Wednesday, 8 May 2019

Google Play is changing how app ratings work

Two years ago, Apple changed the way its app store ratings worked by allowing developers to decide whether or not their ratings would be reset with their latest app update — a feature that Apple suggests should be used sparingly. Today, Google announced it’s making a change to how its Play Store app ratings work, too. But instead of giving developers the choice of when ratings will reset, it will begin to weight app ratings to favor those from more recent releases.

“You told us you wanted a rating based on what your app is today, not what it was years ago, and we agree,” said Milena Nikolic, an Engineering Director leading Google Play Console, who detailed the changes at the Google I/O Developer conference today.

She explained that, soon, the average rating calculation for apps will be updated for all Android apps on Google Play. Instead of a lifetime cumulative value, the app’s average rating will be recalculated to “give more weight” to the most recent users’ ratings.

With this update, users will be able to better see, at a glance, the current state of the app — meaning, any fixes and changes that made it a better experience over the years will now be taken into account when determining the rating.

“It will better reflect all your hard work and improvements,” touted Nikolic, of the updated ratings.

On the flip side, however, this change also means that once-high-quality apps that have since failed to release new updates and bug fixes will now have a rating that reflects their current state of decline.

It’s unclear how much the change will more broadly impact Google Play Store SEO, where today app search results are returned based on a combination of factors, including app names, descriptions, keywords, downloads, reviews and ratings, among other factors.

The updated app ratings were one of numerous Google Play changes announced today, along with the public launch of dynamic delivery features, new APIs, refreshed Google Play Console data, custom listings, and even “suggested replies” — like those found in Gmail, but for responding to Play Store user reviews.

End users of the Google Play Store won’t see the new, recalculated rating until August, but developers can preview their new rating today in their Play Store Console.



from Android – TechCrunch https://tcrn.ch/2Haez0M
via IFTTT

Samsung spilled SmartThings app source code and secret keys

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside each project and to access and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens. (Image: supplied).

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.




from Android – TechCrunch https://tcrn.ch/2DV8xPv

Tuesday, 7 May 2019

Android Q scores a system-wide ‘Dark Theme’

Google is bringing a system-wide dark mode to Android Q. It’s called Dark Theme and it’s exactly what you would expect, changing white page elements to solid black across the OS for friendlier night-time viewing.

You’ll be able to activate dark mode by tapping a dedicated tile in Quick Settings, or it can be auto-triggered when you turn on battery-saver mode. The company says the mode “will help you save battery,” highlighting how “Dark Theme” will fire up fewer pixels on your OLED device.

It looks like the theme will be coming to all of the first-party Android apps. Developers should be able to bring the functionality to their apps to easily trigger dark modes when Dark Theme is enabled.

Google acknowledged it was a small update, but that didn’t stop the crowd from whooping it up.



from Android – TechCrunch https://tcrn.ch/2H73M7m

Google launches new Assistant developer tools

At its I/O conference, Google today announced a slew of new tools for developers who want to build experiences for the company’s Assistant platform. These range from the ability to build games for smart displays like the Google Home Hub and the launch of App Actions for taking users from an Assistant answer to their native apps, to a new Local Home SDK that allows developers to run their smart home code locally on Google Home Speakers and Nest Displays.

This Local Home SDK may actually be the most important announcement in this list, given that it turns these devices into a real hardware hub for smart home devices and provides local compute capacity without the round-trip to the cloud. The first set of partners includes Philips, Wemo, TP-Link and LIFX, but the SDK will become available to all developers next month.

In addition, this SDK will make it easier for new users to set up their smart devices in the Google Home app. Google tested this feature with GE last October and is now ready to roll it out to additional partners.

For developers who want to take people from the Assistant to the right spot inside of their native apps, Google announced a preview of App Actions last year. Health and fitness, finance, banking, ridesharing and food ordering apps can now make use of these built-in intents. “If I wanted to track my run with Nike Run Club, I could just say ‘Hey Google, start my run in Nike Run Club’ and the app will automatically start tracking my run,” Google explains in today’s announcement.

For how-to sites, Google also announced extended markup support that allows them to prepare their content for inclusion in Google Assistant answers on smart displays and in Google Search using standard schema.org markup.

