Western security advisers are warning delegates at the COP27 climate summit not to download the host Egyptian government's official smartphone app, amid fears it could be used to hack their private emails, texts and even voice conversations. From a report: Policymakers from Germany, France and Canada were among those who had downloaded the app by November 8, according to two separate Western security officials briefed on discussions within these delegations at the U.N. climate summit.

Other Western governments have advised officials not to download the app, said another official from a European government. All of the officials spoke on the condition of anonymity to discuss international government deliberations. The potential vulnerability from the Android app, which has been downloaded thousands of times and provides a gateway for participants at COP27, was confirmed separately by four cybersecurity experts who reviewed the digital application for POLITICO. The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users' emails and messages. Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO's technical review of the application, and two of the outside experts.

Google is bringing its VPN access to desktop today. Google One subscribers on Premium plans (2TB or higher) can now download VPN apps for Windows and macOS, allowing users in 22 countries to mask their IPs on desktop and reduce online trackers. From a report: While Google is expanding its VPN service, it still comes with the same restrictions as Android and iOS. You'll only be able to use the service in one of the supported countries, and you won't be able to use Google's VPN freely to avoid geo-restrictions on live sports or other streaming video. Much like Apple's iCloud Plus VPN service, the Google One VPN won't let you assign an IP address from a different country manually. Instead, Google assigns you an IP in the region you're connecting from.

A new article from Wired calls Rust "the 'viral' secure programming language that's taking over tech."

"Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can't come soon enough...." [A] growing movement to write software in a language called Rust is gaining momentum because the code is goof-proof in an important way. By design, developers can't accidentally create the most common types of exploitable security vulnerabilities when they're coding in Rust, a distinction that could make a huge difference in the daily patch parade and ultimately the world's baseline cybersecurity....

[B]ecause Rust produces more secure code [than C] and, crucially, doesn't worsen performance to do it, the language has been steadily gaining adherents and now is at a turning point. Microsoft, Google, and Amazon Web Services have all been utilizing Rust since 2019, and the three companies formed the nonprofit Rust Foundation with Mozilla and Huawei in 2020 to sustain and grow the language. And after a couple of years of intensive work, the Linux kernel took its first steps last month to implement Rust support. "It's going viral as a language," says Dave Kleidermacher, vice president of engineering for Android security and privacy. "We've been investing in Rust on Android and across Google, and so many engineers are like, 'How do I start doing this? This is great'...."

By writing new software in Rust instead, even amateur programmers can be confident that they haven't introduced any memory-safety bugs into their code.... These types of vulnerabilities aren't just esoteric software bugs. Research and auditing have repeatedly found that they make up the majority of all software vulnerabilities. So while you can still make mistakes and create security flaws while programming in Rust, the opportunity to eliminate memory-safety vulnerabilities is significant....

"Yes, it's a lot of work, it will be a lot of work, but the tech industry has how many trillions of dollars, plus how many talented programmers? We have the resources," says Josh Aas, executive director of the Internet Security Research Group, which runs the memory-safety initiative Prossimo as well as the free certificate authority Let's Encrypt. "Problems that are merely a lot of work are great."
Here's how Dan Lorenc, CEO of the software supply-chain security company Chainguard, explains it to Wired. "Over the decades that people have been writing code in memory-unsafe languages, we've tried to improve and build better tooling and teach people how to not make these mistakes, but there are just limits to how much telling people to try harder can actually work.

"So you need a new technology that just makes that entire class of vulnerabilities impossible, and that's what Rust is finally bringing to the table."

Linux magazine explores how to breath fresh life into old Android devices: Every mobile device needs its own Android build because of numerous drivers that are not available in the source code. The need to maintain every version of Android for every mobile device means that many manufacturers eventually stop supporting updates. Often, smartphones or tablets that still work perfectly can no longer be used without worry because the manufacturer has simply ceased to offer bug fixes and security updates....

The LineageOS project, the successor to the CyanogenMod project, which was discontinued in 2016, proves that it is not impossible to keep these devices up-to-date. Unpaid volunteers at LineageOS do the work that many manufacturers do not want to do: They combine current Android releases with the required device-specific drivers.

The LineageOS project (Figure 1) provides Android systems with a fresh patch status every month for around 300 devices. The builds are released weekly, unless there is a problem during the build. The Devices page on the LineageOS Wiki provides the details of whether a LineageOS build is available for your smartphone or tablet....

