Monday, 25 March 2019

Android users’ security and privacy at risk from shadowy ecosystem of pre-installed software, study warns

A large-scale independent study of pre-installed Android apps has cast a critical spotlight on the privacy and security risks that preloaded software poses to users of the Google-developed mobile platform.

The researchers behind the paper, which has been published in preliminary form ahead of a future presentation at the IEEE Symposium on Security and Privacy, unearthed a complex ecosystem of players with a primary focus on advertising and “data-driven services” — which they argue the average Android user is unlikely to be aware of (while also likely lacking the ability to uninstall or evade the baked-in software’s privileged access to data and resources themselves).

The study, which was carried out by researchers at the Universidad Carlos III de Madrid (UC3M) and the IMDEA Networks Institute, in collaboration with the International Computer Science Institute (ICSI) at Berkeley (USA) and Stony Brook University of New York (US), encompassed more than 82,000 pre-installed Android apps across more than 1,700 devices manufactured by 214 brands, according to the IMDEA institute.

“The study shows, on the one hand, that the permission model on the Android operating system and its apps allow a large number of actors to track and obtain personal user information,” it writes. “At the same time, it reveals that the end user is not aware of these actors in the Android terminals or of the implications that this practice could have on their privacy. Furthermore, the presence of this privileged software in the system makes it difficult to eliminate it if one is not an expert user.”

An example of a well-known app that can come pre-installed on certain Android devices is Facebook.

Earlier this year the social network giant was revealed to have inked an unknown number of agreements with device makers to preload its app. And while the company has claimed these pre-installs are just placeholders, unless or until a user chooses to actively engage with and download the Facebook app, Android users essentially have to take those claims on trust, with no ability to verify them (short of finding a friendly security researcher to conduct a traffic analysis) or to remove the app from their device themselves. Facebook pre-loads can only be disabled, not deleted entirely.

The company’s preloads also sometimes include a handful of other Facebook-branded system apps which are even less visible on the device and whose function is even more opaque.

Facebook previously confirmed to TechCrunch there’s no ability for Android users to delete any of its preloaded Facebook system apps either.

“Facebook uses Android system apps to ensure people have the best possible user experience including reliably receiving notifications and having the latest version of our apps. These system apps only support the Facebook family of apps and products, are designed to be off by default until a person starts using a Facebook app, and can always be disabled,” a Facebook spokesperson told us earlier this month.

But the social network is just one of scores of companies involved in a sprawling, opaque and seemingly interlinked data gathering and trading ecosystem that Android supports and which the researchers set out to shine a light into.

In all, 1,200 developers were identified behind the pre-installed software found in the data-set the researchers examined, as well as more than 11,000 third-party libraries (SDKs). Many of the preloaded apps were found to display what the researchers dub potentially dangerous or undesired behavior.

The data-set underpinning their analysis was collected via crowd-sourcing methods — using a purpose-built app (called Firmware Scanner), and pulling data from the Lumen Privacy Monitor app. The latter provided the researchers with visibility on mobile traffic flow — via anonymized network flow metadata obtained from its users. 

They also crawled the Google Play Store to compare their findings on pre-installed apps with publicly available apps — and found that just 9% of the package names in their dataset were publicly indexed on Play. 

Another concerning finding relates to permissions. In addition to standard permissions defined in Android (i.e. which can be controlled by the user) the researchers say they identified more than 4,845 owner or “personalized” permissions by different actors in the manufacture and distribution of devices.

So that means they found systematic workarounds of user permissions being enabled by scores of commercial deals cut in a non-transparent, data-driven background Android software ecosystem.

“This type of permission allows the apps advertised on Google Play to evade Android’s permission model to access user data without requiring their consent upon installation of a new app,” writes the IMDEA.

