
      VLC reveals the dark underside of Android app signing

      news.movim.eu / Korben · 2 days ago - 08:21 · 4 minutes

    VLC tips

    Security on Android, and app signing in particular, is far from all sunshine and roses. As you may know, our good old VLC has been having some trouble updating its Android app on the Play Store lately.

    So why the blockage? Quite simply because Google has decided to make App Bundles mandatory for every app offering TV features. So far, no problem, you might say. Except that this new format requires handing your private signing key over to Google. And that is just im-pos-sible for the VLC team!

    Handing your private key to a third party is like giving your apartment keys to your neighbour. It is the foundation of security: what is private must stay private. Otherwise you might as well leave your door wide open with a sign saying "Help yourself"! 😅

    Since the early days of Android, every app has had to be installed from an APK file. That file contains everything needed: the code, the resources, the data... And to verify that an APK is authentic, it must be signed with a private key generated by the developer. Anyone can then check the public key used to sign the file.

    The advantage of this system is that it guarantees the app's integrity. If the developer loses the private key or its password, publishing updates becomes impossible, because the new signature will not match. And if the developer hands the key to someone else, that person can sign their own versions, which will be treated as legitimate. See the problem now?

    With App Bundles, we move to a two-key scheme: an upload key lets the Play Store verify that whoever uploads the file is legitimate. So far, so good. But the signing key (release key) must be held by Google! In other words, the Play Store signs the app in the developer's place. That is the private key Google is now demanding from VLC.

    Google has tried to put measures in place to mitigate the problem, such as dual release, which on recent devices (Android 11+) allows installing an update signed with a different key if proof of key rotation is provided. But for apps like VLC that also support old devices and TV, it doesn't work.

    So the VLC team faces a no-win choice:

    1. Hand its private key to Google and keep publishing normally. Benefit: none. Risk: Google gets total control over the app's updates and security. Needless to say, for them that's a no.
    2. Drop TV support from the APKs published on the Play Store. Advantage: no need to hand over the private key for recent devices. Drawback: no more TV support for old devices running Android 10 and below. Not great.
    3. Go full App Bundles. Advantage: none. Drawback: it would make the app incompatible with 30% of current users. Not even in your dreams!

    In short, as you will have gathered, the VLC team is at a dead end, and that is why no update has been published on the Play Store in recent months.

    And it's not just a matter of principle. The Play Store is not the only store on Android. VLC is also available on the official website, the Amazon AppStore, the Huawei AppGallery... So handing the key to Google would compromise the entire publishing chain.

    Unfortunately, unless Google changes these new requirements, there is no miracle solution for continuing to offer TV support on old Android devices via the Play Store.

    It's infuriating for developers, who find themselves bound hand and foot, but it's also worrying for us users. When the world's largest app store starts demanding developers' private keys, one can legitimately question its notion of security and privacy.

    Let's hope Google hears the criticism and backs down on this point. In the meantime, the only thing to do is support developers like VLC, who still hold out against the invader and continue to put their users' security first.

    If you're interested, you can follow the whole affair in detail in this fascinating article (yes, really, I promise): VLC for Android updates on the Play Store


      Apple, Google, and Meta are failing DMA compliance, EU suspects

      news.movim.eu / ArsTechnica · 4 days ago - 16:04

    EU Commissioner for Internal Market Thierry Breton talks to media about non-compliance investigations against Google, Apple, and Meta under the Digital Markets Act (DMA). (credit: Thierry Monasse / Contributor | Getty Images News)

    Not even three weeks after the European Union's Digital Markets Act (DMA) took effect, the European Commission (EC) announced Monday that it is already probing three out of six gatekeepers—Apple, Google, and Meta—for suspected non-compliance.

    Apple will need to prove that changes to its app store and existing user options to swap out default settings easily are sufficient to comply with the DMA.

