the Play Store. The most impactful sees Google limit most developers from seeing which Android apps are installed on your device. From a report: As part of its ongoing work to restrict the use of high risk/sensitive permissions, Google is limiting what apps can use the QUERY_ALL_PACKAGES permission that "gives visibility into the inventory of installed apps on a given device." This applies to apps that target API 30+ on devices running Android 11 and newer. Enforcement was originally meant to occur earlier, but was delayed in light of COVID-19.
Microsoft

Microsoft Shuts Down Cortana on iOS and Android (theverge.com) 40

Microsoft has shut down its Cortana app for iOS and Android. From a report: It's the latest in a series of moves to end support for Cortana across multiple devices, including Microsoft's own Surface Headphones. The Cortana app for iOS and Android is no longer supported, and Microsoft has removed it from both the App Store and Google's Play Store.
Android

Google Collects 20 Times More Telemetry From Android Devices Than Apple From iOS (therecord.media) 113

An anonymous reader quotes a report from The Record by Recorded Future: Academic research published last week looked at the telemetry traffic sent by modern iOS and Android devices back to Apple and Google servers and found that Google collects around 20 times more telemetry data from Android devices than Apple from iOS. The research, conducted by Professor Douglas J. Leith from Trinity College at the University of Dublin, analyzed traffic originating from iOS and Android devices heading to Apple and Google servers at various stages of a phone's operation... [...] The study unearthed some uncomfortable results. For starters, Prof. Leith said that "both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this [option]." Furthermore, "this data is sent even when a user is not logged in (indeed even if they have never logged in)," the researcher said.

But while the Irish researcher found that Apple tends to collect more information data types from an iOS device, it was Google that collected "a notably larger volume of handset data. During the first 10 minutes of startup the Pixel handset sends around 1MB of data is sent to Google compared with the iPhone sending around 42KB of data to Apple," Prof. Leith said. "When the handsets are sitting idle the Pixel sends roughly 1MB of data to Google every 12 hours compared with the iPhone sending 52KB to Apple i.e., Google collects around 20 times more handset data than Apple."
In response to the findings, a Google spokesperson said: "This research outlines how smartphones work. Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways. This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently." The Android maker also disputed the paper's methodology, which they claim under-counted iOS' telemetry volume by excluding certain types of traffic, which Google believes resulted in skewed results that found Android devices collecting 20 times more data than iOS.

Apple echoed its rival's response. "The report conflates a number of items in relation to different services and misunderstands how personal location data is protected," an Apple spokesperson told The Record. "Apple is not collecting data that can be associated with individuals without a user's knowledge or consent."

Additional information about the findings can be found here (PDF).
The Internet

On cURL's 23rd Anniversary, Creator Daniel Stenberg Celebrated With 3D-Printed 'GitHub Steel' Contribution Graph (daniel.haxx.se) 25

This week Swedish developer Daniel Stenberg posted a remarkable reflection on the 23rd anniversary of his command-line data tool, cURL: curl was adopted in Red Hat Linux in late 1998, became a Debian package in May 1999, shipped in Mac OS X 10.1 in August 2001. Today, it is also shipped by default in Windows 10 and in iOS and Android devices. Not to mention the game consoles, Nintendo Switch, Xbox and Sony PS5.

Amusingly, libcurl is used by the two major mobile OSes but not provided as an API by them, so lots of apps, including many extremely large volume apps bundle their own libcurl build: YouTube, Skype, Instagram, Spotify, Google Photos, Netflix etc. Meaning that most smartphone users today have many separate curl installations in their phones.

Further, libcurl is used by some of the most played computer games of all times: GTA V, Fortnite, PUBG mobile, Red Dead Redemption 2 etc.

libcurl powers media players and set-top boxes such as Roku, Apple TV by maybe half a billion TVs.

curl and libcurl ships in virtually every Internet server and is the default transfer engine in PHP, which is found in almost 80% of the world's almost two billion websites.

Cars are Internet-connected now. libcurl is used in virtually every modern car these days to transfer data to and from the vehicles.

Then add media players, kitchen and medical devices, printers, smart watches and lots of "smart" IoT things. Practically speaking, just about every Internet-connected device in existence runs curl.

I'm convinced I'm not exaggerating when I claim that curl exists in over ten billion installations world-wide...

Those 300 lines of code in late 1996 have grown to 172,000 lines in March 2021.

Stenberg attributes cURL's success to persistence. "We hold out. We endure and keep polishing. We're here for the long run. It took me two years (counting from the precursors) to reach 300 downloads. It took another ten or so until it was really widely available and used." But he adds that 22 different CPU architectures and 86 different operating systems are now known to have run curl.

