Security

Secret Chips in Replacement Parts Can Completely Hijack Your Phone's Security (arstechnica.com) 50

Dan Goodin, writing for ArsTechnica: People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens -- one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 -- can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it. The research, in a paper presented this week (PDF) at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary."
Media

Video Is Coming To Reddit (variety.com) 67

An anonymous reader shares a report from Variety: Videos are coming to Reddit, thanks to a new feature that allows users to upload video clips directly to the service. Reddit rolled out the new video feature Tuesday after testing it with around 200 communities over the past couple of weeks. Reddit users are now able to upload videos of up to 15 minutes in length, with file sizes being limited to 1 gigabyte. Users will be able to upload videos via Reddit's website and its mobile apps for iOS and Android, with the latter offering basic trimming functionality as well. And, in keeping with the spirit of the site, Reddit is also offering a conversion tool to turn videos into animated Gifs. Videos are being displayed persistently, or pinned, meaning that users can scroll through the comments while the video keeps playing in the corner of their screen. And community moderators can opt not to allow videos in their Subreddits at all, with Le arguing that some discussion-heavy Subreddits may decide that the format just doesn't work for them.
Desktops (Apple)

In Defense of the Popular Framework Electron (dev.to) 127

Electron, a popular framework that allows developers to write code once and seamlessly deploy it across multiple platforms, has been a topic of conversation lately among developers and users alike. Many have criticised Electron-powered apps for being "too memory intensive." A developer, who admittedly uses a high-end computer, shares his perspective: I can speak for myself when I say Electron runs like a dream. On a typical day, I'll have about three Atom windows open, a multi-team Slack up and running, as well as actively using and debugging my own Electron-based app Standard Notes. [...] So, how does it feel to run this bloat train of death every day? Well, it feels like nothing. I don't notice it. My laptop doesn't get hot. I don't hear the fan. I experience no lags in any application. [...] But aside from how it makes end-users feel, there is an arguably more important perspective to be had: how it makes software companies feel. For context, the project I work on is an open-source cross-platform notes app that's available on most platforms, including web, Mac, Windows, Linux, iOS, and Android. All the desktop applications are based on the main web codebase, and are bundled using Electron, while the iOS and Android apps use their own native codebases respectively, one in Swift and the other in Kotlin. And as a new company without a lot of resources, this setup has just barely allowed us to enter the marketplace. Three codebases is two too many codebases to maintain. Every time we make a change, we have to make it in three different places, violating the most sacred tenet of computer science of keeping it DRY. As a one-person team deploying on all these platforms, even the most minor change will take at minimum three development days, one for each codebase. This includes debugging, fixing, testing, bundling, deploying, and distributing every single codebase. This is by no means an easy task.
Google

Google Allo For Chrome Finally Arrives, But Only For Android Users (engadget.com) 88

Google Allo, the chat app that arrived on the iPhone and Android devices last year, now has a web counterpart. Head of product for Allo and video chat app Duo, Amit Fulay, tweeted: "Allo for web is here! Try it on Chrome today. Get the latest Allo build on Android before giving it a spin." Engadget reports: To give it a go, you'll need to open the Allo app on your device and use that to scan a QR code you can generate at this link. Once you've scanned the code, Allo pulls up your chat history and mirrors all the conversations you have on your phone. Most of Allo's key features, including smart replies, emoji, stickers and most importantly the Google Assistant, are all intact here. In fact, this is the first time you can really get the full Google Assistant experience through the web; it's been limited to phones and Google Home thus far.
Software

App Developers Should Charge More If They Want People To Buy Subscriptions, Suggests Report (theverge.com) 50

A new report from Liftoff, a Silicon Valley-based mobile app marketing and retargeting firm, says that subscription-based apps may do better if developers charge a higher price for services, rather than setting prices too low to lure users in initially. The Verge reports: The Liftoff report, which analyzed data gathered between June 2016 and June 2017, categorized app subscriptions into low-cost monthly subs ($0.99 to $7), medium ($7 to $20), and high-cost subs ($20 to $50), while also factoring in the cost of acquisition per customer. The company found that apps in the medium price range had the highest conversion rate -- 7.16 percent -- and the lowest cost to acquire a subscriber, at just over $106. This was five times higher than the rate of people who subscribed to apps when the apps were in the low-cost category. This may partly be because streaming media apps, like Netflix and Spotify, have already conditioned people to pay around $10 a month for services. But it also might be attributable to the sunk cost fallacy, Liftoff says: the "cognitive bias people have that makes them stay the course because they have already spent time or resources on it." The report also examines apps that fulfill "need states," like dating apps or cloud services. These have the potential to offer services that customers are willing to pay for, again and again. But, according to Liftoff, utility apps have a much higher install-to-subscriber rate compared to dating apps. Blame those who eventually find love?
Businesses