I recommend the LineageOS project as the first port of call for anyone who wants to protect an older smartphone or tablet that is no longer maintained and doesn't receive Google security patches. The LineageOS derivatives LineageOS for MicroG and /e/OS make it even easier to enjoy a Google-free smartphone without too many restrictions.
The article also describes how to use TWRP to flash a manufacturer-independent recovery system (while also creating a restoreable backup of the existing system) as an alternative to LineageOS's own recovery tools.

And it even explains how to unlock the bootloader — although there may be other locks set up separately by the manufacturer. "Some manufacturers require you to register the device to unlock it, and then — after telling you that the warranty is now void — they hand over a code. Others refuse to unlock the device altogether."

Thanks to Slashdot reader DevNull127 for submitting the article.

According to a new report, almost half of Android-based mobile phones used by U.S. state and local government employees are running outdated versions of the operating system, exposing them to hundreds of vulnerabilities that can be leveraged for attacks. From a report: These statistics come from a report by cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million applications from 2021 to H2 2022. The report additionally warns of a rise in all threat metrics, including attempted phishing attacks against government employees, reliance on unmanaged mobile devices, and liability points in mission-critical networks. Outdated versions of mobile operating systems allow attackers to exploit vulnerabilities that can be used to breach targets, run code on the device, plant spyware, steal credentials, and more. For example, last week, Apple released iOS 16.1, fixing an actively exploited zero-day memory corruption flaw used by hackers against iPhone users to achieve arbitrary code execution with kernel privileges.

Lookout reports that ten months after iOS 15 had been made available to users, 5% of federal government employees and 30% of state and local government devices were running older versions of the operating system. The situation is much worse for Android, as ten months after the release of version 12, approximately 30% of federal devices and almost 50% of state and local government devices still needed to upgrade to the latest versions, thus remaining vulnerable to bugs that can be exploited in attacks. It should be noted that Android 13 is the latest version of the operating system, but it was released after the first half of 2022, from which this data was collected.

Much of the Windows world has yet to adopt Microsoft's latest desktop operating system more than a year after it launched, according to figures for October collated by Statcounter. From a report: Just 15.44 percent of PCs across the globe have installed Windows 11, meaning it gained 1.83 percentage points in a month. This compares to the 71.29 percent running Windows 10, which fell marginally from 71.88 percent in September. Windows 7 is still hanging on with a tenuous grip, in third place with 9.61 percent, Windows 8.1 in fourth with 2.45 percent, plain old Windows 8 with 0.69 percent, and bless its heart, Windows XP with 0.39 percent because of your extended family. In total, Windows has almost 76 percent of the global desktop OS market followed by OS X with 15.7 percent and Linux with 2.6 percent. Android comprised 42.37 percent of total operating system market share, with Windows trailing on 30.11 percent, iOS on 17.6 percent, OS X on 6.24 percent, and Linux on 1.04 percent.

An anonymous reader quotes a report from 9to5Google: Google is preparing to shut down the dedicated Street View app on Android, keeping the feature in Google Maps. Google's Street View is an easy way to get a 360-degree look at almost any given street on the planet, perfect for getting a sense of your next travel destination or simply exploring the world from the comfort of home. While the Google Maps app has long offered an easy way to hop into Street View, there has also been a dedicated Street View app on Android and iOS.

This standalone app served two distinct groups of people -- those who wanted to deeply browse Street View and those who wanted to contribute their own 360 imagery. Considering the more popular Google Maps app has Street View support and Google offers a "Street View Studio" web app for contributors, it should be no surprise to learn that the company is now preparing to shut down the Street View app.

In the latest update, version 2.0.0.484371618, Google has prepared a handful of deprecation/shutdown notices for the Street View app. These notices are not yet visible in the app today, but our team managed to enable them. In the notice, Google confirms that the Street View app is set to shut down on March 31, 2023, encouraging users to switch to either Google Maps or Street View Studio. However, one feature that is being fully shut down with the Street View app's demise is that of "Photo Paths." First launched last year, Photo Paths were intended as a way to let nearly anyone with a smartphone contribute simple 2D photos of a road or path that had not yet been documented by Street View. Unlike every other feature of the Street View app, there is no replacement for Photo Paths on the web app or Google Maps app.

An anonymous reader quotes a report from Android Authority: It's been five years since the advent of the eSIM card on smartphones, and yet the computer in our pockets is still tied down to a plastic tab that hasn't changed all that much since its debut in 1991. What gives? [...] An eSIM-enabled phone can store multiple SIM cards on the device. It makes switching networks as simple as switching your Wi-Fi network, and that's anything but convenient for mobile operators. For users in areas with spotty connectivity or rural networks, easier switching to alternative operators means loss of business for major players like Verizon or AT&T. In markets like India, dual-wielding SIM cards for better data, voice, or preferential rates are exceptionally common. Taking away the friction involved in changing physical SIM cards carries the risk of losing a customer, and it's no secret that operators have been dragging their feet to avoid that.

