The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Google

Google Advises Android Developers to Encrypt App Data On Device

Google Advises Android Developers to Encrypt App Data On Device
February 26, 2020Ravie Lakshmanan
Google today published a blog post recommending mobile app developers to encrypt data that their apps generate on the users' devices, especially when they use unprotected external storage that's prone to hijacking. Moreover, considering that there are not many reference frameworks available for the same, Google also advised using an easy-to-implement security library available as part of its Jetpack software suite. The open-sourced Jetpack Security (aka JetSec) library lets Android app developers easily read and write encrypted files by following best security practices , including storing cryptographic keys and protecting files that may contain sensitive data, API keys, OAuth tokens. To give a bit of context, Android offers developers two different ways to save app data. The first one is app-specific storage, also known as internal storage, where the files are stored in a sandboxed folder meant for a specific app's use and inaccessible to other apps on the same

Xiaomi Cameras Connected to Google Nest Expose Video Feeds From Others

Xiaomi Cameras Connected to Google Nest Expose Video Feeds From Others
January 03, 2020Wang Wei
Internet-connected devices have been one of the most remarkable developments that have happened to humankind in the last decade. Although this development is a good thing, it also stipulates a high security and privacy risk to personal information. In one such recent privacy mishap, smart IP cameras manufactured by Chinese smartphone maker Xiaomi found mistakenly sharing surveillance footage of Xiaomi users with other random users without any permission. The issue appears to affect Xiaomi IP cameras only when streamed through connected Google's Nest Hub, which came into light when a Reddit user claimed that his Google Nest Hub is apparently pulling random feeds from other users instead of his own Xiaomi Mijia cameras. The Reddit user also shared some photos showing other people's homes, an older adult sleeping on a chair, and a baby sleeping in its crib that appeared on his Nest Hub screen. It appears the issue doesn't reside in Google products; instead, it c

Google Offers Financial Support to Open Source Projects for Cybersecurity

Google Offers Financial Support to Open Source Projects for Cybersecurity
December 18, 2019Mohit Kumar
Besides rewarding ethical hackers from its pocket for responsibly reporting vulnerabilities in third-party open-source projects, Google today announced financial support for open source developers to help them arrange additional resources, prioritizing the security of their products. The initiative, called " Patch Rewards Program ," was launched nearly 6 years ago, under which Google rewards hackers for reporting severe flaws in many widely used open source software, including OpenSSH, OpenSSL, Linux kernel, Apache, Nginx, jQuery, and OpenVPN. So far, Google has paid hundreds of thousands of dollars as bounty to hackers across the world who helped improve the overall security of many crucial open source software and technologies that power the Internet, operating systems, and networks. The company has now also decided to motivate volunteer work done by the open source community by providing upfront financial help to project teams, using which they can acquire addition

Google offers up to $1.5 million bounty for remotely hacking Titan M chip

Google offers up to $1.5 million bounty for remotely hacking Titan M chip
November 22, 2019Wang Wei
With its latest announcement to increase bug bounty rewards for finding and reporting critical vulnerabilities in the Android operating system, Google yesterday set up a new challenging level for hackers that could let them win a bounty of up to $1.5 million. Starting today, Google will pay $1 million for a "full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices," the tech giant said in a blog post published on Thursday. Moreover, if someone manages to achieve the same in the developer preview versions of Android, Google will pay an additional $500,000, making the total to $1.5 million—that's 7.5 times more than the previous top Android reward. Introduced within the Pixel 3 smartphones last year, Google's Titan M secure element is a dedicated security chip that sits alongside the main processor, primarily designed to protect devices against the boot-time attacks. In other words, Titan M chip

Verizon, AT&T, Sprint and T-Mobile to replace SMS with RCS Messaging in 2020

Verizon, AT&T, Sprint and T-Mobile to replace SMS with RCS Messaging in 2020
October 25, 2019Mohit Kumar
Mobile carriers in the United States will finally offer a universal cross-carrier communication standard for the next-generation RCS messaging service that is meant to replace SMS and has the potential to change the way consumers interact with brands for years to come. All major United States mobile phone carriers, including AT&T, Verizon, T-Mobile, and Sprint, have joined forces to launch a new initiative that will replace SMS with RCS mobile messaging standard . What's more? The initiative is also working with its carrier ownership group and other companies to develop and deploy the new RCS standard in a new text messaging app for Android phones that is expected to be launched in 2020. The goal of this joint venture , dubbed the Cross Carrier Messaging Initiative (CCMI) , is to deliver the GSMA's Rich Communications Service (RCS) industry standard to consumers and businesses on each of the four carriers, both in the United States and globally. "Efforts like