The top-line conclusion of the study is that the supply chain around Android’s open source model is characterized by a lack of transparency — which in turn has enabled an ecosystem to grow unchecked and get established that’s rife with potentially harmful behaviors and even backdoored access to sensitive data, all without most Android users’ consent or awareness. (On the latter front the researchers carried out a small-scale survey of consent forms of some Android phones to examine user awareness.)

tl;dr the phrase ‘if it’s free you’re the product’ is a too trite cherry atop a staggeringly large yet entirely submerged data-gobbling iceberg. (Not least because Android smartphones don’t tend to be entirely free.)

“Potential partnerships and deals — made behind closed doors between stakeholders — may have made user data a commodity before users purchase their devices or decide to install software of their own,” the researchers warn. “Unfortunately, due to a lack of central authority or trust system to allow verification and attribution of the self-signed certificates that are used to sign apps, and due to a lack of any mechanism to identify the purpose and legitimacy of many of these apps and custom permissions, it is difficult to attribute unwanted and harmful app behaviors to the party or parties responsible. This has broader negative implications for accountability and liability in this ecosystem as a whole.”

The researchers go on to make a series of recommendations intended to address the lack of transparency and accountability in the Android ecosystem — including suggesting the introduction and use of certificates signed by globally-trusted certificate authorities, or a certificate transparency repository “dedicated to providing details and attribution for certificates used to sign various Android apps, including pre-installed apps, even if self-signed”.

They also suggest Android devices should be required to document all pre-installed apps, plus their purpose, and name the entity responsible for each piece of software — and do so in a manner that is “accessible and understandable to users”.

“[Android] users are not clearly informed about third-party software that is installed on their devices, including third-party tracking and advertising services embedded in many pre-installed apps, the types of data they collect from them, the capabilities and the amount of control they have on their devices, and the partnerships that allow information to be shared and control to be given to various other companies through custom permissions, backdoors, and side-channels. This necessitates a new form of privacy policy suitable for preinstalled apps to be defined and enforced to ensure that private information is at least communicated to the user in a clear and accessible way, accompanied by mechanisms to enable users to make informed decisions about how or whether to use such devices without having to root their devices,” they argue, calling for an overhaul of what’s long been a moribund T&Cs system, from a consumer rights point of view.

In conclusion they couch the study as merely scratching the surface of “a much larger problem”, saying their hope for the work is to bring more attention to the pre-installed Android software ecosystem and encourage more critical examination of its impact on users’ privacy and security.

They also write that they intend to continue to work on improving the tools used to gather the data-set, as well as saying their plan is to “gradually” make the data-set itself available to the research community and regulators to encourage others to dive in.  



from Android – TechCrunch https://ift.tt/2FzeDqc

Apple’s revamped TV app is ready to stream its new shows

Along with the long-awaited introduction of Apple’s TV and movie streaming service, the company also introduced a new Apple TV app for iPhone, iPad and Apple TV.  The updated design is meant to make it easier to find content, no matter the source – whether that’s Apple’s new TV channels service, Apple TV+, your iTunes library, cable or satellite TV, or other streaming services, like Amazon Prime Video or Hulu.

The updated app includes a new “Watch Now” tab where you can pick up where you left off on current shows, see suggestions of trending and popular content, or dive into personalized recommendations that get smarter the more you’re on the app.

The interface looks much like what you’d expect from a streaming service – with sections like “What to Watch” or “New and Noteworthy” where image thumbnails of the shows are browsed through horizontally.

When you find things you like, you can add items to your Watch Later list.

Similar to Roku’s TV and movies hub, The Roku Channel, or Amazon’s Prime Video Channels, the Apple TV app will also offer a simple way to subscribe to premium channels.

With a few clicks, you can start a free trial to paid channels like HBO, Showtime, Starz and others, using your saved payment information.

To navigate the app, you can tap on the sections across the top: Watch Now, Movies, TV shows, Sports, Kids and Library. Some of these have had small changes, as well.

For example, the brand new Kids experience lets children browse by their favorite characters, similar to Netflix.

There are other nice touches as well – like the ability to skip shows’ intros to get straight to the action – and, of course, you can still use Siri to find content and control the experience.

