Stop messing with our code – Google Project Zero

A Google Project Zero engineer has scolded Samsung, suggesting alterations to Android’s Linux kernel has actually made Galaxy devices more vulnerable.

While making some adjustments to Android code downstream is relatively common, rarely has Google come out in opposition. In a blog post, Jann Horn of Project Zero examined the modifications made by Samsung coming to the conclusion the firm would be better off using existing security features in the Android code.

“In my opinion, some of the custom features that Samsung added are unnecessary, and can be removed without any loss of value,” said Horn.

“That I was able to reuse an infoleak bug here that was fixed over a year ago shows, once again, that the way Android device branches are currently maintained is a security problem. While I have criticized some Linux distributions in the past for not taking patches from upstream in a timely manner, the current situation in the Android ecosystem is worse.

“Ideally, all vendors should move towards using, and frequently applying updates from, supported upstream kernels.”

In this example, Horn found a mistake in the code for the Samsung Galaxy A50. This is a single case, but as Horn states, it is very common for code to be added to the Android kernel code downstream for additional features.

In February, Samsung added an additional security features known as PROCA. Horn was able to figure out what PROCA does, perhaps limits the impact of threats already inside the security perimeters but suggests it would be more effective to add more attention to preventing access in the first place. Horn suggests this code does in fact create more issues than it does solve.

What is worth noting is that this is hardly surprising. Google wants Android to be seen as perfect. The less modifications made to Android code the more influential it becomes, so it will of course reprimand those who try to improve on what it classes as perfection. But then again, the Google engineers might have a point.

Many have tried to replicate the success of Android as a mobile operating system, including Samsung, but all have failed. Only Apple’s iOS is an alternative, though it is not a direct comparison considering only Apple uses it. If no-one is able to replicate the product, why should they be able to improve on it with their own modifications?

Essential’s attempt to reinvent the wheel has predictably failed

When Android creator Andy Rubin started a new company, big things were expected, however it now appears the ideas were far too glorious to have any basis in reality.

Essential has announced it has taken its ideas as far as it can, and it will now cease operations.

In years gone, Rubin was known as a revolutionary. The founder and creator of Android was held in high esteem, with a reputation which grew each year the operating system become more dominant in the mobile world. This was the enthusiasm which was placed in Essential, but it has been a disastrous journey.

The company was founded in 2015, with funding from Playground Global, and in 2017 Rubin revealed the company was working on a new smartphone which was dubbed the Essential Phone. The delivery of this device was full of chaos thanks to the Meltdown and Spectre vulnerabilities, supply shortage, a customer data leak and accusations of trade secrets theft. But this was only the beginning of the disaster.

Despite the rocky start, it was reported that Amazon, Tencent and Foxconn had invested in the company in August, valuing it at more than $1 billion. The belief was there, but it wasn’t until October 2018 that Rubin teased the world with the launch of another device, known as Project GEM. Unfortunately the world had to wait a year for any more information, and it was not good.

The device attempted to reinvent the shape of the smartphone, creating a device which was much slimmer. The smartphone was also designed to be more of a voice-interface device, a novel idea but perhaps miles ahead of what is technically capable or what the consumer wants.

This is the issue which Essential seems to have been facing. Rubin tried to invent a device which he believed was revolutionary rather than listening to what the consumer wants. Sometimes you have to ignore popular opinion to redefine an industry, Henry Ford famously said “if I was to listen to my customers, I would be breeding faster horses”, but this is not one of those cases.

Video consumption and mobile gaming are two of the biggest trends of the mobile world today, especially for the younger generations, those more likely to spend the big bucks on devices. However, Rubin’s devices ignore these trends, not offering enough screen real estate for such content to be relevant.

Essential’s vision got in the way of understanding what the consumer actually wants, and now the company will soon be non-existent. This should perhaps be a lesson to the innovators in Silicon Valley; revolutionary ideas have to be built on the realities of today.

Huawei builds the case for its own OS ecosystem

If US-Chinese tensions continue to remain as they are today, a separate Huawei mobile operating system looks to be a certainty but being competitive with Android is not a simple task.

Building the OS, which will be known as Harmony, is the simple part of the venture. In fairness, nailing the science and experience is anything but simple, but the complexities pale in comparison to the realities of building the supporting ecosystem and credibility. This is where Huawei will struggle, but today it has set out an interesting case at a London Huawei Developer Day.

“Today’s announcement concerning our Huawei Mobile Services offering, highlights our ongoing commitment and support for UK and Irish businesses and developers,” said Anson Zhang, MD of Huawei UK’s consumer business.

“In recent years we have grown significantly and owe our success to the consumers and partners who have chosen and believed in us. As a sign of that support and commitment to the UK and Irish market, we have announced our £20 million investment plan to recognise and incentivise our partners; so that jointly we can build an outstanding ecosystem together.”

