With both the Polestar 2 and Volvo XC40 set to launch sometime in 2020, there's still some time before the first slate of Android Automotive cars make their way to consumers. Thankfully, Google is making it easier for developers to create apps for the infotainment system to ensure a smooth experience for early adopters. The company says it's rolling out a new version of the Android Automotive emulator that includes the Google Play Store.
That means they can test everything about an app, including downloading and installing it, without having to wait for a car actually running Android Automotive. With its close ties to Android Auto, Google adds that it's "simple" to port over any existing experiences to Android Automotive, with the company showing off examples from Amazon and Audioburst (seen below). All of this is good news if you plan to hop on Android Automotive early, since Google is taking the right steps to ensure the system has a compelling third-party ecosystem at launch. The lower barrier of entry may mean you'll also see apps from more than just the big names like Spotify.
The company also has its eyes on the future. In May, Google said that it eventually plans to allow third-party developers to create more than just media apps. The company hasn't said when that will happen, but at some point, dev shops will be able to port their navigation and communication platforms over as well.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
We’ve known since the spring of last year that Amazon Alexa and Google Home smart speakers can eavesdrop on owners, and even phish them via voice. However, new research shows that new malicious apps with these capabilities continue to be approved by both companies.
The two vulnerabilities, demonstrated in videos below, occur because both companies make their speakers smarter by allowing third-party developers to create apps or “skills” for them. Apple’s HomePod is safe because the company doesn’t allow this type of third-party access…
Both Amazon and Google have deployed countermeasures every time, yet newer ways to exploit smart assistants have continued to surface.
The latest ones were disclosed today, after being identified earlier this year by Luise Frerichs and Fabian Bräunlein, two security researchers at Security Research Labs (SRLabs), who shared their findings with ZDNet last week.
Both the phishing and eavesdropping vectors are exploitable via the backend that Amazon and Google provide to developers of Alexa or Google Home custom apps.
These backends provide access to functions that developers can use to customize the commands to which a smart assistant responds, and the way the assistant replies.
The way third-party apps should work is that the microphones are active for only a short time after the smart speaker asks the user a question. For example, if I tell Alexa to ask my supermarket app to add something to the basket, the app will check my order history for the exact product details, then Alexa will tell me what it found and ask me to confirm that’s what I want. It will then activate the Echo Dot’s microphone for a short time while it waits for me to say yes or no. If I don’t reply within a few seconds, the microphone is switched off again.
However, malicious apps can leave the microphone activated — and recording what it hears — for much longer. It’s achieved by using a special string that creates a lengthy pause after a question or confirmation, the mic remaining on during this time.
The “�. ” string can also be used […] for eavesdropping attacks. However, this time, the character sequence is used after the malicious app has responded to a user’s command.
The character sequence is used to keep the device active and record a user’s conversation, which is recorded in logs, and sent to an attacker’s server for processing.
In that way, smart speakers can eavesdrop on anything said while the mic is still on.
Alternatively, the long pause can be used to make an owner think they are no longer interacting with the app. At that point, a phishing attempt can be made.
The idea is to tell the user that an app has failed, insert the “�. ” to induce a long pause, and then prompt the user with the phishing message after a few minutes, tricking the target into believing the phishing message has nothing to do with the previous app with which they just interacted.
For example, in the videos below, a horoscope app triggers an error, but then remains active, and eventually asks the user for their Amazon/Google password while faking an update message from Amazon/Google itself.
This type of attack would not be possible on HomePod because the only way a third-party app can interact with Siri is via Apple’s own APIs. Apps have no direct access.
HTC has announced a new entry-level phone aimed at cryptocurrency users called the HTC Exodus 1S, a followup to the $699 Exodus 1 that was originally released last year. The Exodus 1S is a much cheaper device at €219 (around $244), and offers much less powerful hardware built around a Qualcomm Snapdragon 435 processor.
The Exodus 1S’s big new cryptocurrency feature is that it’s able to run a full bitcoin node, which HTC says is a first for a smartphone. It’s something the company has been talking about wanting to do since the announcement of the original Exodus 1. Speaking to Forbes, HTC’s Phil Chen said that being able to run a full node means that the phone can relay, confirm, and validate bitcoin transactions, which offers more privacy and also allows you to contribute to the security of the network.