In a later blog post titled "GitHub Steel," Stenberg also reveals that GitHub gave him a 3D-printed steel version of his 2020 GitHub contribution matrix — accompanied by a friendly note. "Please accept this small gift as a token of appreciation on behalf of all of us here at GitHub, and everyone who benefits from your work."
China

How 'Rest of World' Wants to Change International Tech Coverage (medium.com) 19

Medium's tech site OneZero reports on "Rest of World" [dot org], which they call "a news site dedicated to telling technology stories about what's happening outside of North America and Europe," but founded as a nonprofit by the daughter of former Google CEO Eric Schmidt: Sophie Schmidt: We have big intractable problems in the tech and society category: misinformation, disinformation, surveillance, privacy, you name it. We're creating panels, and commissions, and we're shaking our fists at big platforms and saying, "Please fix it." And it feels a little bit helpless. But the thing that's not coming up is that every other country in the world is also dealing with it in slightly different ways.

What if the solutions to our problems lie in the sharing of those experiences, and ideas, and learnings? Expanding the dataset. It's honestly baffling. We have billions of people in the world all using technology all the time. I think the last data I saw said there's almost 5 billion people online. And depending on how you count Western versus non-Western, something like 80% of all humans live outside of the Western bubble. That means that you have almost an infinite number of parallel experiments, playing out simultaneously all around us just outside of you. So, why aren't we comparing experiences...?

Some of the interview's highlights:
  • The senior editor agrees Clubhouse might change the way that politics works globally. "But I think the second option, which we're already seeing glimmers of, is that it's going to get banned in more places. And the places where it doesn't get banned, it's going to be very closely surveilled."

Google

Google Launches 'Android Ready SE Alliance' To Drive Adoption of Digital Keys, Mobile IDs (9to5google.com) 52

An anonymous reader quotes a report from 9to5Google: Smartphones have already obviated single-purpose gadgets like point-and-shoot cameras and MP3 players. Google today announced the Android Ready SE Alliance to make sure new phones have the underlying hardware to eventually replace car/home keys and wallets. "Emerging user features" -- digital keys, mobile driver's license (mDL), national ID, ePassports, and eMoney solutions (wallets) -- require two things. The first is tamper-resistant hardware, like the Pixel's Titan M chip, which makes possible tamper-resistant key storage for Android apps (to store data) called StrongBox. "All these features need to run on tamper-resistant hardware to protect the integrity of the application executables and a user's data, keys, wallet, and more," writes Google in a blog post. "Most modern phones now include discrete tamper-resistant hardware called a Secure Element (SE)."

Google has determined that "SE offers the best path for introducing these new consumer use cases in Android." To "accelerate adoption," the company and partners (Giesecke+Devrient, Kigen, NXP, STMicroelectronics, and Thales) today announced the Android Ready SE Alliance. Besides phones, StrongBox is also available for Wear OS, Android Auto Embedded, and Android TV. Google says it's currently focusing on digital car keys, mobile driver's license, and other identity credentials, with unnamed "Android OEMs adopting Android Ready SE for their devices."

Privacy

A New Android Spyware Masquerades as a 'System Update' (techcrunch.com) 20

Security researchers say a powerful new Android malware masquerading as a critical system update can take complete control of a victim's device and steal their data. From a report: The malware was found bundled in an app called "System Update" that had to be installed outside of Google Play, the app store for Android devices. Once installed by the user, the app hides and stealthily exfiltrates data from the victim's device to the operator's servers. Researchers at mobile security firm Zimperium, which discovered the malicious app, said once the victim installs the malicious app, the malware communicates with the operator's Firebase server, used to remotely control the device. The spyware can steal messages, contacts, device details, browser bookmarks and search history, record calls and ambient sound from the microphone, and take photos using the phone's cameras. The malware also tracks the victim's location, searches for document files and grabs copied data from the device's clipboard. The malware hides from the victim and tries to evade capture by reducing how much network data it consumes by uploading thumbnails to the attacker's servers rather than the full image. The malware also captures the most up-to-date data, including location and photos.
Businesses

Amazon Drops Plan To Track Mask Wearing by Drivers With Cameras (theinformation.com) 30

Amazon has scrapped a plan to use new high-tech surveillance cameras to verify whether its delivery drivers are wearing face masks on the job. From a report: The internet retail giant is in the process of installing the cameras -- which will use artificial intelligence to identify driver drowsiness, distracted driving and other risky behavior -- in its vast fleet of Amazon-branded delivery vans in the U.S., a move Amazon says is aimed at improving safety. In a recent training video for drivers, Amazon listed one previously unreported form of driver behavior it planned to use the cameras to check for -- "face mask compliance" -- according to an image of the video viewed by The Information. But after receiving questions from The Information about the plan, Amazon said it would no longer use the cameras to make sure drivers are wearing masks. The company said it made the change because its policy doesn't require drivers to wear face masks when they are alone in their vans.
Android

Five-Year-Old Fairphone 2 Getting Updated To Almost Three-Year-Old Android 9 (theverge.com) 57

