Are hardware makers doing enough to keep Android phones secure?

For all the good of Android’s open-source approach, one of the clear and consistent downsides is that the onus to issue software updates falls on the manufacturer. That can mean frustration for those waiting for the latest and greatest feature updates — and in some cases, it can put your phone at risk with delayed or missed security updates.

A pair of researchers at Security Research Labs recently shared a study with Wired highlighting some of these risks. The team’s findings are the result of testing 1,200 Android handsets from all the major manufacturers over the course of two years, examining whether manufacturers had offered the security patches as advertised.

According to SRL, missed security patches were discovered on a wide range of different handsets across manufacturers. Sony and Samsung were both flagged as having missed some security patches — in some cases in spite of reporting that they were up to date. “It’s almost impossible for the user to know which patches are actually installed,” one of the researchers told the site. Xiaomi, Nokia, HTC, Motorola and LG all made the list, as well, while TCL and ZTE fared the worst in the study, with, on average, not having installed more than four of the patches they claimed to have installed on a given device.

In a statement provided to TechCrunch, Google pointed to the importance of various different means used to secure the Android ecosystem. The company believes that the SRL findings might not tell the full story when it comes to keeping devices secure.

“We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem,” the company writes. “We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”

The company also pointed us to this year in review post, which sheds a bit more light on the matter.

Google I/O 2017: What to Expect

Thousands of software and hardware developers will descend on the Googleplex to hear about the company's latest products. Here's what they might be.

Foursquare Swarm (for Android)

Foursquare's Swarm is a compelling take on life- and location-logging, with a reworked interface and a welcome simplification of features.

The 100 Best Android Apps of 2017

These are the essential Android apps you need, whether you're outfitting the latest Pixel phone or plugging along with a much older device.

Google’s new Android App Bundles promise to make apps radically smaller

Google today announced Android App Bundles, a new tool for developers that will make apps radically smaller. The trick here is that developers can now say which of their apps’ assets should be included for a given device so there’s no need to ship every visual asset for every screen size and support for every language to every user, for example — something many developers do today. That can result in install files that can sometimes be more than 50 percent smaller than before.

As Google’s Stephanie Cuthbertson told me, large download sizes are often an issue for users in developing countries, but elsewhere, too, users often balk at installing large apps. “Apps are targeting more countries than ever, they have more features than ever,” she told me. “But we know the larger apps are, the fewer installs they get.”

To enable this new feature, Google rearchitected its whole app serving stack. As Cuthbertson noted, that was a major project. Since the Android team had been toying with this idea for a while, though, most of the Android platform was ready for this change. So while the standard APK format isn’t going to change, every user now essentially gets a somewhat personalized file when hitting the Install button in Google Play.

Google says it trialed this service with some of its own apps already, including the YouTube and Google apps. A couple of other partners also tested it already; Microsoft, for example, saw a 23 percent file reduction for the LinkedIn app.

Most of the hard work to enable this feature is handled by Google, but developers who want to make use of it do have to specify which assets and languages they want to ship to which users. As Cuthbertson noted, much of this was possible before, but it was hard to do for developers. Now, they can use the same development flow as before and only have to make some very minor changes to enable support for App Bundles.

In addition to delivering the full app through an App Bundle, Google is also today introducing a related new tool: dynamic features. This essentially allows developers to make their apps modular. As Cuthbertson noted, that may be especially interesting to developers whose apps offer lots of features, some of which may only see usage by a very small number of users. For those users, developers can simply ship that feature on demand when they attempt to use it. Developers can start experimenting with these features in the latest canary release of Android Studio.

Secure communications service Wickr is rolling out new free features

Wickr, the secure communications service, is bringing new features to its free users. Already available to paying Wickr customers, users of Wickr’s “Me” service will also now be able to enjoy encrypted calling to protect against listening ears. The company is adding end-to-end encrypted calling along with encrypted and ephemeral voice messages and memo. These […]

Samsung’s Wemogee App Uses Emoji as Speech Therapy

You might think of emojis as a fun gimmick, but speech therapists see their potential to help patients who suffer from a neurological disorder called aphasia.

Insta360 One gets a massive upgrade with FlowState stabilization

One of the better 360-degree cameras out there just got a lot better: The Insta360 One, a standalone 4K 360 camera with a built-in iPhone or Android hardware connector now supports FlowState onboard stabilization. This provides much better automatic stabilization than the Insta360 One supported at launch, and enables a bunch of new editing and formatting features that really improve the value proposition of the $299 gadget. As you can see above, FlowState allows you to do a lot more with your footage after the fact, including creating smooth pans across footage for exporting to more standard vertical and wide-angle formats (since it’s very rare that people actually watch all that much true 360-degree footage). The changes make Insta360’s device a lot more like the Rylo camera in use, and more suitable for action sports and other adventure-friendly uses. Users can now add transition points in the mobile app to create dynamic camera angle changes, and also set object or person active tracking. There’s a hyper lapse feature that speeds up time for pulling more action out of even leisurely bike rides, and you can also take over manually to basically direct the experience as if you were shooting it in real time with a traditional video camera, including doing things like zooming. This update will be pushed out via the updated Insta360 app, and will require a firmware update for existing cameras. It’s a big upgrade for existing users, and a compelling reason to pick this up if you’re looking for something that’s easy to use, compatible with a range of mounts (it has a standard tripod screw mount in its base) and relatively affordable (cheaper than a GoPro Hero 6).

Full Android to Arrive in Cars Within 2 Years

Google wants automakers to install a full copy of the Android OS—not just Android Auto—in their cars to control windows, air conditioning, and more.