Irrelevant as to whether Huawei has the best phones on the planet and the smoothest running OS, if there are no compatible games in the app store, few consumers are going to have an interest in purchasing the device. Huawei has to engage the developer community and convince them it is in their interest to make a third version of the app on top of efforts for Android and iOS.

Back in September, Huawei said it would be investing $1.5 billion to build-out its developer ecosystem. At today’s event, Zhang highlighted £20 million would be set aside specifically for the UK, while any developer which can publish its app on the Huawei App Gallery before January 31 would be entitled to a £20,000 incentive payment.

This is perhaps the most important and difficult job for Huawei over the coming months. The company does not have the same scale, or credibility, as its OS competitors in Apple or Google. It might well claim to have 600 million users worldwide currently, 4 million alone in the UK, but how many of these users are engaging Huawei by choice?

Your correspondent has a Huawei Mate 20 device, and presumably is one of the 4 million Huawei Mobile Services users in the UK, but the Google Play Store, YouTube, Chrome and Gmail are still used exclusively over the Huawei alternatives. Google’s services are not on new Huawei devices, and at the moment, that would certainly stop your correspondent from buying any Huawei products in the future.

This is the chicken and egg situation in play. Huawei needs to convince both the consumer and the developer ecosystem to put faith in it. Consumers will not come without apps and apps will not be developed without consumers. Some might, but nothing in comparison to the scale of the Google app ecosystem.

And so, the Huawei pitch begins, and there some very good ideas.

The first interesting idea presented by Huawei is the idea of more intelligent contextualisation. The different segments in the ecosystem are linked, allowing for a recommendation engine to offer more interesting results. If a user is a big Terminator fan, for example, the video store will recommend relevant titles, but then the music store will factor in this preference and the app store will start pushing first-person shooting games up the listings. It is taking context one step further, which does sound appealing.

Another idea to improve user acquisition is to develop customisable themes and backgrounds for the user which can be linked to apps and content. Jaime Gonzalo, VP Consumer Mobile Services, highlighted there are between 4,000 and 6,000 new apps published each month. To cut through this digital noise, there needs to be a more intelligent approach to user engagement and acquisition.

One very attractive point made by the team is the opportunity for scale which Huawei can offer. China is one of the most lucrative markets around for any app developer, and Huawei, as the telecom champion of China, can potentially offer access to the users in a way Google or Apple could not compete with. This is a very attractive carrot for the developer community.

Another final point on the business side, is the idea of local engagement. Huawei has said each market will have a local business development and operational team to aid the local developer community. Gonzalo claims to be the only business which can offer this USP, demonstrating the importance of this initiative.

Huawei is throwing money at the situation, almost making the creation of a deep developer ecosystem a loss-leader, because it recognises how critical it is to ensure the consumer business survives internationally. This might sound like a dramatization of the status quo, but as long as Huawei remains on the US Entity List, and banned from working with Google, its device business is in a very precarious position.

Looking at the more technical side, Andreas Zimmer, who works in strategy team, highlighted there are currently 24 software development kits (SDK) available for developers in the ecosystem, with plans to launch more in the coming months. Interesting enough, Zimmer claims only one is needed to make the very simple translation from Android and into the Huawei developer ecosystem.

The majority of the SDKs are as one would expect, but there were a couple which Zimmer wanted to push forward for attention.

Firstly, the Machine Learning SDK. This kit allows developers to integrate new AI components into the app, such as face detection, landmark recognition, emotion detection or object detection. Another Zimmer pushed forward was the Awareness kit. This SDK allowed the app to have greater contextual awareness, for example, understanding what time of the day it was, whether a headset is plugged in or the location of the user.

Both of these SDKs are very useful for enthusiastic and creative developers, but the question remains is whether Huawei has done enough to convince the developer community.

The Huawei consumer business is facing a serious threat. If it wants to continue to be an international brand, the Harmony OS needs to work and for this to happen, it needs to be embraced by the developer community. Consumers are tied to Android today, and it will take a serious swing for Huawei to crack this dominance in the Western markets.

Huawei’s OS will almost certainly be a success in its domestic Chinese market, and others were there are strong political ties. But the Huawei ambition is bigger than simply being a dominant domestic champion. As long as the US remains hostile to China and Huawei stays on the Entity List, the international future of the consumer business relies on the success of Harmony OS and the developer ecosystem.

Huawei promises to launch P40 with Google service replacement, reports say

Huawei has told the media that P40, the company’s next flagship smartphone will be launched with its own mobile service suite but will be built on Android 10 instead of its own HarmonyOS.

Richard Yu, CEO of Huawei Technologies Consumer Business Group, told a group of journalists from the French media that the company’s next flagship smartphone, the P40 (and likely P40 Pro), will be launched at the end of March 2020 at a special event in Paris. The exact date is yet to be announced. Yu promised the media representatives, who were on a press tour to the company’s headquarters in Shenzhen, that the phone will be in a design never seen before (“jamais vu”), with improved photography quality, better performance, and boosted automation.

