Software

Google to pay security researchers who find Android apps and Chrome extensions misusing user data

Posted by | Android, browser extension, chrome os, gmail, Google, google-chrome, Mobile, operating systems, Security, Software | No Comments

Google said it will pay security researchers who find “verifiably and unambiguous evidence” of data abuse using its platforms.

It’s part of the company’s efforts to catch those who misuse user data collected through Android apps or Chrome extensions — and to avoid its own version of a scandal like Cambridge Analytica, which saw millions of Facebook profiles scraped and used to identify undecided voters during the U.S. presidential election in 2016.

Google said anyone who identifies “situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent” is eligible for its expanded data abuse bug bounty.

“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store,” read a blog post. “In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed.” The company said abuse of its developer APIs would also fall under the scope of the bug bounty.

Google said it isn’t providing a reward table yet but a single report of data misuse could net $50,000 in bounties.

News of the expanded bounty comes in the wake of the DataSpii scandal, which saw browser extensions scrape and share data from millions of users. These Chrome extensions uploaded web addresses and web page titles of every site a user visited, exposing sensitive data like tax returns, patient data and travel itineraries.

Google was forced to step in and suspend the offending Chrome extensions.

Instagram recently expanded its own bug bounty to include misused user data following a spate of data incidents.

Powered by WPeMatico

Hackers to stress-test Facebook Portal at hacking contest

Posted by | Apps, computer security, computing, cryptography, cybercrime, Facebook, Facebook Portal, Hack, hacker, hardware, Mobile, national security, Oculus, privacy, pwn2own, Security, Software, tokyo, Trend Micro, Virtual reality, web browser | No Comments

Hackers will soon be able to stress-test the Facebook Portal at the annual Pwn2Own hacking contest, following the introduction of the social media giant’s debut hardware device last year.

Pwn2Own is one of the largest hacking contests in the world, where security researchers descend to find and demonstrate their exploits for vulnerabilities in a range of consumer electronics and technologies, including appliances and automobiles.

It’s not unusual for companies to allow hackers to put their products through their paces. Tesla earlier this year entered its new Model 3 sedan into the contest. A pair of researchers later scooped up $375,000 — and the car they hacked — for finding a severe memory randomization bug in the web browser of the car’s infotainment system.

Hackers able to remotely inject and run code on the Facebook Portal can receive up to $60,000, while a non-invasive physical attack or a privilege escalation bug can net $40,000.

Introducing the Facebook Portal is part of a push by Trend Micro’s Zero Day Initiative, which runs the contest, to expand the range of home automation devices available to researchers in attendance. Pwn2Own said researchers will also get a chance to try to hack an Amazon Echo Show 5, a Google Nest Hub Max, an Amazon Cloud Cam and a Nest Cam IQ Indoor.

Facebook said it also would allow hackers to find flaws in the Oculus Quest virtual reality kit.

Pwn2Own Tokyo, set to be held on November 6-7, is expected to dish out more than $750,000 in cash and prizes.


Through crowdsourcing, Cerberus Interactive wants to take location-based gaming to the masses

Posted by | Age of Empires, augmented reality, austin, bangladesh, Cerberus Interactive, games, Gaming, Los Angeles, New Orleans, niantic, Pokémon Go, Prince, Reddit, Salman Khan, simulation, Software, steve huffman, TC, Toshiba, video gaming | No Comments

Sami Khan began his work in the startup world by marketing mobile-based investment services like Acorns.

Now the marketer who helped grow that business to a nearly $1 billion valuation is turning his attention to location-based gaming in the hopes that he can take on leading contender Niantic with a faster, more flexible and fan-driven approach to game development with his new startup, Cerberus Interactive.

Khan’s pitch is that he’s taking the skills he honed building up services like Acorns or the browser extension for bargain hunters, Honey, to game development to make games more viral from their inception.

“The biggest thing is how do you de-risk what is perceived as a hit-driven industry?” Khan asks. “Games are closer to digital apps than back in the days of the console and companies should ship it like an e-commerce concept… If adoption of the game is going to be the decision factor of whether a game fails or succeeds… why isn’t the adoption of the game tested before the title is built or while the game is being conceived?”

So for his first foray into gaming, Khan is combining a crowdsourced approach to the development of the game and applying it to what many people think is gaming’s next big frontier — the location-based game phenomenon that hit its stride with Niantic’s Pokémon GO.

“Right now in location-based games you have the behemoth which is Niantic,” says Khan. “Right now the gaming industry looks at location-based games as its own sub genre. But when we look at location-based games, we believe that location-based games have an aspect that it is a game mechanic within other games.”

