Google Sued After Cellular Data Allowances Eaten by Hidden Transfers

Author: msmash
November 18, 2020 06:30
An anonymous reader shares a report: Google was sued last week for allegedly stealing Android users' cellular data allowances through unapproved, undisclosed transmissions to the web giant's servers. The lawsuit, Taylor et al v. Google, was filed in a US federal district court in San Jose on behalf of four plaintiffs based in Illinois, Iowa, and Wisconsin in the hope the case will be certified by a judge as a class action. The complaint contends that Google is using Android users' limited cellular data allowances without permission to transmit information about those individuals that's unrelated to their use of Google services. Data sent over Wi-Fi is not at issue, nor is data sent over a cellular connection in the absence of Wi-Fi when an Android user has chosen to use a network-connected application. What concerns the plaintiffs is data sent to Google's servers that isn't the result of deliberate interaction with a mobile device -- we're talking passive or background data transfers via cell network, here. "Google designed and implemented its Android operating system and apps to extract and transmit large volumes of information between Plaintiffs' cellular devices and Google using Plaintiffs' cellular data allowances," the complaint claims. "Google's misappropriation of Plaintiffs' cellular data allowances through passive transfers occurs in the background, does not result from Plaintiffs' direct engagement with Google's apps and properties on their devices, and happens without Plaintiffs' consent." The allegation: "The device, stationary, with all apps closed, transferred data to Google about 16 times an hour, or about 389 times in 24 hours. Assuming even half of that data is outgoing, Google would receive about 4.4MB per day or 130MB per month in this manner per device subject to the same test conditions."

Read more of this story at Slashdot.

Google's Play Store Identified as Main Distribution Vector For Most Android Malware

Author: msmash
November 12, 2020 04:25
The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study -- considered the largest one of its kind carried out to date. From a report: Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analyzed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019. In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps. [...] The results showed that around 67% of the malicious app installs researchers identified came from the Google Play Store. Google did not respond to a request for comment made by ZDNet almost three weeks ago.


On Older Versions of Android, Many Let's Encrypt-Secured Sites May Stop Working in 2021

Author: EditorDavid
November 9, 2020 02:34
This year Let's Encrypt announced that it's issued a billion certificates, and it's been estimated they've made certs for almost 30% of web domains. But Friday they posted that "The DST Root X3 root certificate that we relied on to get us off the ground is going to expire — on September 1, 2021. Fortunately, we're ready to stand on our own, and rely solely on our own root certificate." "However, this does introduce some compatibility woes." Some software that hasn't been updated since 2016 (approximately when our root was accepted to many root programs) still doesn't trust our root certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let's Encrypt. Android has a long-standing and well known issue with operating system updates. There are lots of Android devices in the world running out-of-date operating systems. The causes are complex and hard to fix: for each phone, the core Android operating system is commonly modified by both the manufacturer and a mobile carrier before an end-user receives it. When there's an update to Android, both the manufacturer and the mobile carrier have to incorporate those changes into their customized version before sending it out. Often manufacturers decide that's not worth the effort. The result is bad for the people who buy these devices: many are stuck on operating systems that are years out of date. Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let's Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites. Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant. 
Let's Encrypt engineer Jacob Hoffman-Andrews explains that "In the time between now and September 29 we plan to start serving certificates with the 'alternate' link relation to allow Automatic Certificate Management Environment (ACME) clients to programmatically select a chain they prefer." But Friday's blog post explains that won't solve everything: There will be site owners that receive complaints from users and we are empathetic to that being not ideal. We're working hard to alert site owners so you can plan and prepare. We encourage site owners to deploy a temporary fix (switching to the alternate certificate chain) to keep your site working while you evaluate what you need for a long-term solution: whether you need to run a banner asking your Android users on older OSes to install Firefox, stop supporting older Android versions, drop back to HTTP for older Android versions, or switch to a CA that is installed on those older versions. Gizmodo notes that Firefox will be unaffected "since it relies on its own certificate store that includes Let's Encrypt's root, though that wouldn't keep applications from breaking or ensure functionality beyond your browser." They describe Let's Encrypt as "the Mozilla-partnered nonprofit," and offer this succinct summary of the problem. "One of the world's top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021."