Snap Sold Fewer Than 42K Spectacles, Down 35% In Q2 (androidheadlines.com) 50

The hype surrounding Snap's Spectacles appears to be dwindling. Their sales have decreased by 35 percent in the second quarter of the year, with the company's latest consolidated financial report revealing that its "Other" revenue amounted to $5.4 million over the three-month period ending June 30. Android Headlines reports: With Spectacles being the company's only miscellaneous endeavor at this point in time and sporting a $130 price tag that has yet to see any discounts, it seems that the Venice, Los Angeles-based social media giant managed to only sell approximately 41,500 units of its first wearable in Q2 2017. During the first quarter of the year that also disappointed investors, Snap's "Other" business category recorded a revenue of $8.3 million, suggesting that the firm managed to sell around 64,000 units. The overall commercial performance of Spectacles may still improve during the current quarter as Snap just recently made the smart sunglasses available on Amazon, in addition to partnering with a number of physical retailers. Likewise, the Snapbot vending machines selling Spectacles only started appearing in Europe in June and are still popping up in a number of major cities on the Old Continent, which is another factor that could help improve the sales figures of Snap's camera-equipped pair of sunglasses. Regardless, the current state of affairs is unlikely to please investors, especially in light of the fact that Snap recently proclaimed itself to be "a camera company," noting how Snapchat is just one aspect of its product vision that's meant to incorporate a wide variety of photography-oriented hardware.
The Military

US Army Walks Back Decision To Ban DJI Drones Ever So Slightly (suasnews.com) 27

garymortimer shares a report from sUAS News: News has reached me that another DJI memo was passed around on Friday the 11th of August. It is an exception to policy, with recommendations from the Asymmetric Warfare Group, that will permit the use of DJI kit once some conditions have been met. The Android Tactical Assault Kit will become the ground control station (GCS) of choice when a DJI plugin has passed OPSEC (Operational Security) scrutiny. In a separate report from Reuters, DJI said it is "tightening data security in the hopes that the U.S. Army will lift its ban on DJI drones because of 'cyber vulnerabilities.'" The company is "speeding deployment of a system that allows users to disconnect from the internet during flights, making it impossible for flight logs, photos or videos to reach DJI's computer servers," reports Reuters. While the security measure has been in the works for several months, it's being rolled out sooner than planned because of the Army's decision to discontinue the use of DJI drones.
Businesses

Andy Rubin's Essential Is Now Valued at Over a Billion Dollars Without Shipping a Single Phone (theverge.com) 75

An anonymous reader shares a report: Essential, the new phone startup from Android founder Andy Rubin, is now a unicorn, according to reports from over the weekend. If you're not up to date on the parlance of Silicon Valley, a unicorn is a company that's valued at over $1 billion, which is no small feat in today's market. This title is even more impressive, given that Essential has yet to ship a single device to consumers. According to a report, Foxconn's FIH Mobile filing for a $3 million investment in Essential for around 0.25 percent of the fledgling phone company revealed Essential's new unicorn status with a valuation of around $1.2 billion.
Security

Spyware Apps Found on Google Play Store (bleepingcomputer.com) 37

Researchers at the security firm Lookout have identified a family of malicious Android apps, referred to as SonicSpy. From a report: Experts say the malware author modified a version of the official Telegram app, injected the spyware code, rebranded it, and uploaded the modified app on the Play Store. In total, the crook uploaded the app three times on the Play Store under the names Soniac, Hulk Messenger, and Troy Chat. Only Soniac was active on Google's app store when researchers first spotted the spyware, as the other two apps were already taken down, most likely by the developer himself. At the time of writing, Lookout says they identified over 1,000 variations of this new spyware called SonicSpy, which they believe to be a new version of an older Android spyware named SpyNote.
Iphone

Apple Refuses To Enable iPhone Emergency Settings That Could Save Countless Lives (thenextweb.com) 279