The first game that Cerberus is developing is a base-building simulator akin to a title like “Age of Empires,” but based on real-world locations. “Simulation games or casual games with location built in will have a bonus or an advantage over the stationary games that we play today,” says Khan.

The “Atlas Empires” title that Cerberus is currently developing is being made in concert with the gamers who might want to play it. So far, an undisclosed number of customers are already paying to have a say in certain aspects of the game’s development — kind of like a premier tier within a crowdfunding campaign.

Khan, a New Orleans native who splits his time between Los Angeles and Austin, has enlisted some marquee investors in his bid to challenge both the traditional ways in which games have been developed and the current industry leader.

Strategic investor MobilityWare has signed on to back the company along with individual investors like Steve Huffman, the co-founder and chief executive of Reddit, and Blake Chandler, the chief business officer of the runaway social network hit, TikTok.

Khan traces his love of games to his time visiting his cousins in Bangladesh and playing “Prince of Persia” on an early Toshiba laptop. “I remember sitting around the computer, watching my oldest cousin play because my dad didn’t want any of the kids touching the laptop,” Khan says.

So far the beta version of “Atlas Empires” has had 50,000 downloads and has about 1,000 daily players, Khan says. The commercial version of the game is expected to go live in the first quarter of 2020, says Khan.


Google Maps adds biking and ridesharing options to transit directions for multi-mode commutes

Posted by | Android, Apps, computing, eta, Google, Google-Maps, operating systems, smartphones, Software, TC, Transportation | No Comments

Google is introducing combo navigation directions that pair ridesharing and biking options with transit guidance. Starting today, when you search for directions using Google Maps and select the “transit” tab, you’ll see ridesharing options included when the nearest station is a bit farther than most people might expect to go on foot. Similarly, you’ll also see routes with bike suggestions for certain legs, all listed alongside routes that stick to just transit alone for a full range of options.

The new hybrid navigation options will include useful info like the cost of rideshare segments, as well as wait times and traffic conditions. You’ll be able to specify your preferred rideshare provider from this, available through Google Maps in your area, and also pick which rideshare method you prefer (i.e. pool or economy).

Bikers will get route directions specific to the best paths and roads for bikes to take, and in both cases, all of the available info will be fed into providing an overall ETA, so you can make an informed decision about which route and method of transportation to take depending on when you need to be where you’re going.

Google says that the combined transit/ridesharing navigation will start rolling out today on both Android and iOS, and that iOS users will start seeing the biking options today, with Android to follow in the coming weeks.


Apple patches previously fixed security bug that allowed iPhone jailbreak

Posted by | Apple, espionage, iOS, iPad, iPhone, Israel, Jamal Khashoggi, Mobile, operating systems, Security, smartphones, Software, Spyware | No Comments

Apple has fixed a security flaw for a second time after it accidentally reintroduced an old bug in a recent software update.

Released Monday, iOS 12.4.1 contains a security fix that was first patched months earlier in iOS 12.3. Apple rolled out a fix in May, but accidentally undid the security patch in its latest update, iOS 12.4, in July.

In a brief security advisory published after the software’s release, Apple said it fixed a kernel vulnerability that could have allowed an attacker to execute code on an iPhone or iPad with the highest level of privileges.


Apple’s latest security advisory for iOS 12.4.1

Those privileges, also known as system or root privileges, can open up a device to running apps that are not normally allowed by Apple’s strict rules. Known as jailbreaking, this lets apps access parts of a device that are normally off-limits. On one hand that allows users to extensively customize their devices, but it can also expose the device to malicious software, like malware or spyware apps.

Spyware apps often rely on undisclosed jailbreak exploits to get access to a user’s messages, track their location and listen to their calls without their knowledge. Nation states are known to hire mobile spyware makers to remotely install malware on the devices of activists, dissidents and journalists. Washington Post journalist Jamal Khashoggi, who was murdered by agents of the Saudi regime, is believed to have been targeted by mobile spyware, according to reports. The company accused of supplying the spyware, Israel-based NSO Group, has denied any involvement.

Apple confirmed it pushed out a fix in its security notes, which included a short acknowledgement to Pwn20wnd, the team that confirmed last week that its jailbreak was working again.

The same kernel vulnerability was fixed in a supplemental update for macOS 10.14.6.


Roblox announces new game-creation tools and marketplace, $100M in 2019 developer revenue

Posted by | david baszucki, Gaming, online games, player, Roblox, Software, video games, video gaming | No Comments

A week after gaming platform Roblox announced its new milestone of 100 million monthly users — topping Minecraft — the company said at its fifth annual developer conference that its developer community is on track to earn $100 million in 2019. Roblox also introduced a new set of developer tools for building immersive, more realistic 3D experiences; detailed its plans to make its developer software fully cloud-based; unveiled a new Developer Marketplace where creators can sell their development assets and tools to others; and more.