Android Turns 13 Years Old

Author: BeauHD
November 6, 2020 07:50
Google officially introduced its Android mobile operating system on November 5th, 2007, which just so happens to line up with today, so happy 13th birthday, Android. Ryne Hager from Android Police reports: On November 5th, 2007, the "Open Handset Alliance" was revealed after long speculation that Google would enter the smartphone market, following the purchase of a little startup named "Android." Rumors had swirled surrounding a potential "Gphone," but Google quashed them as it announced that Android would be an open platform for anyone. Companies including Motorola, Qualcomm, HTC, and T-Mobile were all on board to help deliver the hardware and partnerships the nascent platform would require. Google promised that Android would change the status quo, and it definitely delivered, with it now claiming over 72% of the worldwide smartphone market share, according to some recent estimates (if not more). It's the primary vehicle that has allowed billions of people to get online in emerging markets, and it's the reason our site even exists.


Samsung Regains Top Smartphone Vendor Spot as Xiaomi Overtakes Apple

Author: msmash
October 30, 2020 23:01
Samsung is back on top as the world's biggest smartphone vendor one quarter after losing its spot to Huawei, according to reports from IDC, Counterpoint, and Canalys. The news comes just as Samsung posted its highest quarterly revenue figures ever, which the company said was helped by a boost in demand for smartphones. From a report: Huawei became the number one vendor for the first time three months ago, benefiting from strong sales in China while much of the rest of the world was operating under constrained retail conditions due to the COVID-19 pandemic. But Huawei's shipments fell 7 percent quarter-on-quarter and 24 percent year-on-year, according to Counterpoint, while Samsung's shipments increased by 47 percent over the last quarter. Xiaomi was able to regain the number three spot for the first time in several years, overtaking Apple for the first time with year-on-year growth of 46 percent. Apple's shipments fell 7 percent year-on-year in the July-September quarter, no doubt affected by the fact that its new iPhones this year slipped until October and November release dates.


OnePlus Co-Founder Carl Pei Has Left the Company, Report Says

Author: BeauHD
October 13, 2020 07:50
OnePlus, the Chinese smartphone manufacturer that has turned into one of the most popular Android smartphone brands worldwide, is reportedly missing one of its cofounders. According to Android Police, citing Reddit user JonSigur, who published alleged screenshots of internal memos at OnePlus, co-founder Carl Pei has left his role at the company after nearly seven years. From the report: The messages listed the company's leadership structure, with Pei notably absent. The memos also noted Emily Dai, who was in charge (or could still be in charge) of OnePlus operations in India, was recently appointed as the head of the Nord product line globally. Pei was previously in charge of Nord, and was prominently featured in the documentary about the phone's development. We reached out to OnePlus for a statement, and a spokesperson declined to comment. That adds more credibility to the story -- if it were false, it would be extremely easy for OnePlus to outright deny it. The report notes that OnePlus' other co-founder, Pete Lau, remains the company's CEO.


240+ Android Apps Caught Showing Out-of-Context Ads

Author: msmash
October 10, 2020 01:45
Google has removed this summer more than 240 Android apps from the official Play Store for showing out-of-context ads and breaking a newly introduced Google policy against this type of intrusive advertising. From a report: Out-of-context ads (also known as out-of-app ads) are mobile ads that are shown outside an app's normal container. They can appear as popups or as fullscreen ads. Out-of-context ads are banned on the Play Store since February this year, when Google banned more than 600 apps that were abusing this practice to spam their users with annoying ads. But despite the public crackdown and ban, other apps showing out-of-context ads have continued to be discovered -- such as in June this year. The latest of these discoveries come from ad fraud detection firm White Ops. In a blog post today, the company said it discovered a new cluster of more than 240+ Android apps bombarding their users with out-of-context ads -- but made to look like they originated from other, more legitimate applications.


Google Is Building a Special Android Security Team to Hunt Bugs in Sensitive Apps

Author: EditorDavid
October 4, 2020 11:34
"Google is hiring to create a special Android security team that will be tasked with finding vulnerabilities in highly sensitive apps on the Google Play Store," reports ZDNet: "As a Security Engineering Manager in Android Security... Your team will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers," reads a new Google job listing posted on Wednesday. Applications that this new team will focus on include the likes of COVID-19 contact tracing apps and election-related applications, with others to follow, according to Sebastian Porst, Software Engineering Manager for Google Play Protect.


Google Removes 17 Android Apps Caught Engaging In WAP Billing Fraud

Author: BeauHD
September 29, 2020 19:00
Google has recently removed 17 Android applications from the official Play Store because they were infected with the Joker (aka Bread) malware. ZDNet reports: "This spyware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services," Zscaler security researcher Viral Gandhi said this week. The 17 malicious apps were uploaded on the Play Store this month and didn't get a chance to gain a following, having been downloaded more than 120,000 times before being detected. Following its internal procedures, Google removed the apps from the Play Store, used the Play Protect service to disable the apps on infected devices, but users still need to manually intervene and remove the apps from their devices. But this recent takedown also marks the third such action from Google's security team against a batch of Joker-infected apps over the past few months. [...] The way these infected apps usually manage to sneak their way past Google's defenses and reach the Play Store is through a technique called "droppers," where the victim's device is infected in a multi-stage process. Malware authors begin by cloning the functionality of a legitimate app and uploading it on the Play Store. This app is fully functional, requests access to dangerous permissions, but also doesn't perform any malicious actions when it's first run. Because the malicious actions are usually delayed by hours or days, Google's security scans don't pick up the malicious code, and Google usually allows the app to be listed on the Play Store. But once on a user's device, the app eventually downloads and "drops" (hence the name droppers, or loaders) other components or apps on the device that contain the Joker malware or other malware strains.


