Quartz’ Keith Collins:
Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?
Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.
Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.
Quartz observed the data collection occur and contacted Google, which confirmed the practice.
Google claimed they weren’t doing anything with the data received from Android devices, and says they’ll stop doing it (at the end of the month) now that they’ve been caught by Quartz.
I’m not sure why anyone should trust Google’s word about what they were doing with this information when they explicitly use location information to target ads and were pulling this shit with no way for a user to disable it.
You can bet that companies like Google (photos), Facebook and their subsidiaries such as Instagram, and Twitter, also scrape location information whenever you upload photos to their services by reading the EXIF data attached to every photo. You can download apps like Metapho on iOS to remove the EXIF information from your photos before you share them.
Yesterday, Gizmodo reported that Uber had been granted an entitlement for their iOS app that allowed them to capture an image of an iPhone’s screen at any time, even when the Uber app was not the active app on the phone. This is a big deal, because users don’t typically expect than an iPhone app that is not active might have the ability to eavesdrop on anything they are doing.
I have long felt that the sandboxing infrastructure on both iOS and Mac should be used to more accurately convey to users specifically what the apps they install are capable of doing. Currently the sandboxing system is used primarily to identify to Apple what a specific app’s privileges are. The requested entitlements are used to inform Apple’s decision to approve or reject an app, but the specific list of entitlements is not easily available to users, whose security is actually on the line.
This is absolutely fucking ridiculous. Fuck Uber. Apple should be ashamed for working with them at any level. Allowing an app to covertly record your screen without any prompting is exactly the kind of thing that Apple’s iOS app review process should prevent.
Uber claims they didn’t do anything wrong with this ability, the security researchers told Gizmodo that they didn’t detect anything going on with this code.
There are companies that are less trustworthy than Uber, but few have the opportunity to be as evil on such a large scale. Enabling them to do anything more than operate at a basic level on your platform is a mistake. At this point Apple should block them entirely and attempt to help the Taxi industry to reform and compete with Uber. Not that Apple would ever would, but still that would be the best thing to come out of this. The next best thing would be the improvements to the entitlement system that Jalkut suggests.
I wouldn’t even bother to wonder what Uber are doing on Android, where security is a fucking joke and carriers are still selling devices running ancient versions of that operating system that are affected by dozens of security vulnerabilities. This is especially true for pay-as-you-go phones sold cheaply at places like Walmart, Target, and so on. Those carriers and stores are endangering their customers by continuing to sell these devices.
Finally, Android on the iPhone
You heard me. The holy war is over, brethren. At Tendigi, we’ve designed and built a case that allows iPhone devotees to sample the best Mountain View has to offer. Join me as I outline the steps taken to achieve this feat, as well as the numerous pitfalls encountered along the way.
Okay, that sounds interesting. I’d love some straightforward method of being able to try out modern versions of Android without having buy Android hardware.
It must have been extremely complicated to get this done in software!
I ended up having to port (or outright build) the following components for Android:
screenstreamer: A daemon I wrote that connects to the usbmuxd service, transmitting the screen’s contents to the iPhone and emulating touch events on the Android side. This is where the magic happens. While there are many ways to capture the screen on Android, I achieved the best performance by connecting to the SurfaceFlinger service and reading screenshots from it. For more information, see this header file and this presentation. The droidVncServer repository on GitHub also contains some helpful pointers.
Are you kidding me? This is the equivalent of VNC streaming a Windows 10 desktop to an Android phone and saying that you got Windows 10 to run on an Android phone. The “Final product” image is a thick ass backpack that contains off-the-shelf Android hardware strapped onto an iPhone and looks like crap. If this were from a 14 year old at a school science fair that would be incredible.
To that end, today we’re launching a portal for podcasters to start uploading their shows to Google Play Music before we open up the service to listeners.