Google Fined $170 Million For Violating Kids' Privacy On YouTube

Google Fined $170 Million For Violating Kids' Privacy On YouTube
September 05, 2019Wang Wei
Google has finally agreed to pay $170 million fine to settle allegations by the Federal Trade Commission and the New York attorney general that its YouTube service earned millions by illegally harvesting personal information from children without their parents' consent. The settlement requires Google to pay $136 million to the FTC and an additional $34 million fine to New York state for allegedly violating the Children's Online Privacy Protection Act (COPPA) Rule. The COPPA rule requires child-directed websites and online services to explicitly obtain parental consent before collecting personal information from children under the age of 13 and then using it for targeted advertising. However, an FTC investigation [ PDF ] against Google's video service for children, called YouTube Kids, revealed that it had illegally gathered kids' data under 13. The data also includes children' persistent identification codes used to track a user's Internet browsing hab

Google Proposes 'Privacy Sandbox' to Develop Privacy-Focused Ads

Google Proposes 'Privacy Sandbox' to Develop Privacy-Focused Ads
August 23, 2019Swati Khandelwal
Google today announced a new initiative—called Privacy Sandbox —in an attempt to develop a set of open standards that fundamentally enhances privacy on the web while continuing to support a free, open and democratic Internet through digital advertisements. A lot of websites on the Internet today, including The Hacker News, rely on online advertisements as their primary source of funding to operate and keep their professionally created content open and freely accessible to everyone. However, with the evolution of online advertising, the targeted advertisement technologies have become too much invasive because of involved intrusive practices and more prudent approaches to accurately curate users' personal information, thereby raising serious privacy concerns among Internet users. In its latest blog post , Google acknowledged that ad tracking is "now being used far beyond its original design intent," but also highlights that unplanned attempts to address privacy con

Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows

Google Discloses 20-Year-Old Unpatched Flaw Affecting All Versions of Windows
August 13, 2019Swati Khandelwal
Update — With this month's patch Tuesday updates, Microsoft has finally addressed this vulnerability, tracked as CVE-2019-1162 , by correcting how the Windows operating system handles calls to Advanced Local Procedure Call (ALPC). A Google security researcher has just disclosed details of a 20-year-old unpatched high-severity vulnerability affecting all versions of Microsoft Windows, back from Windows XP to the latest Windows 10. The vulnerability resides in the way MSCTF clients and server communicate with each other, allowing even a low privileged or a sandboxed application to read and write data to a higher privileged application. MSCTF is a module in Text Services Framework (TSF) of the Windows operating system that manages things like input methods, keyboard layouts, text processing, and speech recognition. In a nutshell, when you log in to your Windows machine, it starts a CTF monitor service that works as a central manager to handle communications between all c

Android Users Can Now Log in to Google Services Using Fingerprint

Android Users Can Now Log in to Google Services Using Fingerprint
August 12, 2019Swati Khandelwal
If you're using Chrome on Android, you can now sign-in to your Google account and some of the other Google services by simply using your fingerprint, instead of typing in your password every time. Google is rolling out a new feature, called " local user verification ," that allows you to log in to both native applications and web services by registering your fingerprint or any other method you've set up to unlock your Android device, including pins, pattern or password. The newly introduced mechanism, which has also been named "verify it's you," takes advantage of Android's built-in FIDO2 certified security key feature that Google rolled out earlier this year to all devices running Android version 7.0 Nougat or later. Besides FIDO2 protocol, the feature also relies on W3C WebAuthn (Web Authentication API) and FIDO Client to Authenticator Protocol (CTAP), which are designed to provide simpler and more secure authentication mechanism that sit

Your Android Phone Can Get Hacked Just By Playing This Video

Your Android Phone Can Get Hacked Just By Playing This Video
July 25, 2019Wang Wei
Are you using an Android device? Beware! You should be more careful while playing a video on your smartphone—downloaded anywhere from the Internet or received through email. That's because, a specially crafted innocuous-looking video file can compromise your Android smartphone—thanks to a critical remote code execution vulnerability that affects over 1 billion devices running Android OS between version 7.0 and 9.0 (Nougat, Oreo, or Pie). The critical RCE vulnerability (CVE-2019-2107) in question resides in the Android media framework, which if exploited, could allow a remote attacker to execute arbitrary code on a targeted device. To gain full control of the device, all an attacker needs to do is tricking the user into playing a specially crafted video file with Android's native video player application. Though Google already released a patch earlier this month to address this vulnerability, apparently millions of Android devices are still waiting for the latest A