Yu also confirmed that the phone will be built on Android 10 with Huawei’s customised user interface, EMUI. This is consistent with the company’s earlier announcement that its own operating system, HarmonyOS, will not be powering smartphones or tablets in 2020. Instead it will be used on other connected devices, including smart TVs and wearables.

Meanwhile, the Indian newspaper The Economic Times quoted Charles Peng, the CEO of the Huawei and Honor brands in India in Huawei’s Consumer Business Group, as saying that P40 will come equipped with Huawei Mobile Services (HMS), in place of Google Mobile Services (GMS). Both brands from Huawei as well as Oppo, another Chinese smartphone maker, were reported to have approached app developers to make the top apps in India available for HMS as well as for Oppo’s own Color OS.

“We have our own HMS and are trying to build a mobile ecosystem. Most of the key apps such as navigation, payments, gaming and messaging will be ready soon.” Peng told The Economic Times. Frandroid, a French media outlet, noted that HMS should be ready at the same time as the launch of P40.

The Economic Times reported that Huawei offers developers up to $17,000 for making their apps available for HMS, supported by Huawei’s $1 billion global fund the company announced earlier this year. Oppo’s coffer “to develop a “new intelligent service ecosystem” is reported to amount to $143 million.

It is worth highlighting that having the most popular third-party apps in a certain market (India, China, for example) available for HMS is different from bypassing GMS. The core Google services and APIs, including Chrome browser, YouTube and YouTube Music, Play Store, Google Drive, Duo, Gmail, Maps, as well as Movies and TV, are optimised to work with the Android operating system. Most importantly, there is Google’s fundamental “search” capability that powers everything else.

Developing its own operating system as well as an overall mobile ecosystem has long been on Huawei’s card. As Ren Zhengfei, Huawei’s founder, told media earlier, the work, as well as in-house chipset development capability, started long before Huawei ran afoul of the US government. However, the company has learned it the hard way that such tasks are more difficult than building a nice phone. Richard Yu had to renegade on his own promises more than once. Shortly after Huawei was put on the Identify List Yu said that the company’s own operating system would be able to power its new smartphones by the end of this year or the beginning of next. That has now been officially denied when HarmonyOS’s positioning was clarified. Yu also said, prior to the launch of P30 in September that there would be a workaround solution to load GMS on the new smartphone. That did not happen either.

Consumers may also find Huawei’s narrative less than convincing. As IDC’s Navkender Singh put it to The Economic Times, “There will be a breakdown of the conversation that Huawei or Honor devices will have OS and app store issue. It is going to be very tough for Huawei/Honor to sell the phone based on their own suite.”

Huawei remains defiant in face of Android threat

In a recent interview Huawei Founder Ren Zhengfei brushed off the effect of a ban on working with Google on his company’s smartphone fortunes.

Chatting to CNN Ren said he didn’t think it would be a problem to overtake Samsung as the world’s number one smartphone vendor, even without access to Google services, it would just take a bit longer. He didn’t seem to say how much longer, however. The plan is still to get as many apps as possible to create versions of themselves that will work on Huawei’s own mobile platform thus getting rid of the need to work with Google.

Apparently some US companies, including Microsoft, have already received licenses to do business with Huawei, but not Google yet. So it’s reasonable and right for Huawei to continue to seek smartphone OS autonomy, but Ren’s bluster is unconvincing. He even had the nerve to imply that when Huawei’s OS is up and running it would go back to Google even if it could, but it’s hard to imagine anyone willingly choosing Huawei’s equivalent over the original.

Elsewhere a similar tune was coming from Huawei smartphone sub-brand Honor. According to Livemint one of its senior execs moaned about not being able to use Android, which isn’t strictly true as it’s the Google services that will be with-held, and talked tough about Huawei’s alternative platform. While we’ve got no problem with Huawei continuing to fight its corner, surely it doesn’t really believe anyone would buy a phone that runs its adaptation of Android when the real deal is available.

Google and Samsung camera app vulnerabilities exposed

Research by application security specialist Checkmarx has revealed that the camera apps on Google and Samsung smartphones can be hacked.

The findings were published in a blog post by the company, having previously been shared with Google and Samsung to give them a chance to patch the vulnerabilities before the whole world found out about them. So while this isn’t sensational news, because the vulnerability no longer exists, it’s still good PR for Checkmarx and a general Android security wake up call.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” said a statement from Google in the blog. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.” The Indian government must have been disappointed.

Specifically it was found that third party apps could exploit the app permission system, through which new apps ask for your permission to access certain smartphone functions. A loophole allowed apps, once they had got permission to access the camera, to give remote control of the camera to baddies, thus allowing them to record what you’re up to.