An anonymous reader shares a report: Despite being relatively easy, Apple keeps ignoring requests to enable a feature called Advanced Mobile Location (AML) in iOS. Enabling AML would give emergency services extremely accurate locations of emergency calls made from iPhones, dramatically decreasing response time. As we have covered before, Google's successful implementation of AML for Android is already saving lives. But where Android users have become safer, iPhone owners have been left behind. The European Emergency Number Association (EENA), the organization behind implementing AML for emergency services, released a statement today that pleads with Apple to consider the safety of its customers and participate in the program: "As AML is being deployed in more and more countries, iPhone users are put at a disadvantage compared to Android users in the scenario that matters most: An emergency. EENA calls on Apple to integrate Advanced Mobile Location in their smartphones for the safety of their customers." Why is AML so important? The majority of emergency calls today are made from cellphones, which has made location pinging increasingly important for emergency services. There are many emergency apps and features in development, but AML's strength is that it doesn't require anything from the user -- no downloads and no forethought: The process is completely automated. With AML, smartphones running supporting operating systems will recognize when emergency calls are being made and turn on GNSS (global navigation satellite system) and Wi-Fi. The phone then automatically sends an SMS to emergency services, detailing the location of the caller. AML is up to 4,000 times more accurate than the current systems -- pinpointing phones down from an entire city to a room in an apartment. "In the past months, EENA has been travelling around Europe to raise awareness of AML in as many countries as possible. All these meetings brought up a recurring question that EENA had to reply to: 'So, what about Apple?'" reads EENA's statement.
Android

T-Mobile To Launch Its Own Branded Budget Smartphone (cnet.com) 16

In a throwback to a time when carriers differentiated themselves by branding and selling exclusive phones, T-Mobile announced Wednesday that it's launching its very own budget Android smartphone called the Revvl. CNET reports: The Revvl, which runs on Android Nougat, offers pretty basic specs: a 5.5 inch HD display, 2GB of RAM, 32GB of storage, a 13-megapixel rear-facing camera and a 5-megapixel front-facing camera. But it also throws in a fingerprint sensor and will cost T-Mobile customers just $5 a month with no down payment through the company's Jump! upgrade program. It goes on sale Thursday. In a blog post, T-Mobile COO Mike Sievert said the company is catering to those who want the latest smartphone technology but can't afford to pay for high-end devices.
Operating Systems

Android 8.0's 'Streaming OS Updates' Will Work Even If Your Phone Is Full (arstechnica.com) 40

Regardless of whether or not your phone is full of pictures, or videos, or apps, you will still be able to download and install an OS update with Android 8.0. According to the latest source.android.com documentation, Google has cooked up a scheme to make sure that an "insufficient space" error will never stop an update again. Ars Technica reports: Where the heck can Google store the update if your phone is full, though? If you remember in Android 7.0, Google introduced a new feature called "Seamless Updates." This setup introduced a dual system partition scheme -- a "System A" and "System B" partition. The idea is that, when it comes time to install an update, you can normally use your phone on the online "System A" partition while an update is being applied to the offline "System B" partition in the background. Rather than the many minutes of downtime that would normally occur from an update, all that was needed to apply the update was a quick reboot. At that point, the device would just switch from partition A to the newly updated partition B. When you get that "out of space" error message during an update, you're only "out of space" on the user storage partition, which is just being used as a temporary download spot before the update is applied to the system partition. Starting with Android 8.0, the A/B system partition setup is being upgraded with a "streaming updates" feature. Update data will arrive from the Internet directly to the offline system partition, written block by block, in a ready-to-boot state. Instead of needing ~1GB of free space, Google will be bypassing user storage almost entirely, needing only ~100KB worth of free space for some metadata. Ars Technica goes on to note that the feature will be backported to Google Play Services, and will be enabled on "Android 7.0 and later" devices with a dual system partition setup.
Youtube

YouTube Adds Mobile Chat, Because Google Doesn't Have Enough Messaging Apps (venturebeat.com) 25

Krystalo writes: YouTube today rolled out the ability to share videos with contacts directly in its mobile app for Android and iOS. Users can chat about shared videos using text, react with emoji, like messages with a heart, reply with other videos, and invite more friends to the conversation (up to a maximum of 30 people per group message). YouTube first started testing letting groups of users share and talk about videos in May 2016. The company then pushed the feature to Canada in January 2017 as a test, since Canadians share more videos online than any other nation. After some tweaks, the Google-owned company is now pushing it out to all its Android and iOS users. "We've been improving the feature since our experiments began last year," a YouTube spokesperson told VentureBeat. "For example, we've made changes to the chat visual; and we've made the video stick to the top of the chat when scrolling down, to allow replying and chatting while watching a video; and we'll continue making improvements." With the new update, YouTube has become yet another Google messaging app, on top of Android Messages, Allo, Duo, Hangouts Chat, and Hangouts Meet.
Debian