Over the past decade or so, Roblox has grown to become a $2.5 billion company, with roughly half of U.S. children ages 9 through 12 playing on its platform.

The company provides game-creation tools via Roblox Studio, which developers use to build their own games for people to play. Roblox doesn’t pay the developers for their work — rather, the developers generate revenue through virtual purchases, which players buy using the in-game currency Robux.

At its invite-only event, the Roblox Developers Conference, which was held Friday, August 9 through Sunday, August 11, the company announced new tools aimed at enabling small developer teams to work together to build more massive games that can support hundreds of players.

The news follows the growing popularity of Roblox’s larger games, like Adopt Me (180.7K players), Royale High (68.7K players), Welcome to Bloxburg (66.7K players), MeepCity (52.4K players), Murder Mystery 2 (33.7K players), Work at a Pizza Place (32.7K players) and others.

The new toolset will offer developers access to an enhanced lighting system, updated terrain and other visual upgrades, including support for building competitive matchmaking games that will match players of similar skill levels, the company said.

Roblox had earlier discussed its plans for these sorts of visual improvements, which VP of Product Enrico D’Angelo said were prioritized in order to up the quality of the games.

The company said at RDC it’s also on track to bring its creation tools, Roblox Studio, to the cloud by year-end. This will allow developers to collaborate in real time, access their development files online and work across computing platforms to do things like manage permissions, versions and rollbacks.

In addition to monetizing their games, developers also will be able to monetize their development assets and tools through a new Developer Marketplace, where they can sell their plug-ins, vehicles, 3D models, terrain enhancements and other items.

RDC 2019 Audience

“The Roblox creator community thinks of things we could never imagine, and their continued growth is our future,” said David Baszucki, founder and CEO, Roblox, in a statement about the new tools. “With top Roblox experiences achieving more than 100,000 concurrent users and 1 billion plays, there’s no denying the power of user-generated content. We are committed to supporting our creator community with the tools and resources they need to realize even greater success,” he added.

The company also made note of its improved localization support for Brazilian Portuguese, English, French, German, Japanese, Korean, Simplified and Traditional Chinese and Spanish, and discussed its recent Microsoft partnership in more detail.

Roblox had previously announced a collaboration with Microsoft Azure PlayFab, which made PlayFab’s LiveOps analytics service free to Roblox’s top 10,000 developers. This allows the game creators to track trends in player behavior, purchase history and game telemetry.

Alongside Roblox’s user growth, its creator community has been expanding, as well.

Today, there are more than 2 million Roblox game creators worldwide, ranging from indie developers to studios with teams of 10 or 20 people. Over 500 developers attended the three-day event in San Francisco and the private RDC 2019 viewing party in London.

“We ultimately become more and more inspired and convinced that this is not just the future of gaming, this is really the future of a whole new category,” said Baszucki, during the keynote. “I believe we’re sitting with not just the future of gaming,” he said, addressing the crowd of developers at RDC, “but the future of human co-experience.”

“We have this vision that there’s a new category emerging that’s bigger than gaming,” the CEO continued. “It’s the category that allows people around the world to connect, to not just play together, but to work together, to learn together and to create together.”

TechCrunch’s Extra Crunch recently analyzed Roblox’s history and business in its EC-1, which you can read here (Extra Crunch membership required).

Photo credits: Ian Tuttle/Getty Images for Roblox


Google launches ‘Live View’ AR walking directions for Google Maps

Posted by | Android, Apps, arkansas, augmented reality, computing, Google, Google-Maps, Mobile, operating systems, smartphones, Software, TC, Transportation | No Comments

Google is launching a beta of its augmented reality walking directions feature for Google Maps, with a broader launch that will be available to all iOS and Android devices that have system-level support for AR. On iOS, that means ARKit-compatible devices, and on Android, that means any smartphones that support Google’s ARCore, so long as “Street View” is also available where you are.

Originally revealed earlier this year, Google Maps’ augmented reality feature has been available in an early alpha mode to both Google Pixel users and to Google Maps Local Guides, but starting today it’ll be rolling out to everyone (this might take a couple of weeks depending on when you actually get pushed the update). We took a look at some of the features available with the early version in March, and it sounds like the version today should be pretty similar, including the ability to just tap on any location nearby in Maps, tap the “Directions” button, navigate to “Walking,” and then tap “Live View,” which should appear near the bottom of the screen.