The revamped app will be available on Apple TV, iPhone, and iPad in May, and will come for the first time to the Mac this fall. It will also become available worldwide in over 100 countries, when the OS update arrives.

As previously announced, the Apple TV app will be available on non-Apple devices for the first time, too. This includes smart TVs like those from Samsung, LG, Sony, and Vizio, as well as on Roku and Amazon Fire TV platforms at a later date.



from Apple – TechCrunch https://ift.tt/2HDvmLb

The Apple TV app to launch on smart TVs, Roku, Fire TV and computers

Apple is revamping its Apple TV app with a new offering. But how will you be able to access the service exactly? Apple is launching the Apple TV app on smart TVs from Samsung, LG, Sony and Vizio.

The Samsung app will land first, and other manufacturers will get the Apple TV app this Spring. The app will also be available on Roku and Fire TV devices. And the company is also launching an Apple TV app on macOS this Fall. It’s unclear if you’ll be able to access the service from Android phones, Windows 10 computers, etc.

The Apple TV app has been available in a handful of countries so far. Apple is launching the app in over 100 countries by the end of the year.

The app combines content you can buy and rent in the iTunes Store, subscriptions to premium partners, such as HBO, Starz and Showtime, as well as on-demand offerings from cable subscriptions (Spectrum, AT&T, etc.).

And of course, Apple is also announcing its own original content subscription, Apple TV+.



from Apple – TechCrunch https://ift.tt/2OqHv6B

Apple Arcade is Apple’s new cross-platform gaming subscription

Apple wants to tilt the balance from ad-laden freemium gaming titles towards all-access ad-free gaming experiences that can be downloaded across platforms on iOS and macOS.

At the company’s services event this morning, they announced Apple Arcade, their new premium subscription service for gaming across their hardware products. “We want to make gaming even better,” Apple CEO Tim Cook said onstage.

The subscription will boast 100+ new and exclusive games while Apple will be adding new content “all the time.” It looks like the company will have a hand in building out the titles by working directly with developer partners to produce titles. Early partners include names like Disney, Konami and Lego.

Another important note: all games will be playable offline. This is a content play rather than a tech product like Google’s recently-announced Stadia game-streaming platform. The subscription will provide access to all of the content in the games without ads.

Apple has the benefit of building this directly into the App Store; you’ll be able to access Apple Arcade from a new bottom tab in the App Store app. This may be the company’s best chance at leveraging its strength on iOS to finally build a better home for games on Mac.

The service is coming this fall. Apple oddly didn’t detail pricing, though it did share that the service would be launching in 150 regions.



from Apple – TechCrunch https://ift.tt/2U2sWM3

Apple Pay is coming to transit systems in major US cities later this year

Being able to pay for things like subways and buses with your phone just makes sense, but in much of the US, you’ll still need a paper ticket or an oh-so-losable reloadable card if you want a ride.

At its big press event this afternoon, Apple announced that transit systems in a few major US cities are picking up support for Apple Pay, allowing you to tap your phone or Apple Watch to pay for your ride.

Details were light, but Apple confirmed that transit systems in New York City, Chicago, and Portland would play friendly with Apple Pay starting later this year.

This isn’t the first time we’ve seen Apple Pay pick up compatibility with transit; support went live in Beijing and Shanghai, for example, nearly a year ago. Still, more cities is a great thing, if only because it makes it that much easier to figure out the transit system when you land somewhere new.



from Apple – TechCrunch https://ift.tt/2JDiA15

Apple introduces its own credit card, the Apple Card

Today, Apple announced… a credit card. The Apple Card is designed for the iPhone and will work with the Wallet app. You sign up from your iPhone and you can use it with Apple Pay in just a few minutes.

Before introducing the card, Apple CEO Tim Cook shared a few numbers about Apple Pay. Apple Pay will reach 10 billion transactions this year. By the end of this year, Apple Pay will be available in more than 40 countries.