Running a full bitcoin node on a phone comes with its limitations. HTC recommends that you connect the phone to Wi-Fi and plug it into a power source while it’s running the full node, and you’ll also need to buy an SD card with a capacity of 400GB or more if you want the phone to be able to hold a full copy of the Bitcoin ledger. The Exodus 1S will also not be able to operate as a mining node.
Outside of its blockchain capabilities, the HTC Exodus 1S features entry-level hardware. It’s got a 5.7-inch HD display, 4GB of RAM, 64GB of internal storage, and it has a single rear-facing 13-megapixel camera. It charges over MicroUSB, but at least you get a 3.5mm headphone jack.
HTC’s Exodus phones are an ambitious attempt by the company to appeal to cryptocurrency enthusiasts as its smartphone sales have plummeted in recent years. Compared to the Exodus 1, the cheaper starting price of the Exodus 1S could make it appealing as a secondary device to experiment with.
The HTC Exodus 1S won’t be available in the US, but you can now order it from HTC’s site in Europe, Taiwan, Saudi Arabia and the UAE. Naturally, HTC will happily accept payment in bitcoin, ethereum, litecoin, Binance coin, and bitcoin cash for the phone.
With the blink of an eye, Google's Pixel 4 has accomplished something that no other significant Android phone-maker has. It finally caught up to iPhone's Face ID -- a biometric unlocking feature that Apple popularized two years ago -- to unlock the phone and buy things with a scan of your face. Now that a secure version exists in Android phones, face unlock will be the killer feature every Android user will want.
The face unlock feature on Android phones has existed for years, but mostly as a convenience that's been flimsy enough to fool with photos. Face ID's more rigorous process meant it was secure enough for transactions.
With consumers more aware of the value of their privacy, being able to offer secure face unlock is potentially even more convenient than scanning your fingerprint or entering a PIN code. Closing the gap with Face ID also gives Google an edge over Samsung, LG, Huawei and all the rest at a time when Google can sell its phones across all major US carriers, providing an opportunity to make the Pixel, which hasn't historically sold well, more of a household name.
But more importantly, the Pixel 4's adoption of this secure version of face unlock could have ripple effects throughout the rest of the Android world. If Google folds the blueprint for this secure version of face unlock into the Android OS, it will all but guarantee that every midrange and premium phone will use the feature, since roughly 90% of all smartphones run on the platform.
Why face unlock matters
Face scanning, along with fingerprint scanning, is one of the few biometrically secure methods of verifying your identity. On a phone, it's meant to be a fast, convenient and mostly hands-free alternative to fingerprint readers. Using face unlock instead of a fingerprint reader can free up space on the screen and keep you from fumbling on the back or side of the phone to unlock it.
Proponents of face unlock also claim that it's more secure than fingerprint readers and harder to fool with images and synthetic appendages, like dummy fingers. It has the power to authenticate password autofill in addition to mobile payments.
The technology works by scanning your features and creating a stored image that the phone then compares to your face whenever you attempt to unlock your device. Versions that are less secure create optical images with the camera, which are easy enough to fool with photos, masks or other spoofs.
Apple, and now Google, uses an infrared sensor to project tens of thousands of dots onto your face. This creates a 3D depth map with far more data on the length, shape, span and width of your unique features.
While the iPhone requires you to swipe up from the bottom of the screen to finish unlocking the phone (after it's verified your identity), the Pixel 4 uses Motion Sense, a collection of motion-sensing features that are driven by radar to recognize when you're reaching for your device. That alone will trigger the Pixel 4 to unlock the screen.
Using gestures and a glance to unlock the phone should be faster than swiping it -- at least, according to Google. This is something we'll test soon.
Why only now?
It isn't clear why the Android competition has lagged so far behind when it comes to truly secure face unlock. Qualcomm bundled support for a 50,000-dot projector into its Snapdragon 845 chipset a year after the iPhone X launched in 2017, but rivals were slow to take up the technology.
Perhaps some of these device-makers lacked the technology or software teams to get the feature secure enough, or perhaps they wanted to put their own spin on the secure face unlock realm, as Google has now done.
Either way, Google's opportunity to innovate on hardware by pairing Motion Sense gestures to the face unlock mechanism isn't just a long-overdue way for the brand to flex its technical muscle. And it isn't just a way for Pixel phones to race ahead. Because of Google's considerable resources and reach, its blueprint for face unlock on Android phones has the potential to push biometrics even further into the future.