Translated from Google-speak: The Google Play Music app for Android (and iOS) is going to download podcasts to Google servers and rehost them on their own servers. Podcast publishers will only have access to listener metrics for Google Play Music listeners through Google’s interface. Google will also insert extra ads around the podcasts that aren’t from, and won’t benefit, the podcast publisher:
Google reserves the right to show display (image) ads alongside podcast content. Google will not insert any pre-roll ads before podcast content starts or mid-roll ads during a given podcast episode. Google reserves the right to serve post-roll video or audio ads after podcast content. Google Play Music does not provide direct payment or revenue share for podcast content.
Today, podcast publishers put up an RSS feed that anyone can use. It’s an open standard that any client can download one of these RSS feeds, get a list of episodes, and download them. Publishers interpret the one metric that matters, downloads, and use that in addition to occasional surveys of their listening audience to sell ads to advertisers if they choose to run advertising. If Google Play Music becomes the way that most people listen to podcasts it will destroy the open standard and increase the number of advertisements that people are forced to listen to. This is not good.
Dan Goodin writing for Ars about newly published vulnerabilities:
There’s a new round of Stagefright vulnerabilities that allows attackers to execute malicious code on more than one billion phones running ancient as well as much more recent versions of Google’s Android operating system.
Stagefright 2.0, as it’s being dubbed by researchers from security firm Zimperium, is a set of two bugs that are triggered when processing specially designed MP3 audio or MP4 video files. The first flaw, which is found in the libutils library and is indexed as CVE-2015-6602, resides in every Android version since 1.0, which was released in 2008. The vulnerability can be exploited even on newer devices with beefed up defenses by exploiting a second vulnerability in libstagefright, a code library Android uses to process media files. Google still hasn’t issued a CVE index number for this second bug.
When combined, the flaws allow attackers to used booby-trapped audio or video files to execute malicious code on phones running Android 5.0 or later. Devices running 5.0 or earlier can be similarly exploited when they use the vulnerable function inside libutils, a condition that depends on what third-party apps are installed and what functionality came preloaded on the phone.
It is always the wrong time to be an Android user.
Attack code that allows hackers to take control of vulnerable Android phones finally went public on Wednesday, as developers at Google, carriers, and handset manufacturers still scrambled to distribute patches to hundreds of millions of end users.
The critical flaws, which reside in an Android media library known as libstagefright, give attackers a variety of ways to surreptitiously execute malicious code on unsuspecting owners’ devices. The vulnerabilities were privately reported in April and May and were publicly disclosed only in late July. Google has spent the past four months preparing fixes and distributing them to partners, but those efforts have faced a series of setbacks and limitations.
Can Apple ship that switching app for Android before stagefright gets patched in the majority of devices?
Will anybody even be able to find it in the Google play store among the scam apps that claim to support iMessage and make your Android device have an iOS-style (but terribly implemented) home screen?
Rightfully scathing article from Vice’s Motherboard’s Lorenzo Franceschi-Bicchierai:
I’ve been antagonistic with Apple products ever since I was a teenager, when Apple used to try to shove its apps down my throat (cough iTunes cough) whenever I just wanted to watch a movie trailer on Quicktime. I never liked Apple’s walled garden and “we-control-everything” approach, and I particularly disliked Apple fanboys’ dumb “oh my god there’s a new iThing coming out” reverence and hysteria.
So when the original iPhone came out a few years ago, I swore in multiple heated discussions with friends and strangers that I’d never buy an iPhone. Since then, I’ve only owned Android phones. First a few HTC ones, now a Sony phone.
Well, I’m sick of it. And I’m ready to go to the dark side.
I love the Android users in the comments chiming in that rooting a device and installing a custom ROM is a reasonable thing to do for Android devices that receive no updates from their carriers and manufacturers.
The ability for devices to receive updates in a timely fashion is critical to having even the vaguest hint of security in our post-Snowden revelations world. Windows 10‘s silent update mechanism is a great step in that direction for end-user security. Google even does it for their Chrome browser. Everybody else needs to get on board with it.
In his double-feature review of the HTC Droid Incredible and the Sprint EVO Andy Ihnatko summed it up perfectly when he said:
Working with any user interface developed by Google is like making out with Mister Spock. The company rarely demonstrates any sort of a working understanding of what the Humans respond to and doesn’t show any real desire to learn.