Archive for Android

When It Comes To Privacy For In Car Infotainment Systems, It’s An Open Question As To What Data Google And Apple Collect From You

Posted in Commentary on April 20, 2018 by itnerd

The issue of privacy when it comes to in car infotainment systems like Android Auto and Apple CarPlay flared up again yesterday when it came to light that Toyota took a pass on Android Auto because of privacy concerns. They joined Porsche who famously did the same thing a few years ago.

That made me wonder if it is spelled out clearly what data either of these systems collects and how it is used. Why does that matter? I’d like to know if Google or Apple is monitoring how aggressively I drive, what they do with that information, and who gets to see it. Thus I spent a day looking around the Internet to see if such documentation exists. The net result of my research is that neither company does a great job of spelling out what data they collect via their infotainment systems and how it is used. To illustrate this, I want to use Tesla as an example of what I am looking for. Their privacy policy makes it very clear what they collect in terms of data. And they go into a great amount of detail about how it is used. That way, you know exactly what Tesla is doing. As far as I am concerned, this is the gold standard when it comes to this sort of thing as it removes any questions from my mind about what Tesla may or may not be doing.

Now let’s go over to Apple. They have a privacy microsite that is better than most and specifically mentions Apple CarPlay here where it says this:

All the rigorous privacy measures built into your iPhone and apps carry over to CarPlay. Only essential information that enhances the CarPlay experience will be used from your car. For example, data such as your car’s GPS location can be used to help iPhone produce more accurate results in Maps.

That’s something I suppose, but beyond that there’s no specific mention in their privacy policy or anywhere else on their microsite about what CarPlay collects and what is done with that information.

In the case of Google and Android Auto, I was unable to find anything that specifically mentions Android Auto, and I looked at the Android Auto site and their privacy and terms microsite, which if you dig for a bit lists pretty much every product that they make except Android Auto. Which means that I have no idea what info Google collects. And that’s a step behind Apple, who at least gives me some minimal information on this front.

So in either case, both Android Auto and Apple CarPlay fall well short of telling their users about what data they collect and how it is used when compared to Tesla. That’s a problem given how privacy and the security of data is now a top of mind issue. As a result, we’re left with rumor rather than fact. And that’s a huge problem for both companies if they want their infotainment systems to be adopted widely.

My challenge to both companies would be for them to make their data collection and usage policies for their infotainment systems as clear as Tesla does. At least when Tesla spells it out, I know what I am getting myself into up front assuming that I read the document. I believe that Google and Apple owe us the same.

So how about it Apple and Google? Will you do what’s right for users of Android Auto and Apple CarPlay, or will you continue to keep them in the dark about what data you collect and how it is used in terms of those products? Inquiring minds want to know.

 

Your Android Phone Might Not Be As Secure As You Think

Posted in Commentary on April 13, 2018 by itnerd

If you own an Android phone from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, or ZTE, but really any Android phone, you might not be getting the security patches that you need to keep your phone safe based on a recently released study:

The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. “We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” says SRL founder Karsten Nohl.

The number of missing security patches on phones varied between device makers. For example, Google, Samsung, and Sony devices were found to be missing 0 or 1 patches on average. Xiaomi, OnePlus, and Nokia devices were missing 1 to 3 patches on average, while HTC, Huawei, LG, and Motorola were missing 3 to 4 patches on average. Devices from TCL and ZTE fared the worst, missing an average of 4 or more patches that they claimed to have.

One of the huge problems with Android is that it is now so fragmented, and every vendor has filled it with their own custom stuff and they’ve done god knows what to the core of it. That’s horrible for the consumer as you are guaranteed to get this situation because it’s easier to fudge things than to come out with proper patches on a regular cadence.

Contrast that to those on team iOS where everything comes from Apple. Thus every iPhone user that has an iPhone made in the last five years give or take gets every security update that comes out. Sure iOS is a walled garden unlike the freedom that Android provides its users, but the wall surrounding that garden is pretty secure unlike Android.

While people are going to buy Android phones regardless of how insecure they are because they are cheap, Google and company need to do something about this. The fact is that you can’t have millions of phones running around out there which are wide open to being pwned. That’s just a disaster waiting to happen.

Android P Developer Preview Hits The Streets

Posted in Commentary on March 7, 2018 by itnerd

Google today launched the first Android P developer preview, which is available for download now at developer.android.com.

Some notes on what’s on offer for download:

The preview includes an updated SDK with system images for the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, and the official Android Emulator. Unlike last year, there is no emulator for testing Android Wear on Android P.

Interesting that there’s nothing there to test Android Wear devices. I guess that has something to do with the fact that Android Wear devices pretty much got hammered by Apple Watches in the marketplace. Or they haven’t gotten around to it yet. Who knows?

But I digress.

