Google and Samsung camera app vulnerabilities exposed

Research by application security specialist Checkmarx has revealed that the camera apps on Google and Samsung smartphones can be hacked.

The findings were published in a blog post by the company, having previously been shared with Google and Samsung to give them a chance to patch the vulnerabilities before the whole world found out about them. So while this isn’t sensational news, because the vulnerability no longer exists, it’s still good PR for Checkmarx and a general Android security wake-up call.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” said a statement from Google in the blog. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.” The Indian government must have been disappointed.

Specifically it was found that third party apps could exploit the app permission system, through which new apps ask for your permission to access certain smartphone functions. A loophole allowed apps, once they had got permission to access the camera, to give remote control of the camera to baddies, thus allowing them to record what you’re up to.

“In doing so, our researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off,” said the blog. “Our researchers could do the same even when a user is in the middle of a voice call… Of course, a video also contains sound. It was interesting to prove that a video could be initiated during a voice call. We could easily record the receiver’s voice during the call and we could record the caller’s voice as well.”

Google undermines US carrier RCS initiative by launching its own

Less than a month after the four US MNOs announced a joint RCS initiative for Android, Google has decided to launch its own.

Google was conspicuously absent from the announcement of the Cross Carrier Messaging Initiative by AT&T, Verizon, T-Mobile US and Sprint last month. Considering it was all about championing RCS on Android you have to assume there had been some dialogue between the operators and Google, but the omission of the latter from the press release indicated progress had been slow.

Now, having not done anything significant about RCS in the US for over a decade, Google has suddenly found the motivation to upgrade all SMS messaging on Android to RCS. In a brief blog post Sanaz Ahari, Product Management Director at Google, explained all the cool new things US Android users will now be able to do via the text function. It could almost have been a CCMI press release.

It’s hard to see this as anything other than a direct attempt to undermine the nascent CCMI project. The US operators saw Google’s RCS apathy as an opportunity to add some value themselves, so Google acted quickly to pull the rug out from under them. It could be that some of the features operators reckon they’re able to uniquely offer, such as keeping user data out of Google’s hands, might still give them an advantage, but this looks like a major setback for them.

Android beat Windows mobile because of antitrust distraction – Bill Gates

Bill Gates has suggested if it wasn’t for the costly and prolonged antitrust lawsuit in 1998, Microsoft would be the dominant player in the mobile OS world not Google.

This lawsuit, which lasted roughly three years, undermined Microsoft’s dominance of the technology world. With the playing field levelled for competition, Microsoft gradually fell back into the chasing peloton, though founder Bill Gates suggested there was a much bigger impact for the business.

“There’s no doubt that the antitrust lawsuit was bad for Microsoft, and we would have been more focused on creating the phone operating system,” said Gates at the DealBook Conference in New York. “Instead of using Android today, you would be using Windows Mobile.

“We were so close. I was just too distracted that I screwed that up because of the distraction. We were just three months too late with the release that Motorola would have used on a phone. It’s a winner take all matter for sure, now nobody here has ever heard of Windows Mobile, but oh well.”

Some might dismiss Gates’ proclamation; the OS did launch, after all, and was not in the same league as Android. It is an interesting idea, though.

If Microsoft had not been spending so much time defending its PC software business, more attention and investment could have been directed to the mobile OS. The transition from home computer to the smartphone was after all one of the contributing factors to Microsoft’s decline from power.

Interestingly enough, Gates also claims that if he hadn’t had to defend the business in such an intense antitrust case, he wouldn’t have retired so early.

While Microsoft is now recapturing its dominant position, thanks to a focus on the cloud computing segment, it spent years lurking in the shadows as an also-ran in the technology segment. This was still a very profitable company, but it had fallen from the dizzy heights of the 80s and 90s. The world moved from the home computer to mobile, and Microsoft was slow to react.

On the other side of the equation, Google acquired Android and entered the mobile world. This is perhaps one of the smartest bits of business ever, as Google reportedly acquired Android for as little as $50 million. Without this OS, Google would not have dominated the mobile world and would not be anywhere near as profitable as it is today.

Gates might be exaggerating with his claims here, though the world would certainly look a lot different if Microsoft had won the mobile OS race.

Google forms alliance with some Android security specialists

The App Defense Alliance brings together Google, ESET, Lookout, and Zimperium to combat baddies on Android.