In May, Facebook said it was going to redesign the website and bring dark mode to its website and mobile apps. While it began testing dark mode for its Android app in August, it has now started rolling out a beta version of its website with that option to some users too.
Multiple people are being invited to test the new interface. The screenshots shared by testers are akin to the design Facebook showed off at its developer conference F8 in May. The new version of the website kinda looks like Twitter:
This is just a test version, so the final release of dark mode and the new interface might not look the same. Thankfully, if you don’t like the new look, there’s a handy toggle that lets you switch to the good ol’ classic version of the website.
We’ll keep an eye on this, and update you as soon as the new interface and dark mode is available for a wider audience.
NASA's InSight lander was supposed to be digging a hole so a probe (above) could measure the heat escaping from Mars' interior, but it hasn't made much progress since work got started in February -- it hadn't even finished burying itself. At last, it's making some headway. The agency has revealed that the probe, nicknamed "the mole," is finally digging in earnest thanks to a new strategy. The arm had been stymied by unusually rough soil, but the team found it could get the necessary friction by having InSight press its robotic arm against the probe.
It's still moving slowly. The mole has dug roughly three quarters of an inch since October 8th, and it could venture as deep as 16 feet. It could be a long, long time before the probe reaches its potential. Nonetheless, it's a huge relief to scientists worried that one of InSight's key instruments might go to waste. So long as there aren't rocks or other hard obstacles underneath, the probe could shed more light on what's happening beneath Mars' surface.
Samsung has spent millions on making its phones more secure, and on making sure customers know about it. You’d think all that money would be enough to fend off the threat of a $2 silicone case. Apparently not.
You don’t need a 3D printer, super-high-res camera, latex molds, or any cloak-and-dagger nonsense. A dirt-cheap phone case is all you need to unlock someone’s Samsung flagship.
I tested the much-discussed issue of fingerprint recognition being bypassed by a silicone case on the Galaxy S10 and Note10 models….
It’s hard to excuse this massive breach of trust, and it’s even harder to understand why Samsung has so far failed to apologize to customers. Yet, this embarrassing mishap isn’t that surprising in the scheme of things.
Biometrics make for poor security anyway
The truth is, fingerprints and other biometric authentication methods are flawed. You shouldn’t rely on them if you actually care about mobile security. PINs and passwords are much more secure — if less convenient — methods of authentication.
There are several reasons why an old-fashioned password is preferable to fingerprint readers, facial scanners, or retina/iris scanners.
For one, it’s easier to force someone to unlock their device with their fingerprint or face than it typically is to force them to reveal a password or PIN. It’s much easier to trick people into unlocking their device too — sometimes all it takes is to place the device in front of them while they’re sleeping (just ask Google Pixel 4 reviewers).
You could argue that fingerprint and facial scanners are good enough for 99% of users. Granted, most people will never have to worry about authorities rummaging through their messages or any shady entities stealing their fingerprints from their Facebook profile. It’s also true that biometric sensors have improved security for millions of users who, otherwise, could not be bothered with typing a PIN every time they unlock their phones.
But the stakes are getting higher all the time. We now use our faces and fingerprints to unlock our bank accounts, authorize payments in stores, and gain access to password lockers like LastPass. For now, that means your digital identity. In a few years, smartphones will be your identity, both online and in real life.
Finally, passwords have another massive advantage over biometric authentication methods: they’re disposable. You can always change your PIN or password, but what happens when your immovable physical traits leak? How do you update your fingerprints or your retina?
What you can do
If you’re worried about smartphone security, there are a few simple things you can do to protect yourself:
Pick a secure authentication method (PIN or password), but don’t be lazy: the more characters you use, the safer.
Avoid pattern locks. They’re easier to spy on, and less secure than a good PIN or password.
Disable features like Smart Lock that keep the device unlocked when it’s in certain areas or when a Bluetooth device is connected.
Understand the difference between the various face unlock methods — the ones that use laser or infrared to scan your face are more secure than those that rely on the front-facing camera.
Enable Lockdown mode, available on Android Pie and later. This gives you the option to quickly disable all unlocking methods except the PIN or password.
Buy devices from reputable manufacturers that are more likely to receive regular security and system updates.
In general, practice basic security hygiene. The chances of getting hacked remotely are much higher than of someone getting physical access to your device.