New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission

New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission
July 17, 2019Swati Khandelwal
Earlier this month, The Hacker News covered a story on research revealing how over 1300 Android apps are collecting sensitive data even when users have explicitly denied the required permissions. The research was primarily focused on how app developers abuse multiple ways around to collect location data, phone identifiers, and MAC addresses of their users by exploiting both covert and side channels. Now, a separate team of cybersecurity researchers has successfully demonstrated a new side-channel attack that could allow malicious apps to eavesdrop on the voice coming out of your smartphone's loudspeakers without requiring any device permission. Abusing Android Accelerometer to Capture Loudspeaker Data Dubbed Spearphone , the newly demonstrated attack takes advantage of a hardware-based motion sensor, called an accelerometer, which comes built into most Android devices and can be unrestrictedly accessed by any app installed on a device even with zero permissions. An

Android's Built-in Security Key Now Works With iOS Devices For Secure Login

Android's Built-in Security Key Now Works With iOS Devices For Secure Login
June 12, 2019Mohit Kumar
In April this year, a software update from Google overnight turned all Android phones , running Android 7.0 Nougat and up, into a FIDO-certified hardware security key as part of a push to encourage two-step verification. The feature made it possible for users to confirm their identity when logging into a Google account more effortless and secure, without separately managing and plugging-in a Yubico's YubiKey or Google's Titan key . "FIDO security keys provide the strongest protection against automated bots, bulk phishing, and targeted attacks by leveraging public key cryptography to verify your identity and URL of the login page, so that an attacker can't access your account even if you are tricked into providing your username and password," Google said . Android's security key feature until now was only compatible with Bluetooth-enabled Chrome OS, macOS, or Windows 10 devices over the Chrome browser. However, the latest update from Google now allow

US Tech Giants Google, Intel, Qualcomm, Broadcom Break Up With Huawei

US Tech Giants Google, Intel, Qualcomm, Broadcom Break Up With Huawei
May 20, 2019Mohit Kumar
Google has reportedly suspended all businesses with the world's second-biggest smartphone maker, Huawei, and revoked its Android license effective immediately—a move that will have a drastic impact on Huawei devices across the globe. Revoking Android license means Huawei future smartphones will no longer have access to Android updates and apps like Gmail or the Play Store, as well as Google technical support beyond services that are publicly available via open source licensing, Reuters report. Why? That's because last week, U.S. President Donald Trump signed an executive order declaring a national emergency banning foreign companies—over surveillance fear—from doing telecommunication business in the United States without the government's approval. About the executive order, White House Press Secretary Sarah Sanders said in a statement that President Trump "has made it clear that this Administration will do what it takes to keep America safe and prosperous, an

Google Chrome to Introduce Improved Cookie Controls Against Online Tracking

Google Chrome to Introduce Improved Cookie Controls Against Online Tracking
May 08, 2019Mohit Kumar
At the company's I/O 2019 developer conference, Google has announced its plan to introduce two new privacy and security-oriented features in the upcoming versions of its Chrome web browser. In an attempt to allow users to block online tracking, Google has announced two new features—Improved SameSite Cookies and Fingerprinting Protection—that will be previewed by Google in the Chrome web browser later this year. Cookies, also referred to as HTTP cookies or browser cookies, are the small pieces of information that websites store on your computer, which play an important role in improving your online experience. Cookies are created by a web browser when a user loads a particular website, which helps the website to remember information about your visit, like your login information, preferred language, items in the shopping cart and other settings. However, cookies are also being widely used to identify users and track their activities not only on the site that issued a cooki

Google Adds New Option to 'Auto-Delete' Your Location History and Activity Data

Google Adds New Option to 'Auto-Delete' Your Location History and Activity Data
May 02, 2019Swati Khandelwal
Google is giving you more control over how long you want the tech company to hold on to your location history and web activity data. Google has introduced a new, easier, privacy-focused auto-delete feature for your Google account that will allow you to automatically delete your Location History and Web and App Activity data after a set period of time. Google's Location History feature, if enabled, allows the company to track locations that you have visited, while Web and App Activity tracks websites you have visited and apps you have used. Until now, Google allowed you to either altogether disable the Location History and Web and App Activity feature or manually delete all or part of that data, providing no controls for regular deletion so that users can manage their data efficiently. However, an AP investigation last year revealed that even if you turn off the Location History feature in all your accounts, Google services on Android and iPhone devices continue to trac