The Live View feature isn’t designed with the idea that you’ll hold up your phone continually as you walk — instead, it provides quick, easy and super-useful orientation by showing you arrows and big, readable street markers overlaid on the real scene in front of you. That makes it much, much easier to orient yourself in unfamiliar settings, which is hugely beneficial when traveling in unfamiliar territory.

Google Maps is also getting a number of other upgrades, including a one-stop “Reservations” tab in Maps for all your stored flights, hotel stays and more — plus it’s backed up offline. This, and a new redesigned Timeline, which is airing on Android devices only for now, should also be rolling out to everyone over the next few weeks.


Sex tech companies and advocates protest unfair ad standards outside Facebook’s NY HQ

Posted by | Advertising Tech, computing, digital advertising, Facebook, Gadgets, Google, instagram, internet culture, Lora DiCarlo, online ads, operating systems, photo sharing, social media, Software, TC, United States | No Comments

A group of sex tech startup founders, employees and supporters gathered outside of Facebook’s NY office in Manhattan to protest its advertising policies with respect to what it classifies as sexual content. The protest, and a companion website detailing their position we reported on Tuesday, are the work of “Approved, Not Approved,” a coalition of sex health companies co-founded by Dame Products and Unbound Babes.

These policies as applied have fallen out of step with “the average person’s views of what should or shouldn’t be approved of ads,” according to Janet Lieberman, co-founder and CTO of Dame Products.

“If you look at the history of the sex toy industry, for example, vibrators were sexual health products until advertising restrictions were put on them in the 1920s and 1930s — and then they became dirty, and that’s how the industry got shady, and that’s why we have negative thoughts towards them,” she told me in an interview at the protest. “They’re moving back towards wellness in people’s minds, but not in advertising policies. There’s a double standard for what is seen as obscene, talking about men’s sexual health versus women’s sexual health and talking about products that aren’t sexual, and using sex to sell them, versus taking sexual products and having completely non-sexual ads for them.”

facebook ad protest nyc

Credit: TechCrunch

It’s a problem that extends beyond just Facebook and Instagram, Lieberman says. In fact, her company is also suing NYC’s MTA for discrimination for its own ad standards after it refused to run ads for women’s sex toys in their out-of-home advertising inventory. But it also has ramifications beyond just advertising, because in many ways what we see in ads helps define what we see as acceptable in terms of our everyday lives and conversations.

“Some of this stems from society’s inability to separate sexual products from feeling sexual, and that’s a real problem that we see that hurts women more than men, but hurts both genders, in not knowing how to help our sexual health,” Lieberman said. “We can’t talk about it without being sexual, and that we can’t bring things up, without it seeming like we’re bringing up something that is dirty.”


Credit: Unbound / Dame Products

“A lot of the people you see here today have Instagrams that have been shut down, or ads that have been not approved on Facebook,” said Bryony Cole, CEO at Future of Sex, in an interview. “Myself, I run Future of Sex, which is a sex tech hackathon, and a podcast focused on sex tech, and my Instagram’s been shut down twice with no warning. It’s often for things that Facebook will say they consider phallic imagery, but they’re not […] and yet if you look at images for something like HIMS [an erectile dysfunction medication startup, examples of their ads here], you’ll see those phallic practice images. So there’s this gross discrepancy, and it’s very frustrating, especially for these companies where a lot of the revenue in their business is around community that are online, which is true for sex toys.”

Online ads aren’t just a luxury for many of these startup brands and companies — they’re a necessary ingredient to continued success. Google and Facebook together account for the majority of digital advertising spend in the U.S., according to eMarketer, and it’s hard to grow a business that caters to primarily online customers without fair access to their platforms, Cole argues.

“You see a lot of sex tech or sexual wellness brands having to move off Instagram and find other ways to reach their communities,” she said. “But the majority of people, that’s where they are. And if they’re buying these products, they’re still overcoming a stigma about buying the product, so it’s great to be able to purchase these online. A lot of these companies started either crowdfunding, like Dame Products, or just through e-commerce sites. So the majority of their business is online. It’s not in a store.”


Credit: Unbound / Dame Products

Earlier this year, sex tech company Lora DiCarlo netted a win in getting the Consumer Technology Association to restore its CES award after community outcry. Double standards in advertising are a far more systemic and distributed problem, but these protests will hopefully help open up the conversation and prompt more change.