“In doing so, our researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off,” said the blog. “Our researchers could do the same even when a user was is in the middle of a voice call… Of course, a video also contains sound. It was interesting to prove that a video could be initiated during a voice call. We could easily record the receiver’s voice during the call and we could record the caller’s voice as well.”

Google undermines US carrier RCS initiative by launching its own

Less than a month after the four US MNOs announced a joint RCS initiative for Android, Google has decided to launch its own.

Google was conspicuously absent from the announcement of the Cross Carrier Messaging Initiative by AT&T, Verizon, T-Mobile US and Sprint last month. Considering it was all about championing RCS on Android you have to assume there had been some dialogue between the operators and Google, but the omission of the latter from the press release indicated progress had been slow.

Now, having not done anything significant about RCS in the US for over a decade, Google has suddenly found the motivation to upgrade all SMS messaging on Android to RCS. In a brief blog post Sanaz Ahari, Product Management Director at Google, explained all the cool new things US Android users will now be able to do via the text function. It could almost have been a CCMI press release.

It’s hard to see this as anything other than a direct attempt to undermine the nascent CCMI project. The US operators saw Google’s RCS apathy as an opportunity to add some value themselves, so Google acted quickly to pull the rug out from under them. It could be that some of the features operators reckon they’re able to uniquely offer, such as keeping user data out of Google’s hands, might still give them an advantage, but this looks like a major setback for them.

Android beat Windows mobile because of antitrust distraction – Bill Gates

Bill Gates has suggested if it wasn’t for the costly and prolonged antitrust lawsuit in 1998, Microsoft would be the dominant player in the mobile OS world not Google.

This lawsuit, which lasted roughly three years, proved to undermine the Microsoft dominance on the technology world. With the playing-field levelled for competition, Microsoft gradually fell back into the chasing peloton, though founder Bill Gates suggested there was a much bigger impact for the business.

“There’s no doubt that the antitrust lawsuit was bad for Microsoft, and we would have been more focused on creating the phone operating system,” said Gates at the DealBook Conference in New York. “Instead of using Android today, you would be using Windows Mobile.

“We were so close. I was just too distracted that I screwed that up because of the distraction. We were just three months too late with the release that Motorola would have used on a phone. It’s a winner take all matter for sure, now no-body here has ever heard of Windows Mobile, but oh well.”

Some might dismiss Gates’ proclamation, the OS did launch after all and was not in the same league as Android, though it is an interesting idea.

If Microsoft had not been spending so much time defending its PC software business, more attention and investment could have been directed to the mobile OS. The transition from home computer to the smartphone was after all one of the contributing factors to Microsoft’s decline from power.

Interestingly enough, Gates also claims that if he hadn’t had to defend the business in such an intense antitrust case, he wouldn’t have retired so early.

While Microsoft is now recapturing its dominant position, thanks to a focus on the cloud computing segment, it spent years lurking in the shadows as an also-ran in the technology segment. This was still a very profitable company, but it had fallen from the dizzy heights of the 80s and 90s. The world moved from the home computer to mobile, and Microsoft was slow to react.

On the other side of the equation, Google acquired Android and entered the mobile world. This is perhaps one of the smartest bits of business ever, as Google reportedly acquired Android for as little as $50 million. Without this OS, Google would not have dominated the mobile world and would not be anywhere near as profitable as it is today.

Gates might be exaggerating with his claims here, though the world certainly look a lot different if Microsoft had won the mobile OS race.

Google forms alliance with some Android security specialists

The App Defense Alliance brings together Google, ESET, Lookout, and Zimperium to combat baddies on Android.

Considering how huge and diverse the Android ecosystem is it’s surprising how few malware catastrophes it has had. Maybe that thanks in part to the work of companies like Lookout, that offer freemium security apps on the Play Store. Google has apparently decided to be a bit more proactive on the security front itself, but without undermining all the good work that has already been done, hence the creation of the App Defense Alliance.

Working closely with our industry partners gives us an opportunity to collaborate with some truly talented researchers in our field and the detection engines they’ve built,” blogged Dave Kleidermacher, VP, Android Security & Privacy. “This is all with the goal of, together, reducing the risk of app-based malware, identifying new threats, and protecting our users.”

The clever bit involves integrating the Google Play Protect detection systems with each partner’s scanning engines. This will result in several pairs of eyes having a close look at apps that are in the queue for publication on the Play store and, in theory, resuce the chances of any of them containing any moody code.

Judging by an interview Kleidermacher gave Wired, from Google’s perspective this is all about coordinating the security efforts of a bunch of previously autonomous players. What’s in it for the other partners isn’t so obvious. In the Wired article they said all the right things about being greater than the sum of their parts, but we wouldn’t be surprised if a bit of Google cash helped persuade them too.