| ▲ | themafia 6 hours ago |
| > Keeping users safe on Android is our top priority. I highly doubt this is your "top" priority. Or if it is then you're gotten there by completely ignoring Google account security. > intercepts the victim's notifications And who controls these notifications and forces application developers to use a specific service? > bad actors can spin up new harmful apps instantly. Like banking applications that use push or SMS for two factor authentication. You seem to approve those without hesitation. I guess their "top" priority is dependent on the situation. |
|
| ▲ | klabb3 4 hours ago | parent | next [-] |
| > > intercepts the victim's notifications > And who controls these notifications and forces application developers to use a specific service? Am I alone in being alarmed by this? Are they admitting that their app sandboxing is so weak that a malicious app can exfil data from other unaffiliated apps? And they must instead rely on centralized control to disable those apps after the crime? So.. what’s the point of the sandboxing - if this is just desktop level lack of isolation? Glossing over this ”detail” is not confidence inspiring. Either it’s a social engineering attack, in which case an app should have no meaningful advantage over traditional comms like web/email/social media impersonation. Or, it’s an issue of exploits not being patched properly, in which case it’s Google and/or vendor responsibility to push fixes quickly before mass malware distribution. The only legit point for Google, to me, is apps that require very sensitive privileges, like packet inspection or OS control. You could make an argument that some special apps probably could benefit from verification or special approvals. But every random app? |
| |
| ▲ | Zak 4 hours ago | parent | next [-] | | > Are they admitting that their app sandboxing is so weak that a malicious app can exfil data from other unaffiliated apps? An app can read the content of notifications if the appropriate permissions are granted, which includes 2FA codes sent by SMS or email. That those are bad ways to provide 2FA codes is its own issue. I want that permission to exist. I use KDE Connect to display notifications on my laptop, for example. Despite the name, it's not just for KDE or Linux - there are Windows and Mac versions too. | |
| ▲ | Groxx 3 hours ago | parent | prev [-] | | yes, they're admitting that their APIs are powerful enough to build accessibility tools (which often must read notifications) and many other useful things (e.g. Pushbullet) that are not possible on iOS. powerful stuff has room for abuse. I didn't really think there's much of a way to make that not the case. it's especially true for anything that you grant accessibility-level access to, and "you cannot build accessibility tools" is a terrible trade-off. (personally I think there's some room for options with taint analysis and allowing "can read notifications = no internet" style rules, but anything capable enough will also be complex enough to be a problem) |
|
|
| ▲ | BrenBarn 5 hours ago | parent | prev | next [-] |
| Their top priority is making money. |
| |
| ▲ | shirro 5 hours ago | parent | next [-] | | Making money and complying with the law. They are obligated to do both. In many countries laws are still enforced. Protecting their app store revenues from competition exposes them to scrutiny from competition regulators and might be counter productive. Many governments are moving towards requiring tech companies to enforce verification of users and limit access to some types of software and services or impose conditions requiring software to limit certain features such as end to end encryption. Some prominent people in big tech believe very strongly in a surveillance state and we are seeing a lot of buy in across the political spectrum, possibly due to industry lobbying efforts. Allowing people to install unapproved software limits the effectiveness of surveillance technologies and the revenues of those selling them. If legal compliance risks are pushing this then it is a job for voters, not Google to fix. | | |
| ▲ | BrenBarn 2 hours ago | parent [-] | | Complying with the law is just another way of protecting your money. I have no doubt if they would break laws if they judged it better for the bottom line --- in fact I have little doubt they're already doing so. On the flip side, if there were ruinous penalties for their anticompetitive behaviors (i.e., in the tens or hundreds of billions of dollars) they might change course. Certainly voters need to have their say, but often their message is muffled by the layers of political and administrative material it passes through. |
| |
| ▲ | hekkle 4 hours ago | parent | prev [-] | | BINGO! Google doesn't care at all about user security. - Just yesterday there was a story on here about how Google found esoteric bugs in FFMPEG, and told volunteers to fix it. - Another classic example, about how Google doesn't give a stuff about their user's security is the scam ads they allow on youtube. Google knows these are scams, but don't care because they there isn't regulation requiring oversight. | | |
| ▲ | gpm 3 hours ago | parent [-] | | > Just yesterday there was a story on here about how Google found [a security vulnerability that anyone running `ffmpeg -i <untrusted file> ...` was vulnerable to] in FFMPEG, and told [the world about it so that everyone could take appropriate action before hackers found the same thing and exploited it, having first told the ffmpeg developers about it in case they wanted to fix it before it was announced publicly] Fixed that for you. Google's public service was both entirely appropriate and highly appreciated. | | |
| ▲ | hekkle 3 hours ago | parent [-] | | > and highly appreciated. Not by the maintainers it wasn't Mr. Google. | | |
| ▲ | gpm 3 hours ago | parent [-] | | Yes, but it was a public service not a service for the maintainers, and as a member of the public who like anyone who had run `ffmpeg -i <thing I downloaded from the internet>` was previously exposed to the vulnerability I highly appreciate their service. I'd highly appreciate even if the maintainers never did anything with the report, because in that case I would know to stop using ffmpeg on untrusted files. | | |
| ▲ | hekkle 3 hours ago | parent [-] | | So you were using untrusted video files that required the LucasArts Smush codec? Again, if YOU highly appreciate their service, that's great, but FFMPEG isn't fixing a codec for a decades old game studio, so all Google has done is tell cyber criminals how to infect your Rebel Assault 2. I'm glad you find that useful. | | |
| ▲ | gpm 3 hours ago | parent [-] | | No, I was running on normal untrusted video files. The standard ffmpeg command line would happily attempt to parse those with the LucasArts Smush codec even though I'd never heard of it before. See the POC in the report by google, the command they run is just `./ffmpeg -i crash.anim -f null /dev/null -loglevel repeat+trace -threads 1` and the only relevant part of that for being vulnerable is that crash.anim is untrusted. Edit: And to be clear, it doesn't care about the extension. You can name it kittens.mp4 instead of crash.anim and the vulnerability works the same way. |
|
|
|
|
|
|
|
| ▲ | boxedemp 5 hours ago | parent | prev | next [-] |
| Only a few things in life are for sure. Death, taxes, and corpospeak. |
| |
| ▲ | _factor 5 hours ago | parent [-] | | Hey, sometimes the dumbest people it works on are also the ones with the decision making ability. What a world to live in. |
|
|
| ▲ | ajkjk 5 hours ago | parent | prev [-] |
| this is an absurd rant. they invest, like, billions into security. It's not as perfect as you want it to be but "completely ignoring" is a joke. if you've got actual grievances you should say what they are so that we can actually get on your side instead of rolling our eyes |
| |
| ▲ | asadotzler 5 hours ago | parent | next [-] | | They absolutely eo completely ignore many security and privacy things because they're very selective in what they focus on, particularly around how those things might impact their ad revenue. How much they spend is no indicator of how and where they spend it, so is hardly a compelling argument. | |
| ▲ | wmf 5 hours ago | parent | prev [-] | | I'm not the OP but we know that SMS is not secure. Google should try banning that first. | | |
| ▲ | arcfour 3 hours ago | parent [-] | | Some security is better than no security. It already took years to even get some of these backwards-thinking companies and services to adopt SMS OTP and it's simple for non-technical users to intuit. Also, believe it or not, some people don't have smartphones, and they will riot if you try to make them switch to any other MFA method... Of course, I'm not saying we shouldn't push to improve things, but I don't think this is the right reaction either. |
|
|