Considering how huge and diverse the Android ecosystem is, it’s surprising how few malware catastrophes it has had. Maybe that’s thanks in part to the work of companies like Lookout, which offer freemium security apps on the Play Store. Google has apparently decided to be a bit more proactive on the security front itself, but without undermining all the good work that has already been done, hence the creation of the App Defense Alliance.

“Working closely with our industry partners gives us an opportunity to collaborate with some truly talented researchers in our field and the detection engines they’ve built,” blogged Dave Kleidermacher, VP, Android Security & Privacy. “This is all with the goal of, together, reducing the risk of app-based malware, identifying new threats, and protecting our users.”

The clever bit involves integrating the Google Play Protect detection systems with each partner’s scanning engines. This will result in several pairs of eyes having a close look at apps that are in the queue for publication on the Play Store and, in theory, reduce the chances of any of them containing any moody code.

Judging by an interview Kleidermacher gave Wired, from Google’s perspective this is all about coordinating the security efforts of a bunch of previously autonomous players. What’s in it for the other partners isn’t so obvious. In the Wired article they said all the right things about being greater than the sum of their parts, but we wouldn’t be surprised if a bit of Google cash helped persuade them too.

Australia sues Google for misleading users over location data

The Australian Competition and Consumer Commission has taken Google to court over allegations that it misled consumers over the collection of their location data.

The ACCC reckons that from 2017 at the latest Google broke the law when it made on-screen representations to Android users that it alleges misled consumers about the location data Google collected or used when certain Google Account settings were enabled or disabled. In short the ACCC is claiming Google gave users insufficient information to ensure their location data wasn’t collected if they didn’t want it to be.

“We are taking court action against Google because we allege that as a result of these on-screen representations, Google has collected, kept and used highly sensitive and valuable personal information about consumers’ location without them making an informed choice,” said ACCC Chair Rod Sims.

The problem is that Android has multiple settings that need to be adjusted if you don’t want your location data collected and the ACCC is alleging that Google didn’t flag up all of them. That will have resulted in some consumers thinking their location data wasn’t being collected when it still was. At the very least it seems Google has been insufficiently clear in communicating with Android users about this stuff.

Underlying a lot of the current wave of litigation towards internet giants is the desire by regulators and governments to retrospectively address the personal data land grab that characterised the first decade or so of the modern mobile device. Free services such as Android and Facebook have always sought payment in kind through the collection of personal data but have usually been very opaque in the ways they have gone about it. Regulators are now trying to shut the stable door after the horse has bolted.

Microsoft gets into the Android smartphone game, or does it?

At an event devoted to its Surface device range Microsoft teased a new, dual-screen Android smartphone called the Surface Duo.

This is Microsoft’s first attempt at an Android phone and it gets its name from the fact that it has two screens, joined by a 360-degree hinge, i.e. not a foldy screen. Microsoft has yet to issue a formal press release on the launch, but there is a sparsely-populated product site and a video, which you can see below.

Panos Panay, Microsoft’s Chief Product Officer, did manage to have a chat with Wired, however, and he insisted it’s not a smartphone at all, despite it using the Android OS and enabling phone calls. Instead, Panos insists, it’s a ‘device’. The reason for this gadget semantics seems to be Microsoft’s hope that people will view the Duo as a completely new category.

There is some justification to this. In many respects the Duo is a miniature version of the Neo, which was also launched at the event. Microsoft is attempting to define and own the dual-screen device category, regardless of the size of those screens. As you can see from the second video below, the Neo does seem to introduce some novel features, but it runs on Windows with an Intel chip. Those options weren’t available for a smaller device, hence the ‘not quite a phone’ thing.

The reason we don’t know more is that neither the Duo nor the Neo are commercial devices yet, and won’t be for another year. As you would expect of Microsoft, they are positioned as mobile devices with an emphasis on productivity and the Neo certainly seems to offer some new ways of working on the road. Whether or not people will be willing to swap their existing smartphones for a smaller version of it is another matter entirely.


Google takes a step towards accessibility and personalisation

Google has announced the launch of Action Blocks, allowing users to customise commands for its personal assistant.

Based on a concept developed by one of its own software engineers, Lorenzo Caggioni, Action Blocks have initially been designed to aid users with cognitive disabilities. The feature allows users to build action commands which trigger a specific outcome. The outcome and the command can be customised to suit the individual user.

“The Action Block icon—for example, a photograph of a cab—triggers the corresponding Assistant command, like ordering a rideshare,” said Google’s Ajit Narayanan. “Action Blocks can be configured to do anything the Assistant can do, in just one tap: call a loved one, share your location, watch your favourite show, control the lights and more.”