Uber riders now earn rewards for shopping during their trip with new Cargo app

Posted by | Amazon, Android, cargo, carsharing, commuting, driver, eCommerce, line, Nintendo, operating systems, Software, TC, transport, Transportation, Uber, universal studios | No Comments

Uber is launching a new shopping app with commerce partner Cargo, a startup with which it signed an exclusive global partnership last year. The app will feature items curated by Uber, including products like Nintendo Switch, Apple hardware, Away luggage, Glossier cosmetics and more, and will be available to download for Uber riders making trips in cars that have Cargo consoles on board. The Cargo app will also provide in-ride entertainment, including movies from Universal Studios available to purchase for between $5 and $10 each (with bundle discounts for multiple movies), which are then viewable in the Movies Anywhere app.

Uber riders will also benefit by receiving 10% of their purchase value back in Uber Cash, which they can then use either on future trips or on other purchases made through the Cargo app while riding. Uber drivers also benefit, earning 25% of the value of items purchased from the Cargo Box in-car, and an additional $1 for each first purchase by a passenger through the new app.

Riders just need to grab the iOS or Android app and then scan the QR code located on the Cargo Box in their driver’s car. Cargo’s app only allows purchases while on the trip, and then the item will be automatically shipped to a rider’s home address for free with an estimated delivery time of between two and five business days.

Cargo App Home Screen

This tie-up is a natural evolution for Uber’s business — the company hosts millions of riders every week, and many of those are taking relatively long trips to and from airports and other transit hubs, which provides ample opportunity to get them buying stuff or watching purchased content. Cargo, in which Uber has some equity stake, has a good opportunity to figure out how best to make the most of those trips.

This is hardly without precedent — airlines have attempted to capture consumer interest in the skies with onboard duty-free and other sales, as well as content for purchase. The big question will be whether Uber and Cargo together can provide enough additional purchase incentive versus riders just opening the Amazon app or other commerce options they have available on their own personal devices to make it a sustainable extension of their business.


AI photo editor FaceApp goes viral again on iOS, raises questions about photo library access

Posted by | Android, api, apple inc, Apple Photos, artificial intelligence, Banking, computing, iOS, ios 11, iOS 8, ML, ocr, operating systems, smartphones, Software, TC, Will Strafach | No Comments

FaceApp. So. The app has gone viral again after first doing so two years ago or so. The effect has gotten better but these apps, like many other one-off viral apps, tend to come and go in waves driven by influencer networks or paid promotion. We first covered this particular AI photo editor from a team of Russian developers about two years ago.

It has gone viral again now due to some features that allow you to edit a person’s face to make it appear older or younger. You may remember at one point it had an issue because it enabled what amounted to digital blackface by changing a person from one ethnicity to another.

In this current wave of virality, some new rumors are floating about FaceApp. The first is that it uploads your camera roll in the background. We found no evidence of this and neither did security researcher and Guardian App CEO Will Strafach or researcher Baptiste Robert.

The second is that it somehow allows you to pick photos without giving photo access to the app. You can see a video of this behavior here:

Shouldn’t photo access need to be enabled for this to be possible ? 🤔pic.twitter.com/wy45zKn63E

— Karissa Bell (@karissabe) July 16, 2019

While the app does indeed let you pick a single photo without giving it access to your photo library, this is actually 100% allowed by an Apple API introduced in iOS 11. It allows a developer to let a user pick one single photo from a system dialog to let the app work on. You can view documentation here and here.


Because the user has to tap on one photo, this provides something Apple holds dear: user intent. You have explicitly tapped it, so it’s ok to send that one photo. This behavior is actually a net good in my opinion. It allows you to give an app one photo instead of your entire library. It can’t see any of your photos until you tap one. This is far better than committing your entire library to a jokey meme app.

Unfortunately, there is still some cognitive dissonance here, because Apple allows an app to call this API even if a user has set the Photo Access setting to Never in settings. In my opinion, if you have it set to Never, you should have to change that before any photo can enter the app from your library, no matter what inconvenience that causes. Never is not a default, it is an explicit choice and that permanent user intent overrules the one-off user intent of the new photo picker.

I believe that Apple should find a way to rectify this in the future by making it more clear or disallowing if people have explicitly opted out of sharing photos in an app.


One good idea might be the equivalent of the ‘only once’ location option added to the upcoming iOS 13.

One thing that FaceApp does do, however, is it uploads your photo to the cloud for processing. It does not do on-device processing like Apple’s first party app does and like it enables for third parties through its ML libraries and routines. This is not made clear to the user.

I have asked FaceApp why they don’t alert the user that the photo is processed in the cloud. I’ve also asked them whether they retain the photos.

Given how many screenshots people take of sensitive information like banking and whatnot, photo access is a bigger security risk than ever these days. With a scraper and optical character recognition tech you could automatically turn up a huge amount of info way beyond ‘photos of people’.

So, overall, I think it is important that we think carefully about the safeguards put in place to protect photo archives and the motives and methods of the apps we give access to.