Theoretically, setting up an eSIM on any network should be as straightforward as pointing your camera at a QR code and activating a line. In practice, that's rarely true. Verizon's support page suggests that Android users need to call up a support desk to activate an eSIM. iPhone users have it slightly easier and can directly add the line to the phone through Verizon's website. Meanwhile, Vodafone requires you to install an app. Finally, the likes of Airtel India ask you to play a game of the fastest finger first by requiring an SMS response within 60 seconds to proceed with adding an eSIM to your line. None of these are as simple as just popping out a tray and plopping in your SIM card.

Meanwhile, as internet-based calling, texting, and video messaging become the norm, carriers are left with increasingly few add-ons to increase revenues. Tack on sky-high spectrum prices for resources like 5G and eSIMs become even less enticing to carriers. Tangential features like premium-priced international roaming plans are yet another profit driver that eSIMs circumvent. When done right, getting started with an international eSIM can be a simple two to three-click process to get you onboarded and ongoing. My colleague Rita and I have had a fantastic experience with travel eSIM services like Airalo. When I tried out Airalo earlier this year, the process took just a few taps indicating that there was no real reason for eSIMs to be complicated. However, for most operators, that just isn't the case. While hard to quantify, this needless friction has certainly hampered consumer perception of eSIMs.

Nearly six years after the Pebble smartwatch was purchased by Fitbit and discontinued, a new Pebble app for Android has been released by the Rebble Alliance, a group that has kept Pebble viable for its users since Fitbit shut down Pebble's servers in mid-2018," writes Ars Technica's Kevin Purdy. "Pebble version 4.4.3 makes the app 64-bit so it can work on the mostly 64-bit Pixel 7 and similar Android phones into the future. It also restores a caller ID function that was hampered on recent Android versions." From the report: Most notably, the app is "signed using the official Pebble keys," with Google Fit integration maintained, but isn't available through Google's Play Store. Google acquired Fitbit for $2.1 billion, making it the steward of Pebble's remaining IP and software pieces. Katharine Berry, a key Rebble coder and leader, works on Wear OS at Google and was one of the first to tweet news of the new update, "four years after 4.4.2." That was the last Play Store update to the Pebble app from Pebble developers, one that freed up many of the app's functions to be replaced by independent servers.

That's exactly where Rebble picked up, providing web services to Pebble watches, including (for paying subscribers) voice dictation. But those services still relied on the core Pebble app to connect the watch and smartphone. If Android did make the leap to a 64-bit-only OS, it could have left Pebble/Rebble users in the lurch. Berry's post on r/pebble offers "thanks to Google for providing us with one last update!" This is, to be sure, not the typical outcome of products that have been acquired by Google, even if second-hand.

According to Protocol, Amazon and Google have struck a deal in recent months that allows Fire TV models to be produced by Android TV partners. From the report: As a result of that deal, Amazon has been able to work with a number of consumer electronics companies -- including not only TCL, but also Xiaomi and Hisense -- to vastly expand the number of available smart TVs running Fire TV OS. All of these companies were previously barred from doing so under licensing terms imposed by Google. The agreement may also alleviate some of the pressure Google has been feeling as regulators around the world have investigated its Android platform. However, some experts are skeptical a singular deal will address the overarching concerns with Google's operation and licensing of Android to third parties.

The deal between Amazon and Google resolves a yearslong dispute over licensing restrictions Google imposes on hardware manufacturers that make Android-based phones, TVs, and other devices. In order to gain access to Google's officially sanctioned version of Android as well as the company's popular apps like Google Maps and YouTube, manufacturers have to sign a confidential document known as the Android Compatibility Commitment. The ACC prevents manufacturers from also making devices based on forked versions of Android not compatible with Google's guidelines. The ACC, which was previously known as the Anti-Fragmentation Agreement, had long been an open secret in industry circles. Its full impact on the smart TV space became public when Protocol reported terms of the agreement in March of 2020 and outlined how the policy effectively barred companies like TCL from making smart TVs running any forked version of Android, including Amazon's Fire TV OS.