OpenSSL Support In Debian Unstable Drops TLS 1.0/1.1 Support (debian.org) 76

An anonymous reader writes: Debian Linux "sid" is deprecating TLS 1.0 encryption. A new version of OpenSSL has been uploaded to Debian Linux unstable. This version disables the TLS 1.0 and 1.1 protocols. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version. This will likely break certain things that for whatever reason still don't support TLS 1.2. I strongly suggest that if it's not supported that you add support for it, or get the other side to add support for it. OpenSSL made a release 5 years ago that supported TLS 1.2. The current support on the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don't need to enable them again. This move caused some concern among Debian users and sysadmins. If you are running Debian Unstable on a server, tons of stuff is going to be broken cryptographically. Not to mention legacy hardware and firmware that still uses TLS 1.0. On the client side (i.e. your users), you need to use the latest version of a browser such as Chrome/Chromium and Firefox. Older versions of Android (e.g. Android v5.x and earlier) do not support TLS 1.2. You need to use at minimum iOS 5 for TLS 1.2 support. Same goes for SMTP/mail servers, desktop email clients, FTP clients and more. All of them use old, outdated crypto.

This move will also affect Android 4.3 users and stock MS-Windows 7/IE users (which have TLS 1.2 switched off in Internet Options). Not to mention all the mail servers out there running outdated crypto.

Cellphones

Ask Slashdot: Are My Drone Apps Phoning Home? 132

Slashdot reader bitwraith noticed something suspicious after flying "a few cheap, ready-to-fly quadcopters" with their smartphone apps, including drones from Odyssey and Eachine. I often turn off my phone's Wi-Fi support before plugging it in to charge at night, only to discover it has mysteriously turned on in the morning. After checking the Wi-Fi Control History on my S7, it appears as though the various cookie-cutter apps for these drones wake up to phone home in the night after they are opened, while the phone is charging. I tried contacting the publisher of the Odyssey VR app, with no reply.

I would uninstall the app, but then how would I fly my drone? Why did Google grant permission to control Wi-Fi state implicitly to all apps, including these abusers? Are the apps phoning home to report my flight history?

The original submission asks about similar experiences from other drone-owning Slashdot users -- so leave your best answers in the comments. What's making this phone wake up in the night?

Are the drone apps phoning home?
Biotech

How Apple Is Putting Voices In Users' Heads -- Literally (wired.com) 91

schwit1 shared WIRED's report on "a life-changing technology." Steven Levy spoke with Mathias Bahnmueller as he tested a new Apple sound processor that beams digital audio directly into hearing aids. Bahnmueller suffers from hearing loss so severe that a year ago he underwent surgery to install a cochlear implant -- an electronic device in the inner ear that replaces the usual hearing mechanism. Around a million patients have undergone this increasingly mainstream form of treatment, and that's just a fraction of those who could benefit from it. (Of the 360 million people worldwide with hearing loss, about 10 percent would qualify for the surgery.) "For those who reach a point where hearing aids no longer help, this is the only solution," says Allison Biever, an audiologist in Englewood, CO who works with implant patients. "It's like restoring a signal in a radio station."

Cochlear implants bypass the usual hearing process by embedding a device in the inner ear and connecting it via electrodes to the nerve that sends audio signals to the brain... The system Bahnmueller was using came from a collaboration between Apple and Cochlear, a company that has been involved with implant technology since the treatment's early days. The firms announced last week that the first product based on this approach, Cochlear's Nucleus 7 sound processor, won FDA approval in June -- the first time that the agency has approved such a link between cochlear implants and phones or tablets. Those using the system can not only get phone calls directly routed inside their skulls, but also stream music, podcasts, audio books, movie soundtracks, and even Siri -- all straight to the implant... Apple will offer the technology free to qualified manufacturers.