Google Begins Rolling Out Android 11

Author: msmash
September 9, 2020 02:21
Google today launched Android 11, the latest version of its mobile OS, and pushed the source code to the Android Open Source Project (AOSP). From a report: Unlike previous major versions, Android 11 is not only arriving as an over-the-air update to Pixel phones first, but also on OnePlus, Xiaomi, Oppo, and Realme phones "with more partners launching and upgrading devices over the coming months." That's a major departure for Android, updates for which take months to arrive thanks to carriers and device makers dragging their feet. It doesn't help that Android is the dominant mobile operating system available on thousands of different device configurations, powering over 2.5 billion monthly active devices. [...] Android 11 brings a long list of new features. Google originally split them into three themes: People, Controls, and Privacy. But there is also support for 5G, new screen types, and call screening. There's even a frame rate API for helping apps and games adopt variable refresh rates, which will be a big focus over the next few years as phones and TVs adopt the feature from computer monitors. Google also expanded the Neural Networks API for running computationally intensive machine learning operations.


Google Removes Android App That Was Used To Spy On Belarusian Protesters

Author: BeauHD
September 3, 2020 09:50
Google has removed an Android app from the Play Store that was used to collect personal information from Belarusians attending anti-government protests. ZDNet reports: The app, named NEXTA LIVE, was available for almost three weeks on the official Android Play Store, and was downloaded thousands of times and received hundreds of reviews. To get installs, NEXTA LIVE claimed to be the official Android app for Nexta, an independent Belarusian news agency that gained popularity with anti-Lukashenko protesters after exposing abuses and police brutality during the country's recent anti-government demonstrations. However, the app contained code to collect geolocation data, gather info on the device owner, and then upload the data to a remote Russian server at regular intervals. [...] While there is no official link between the fake Nexta app and the Minsk government, this would hardly be the first time that a government would try to spy on its citizens in the midst of anti-government protests, in attempts to identify protest-goers.


Meet the $3,300 Edition of the Galaxy Z Fold 2

Author: msmash
September 1, 2020 23:52
An anonymous reader shares a report: If you're going to spend $1,000 on a phone, you might as well spend $2,000. And honestly, if you're going to spend $2,000, why not just go for it and spend $3,300? That seems to be a chief guiding principle behind the Samsung Galaxy Fold Z 2 Thom Browne edition -- a handset for those who want the priciest mobile device you can buy -- and then some. Samsung has been partnering with the high-end American fashion designer for a couple of devices now. The Z Fold 2 edition follows the release of the Thom Browne Galaxy Z Flip, which also cost an additional $1,100 over the price of the standard foldable. Further justifying the device's cost is the inclusion of a Galaxy Watch 3 and the Galaxy Buds Live -- neither of which ship with the standard Fold Z 2. And perhaps even more importantly, it's something you can lord over the heads of your slightly more frugal friends who only shelled out for the regular Fold.


Comcast is Looking To Enter the Smart TV Wars

Author: msmash
August 29, 2020 01:23
Comcast wants to turn the software running on its set-top boxes into an operating system for smart TVs, Protocol reported Friday, citing multiple industry insiders with knowledge of the company's plans. From the report: The company began pitching TV manufacturers on the idea in recent months and had some conversations on the subject at CES in January. It's unclear how far these talks have progressed, but the push underlines the growing importance of smart TVs as a major platform for the future of entertainment. At the center of these discussions has been Comcast's X1 platform, which the company built as an operating system for its own set-top boxes over the past decade. In addition to running on the company's cable boxes, X1 also powers Flex, the Roku-like streaming hardware launched by Comcast last year. Comcast has also for some time pitched X1 to fellow cable operators. Cox, for instance, runs X1 hardware and software under its Contour brand, and Charter executives have publicly acknowledged that the two companies have been negotiating a similar licensing deal.