Congress Asks Google 10 Questions On Its Location Tracking Database

Congress Asks Google 10 Questions On Its Location Tracking Database
April 24, 2019Mohit Kumar
U.S. Congress has sent an open letter to Google CEO Sundar Pichai asking for more information about its Sensorvault database that's reportedly being used by law enforcement agencies to solve crime cases. Last week, we reported a story based upon NY Times findings that revealed how using a "geofence" warrant, authorities obtain location history of all devices from Google's Sensorvault database that pass through a crime scene over a certain time period. For those unaware, Google maintains Sensorvault database over nearly the past decade which contains precise location information from hundreds of millions of smartphones around the world and shares it with authorities to help in criminal cases. However, Google does not share identifiable information on all devices after receiving a warrant. Instead, authorities have to first narrow down their list of suspects using the location history data, only after which Google shares further information about a few selected u

Google Makes it Tough for Rogue App Developers Get Back on Android Play Store

Google Makes it Tough for Rogue App Developers Get Back on Android Play Store
April 16, 2019Swati Khandelwal
Even after Google's security oversight over its already-huge Android ecosystem has evolved over the years, malware apps still keep coming back to Google Play Store. Sometimes just reposting an already detected malware app from a newly created Play Store account, or using other developers' existing accounts, is enough for 'bad-faith' developers to trick the Play Store into distributing unsafe apps to Android users. Since the mobile device platform is growing rapidly, every new effort Google makes apparently comes with trade-offs. For example, Google recently made some changes in its Play Store policies and added new restriction in Android APIs that now makes it mandatory for every new app to undergo rigorous security testing and review process before appearing in the Google Play Store. These efforts also include: restricting developers from abusing Android accessibility services, restricting apps access to certain permissions like call logs and SMS permi

Google Helps Police Identify Devices Close to Crime Scenes Using Location Data

Google Helps Police Identify Devices Close to Crime Scenes Using Location Data
April 15, 2019Swati Khandelwal
It's no secret that Google tracks you everywhere, even when you keep Google's Location History feature disabled. As revealed by an Associated Press investigation in 2018 , other Google apps like Maps or daily weather update service on Android allows the tech giant to continuously collect your precise latitude and longitude. According to Google, the company uses this location-tracking features with an intent to improve its users' experience, like "personalized maps, recommendations based on places you've visited, help finding your phone, real-time traffic updates about your commute, and more useful ads." Moreover, it's also known that Google could share your location data with federal authorities in criminal investigations when asked with a warrant. Google 'SensorVault' Database Help Police Solve Crimes But what many people weren't aware of is that Google also helps federal authorities identify suspects of crimes by sharing locati

Google Will Prompt European Android Users to Select Preferred Default Browser

Google Will Prompt European Android Users to Select Preferred Default Browser
March 20, 2019Swati Khandelwal
Google announced some major changes for its Android mobile operating system in October after the European Commission hit the company with a record $5 billion antitrust fine for pre-installing its own apps and services on third-party Android phones. The European Commission accused Google of forcing Android phone manufacturers to "illegally" tie its proprietary apps and services—specifically, Chrome and Google Search as the default browsers—to Android, unfairly blocking competitors from reaching consumers. This rule led Google to change the way it licenses the Google mobile application suite to Android smartphone makers. Now, Google is further making some changes related to browser and search engine choice. In a blog post published Tuesday, Google announced that the company would prompt Android phone owners in Europe (new and existing ones) in the coming months to choose from a variety of web browsers and search engines for their devices as their default apps. &

Google fined $57 million by France for lack of transparency and consent

Google fined $57 million by France for lack of transparency and consent
January 21, 2019Mohit Kumar
The French data protection watchdog CNIL has issued its first fine of €50 million (around $57 million) under the European Union's new General Data Protection Regulation (GDPR) law that came into force in May last year. The fine has been levied on Google for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization," the CNIL (National Data Protection Commission) said in a press release issued today. The fine was imposed following the latest CNIL investigation into Google after receiving complaints against the company in May 2018 by two non-profit organizations—None Of Your Business (NOYB) and La Quadrature du Net (LQDN). Why Has Google Been Fined? According to the CNIL, Google has been found violating two core privacy rules of the GDPR—Transparency, and Consent. First, the search engine giant makes it too difficult for users to find essential information, like the "data-processing purposes, the data storag
Exclusive Offers

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.