Software

Samsung spilled SmartThings app source code and secret keys


A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not protected with a password, allowing anyone to look inside each project and access and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that, if obtained by a malicious actor, could have been “disastrous,” he said.
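The two failures the article describes, plaintext AWS credentials and GitLab private tokens committed to projects that were then left public, are exactly what a pre-publication secret scan and a visibility audit are meant to catch. The following Python is an added example written for this page; it is not code from the article, from SpiderSilk or from Samsung. The AWS key shapes (a 20-character key ID starting with "AKIA", a 40-character secret) are AWS conventions, and the "glpat-" prefix is what newer GitLab versions put on personal access tokens; the keyword rule for unprefixed tokens is an assumption made to cover older instances like the one in the story. The config file and project listing are constructed sample data, with the AWS values being the placeholder pair from AWS documentation; the `visibility` and `path_with_namespace` fields mirror the GitLab projects API.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Detection rules. AWS key ID: "AKIA" + 16 upper-case alphanumerics. AWS secret key:
# 40 base64-style characters after the config key name. GitLab PAT: "glpat-" prefix on
# current versions; the keyword rule (assumption) catches unprefixed tokens that older
# instances issued, as long as they sit next to a recognisable token setting.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "gitlab_pat_prefixed": re.compile(r"\b(glpat-[A-Za-z0-9_-]{20,})\b"),
    "gitlab_pat_keyword": re.compile(
        r"(?i)(?:private[_-]?token|gitlab[_-]?token)\s*[=:]\s*['\"]?(?!glpat-)([A-Za-z0-9_-]{20,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    redacted: str  # the full secret never goes into logs, tickets or CI output


def redact(secret: str) -> str:
    """Keep the first and last four characters so the owner can identify the key."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Run every rule over every line; one Finding per match, secret redacted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings.append(Finding(rule, line_no, redact(match.group(1))))
    return findings


def public_projects(projects: list[dict]) -> list[str]:
    """Paths of projects whose GitLab 'visibility' is public, i.e. readable by anyone."""
    return [p["path_with_namespace"] for p in projects if p.get("visibility") == "public"]


# Constructed sample of a config file committed to a project (not real credentials;
# the AWS values are the placeholder pair used in AWS documentation).
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
PRIVATE-TOKEN: xyzAbc123Def456Ghi78
GITLAB_TOKEN="glpat-aaaaaaaaaaaaaaaaaaaa"
log_bucket = s3://analytics-logs-example
"""

# Constructed project listing in the shape returned by the GitLab projects API.
SAMPLE_PROJECTS = [
    {"path_with_namespace": "team/mobile-app", "visibility": "public"},
    {"path_with_namespace": "team/build-scripts", "visibility": "private"},
    {"path_with_namespace": "team/analytics-pipeline", "visibility": "public"},
]

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule} -> {f.redacted}")
    print("public projects to review:", public_projects(SAMPLE_PROJECTS))
```

Run as a CI step, a non-empty result from `scan_text` over the changed files should fail the pipeline; run against the projects API, `public_projects` gives the list that has to be justified before anyone outside the team can read it. Redaction in the finding itself matters because scanner output tends to end up in ticketing systems and chat, which would otherwise become the next leak.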

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens (Image: supplied)

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials, but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.


Powered by WPeMatico

The EU will reportedly investigate Apple following anti-competition complaint from Spotify


The spat between Spotify and Apple is going to be the focus of a new investigation from the EU, according to a report from the FT.

The paper reported today that the European Commission (EC), the EU’s regulatory body, plans to launch a competition inquiry around Spotify’s claim that the iPhone-maker uses its position as the gatekeeper of the App Store to “deliberately disadvantage other app developers.”

In a complaint filed to the EC in March, Spotify said Apple has “tilted the playing field” by operating iOS, the platform, and the App Store for distribution, as well as its own Spotify rival, Apple Music.

In particular, Spotify CEO Daniel Ek has said that Apple “locks” developers and their platform, which includes a 30 percent cut of in-app spending. Ek also claimed Apple Music has unfair advantages over rivals like Spotify, while he expressed concern that Apple controls communication between users and app publishers, “including placing unfair restrictions on marketing and promotions that benefit consumers.”

Spotify’s announcement was unprecedented — Ek claimed many other developers feel the same way, but do not want to upset Apple by speaking up. The EU is sure to tap into that silent base if the investigation does indeed go ahead as the FT claims.

Apple bit back at Spotify’s claims, but its response was more a rebuttal — or alternative angle — on those complaints. Apple did not directly address any of the demands that Spotify put forward, and those include alternative payment options (as offered in the Google Play store) and equal treatment for Apple apps and those from third-parties like Spotify.

The EU is gaining a reputation as a tough opponent that’s reining in U.S. tech giants.

Aside from its GDPR initiative, it has a history of taking action on apparent monopolies in tech.

Google was fined €1.49 billion ($1.67 billion) in March of this year over antitrust violations in search ad brokering, for example. Google was fined a record $5 billion last year over Android abuses and there have been calls to look into breaking the search company up. Inevitably, Facebook has come under the spotlight for a series of privacy concerns, particularly around elections.

Pressure from the EU has already led the social network to introduce clear terms and conditions around its use of data for advertising, while it may also change its rules limiting overseas ad spending around EU elections following concern from Brussels.

Despite what some in the U.S. may think, the EU’s competition commissioner, Margrethe Vestager, has said publicly that she is against breaking companies up. Instead, Vestager has pledged to regulate data access.

“To break up a company, to break up private property would be very far-reaching and you would need to have a very strong case that it would produce better results for consumers in the marketplace than what you could do with more mainstream tools. We’re dealing with private property. Businesses that are built and invested in and become successful because of their innovation,” she said in an interview at SXSW earlier this year.


Snap is channeling Asia’s messaging giants with its move into gaming


Snap is taking a leaf out of the Asian messaging app playbook as its social messaging service enters a new era.

The company unveiled a series of new strategies that are aimed at breathing fresh life into the service that has been ruthlessly cloned by Facebook across Instagram, WhatsApp and even its primary social network. The result? Snap has consistently lost users since going public in 2017. It managed to stop the rot with a flat Q4, but resting on its laurels isn’t going to bring back the good times.

Snap has taken a three-pronged approach: extending its stories feature (and ads) into third-party apps and building out its camera play with an AR platform, but it is the launch of social games that is the most intriguing. The other moves are logical, and they fall in line with existing Snap strategies, but games is an entirely new category for the company.

It isn’t hard to see where Snap found inspiration for social games — Asian messaging companies have long twinned games and chat — but the U.S. company is applying its own twist to the genre.


Firefox is now a better iPad browser


Mozilla today announced a new iOS version of Firefox that has been specifically optimized for Apple’s iPad. Given the launch of the new iPad mini this week, that’s impeccable timing. It’s also an admission that building a browser for tablets is different from building a browser for phones, which is what Mozilla mostly focused on in recent years.

“We know that iPads aren’t just bigger versions of iPhones,” Mozilla writes in today’s announcement. “You use them differently, you need them for different things. So rather than just make a bigger version of our browser for iOS, we made Firefox for iPad look and feel like it was custom made for a tablet.”

So with this new version, Firefox for iPad gets support for iOS features like split screen and the ability to set Firefox as the default browser in Outlook for iOS. The team also optimized tab management for these larger screens, including the option to see tabs as large tiles, “making it easy to see what they are, see if they spark joy and close with a tap if not.” And if you have a few tabs you want to share, then you can do so with the Send Tabs feature Mozilla introduced earlier this year.

Starting a private browsing session on iOS always took a few extra taps. The iPad version makes this a one-tap affair as it prominently highlights this feature in the tab bar.

Because quite a few iPad users also use a keyboard, it’s no surprise that this version of Firefox also supports keyboard shortcuts.

If you are an iPad user in search of an alternative browser, Firefox may now be a viable option for you. Give it a try and let us know what you think in the comments (just don’t remind us how you work from home for only a few hours a day and make good money… believe me, we’re aware).


Gaming clips service Medal has bought Donate Bot for direct donations and payments


The Los Angeles-based video gaming clipping service Medal has made its first acquisition as it rolls out new features to its user base.

The company has acquired the Discord-based donations and payments service Donate Bot to enable direct payments and other types of transactions directly on its site.

Now, the company is rolling out a service to any Medal user with more than 100 followers, allowing them to accept donations, subscriptions and payments directly from their clips on mobile, web, desktop and through embedded clips, according to a blog post from company founder Pim De Witte.

For now, and for at least the next year, the service will be free to Medal users — meaning the company won’t take a dime of any users’ revenue made through payments on the platform.

For users who already have a storefront up with Patreon, Shopify, Paypal.me, Streamlabs or ko-fi, Medal won’t wreck the channel — integrating with those and other payment processing systems.

Through the Donate Bot service, any user with a Discord server can generate a donation link, which can be customized to become more of a customer acquisition funnel for teams or gamers that sell their own merchandise.

A webhooks API gives users a way to add donors to various list or subscription services or stream overlays, and the Donate Bot is directly linked with Discord Bot List and Discord Server List as well, so you can accept donations without having to set up a website.

In addition, the company updated its social features, so clips made on Medal can ultimately be shared on social media platforms like Twitter and Discord — and the company is also integrated with Discord, Twitter and Steam in a way to encourage easier signups.


Fortnite Season 8 is now available, and it includes pirates, cannons and volcano lava


Fortnite, the world’s most popular game right now with some 200 million players, has just announced that its much-anticipated Season 8 is available.

For those of you who don’t play Fortnite, the title takes an episodic approach with new features, tools and maps released every few months. That keeps things fresh, gamers engaged and the money flowing as each new season offers a Battle Pass, which costs around $10 and unlocks a load of goodies, including skins and emote dance moves.

Season 8 is pretty much what the leaks this week suggested. The theme is pirates, with new skins that include a gigantic banana suit, pirates and snakes, and a pirate cannon is a new weapon that’s been added. Cannons can dish out 100 damage when there’s a direct hit, or administer 50 damage on those in the impact area — it can also be used to fire players to new locations.

The map is also a major Fortnite focus, and Season 8 has added lava to the existing volcano. Stepping on lava gives players one damage point per touch while there are volcanic vents that can be used to send a player or vehicle into the air using a gust of hot air. There’s also a range of treasure to be found inside pirate ships, another new addition (which is where the cannons can be found).

On the gameplay side, the major addition is “Party Assist” mode, which lets players bring their friends into Fortnite’s daily or weekly challenges. Those challenges are important to players because they unlock treasures, including skins, and, in fact, those who played Season 7 could earn a free Battle Pass for Season 8 by completing the right challenges. That might have saved a few million parents $10.

(By the way, if you’re struggling to load the game, that’s because scheduled maintenance kicked off at 4am EST in preparation for the new season launch — you can find more info on the status page here.)

Those are the main additions, though game-maker Epic Games has chucked in a few little touches — including extending the somewhat comical “infinite dab” feature from 11 hours to 12, meaning that your character will keep dancing a little longer when left in the lobby.

I can’t help but think Season 7 was a greater leap — as the addition of planes and ziplines really changed how players get around — but we’ll have to see how the gaming public reacts. This time around, a lot of the focus is on skins and emotes, rather than features.

A recent report suggested Fortnite’s revenue had dipped in January, but that was pretty unfair because it’s the month that followed a surge in spending around the December Battle Pass and also, more generally, a surge around the Christmas holidays.

Sources told us recently Epic Games banked $3 billion in profit across its entire business in 2018, thanks in particular to Fortnite, and it needs to keep its season releases compelling if that streak is to continue. There’s a lot riding on Season 8, particularly as credible rivals emerge.


Ford partners with geocoding startup what3words


Ford is partnering with what3words to give drivers access to the startup’s novel addressing system.

Under the partnership, drivers will be able to connect the free what3words app — on an iOS or Android device — to their vehicle via the SYNC 3 infotainment platform. Drivers can find three-word addresses on website contact pages, guidebooks and business cards, enter them via voice or text input, and receive directions through the vehicle’s navigation system.

The startup, founded in 2013, has divided the entire world into 57 trillion 3-by-3 meter squares and assigned three words to each one. The what3words app, which is available in 26 languages, has been adopted by logistics, travel, automotive and humanitarian organizations because it provides exact locations anywhere in the world.

The system is used by Lonely Planet, which has rolled out three-word addresses for each of its listings, as well as Mercedes-Benz, ride-hailing app Cabify, the UN, Red Cross and TomTom.

The startup has also attracted an interesting mix of investors, most recently Sony’s venture capital arm. And last year, Daimler took a 10 percent stake in what3words, following an announcement in 2017 to integrate the addressing system into Mercedes’ new infotainment and navigation system — called the Mercedes-Benz User Experience, or MBUX. MBUX is now in the latest Mercedes A-Class and B-Class cars and Sprinter commercial vehicles.

“We are more mobile than ever before, but with that comes its challenges. The growing traction that what3words is gaining within the automobility industry is a testament to how we are improving journeys and customer experiences,” CEO and co-founder Chris Sheldrick said.

What3words will initially be available to Ford owners in the U.K. and Ireland, Germany, Spain, the U.S. and Mexico. More markets and languages will follow later in the year. The addressing system can be downloaded for free on iOS and Android.


Google will bring its Assistant to Android Messages


It’s only been a few weeks since Google brought the Assistant to Google Maps to help you reply to messages, play music and more. This feature first launched in English and will soon start rolling out to all Assistant phone languages. In addition, Google also today announced that the Assistant will come to Android Messages, the standard text messaging app on Google’s mobile operating system, in the coming months.

If you remember Allo, Google’s last failed messaging app, then a lot of this will sound familiar. For Allo, after all, Assistant support was one of the marquee features. The difference, though, is that for the time being, Google is mostly using the Assistant as an additional layer of smarts in Messages, while in Allo you could have full conversations with a special Assistant bot.

In Messages, the Assistant will automatically pop up suggestion chips when you are having conversations with somebody about movies, restaurants and the weather. That’s a pretty limited feature set for now, though Google tells us that it plans to expand it over time.

What’s important here is that the suggestions are generated on your phone (and that may be why the machine learning model is limited, too, since it has to run locally). Google is clearly aware that people don’t want the company to get any information about their private text chats. Once you tap on one of the Assistant suggestions, though, Google obviously knows that you were talking about a specific topic, even though the content of the conversation itself is never sent to Google’s servers. The person you are chatting with will only see the additional information when you push it to them.


Opera adds a free VPN to its Android browser app


Opera became the first browser-maker to bundle a VPN with its service, and now that effort is expanding to mobile.

The company announced today that its Android browser app will begin offering a free VPN. The feature will be rolled out to beta users on a gradual basis. The VPN is free and unlimited, and it can be set to locations in America, Europe and Asia as well as an “optimal” setting that hooks up the fastest available connection. Switching on the VPN means that user traffic data isn’t collected by Opera, while it makes it harder for websites to track location and user data.

There are granular settings too, which include limiting VPN usage to private tabs and switching it off for search engines to get more local results.

Opera previously offered a free VPN app for Android and iOS, but that project was closed last year. The new strategy, it seems, was to bake that technology directly into the browser to give it a more competitive advantage and use the tech to bring more users into the Opera ecosystem. There’s no word on an iOS launch.

“The reason why we are including this built-in VPN in our Android browser is because it gives you that extra layer of protection that you are searching for in your daily mobile browsing,” the company — which listed on the Nasdaq last year — said in a blog post.

The VPN — which is powered by a 2015 acquisition — is one of a number of privacy features that Opera offers. Others include cookie dialog blocking, cryptojacking blocking and ad blocking. The company has also offered support for crypto with the addition of a crypto wallet, support for Web 3 apps and — as of this week — a feature that lets users buy crypto from inside their browser.

Besides its core apps, Opera also offers a “Touch” browser that is optimized for devices that don’t have a home button. It launched on Android and expanded to iOS late last year.


China finally grants a game license to Tencent


Tencent has finally come out of a prolonged freeze on game approvals as Beijing granted licenses to two of its mobile games this month.

According to a notice published Thursday by China’s State Administration of Press, Publication, Radio, Film and Television, Tencent’s titles are among nearly 200 games assigned licenses in January.

That’s big news for the Shenzhen-based firm, which has seen its share price plummet in the past months because the licensing halt crippled its ability to generate gaming revenues. Tencent is best known for its immensely popular WeChat messenger, but games contribute a bulk of its earnings.

Both games approved are for educational purposes so are unlikely to generate income at the level of Tencent’s more lucrative role-playing titles, such as Honor of Kings. Tencent has been at the center of government criticisms on games deemed harmful and addictive, and the firm has subsequently introduced so-called “utility games” in 2018 designed to promote traditional Chinese culture, science and technology.

That said, the tech giant could be raking in big bucks from a third-party game that also got approved this week. The title comes from China’s third-largest game publisher, Perfect World, with exclusive publishing rights handled by Tencent.

“The game is the mobile version of the extremely successful massively multiplayer online role-playing game with the same name,” Daniel Ahmad, an analyst at market research firm Niko Partners, suggests to TechCrunch. “We note that Perfect World Mobile is a core game that is set to be a high revenue generating title when it launches.”

China resumed its game approval process in December after a nine-month hiatus during which it worked to reshuffle its main regulating bodies for games. However, it left Tencent, the country’s biggest game publisher, and runner-up NetEase off its first batch of approved titles that month.

NetEase also scored its first post-freeze license in January and had better luck than Tencent, winning a nod for a multiplayer online role-playing game.

Despite the thawing, industry experts warn that approvals will come at a much slower rate than before as Chinese regulators look to more closely monitor game content, putting the burden on developers and publishers to decipher new industry rules.

“The size of the gaming company does not matter. It matters how fast the company can be adapting to the new set of rules and guidelines,” Shenzhen-based game consultant Ilya Gutov told TechCrunch in December.

“As the review and approval process for games resumes, we are confident that Tencent will be producing more compliant and higher-quality cultural work for society and the public,” a Tencent spokesperson said in December, highlighting its plan to churn out content that fits into China’s ideological agenda.