You can read more about the new ability to write games for smart displays here, but this is clearly just a first step and Google plans to open up the platform to more third-party experiences over time.



from Android – TechCrunch https://tcrn.ch/304IXAX

Google launches Jetpack Compose, an open-source, Kotlin-based UI development toolkit

Google today announced the first preview of Jetpack Compose, a new open-source UI toolkit for Kotlin developers who want to use a reactive programming model similar to that of React Native and Vue.js.

Jetpack Compose is an unbundled toolkit that is part of Google’s overall Android Jetpack set of software components for Android developers, but there is no requirement to use any other Jetpack components. With Jetpack Compose, Google is essentially bringing the UI-as-code philosophy to Android development. Compose’s UI components are fully declarative and allow developers to create layouts by simply describing what the UI should look like in their code. The Compose framework will handle all the gory details of UI optimization for the developer.

Developers can mix and match the Jetpack Compose APIs and views with those based on Android’s native APIs. Out of the box, Jetpack Compose also natively supports Google’s Material Design.

As part of today’s overall Jetpack update, Google is also launching a number of new Jetpack components and features. These range from support for building apps for Android for Cars and Android Auto to an Enterprise library for making it easier to integrate apps with Enterprise Mobility Management solutions and built-in benchmarking tools.

The standout feature, though, is probably CameraX, a new library that allows developers to build camera-centric features and applications and gives them access to essentially the same features as the native Android camera app.



from Android – TechCrunch https://tcrn.ch/2VUrITI

Android developers can now force app updates

Half a year ago, at the Android Dev Summit, Google announced a new way for developers to force their users to update their apps when they launch new features or important bug fixes. It’s only now, at Google I/O, though, that the company is actually making this feature available to developers. Previously, it was only available to a few select Google partners.

In addition, Google is also launching its dynamic updates feature out of beta. This allows developers to deliver some of their apps’ modules on demand, reducing the file size for the initial install.

“Right now, if you have an update, either you have auto-update or you need to go to the Play Store to even know that there is an update, or maybe the Play Store will give you a notification,” Chet Haase, Chief Advocate for Android, said. “But what if you have a really critical feature that you want people to get or, let’s say, a security issue you want to address, or a payment issue and you really want all of your users to get that as quickly as they can.”

This new feature, called Inline Updates, gives developers access to a new API that they can then use to force users to update. Developers can force users to update, say with a full-screen blocking message, force-install the update in the background and restart the app when the download has completed, or create their own custom update flows.



from Android – TechCrunch https://tcrn.ch/2LpVwDH

Google’s latest Android Studio release focuses on speed and stability

At last year’s I/O developer conference, Google announced Project Marble, an effort to bring more speed and stability to the company’s Android Studio IDE. That was in marked contrast to previous updates, where the focus was very much on adding new features. Over time, though, as Google extended Android Studio, it started to slow down. Android Studio 3.5, which the company is launching today, is the result of these efforts.

“We are certainly not done improving quality with Android Studio, but with the work and new infrastructure put into Project Marble we hope that you are even more productive in developing Android apps,” the company notes in today’s announcement.

The most important updates probably focus on speed. One of the things that slowed Android Studio down was memory leaks, for example. Over the last year, the team fixed 33 major memory leaks and a new feature allows the IDE to collect more information about how it uses memory and suggest memory settings for you. It’s now also easier for developers to share their memory problems with Google.

The team also addressed user interface freezes and improved both build and overall IDE speed. The Android Emulator now also uses fewer CPU resources, often by up to 3x.

One interesting update will bring a welcome change to Android Studio users on Windows. Developers on Microsoft’s platform often complained about how their build times were getting slower. The reason for this, it turned out, was that many anti-virus programs would scan Android Studio’s build targets — and these have a lot of small files. Scanning those takes up a lot of I/O and CPU bandwidth. With this update, the IDE now checks the directories that could be impacted by this and recommends how to fix the issue.

In addition to these updates that focus on speed and stability, the team also polished numerous existing features, ranging from improved IntelliJ support to Layout Editor improvements. Android Studio 3.5 is now also officially supported on Chrome OS 72 and high-end x86-based Chromebooks.



from Android – TechCrunch https://tcrn.ch/2VPPUXo