Sustainable smartphone manufacturer Fairphone has gotten Google's certification for its Android 9 update for the Fairphone 2. The Verge reports: Getting certification for a nearly three-year-old version of Android doesn't sound that impressive until you realize that it's running on a phone originally released five years ago when it ran Android 5. The roll-out of the software starts today, and will continue until April 18th, Fairphone says. It's a length of support that's basically unheard of among Android phone manufacturers. Although Fairphone 2 owners aren't going to be able to enjoy the latest Android 11 features, the more important thing is that they're running a version of Android that's still officially supported. Google's latest Android security bulletin from this month includes multiple fixes for security issues in Android 9. "To get Google certification for Android 9 for Fairphone 2 just as we hit five years of support for the smartphone is a huge achievement for Fairphone," says CEO of Fairphone Eva Gouwens. "In order to get certification, we had to pass approximately 477,000 Google tests." "We want to show the industry that this kind of thing is possible, that a smartphone doesn't have to be discarded after 2-3 years, we can prolong its lifespan," the CEO added.
Android

The OnePlus 9 Pro Has a 120Hz Display, Hasselblad Cameras, and Costs $969 (theverge.com) 56

The OnePlus 9 and OnePlus 9 Pro are OnePlus' newest smartphones powered by Qualcomm's latest Snapdragon 888 chipset. The flagship device is the OnePlus 9 Pro, featuring a 120Hz LTPO curved display, 8GB of RAM, 128GB storage, Hasselblad-branded cameras, and a starting price of $969. If that price is too much to stomach, the OnePlus 9 features slightly lower-end specs and a more affordable $729 starting price. The Verge has already called the OnePlus 9 Pro "the best Android alternative to Samsung." From the report: OnePlus spent much of its announcement talking about the cameras on the new phones, which have been developed in partnership with Hasselblad. OnePlus says the colors have been tuned to look more natural and that the ultrawide sensor on the 9 Pro and 9 is one of the biggest to ever ship on a smartphone. The ultrawide uses a 50-megapixel Sony IMX766 sensor that's 1/1.56" in size with an aperture of f/2.2. Meanwhile, the 9 Pro's main Sony IMX789 sensor has a resolution of 48 megapixels and is 1/1.43" in size. (The regular 9 has a Sony IMX689 sensor, but it has the same resolution of 48 megapixels.) Both have a 2-megapixel monochrome sensor and 16-megapixel selfie camera, but only the 9 Pro has an 8-megapixel telephoto.

As previously announced, the 9 Pro has a 1440p 120Hz curved display that makes use of LTPO technology to adjust its refresh rate between 1 and 120Hz based on the content being displayed on-screen, reducing power consumption by "up to 50 percent." OnePlus also claims it should feel more responsive to use in games that support its Hyper Touch technology. The screen has a maximum brightness of 1300 nits and supports HDR10+. Meanwhile, the OnePlus 9 has a flat rather than curved display. It's not LTPO, it's slightly less bright at 1,100 nits, and it's also lower resolution at 1080p. It's still got a refresh rate of 120Hz, however.
Additionally, both phones support Warp Charge 65T, which OnePlus claims should be able to charge the phones' 4,500mAh batteries to 100 percent in under half an hour. The 9 Pro and 9 can also charge wirelessly at up to 50W and 15W, respectively. Both phones will go on sale on April 2nd, with preorders starting March 26th.
Security

A Security App's Fake Reviews Give Us a Window Into 'App Store Optimization' (vice.com) 17

A company that makes an email app that helps users encrypt their emails paid for fake reviews in an attempt to get more people to download its products, according to leaked emails obtained by Motherboard. An anonymous reader shares a report: The CEO of pEp, a Luxembourg-based company that makes the pEp email encryption apps for Android and iOS, commissioned a marketing company to write fake reviews that he himself wrote in the summer of last year. Leon Schumacher asked the marketing company Mobiaso to post 40 five-star reviews in English, French, and German to the Google Play Store. Schumacher included an Excel spreadsheet that contained the specific text that he wanted Mobiaso to use. "Super easy privacy," one fake review said. "One of the best mail applications. I have never had problems and I suggest it all the time to friends," another said.

"Can we speed up today and do 12 ratings per day do 7 reviews per day (Please use the Texts below for the right countries (that I forwarded already per earlier e-mail)," Schumacher wrote in an email to Mobiaso. pEp, short for Pretty Easy Privacy, develops email encryption apps for both iOS and Android, where it has more than 10,000 installs, according to the stats on the Google Play Store. The company, through its foundation, also funded a new library to encrypt emails using PGP, the decades old technology that allows users to encrypt emails and other files. Mobiaso advertises "iOS reviews" and "Android installs" on its website. One of the services the company offers is App Store Optimization, or ASO, which includes fake reviews. The service has several price tiers, ranging from $160 to $450. Only the two most expensive tiers include fake reviews. "Each app developer/advertiser should remember that without a good ASO search optimization, your target audience wouldn't even find or open your app page," Mobiaso says.