Retail acceptance of Apple Pay is always growing. In the U.S., 70 percent of businesses accept Apple Pay. But it’s higher in some countries — Australia is at 99 percent acceptance for instance.

But let’s talk about the Apple Card. After signing up, you control the Apple Card from the Wallet app. When you tap on the card, you can see your last transactions, how much you owe, how much money you spent on each category.

You can tap on a transaction and see the location in a tiny Apple Maps view. Every time you make an Apple Pay transaction, you get 2 percent in cash back. You don’t have to wait until the end of the month as your cash is credited every day. For Apple purchases, you get 3 percent back.

As previously rumored, Apple has partnered with Goldman Sachs and Mastercard to issue that card. Apple doesn’t know what you bought, where you bought it and how much you paid for it. And Goldman Sachs promises that it won’t sell your data for advertising or marketing.

When it comes to the fine print, there are no late fees, no annual fees, no international fees and no over-limit fees. If you can’t pay back your credit card balance, you can start a multi-month plan — Apple tries to clearly define the terms of the plan. You can contact customer support through text messages in the Messages app.

The Apple Card isn’t limited to a virtual card. You get a physical titanium card with a laser-etched name. There’s no card number, no CVV code, no expiration date and no signature on the card. You have to use the Wallet app to get that information. Physical transactions are eligible for 1 percent in daily cash.

When it comes to security, you’ll get a different credit card number for each of your devices. It is stored securely and you can access the PIN code using Face ID or your fingerprint.

The card will be available this summer for customers in the U.S.



from Apple – TechCrunch https://ift.tt/2CDaSy2

Apple unveils its $9.99 per month news subscription service, Apple News+

Apple today unveiled a revamped Apple News app which now includes a premium tier called Apple News+, offering access to over 300 magazines and newspapers for $9.99 per month. At launch, the subscription includes magazine titles like Bon Appétit, People and Glamour, along with top publishers like The Wall Street Journal and Los Angeles Times, among others.

TechCrunch’s premium product, Extra Crunch, is among the new participants. Others highlighted on stage include theSkimm, GrubStreet, The Highlight by Vox, The Cut, and Vulture.

“When we created Apple News over three years ago, we wanted to provide the best way to read the news on your iPhone and iPad,” said Apple CEO Tim Cook, in introducing the company’s plans for Apple News+. “And we felt we can make a difference in the way that news is experienced and understood – a place where the news would come from trusted sources and be curated by experts,” he added.

The subscription introduces a new design feature called “Live Covers,” which shows animated images instead of static photos for the magazine’s cover. Inside the digital magazine’s pages, readers can view a table of contents, swipe through beautifully designed pages filled with text, photos and infographic content, and more. The experience looks very much like the popular digital magazine app, Flipboard.

The magazine publishers can also express their own unique look and feel through their design and photography, noted Apple designer Wyatt Mitchell, in presenting the new feature.

The News+ tab is where you can begin to explore the available magazines, while the Today tab features more recommendations of articles and issues. The service will also customize itself to your interests, but won’t do so by tracking what you read.

Instead, Apple says the service will download groups of articles from its servers and then use on-device intelligence to make recommendations. That means Apple won’t know what you read and won’t allow advertisers to track you either.

When you subscribe, your whole family can access the magazines through Apple Family Sharing, for the same price.

Apple had signaled its intention to enter the premium news subscription business when it acquired digital newsstand startup Texture in spring 2018. Shortly thereafter, reports surfaced that Apple was planning to relaunch Texture’s product as part of the existing Apple News application. The company had been courting high-profile publishers, but industry reaction was mixed.

That appears to remain the case as the service goes to launch. While it does offer The Wall Street Journal – announced ahead of today’s event – other top publishers like The New York Times and The Washington Post have chosen not to participate.

Apple News+ is available in the U.S. and Canada starting today. In Canada, The Star is participating. Later this year, Apple News+ will arrive in Europe, starting with the UK, and Australia.



from Apple – TechCrunch https://ift.tt/2YlPEOl