While this announcement has been geared around accessibility, the feature could be made applicable to every Google user.

Google has often preached its capabilities to personalise the experience for each user, and while this has been successful to date, this feature could take it up a level. With Action Blocks, the power of personalisation is put in the hands of the user. Each user will want their device to perform in a different way, and this is one step in that direction.

Right now, the commands are triggered by an icon on the desktop, though there is no reason why this can’t be blended with the voice user interface in the future.

Securing a ride home is a good example. The command could be set as ‘get me home’, which could trigger several different actions. One might be to launch Uber and order a taxi, another could be to open up Google Maps and the navigation features. This is only one example, but if applied correctly, there is no reason why such triggers could not be applied to almost any feature on the phone. The voice user interface is one which is gathering momentum and it opens up a plethora of new ways users can interact with devices and the digital economy.

The Action Block feature is currently in trial phase, though this is something which we very much like the look of. Firstly, Google is increasing accessibility of its services to those who are often ignored by society, and secondly, the idea could be developed into something which is applicable to everyone. There is potential to put personalisation into the hands of the user.

Backdoor to Google services closed for Huawei Mate 30

There was a brief glimmer of hope for Huawei users that Google services might have been an option for its latest smartphones, but the workaround has now been closed.

Yesterday on Medium, security researcher John Wu posted a way in which Google services could be downloaded to the latest range of Huawei devices. Many would have been searching for a way to get around the Huawei ban on using Google services, and while we suspect there will be some still out there, this one has at least been closed.

Wu goes into some detail in his post, but in short, by manually installing Google Mobile Services via an app called LZ Play, users were able to take advantage of an oversight. For a very brief period, some users were able to install Google applications such as Gmail, Maps and Google Pay on their devices, though this has now been removed.

Interestingly enough, this could open up some uncomfortable questions for Huawei.

It might be deemed a suspect situation to download the app, which requests system-level access, though when you start to look at how it works, it becomes a little more nefarious. Wu suggests the app makes use of undocumented Huawei APIs which can somehow bypass Android’s security system.

To make the situation a bit more complicated, it is now very difficult to find LZ Play on the internet, aside from in news stories. There is one German company and a translated page which the Google search engine is no longer able to connect to. It does appear a lot of the traces of this app and the developer have been erased.

Perhaps this is a development US rule makers and Google should take a very close look at. How did an app developer manage to circumvent the security blocks which were put in place so easily? This is not proof of nefarious activity elsewhere, but it does indicate some are aware of the cracks in Google software.

Android moves to replace Google Play Music app with YouTube Music

Google wants to make YouTube the default audio app on Android in the hope of boosting its chances of competing with Spotify.

Right now the default Android audio app is Google Play Music, which does try to get users to upgrade to Google’s subscription streaming service, but doesn’t do a very good job of it and is mainly used as the interface for accessing locally stored audio files. Rather than overhaul the way that upsell is managed Google has decided to merge it with the YouTube Music app.

Music videos are arguably the most popular type of content on YouTube, with the top 30 most viewed individual videos dominated by music. YouTube monetizes those via serving ads on the video, but it would rather people paid upfront to its premium subscription service, that offers ad-free playback, background play on mobile devices (without it the music disappears if you switch to another app) and even downloading.

YouTube Premium has plenty of features, but Spotify is the incumbent streaming music service, so Google has to do something special to topple it. As politicians, regulators and anti-trust authorities around the world are increasingly aware, in Android Google has an incredibly powerful platform for upselling its other digital products and services, and it seems to have decided YouTube Premium needs the power of Android to give it critical mass.

“YouTube Music is your personal guide through the complete world of music—whether it’s a hot new song, hard to find gem, or an unmissable music video,” says the announcement, tellingly published on the YouTube blog. “Music fans on Android phones can now easily unlock the magic of YouTube Music, which will come installed on all new devices launching with Android 10 (and Android 9), including the Pixel series.”

The announcement also made it clear that Google Play Music will no longer be preinstalled, which seems like a precursor to it being replaced entirely. You can still access locally stored files through YouTube Music, but on first inspection the user interface is inferior to Google Play Music, so the company may face some push-back from users on that. We’ll leave you with the top 5 music videos ever on YouTube, bafflingly headed by the entirely mundane Despacito. Contrastingly Gangnam Style has lost none of its kitsch, tongue-in-cheek charm.