Google's accessibility team for Android has no public timeline for any similar hearing aid support, though according to the article it's "on the roadmap."
Android

BLU Claims Innocence, Gets Phones Reinstated On Amazon (slashgear.com) 43

Earlier this week, Amazon suspended budget phone maker BLU from selling its phones on the site, citing a "potential security issue." A few days have passed and BLU has made its defense. SlashGear reports: AdUps, the Chinese company that provides affordable firmware update software to countless budget Android phones, is not spyware and not even Kryptowire, the security firm that broke the news last year, called it that, insists BLU. To be fair, Kryptowire really didn't. In its 2016 report, it simply described AdUps' OTA software as "FIRMWARE THAT TRANSMITTED PERSONALLY IDENTIFIABLE INFORMATION (PII) WITHOUT USER CONSENT OR DISCLOSURE." Curiously, that is more or less how the FTC defines spyware (PDF). In its 2017 follow-up, it did drop the second part of that phrase and simply reported on "mobile devices for Personally Identifiable Information (PII) collection and transmission to third parties." While BLU, and a few other OEMs, were caught unaware by the first report, it's insisting on its innocence in this second instance. Its defense stems from the argument that it is doing nothing that violates its Privacy Policy and, therefore, doesn't constitute any wrongdoing. Yes, that privacy policy that barely anyone reads, which can't legally be blamed on manufacturers anyway.

In other words, when you agreed to use BLU's devices, you basically agreed that such PII could possibly be transmitted to a third party outside the US. In this particular case, that does apply to the situation with AdUps. Interestingly, the policy's copyright dates back to 2016, when the AdUps issue first came up. The Internet Archive doesn't seem to have any version of that page before April this year. And so we come to BLU's second argument: everybody's doing it. The data that AdUps collects is the same as or even just a fraction of what other OEMs are collecting. Google is hardly the bastion of privacy, and other OEMs are also collecting such data and sending it to servers in China, as is the case with Huawei and ZTE. Finally, BLU says that Kryptowire's new report really only identifies the Cubot X16S, from a Chinese OEM, as the only smartphone really spying on its users.
UPDATE: BLU has confirmed that its devices "are now back up for sale on Amazon."
Businesses

Popular Password Manager LastPass Doubles Price of Its Premium Plan, Removes Features From Its Free Service Tier (neowin.net) 156

An anonymous reader shares a report: In November, LastPass made a big change to its service, allowing users to keep track of their passwords across all their internet-enabled mobile and desktop devices, free of charge. In addition to the free tier, the cross-platform password manager -- available on iOS, Android, and Windows 10 -- also offered a Premium plan with additional features, priced at $12 per year. Today, LastPass announced another wave of changes to its lineup for individual users -- but this time, the changes are unlikely to be welcomed with open arms by its customers. LastPass Premium has now doubled in price to $24 a year, which includes "emergency access, the ability to share single passwords and items with multiple people, priority tech support, advanced multi-factor authentication, LastPass for applications, and 1GB of encrypted file storage," along with all the other features of the Free tier. In a statement, the company said, "While LastPass Free continues to offer access on all browsers and devices and the core LastPass password management functionality, unlimited sharing and emergency access are now Premium features. Free users will be able to share one item with one other individual."
Android

Lenovo Switches To Stock Android For All Future Smartphones (ndtv.com) 80

Lenovo is canning its Vibe Pure UI Android skin in favor of the stock version of Google's mobile OS for its future smartphones, starting with the upcoming K8 Note, according to an interview from Gadgets 360 with Anuj Sharma, Lenovo India's head of marketing. From a report: Lenovo has confirmed that going forward, it will be abandoning its Vibe Pure UI Android customisation which ran on top of its recent Android smartphones in almost all markets. "What we have done in the last 11 months is we looked at what we had in terms of software perspective. We have been close to the consumers and we saw what they were asking for. There was a certain trend and we have now decided to cut the Vibe Pure UI off from our phones. So you will now get the stock Android which consumers have been asking for," Sharma told Gadgets 360.
Android

Google Now Permits Android Apps That Facilitate Gambling With Real Money (betanews.com) 44

Mark Wilson shares a report from BetaNews: Google has relaxed its rules surrounding real-money gambling apps in Google Play -- in some countries, at least. There has been a ban on apps and games that allow users to gamble with real money since 2013, but that has now changed. While there was previously a ban in place due to the difficulty in policing ages and complying with different gambling laws around the world, real-money gambling apps are now permitted in the UK, France and Ireland. The new rules stipulate that developers must submit their gambling apps for a special vetting process, and they must have an IARC content rating. Other rules include a ban on the use of Google payment services, a requirement to display information about responsible gambling, and a requirement to block underage use. The full list of requirements [can be viewed here].