Google: Jetpack Compose Lets Android Developers Write Apps With 'Dramatically Less Code'

Author: msmash
August 27, 2020 03:05
Google today released the alpha version of Jetpack Compose, its UI toolkit for helping developers "build beautiful UI across all Android platforms, with native access to the platform APIs." From a report: While an alpha release means it is definitely not production ready, Jetpack Compose promises to let Android developers build apps using "dramatically less code, interactive tools, and intuitive Kotlin APIs." The alpha release also includes new tools including Animations, Constraint Layouts, and performance optimizations. Android Jetpack, which Google launched at its I/O 2018 developer conference, is a set of components for speeding up app development. Think of it as the successor to Support Library, a set of components that makes it easier to leverage new Android features while maintaining backwards compatibility. Jetpack Compose, which Google first showed off at its I/O 2019 developer conference, is an unbundled toolkit meant to simplify UI development by combining a reactive programming model with Kotlin.


Firefox Daylight For Android Arrives With Enhanced Tracking Protection, New UI

Author: msmash
August 26, 2020 00:24
An anonymous reader writes: After more than a year of development, Mozilla today launched Firefox 79 for Android, branded Firefox Daylight. Like with Firefox 57 Quantum, Firefox Daylight gets its own name as it marks "a new beginning for our Android browser." The new version is "an entirely overhauled, faster, and more convenient product." Firefox Daylight includes Enhanced Tracking Protection on by default, a new user interface, Mozilla's own mobile browser engine GeckoView, and a slew of new features. Mozilla is rolling out the new Firefox for Android globally, starting in Germany, France, and the U.K. today, and North America starting August 27.


Android 11 Is Taking Away the Camera Picker, Forcing People To Only Use the Built-In Camera

Author: BeauHD
August 19, 2020 09:50
In the name of security and privacy, Google is taking away the ability for users to select third-party camera apps in Android 11, forcing users to rely on the built-in camera app. Android Police reports: At the heart of this change is one of the defining traits of Android: the Intent system. Let's say you need to take a picture of a novelty coffee mug to sell through an auction app. Since the auction app wasn't built for photography, the developer chose to leave that up to a proper camera app. This is where the Intent system comes into play. Developers simply create a request with a few criteria and Android will prompt users to pick from a list of installed apps to do the job. However, things are going to change with Android 11 for apps that ask for photos or videos. Three specific intents will cease to work like they used to, including: VIDEO_CAPTURE, IMAGE_CAPTURE, and IMAGE_CAPTURE_SECURE. Android 11 will now automatically provide the pre-installed camera app to perform these actions without ever searching for other apps to fill the role. Google describes the change in a list of new behaviors in Android 11, and further confirmed it in the Issue Tracker. Privacy and security are cited as the reason, but there's no discussion about what exactly made those intents dangerous. Perhaps some users were tricked into setting a malicious camera app as the default and then using it to capture things that should have remained private. Not only does Android 11 take the liberty of automatically launching the pre-installed camera app when requested, it also prevents app developers from conveniently providing their own interface to simulate the same functionality. I ran a test with some simple code to query for the camera apps on a phone, then ran it on devices running Android 10 and 11 with the same set of camera apps installed. Android 10 gave back a full set of apps, but Android 11 reported nothing, not even Google's own pre-installed Camera app.


Chrome For Android Will Show 'Fast Page' Labels Based On Web Vitals

Author: msmash
August 18, 2020 03:51
An anonymous reader writes: Google today announced Chrome for Android's context menu will show "Fast page" labels for webpages deemed to have good performance. The label will be determined using Google's Web Vitals, an initiative the company announced in May to provide web developers and website owners with a unified set of metrics for building websites with user experience and performance in mind. Core Web Vitals, Google's attempt to spell out the metrics it considers critical for all web experiences, will measure a webpage's responsiveness and visual stability.


Google Makes Building Android Apps on Chrome OS Easier

Author: msmash
August 13, 2020 04:03
Google today launched ChromeOS.dev, a new site that aims to help developers get started with building Android apps for the company's Linux-based operating system. With today's update, Google is also making it easier to build and test Android applications on Chromebooks. From a report: The new ChromeOS.dev site, which is available in English and Spanish for now, is meant to "help developers maximize their capabilities on the platform through technical resources/tutorials, product announcements, code samples and more," a Google spokesperson told us. As Google notes in today's announcement, in the last quarter, Chromebook unit sales were up 127% year-over-year in the last quarter, compared to 40% for notebook sales in general. To help Android developers do all of their work on a Chromebook if they so desire, Google now offers the full Android Emulator on Chrome OS to test apps right on their Chromebooks. The team also made deploying apps on Chrome OS (M81 and newer) much easier. Developers can now deploy and test apps directly without having to use developer mode or connect devices via USB.