Google has been justifying these policies by pointing to the harmful consequences of Android fragmentation, positing that the rules assured developers and consumers that apps would run across all Android-based devices. However, the crux of Google's requirements is that they apply across device categories. By making a Fire TV-based smart TV, TCL would have effectively risked losing access to Google's Android for its smartphone business -- a risk the company, and many of its competitors that develop both smartphones and TVs, weren't willing to take. At the time, both Google and Amazon declined to comment on the dispute. However, Amazon was a lot more forthcoming when it talked to Indian regulators for a wide-ranging probe into Google's Android policies. "Given the breadth of the anti-fragmentation obligations, Amazon has also experienced significant difficulties in finding [original equipment manufacturer] partners to manufacture smart TVs running its Fire OS," the company's Indian subsidiary told regulators in a submission that was included in last week's report. Amazon told regulators that "at least seven" manufacturers had told the company they weren't able to make Fire TV-based smart TVs because of Google's restrictions.

"In several cases, the OEM has indicated that it cannot work with Amazon despite a professed desire to do so in connection with smart TVs," Amazon said in its submission. "In others, the OEM has tried and failed to obtain 'permission' from Google."

An anonymous reader shares a report: Microsoft is still struggling to learn what exactly it takes to be a successful Android manufactuer. The company's first self-branded Android phones, the dual-screened Surface Duo and Surface Duo 2, have tried to resurrect Microsoft's mobile ambitions after the death of Windows Phone. They leave a lot to be desired, though, and the first version went through some embarrassing fire sales. An ongoing knock against the devices has also been Microsoft's very slow OS updates. Unlike, say, Windows and Windows Update, Google's expensive and labor-intensive Android update process puts the responsibility for updates on the hardware seller, and a big part of being a good Android OEM is how quickly you can navigate this complicated process. Microsoft is proving to not be good at this.

This week, Microsoft announced the Surface Duo and Surface Duo 2 are finally getting Android 12L, an OS update that came out in March. That puts that company at a more than seven-month update time, which is worst-in-class for a flagship device, especially for one costing the $1,499 Microsoft is charging for the Duo 2. The company took a prolonged 14 months to ship Android 11 to the Surface Duo, so at least it's improving!

Samsung is starting to roll out a "Maintenance Mode" feature for its phones that's designed to keep your messages, photos, info, and accounts safe when you're getting your phone repaired. The Verge reports: According to Samsung's press release, Maintenance Mode basically creates a separate user account that will let someone access "core functions" of the phone without being able to see any of your data. That means a repair tech will still be able to test your phone, but you won't have to worry about them seeing anything they shouldn't. Once you get your phone back, you can unlock it to turn off Maintenance Mode, which will also undo anything that was done while the phone was being repaired (e.g., test photos will be erased, new apps will be uninstalled, and settings changes will be reversed).

Samsung says the feature will be "gradually rolling out over the next few months" to select phones running the Android 13-based One UI 5 -- if you want an idea of when your phone might be getting that update, check out this article. It'll also roll out to "more Galaxy devices" throughout next year. The company does warn, however, that the "timing of availability may vary by market, model and network provider," as updates can take a while to filter through carriers.

Chrome will no longer support Windows 7 nor Windows 8.1 upon the release of Chrome 110, currently scheduled to hit stable on February 7, 2023. From that point on, you'll need to be running at least Windows 10 to maintain access to new builds. Android Police reports: While Google won't be doing anything to stop users of older platforms from continuing to install and run earlier releases of Chrome, they'd be missing out on the latest critical security and usability enhancements.

An anonymous reader quotes a report from Ars Technica: Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What's different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn't yet available. In the coming months, all of that should be ironed out, though.

Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack. Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or -- in the absence of biometric capabilities -- the PIN that's associated with the token. What's more, hardware tokens use FIDO's Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in. "Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography)," said Andrew Shikiar, FIDO's executive director and chief marketing officer. "By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and -- very significantly -- allows the service provider to start retiring passwords as a means of account recovery and re-enrollment."

In other words: "Passkeys just trade WebAuthn cryptographic keys with the website directly," says Ars Review Editor Ron Amadeo. "There's no need for a human to tell a password manager to generate, store, and recall a secret -- that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."

If you're eager to give passkeys a try, you can use this demo site created by security company Hanko.

While many people in California felt a moderate earthquake Tuesday, some smartphone users actually got a heads-up before it happened thanks to technology developed at the University of California, Berkeley. Axios reports: Researchers at Berkeley released an app called MyShake that can offer a brief earthquake warning by detecting the signals of an earthquake just before they are felt. Think of it like how you can see lightning before you hear thunder. The app works on both iPhone and Android, but Google announced in 2020 it would implement Berkeley's technology directly into Android, allowing far more people to benefit.

As often happens after an earthquake, people turned to Twitter after the Magnitude 5.1 quake. But some reported getting the alert first. "Got the earthquake alert on my Android phone a few seconds before I felt it," Google's Dieter Bohn said in a tweet. Google CEO Sundar Pichai also tweeted about getting the alert.