Why should you care? Here’s what Android P (one has to wonder what food item will be used to market this OS... Popsicles perhaps?) has going for it:

  • Android P offers support for “the latest edge-to-edge screens with display cutout for camera and speaker,” with a new “DisplayCutout” class for outlining the size and shape of a notch on an Android device, seeing as Android device makers are copying the iPhone X and its notch.
  • Indoor positioning APIs so that your phone will more accurately grab a location indoors.
  • Enhanced notifications
  • Multi-camera support
  • HEIF image support
  • Restricted access to the mic, camera, and other hardware
  • Open Mobile API for NFC payments and secure transactions

Expect this OS to ship sometime in Q3.

#Fail: Google Play Protect Can’t Protect You From Malware

Posted in Commentary on October 26, 2017 by itnerd

Google has a new initiative to reduce malware in the Android ecosystem. Called Google Play Protect, it’s supposed to catch the bad stuff before it ends up on your Android smartphone. Because lots of bad stuff ends up on Android smartphones. And that’s a big problem.

However, it appears that it will not do much for you. Tests by German malware experts AV-Test indicate that Google Play Protect detected just 65.8 percent of recent malware samples, rising to 79.2 percent of malware of around a month old. Meanwhile, third party solutions caught pretty much everything that was thrown at them. The net result was that Google Play Protect finished dead last in this test.

I’m not sure what Google is going to do about it, but I know what you should do. Forget Google Play Protect and invest in a third party anti-virus app that was tested by AV-Test, as it seems Google can’t protect you from the bad stuff that’s out there.

 

Android Devices Not Running Android Oreo Vulnerable To Pwnage

Posted in Commentary on September 11, 2017 by itnerd

Well, this is potentially going to be a problem for reasons that I will get to in a bit. If you’re using an Android device and it’s not running Android Oreo which is the latest and greatest from Google, then you’re vulnerable to an “Overlay Attack” as per Palo Alto Networks who spill the details here. Here’s how the attack works in short:

  1. Download a malicious app from the Google Play Store.
  2. The app draws a bogus screen for users to click on (for example, to install an app or accept a set of permissions), hiding what’s really happening.
  3. Users accept the permissions that the malicious app serves up.
  4. Pwnage.

Android is supposed to prevent this happening. But any Android device not running Oreo doesn’t. Thus there need to be patches for this and soon. Here’s the problem. The Android ecosystem is notorious for being slow to deliver patches because of the diversity of devices and quite frankly the manufacturers of these devices not having security as a top of mind item. So it is entirely possible that this threat might be out there for months before devices get patched. If they get patched at all. And that ignores the fact that the malicious apps are being served up from Google Play which is another huge problem. Clearly Android users have something to worry about.

 

Tech Companies Team Up On Android Botnet Takedown

Posted in Commentary on August 29, 2017 by itnerd

In an unprecedented move, a half dozen tech companies have teamed up to take down the “WireX” botnet which may have had tens of thousands of compromised Android devices as part of it. Noted security expert Brian Krebs has the details:

News of WireX’s emergence first surfaced August 2, 2017, when a modest collection of hacked Android devices was first spotted conducting some fairly small online attacks. Less than two weeks later, however, the number of infected Android devices enslaved by WireX had ballooned to the tens of thousands.

More worrisome was that those in control of the botnet were now wielding it to take down several large websites in the hospitality industry — pelting the targeted sites with so much junk traffic that the sites were no longer able to accommodate legitimate visitors.

Experts tracking the attacks soon zeroed in on the malware that powers WireX: Approximately 300 different mobile apps scattered across Google’s Play store that were mimicking seemingly innocuous programs, including video players, ringtones or simple tools such as file managers.

That’s right, apps from the Google Play Store were central to the existence of this botnet. Proving once again that Google has a bit of a problem when it comes to what is available to download and install onto Android devices. But I digress. Several hundred apps that had the code to power this botnet have been removed from the Google Play Store. But this case illustrates the fact that the botnet is now at a whole new level that requires companies who aren’t friendly towards each other to team up to take down these botnets. It will be interesting to see if this sort of co-operation is the new normal, or just a one time event.

The Next Version Of Android Will Be Named Oreo

Posted in Commentary on August 21, 2017 by itnerd

Google has announced the next-generation version of its Android operating system. The name will be Oreo as in the cookie. Much like with Kit Kat, there’s a clear tie in with the product in question as evidenced by this video:

Key features include:

  • Notification Dots to make it easier to see which apps have new content to display.
  • A long tap on an app icon now displays information like the last notification received.
  • App widgets, which is much like what 3D Touch does on iOS.
  • Picture-in-picture support allows users to watch video content while using other apps, which is coming to iOS.
  • A new autofill feature remembers login information to allow for quicker username and password entry.
  • Support for new Unicode 10 emoji is included.

You can see the full feature list here.

The update is available today through Google’s Android Open Source Project, with Google planning to roll it out to Pixel and Nexus devices in the near future as soon as carrier testing is complete. If you own some other Android phone, you may have to wait a while for it to appear on your device as device manufacturers in the Android space tend not to be too quick to roll these updates out.