Facebook, Google face first GDPR complaints over “forced consent”

After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation (GDPR), is now being applied — and long time Facebook privacy critic, Max Schrems, has wasted no time in filing four complaints relating to (certain) companies’ ‘take it or leave it’ stance when it comes to consent. The complaints have been filed on behalf of (unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android. Schrems argues that the companies are using a strategy of “forced consent” to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service. (And, well, Facebook claims its core product is social networking — rather than farming people’s personal data for ad targeting.) “It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’,” Schrems writes in a statement. “Facebook has even blocked accounts of users who have not given consent,” he adds. “In the end users only had the choice to delete the account or hit the “agree”-button — that’s not a free choice, it more reminds of a North Korean election process.” We’ve reached out to all the companies involved for comment and will update this story with any response. The European privacy campaigner most recently founded a not-for-profit digital rights organization to focus on strategic litigation around the bloc’s updated privacy framework, and the complaints have been filed via this crowdfunded NGO — which is called noyb (aka ‘none of your business’). 
As we pointed out in our GDPR explainer, the provision in the regulation allowing for collective enforcement of individuals’ data rights is an important one, with the potential to strengthen the implementation of the law by enabling non-profit organizations such as noyb to file complaints on behalf of individuals — thereby helping to redress the imbalance between corporate giants and consumer rights. That said, the GDPR’s collective redress provision is a component that Member States can choose to derogate from, which helps explain why the first four complaints have been filed with data protection agencies in Austria, Belgium, France and Hamburg in Germany — regions that also have data protection agencies with a strong record defending privacy rights. Given that the Facebook companies involved in these complaints have their European headquarters in Ireland it’s likely the Irish data protection agency will get involved too. And it’s fair to say that, within Europe, Ireland does not have a strong reputation for defending data protection rights. But the GDPR allows for DPAs in different jurisdictions to work together in instances where they have joint concerns and where a service crosses borders — so noyb’s action looks intended to test this element of the new framework too. Under the penalty structure of GDPR, major violations of the law can attract fines as large as 4% of a company’s global revenue which, in the case of Facebook or Google, implies they could be on the hook for more than a billion euros apiece — if they are deemed to have violated the law, as the complaints argue. That said, given how freshly fixed in place the rules are, some EU regulators may well tread softly on the enforcement front — at least in the first instances, to give companies some benefit of the doubt and/or a chance to make amends to come into compliance if they are deemed to be falling short of the new standards.
However, in instances where companies themselves appear to be attempting to deform the law with a willfully self-serving interpretation of the rules, regulators may feel they need to act swiftly to nip any disingenuousness in the bud. “We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR,” writes Schrems. Only yesterday, for example, Facebook founder Mark Zuckerberg — speaking in an on stage interview at the VivaTech conference in Paris — claimed his company hasn’t had to make any radical changes to comply with GDPR, and further claimed that a “vast majority” of Facebook users are willingly opting in to targeted advertising via its new consent flow. “We’ve been rolling out the GDPR flows for a number of weeks now in order to make sure that we were doing this in a good way and that we could take into account everyone’s feedback before the May 25 deadline. And one of the things that I’ve found interesting is that the vast majority of people choose to opt in to make it so that we can use the data from other apps and websites that they’re using to make ads better. Because the reality is if you’re willing to see ads in a service you want them to be relevant and good ads,” said Zuckerberg. He did not mention that the dominant social network does not offer people a free choice on accepting or declining targeted advertising. The new consent flow Facebook revealed ahead of GDPR only offers the ‘choice’ of quitting Facebook entirely if a person does not want to accept targeting advertising. Which, well, isn’t much of a choice given how powerful the network is. (Additionally, it’s worth pointing out that Facebook continues tracking non-users — so even deleting a Facebook account does not guarantee that Facebook will stop processing your personal data.) 
Asked about how Facebook’s business model will be affected by the new rules, Zuckerberg essentially claimed nothing significant will change — “because giving people control of how their data is used has been a core principle of Facebook since the beginning”. “The GDPR adds some new controls and then there’s some areas that we need to comply with but overall it isn’t such a massive departure from how we’ve approached this in the past,” he claimed. “I mean I don’t want to downplay it — there are strong new rules that we’ve needed to put a bunch of work into making sure that we complied with — but as a whole the philosophy behind this is not completely different from how we’ve approached things. “In order to be able to give people the tools to connect in all the ways they want and build committee a lot of philosophy that is encoded in a regulation like GDPR is really how we’ve thought about all this stuff for a long time. So I don’t want to understate the areas where there are new rules that we’ve had to go and implement but I also don’t want to make it seem like this is a massive departure in how we’ve thought about this stuff.” Zuckerberg faced a range of tough questions on these points from the EU parliament earlier this week. But he avoided answering them in any meaningful detail. So EU regulators are essentially facing a first test of their mettle — i.e. whether they are willing to step up and defend the line of the law against big tech’s attempts to reshape it in their business model’s image. Privacy laws are nothing new in Europe but robust enforcement of them would certainly be a breath of fresh air. And now at least, thanks to GDPR, there’s a penalties structure in place to provide incentives as well as teeth, and spin up a market around strategic litigation — with Schrems and noyb in the vanguard.
Schrems also makes the point that small startups and local companies are less likely to be able to use the kind of strong-arm ‘take it or leave it’ tactics on users that big tech is able to use to extract consent on account of the reach and power of their platforms — arguing there’s a competition concern that GDPR should also help to redress. “The fight against forced consent ensures that the corporations cannot force users to consent,” he writes. “This is especially important so that monopolies have no advantage over small businesses.”


White-Hat Crypto Hackers Ranked Up $32,150 in Rewards in 7 Weeks

Are you a malicious hacker looking for a path to redemption? It turns out that you can get paid for using your sweet...