India's antitrust watchdog has hit Google with $113 million fine for abusing the dominant position of its Google Play Store and ordered the firm to allow app developers to use third-party payments processing service for in-app purchases or for purchasing apps, the second such penalty on the Android-maker in just as many weeks in its largest market by users. From a report: The Competition Commission of India, which opened the probe into Google in late 2020, said mandating developers to use Google's own billing system for paid apps and in-app purchases through Play Store "constitutes an imposition of unfair condition" and thus violates provisions of the nation's competition act. The regulator -- which interviewed several industry players including Paytm, Zomato, Info Edge, Samsung, Vivo, Xiaomi, Microsoft and Realme as part of the investigation -- said that Google not using its billing system for its own apps such as YouTube amounts to "imposition of discriminatory conditions."

"Google is giving Apple a taste of its own medicine," reports Business Insider, arguing that the latest update to Android's messaging app "is going to make texting between iPhone and Androids even more annoying than it already is." [Alternate URL] The updates are great if you're an Android user. Google Messages' new features include the ability to reply to individual messages, star them, and set reminders on texts. But these features and some other updates to Messages are RCS-enabled, meaning they're not going to be very compatible with SMS, which is the texting standard that iMessage switches to when messaging someone without an iPhone. iPhones exchange messages using iMessage, Apple's proprietary messaging system, but revert to SMS when texting an Android.

One feature that's part of Google's payback to Apple is that now, when Messages users react to an SMS text with an emoji, iPhone users will get a text saying the other person reacted to their text with a description of whatever emoji the person used. It's similar to when iMessage users react to an SMS text, with the recipient getting a "so and so loved" message instead of seeing the heart emoji reaction.... In August, Android launched a page on its website calling Apple out for refusing "to adopt modern texting standards when people with iPhones and Android phones text each other." The page has buttons that take users to Twitter to tweet at Apple to "stop breaking my texting experience. #GetTheMessage" with a link to Android's page urging Apple to "fix texting."

"We would much prefer that everybody adopts RCS which has the capability to support proper reactions," Jan Jedrzejowicz, Google Messages product manager, said in a briefing before the Messages updates were announced. "But in the event that's not possible or hasn't happened yet, this feels like the next best thing." Recently, Apple CEO Tim Cook said he doesn't get a lot of feedback from iPhone users that Apple needs to fix messaging between iPhones and Androids. Apple doesn't have much incentive to do so, either. In legal documents from a 2021 lawsuit between Epic Games and Apple, an Apple executive said "Moving iMessage to Android will hurt us more than help us."

Microsoft has decided the Windows Subsystem for Android (WSA) -- its offering that runs Android VMs which behave just like another application in Windows -- is sufficiently stable that it can be designated version 1.0 and made available to all. From a report: While it's lovely that Windows can now run Android VMs, Hendrixson's tweet needs a little parsing. The "50,000 apps" he mentions are only available from the Amazon.com app store -- not the larger Google Play digital tat bazaar. Google's apps aren't in the Amazonian store, nor are Microsoft's. I couldn't find Twitter, WhatsApp, Slack, any of the banks I use, or the Australian government apps I need to access services. In fact it's tough work to find apps other than games in the store -- and when a search term does bear fruit it delivers what look like knockoff apps that scream "here be dragons."

Amazon says over half a dozen hardware vendors have indicated that they cannot enter into a TV manufacturing relationship with the e-commerce group over fear of retaliation from Google, escalating tension with the search giant with whom it competes on several businesses. From a report: The revelation, officially shared by Amazon for the first time, was made by the company's unit in India to the Competition Commission of India as part the antitrust watchdog's years-long investigation into Google over claims that it abuses the dominant position in Android. Google does abuse its dominant position in Android, the regulator said Thursday in a statement, slapping a $162 million fine on Thursday.

India's antitrust watchdog fined Google $161.9 million on Thursday for anti-competitive practices related to Android mobile devices in "multiple markets" in a major setback for the search giant in the key overseas nation where it has poured billions of dollars over the past decade. From a report: The Competition Commission of India, which began investigating Google several years ago after complaints from local firms, said in its order that Google requiring device manufacturers to pre-install its entire Google Mobile Suite and mandating prominent placement of those apps "amounts to imposition of unfair condition on the device manufacturers" and thus was in "contravention of the provisions of Section 4(2)(a)(i) of the Act." It also ordered the Android-maker to not offer any incentives to smartphone makers to exclusively carry its search services.