    Similarly, Google's app store rules will be probed, as well as any potentially shady practices unfairly preferencing its own services—like Google Shopping and Hotels—in search results.



      Google applies the DMA, but has a small surprise for developers

      news.movim.eu / JournalDuGeek · Thursday, 7 March - 08:03

    Google Dma Europe

    Google has just announced its plan to comply with the European DMA, and new fees are coming.

      Google’s loss to Epic Games leads to $700M settlement with users, states

      news.movim.eu / ArsTechnica · Tuesday, 19 December - 15:38


    (credit: SOPA Images / Contributor | LightRocket)

    After Epic Games proved that Google’s Android app store monopoly violates antitrust law, Google has agreed to pay a $700 million settlement with US states and consumers, Reuters reported.

    Once a judge approves the settlement, the largest chunk—$630 million—will go to consumers who allegedly were hit with unnecessary fees for in-app transactions. Google has not admitted to any wrongdoing, but each eligible consumer will receive at least $2, and some will receive more. Individual payouts will vary, depending on how much consumers spent in the Google Play Store between August 16, 2016 and September 30, 2023.

    The remaining $70 million will go to states that joined the settlement, which includes all 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands.



      The Ars Technica staff guide to the mobile apps we can’t live without

      news.movim.eu / ArsTechnica · Tuesday, 7 November - 14:00

    Behold, a collection of apps we love. (credit: Oscar Wong / Getty Images)

    Senior Reviews Editor Samuel Axon

    Todoist basically runs my life—but that's OK, because it's a very well-designed app. There are a ton of to-do apps on the iPhone, but I went with this one because it's very flexible.

    For example, yeah, you can see a top-to-bottom to-do list like with many others, but you can view that same data as a Trello-like Kanban board, too.

    I've also found that Todoist is better at understanding natural language settings for projects, times, and so on than a lot of other to-do apps, so, for example, I can type "Edit next article at 2 pm on Tuesday #ArsTechnica" to add a to-do within the Ars Technica project with a due time of 2 pm on the following Tuesday. A lot of to-do apps support that, but I feel Todoist does it best.



      Google tentatively settles Play Store monopoly case with 30 states, 21M users

      news.movim.eu / ArsTechnica · Wednesday, 6 September, 2023 - 16:39


    (credit: NurPhoto / Contributor | NurPhoto)

    Google has reached a tentative settlement with more than 30 US states and 21 million customers who sued the tech giant for allegedly violating antitrust laws by overcharging for apps in the Google Play Store, Reuters reported.

    The settlement comes approximately one week after a court revoked the lawsuit's class-action status. Details, including the amount of the settlement, were not disclosed, Reuters reported, but plaintiffs agreed in a court filing yesterday not to oppose the court's decision on the class-action certification. At one point, plaintiffs estimated that Google might owe them $4.7 billion in damages; however, it was previously reported that losing the class-action status would significantly reduce damages for states and customers suing.

    Nothing will be finalized until the settlement is approved by the State Attorneys General and Google owner Alphabet Inc’s board of directors. After that, a long-form settlement agreement must be reached before final approval by the court.



      Google says it will start downranking non-tablet apps in the Play Store

      news.movim.eu / ArsTechnica · Wednesday, 26 July, 2023 - 20:40

    The Play Store on tablets is mostly just two big thumbnails. (credit: Google)

    Following the release of the Pixel Tablet and Pixel Fold, Google wants developers to take big-screen apps more seriously. Asking nicely rarely works, so Google is changing the Play Store ranking algorithms to increase the visibility of apps that better support large screens.

    Google's blog post says:

    Apps and games that adhere to our large screen app quality guidelines will now be ranked higher in search and Apps and Games Home. This helps users find apps that resize well, aren't letterboxed, and support both portrait and landscape orientations. Editors’ Choice and other curated collections and articles will also consider these criteria going forward, creating new featuring opportunities for optimized apps.

    The large screen app guidelines have various tiers, but they recommend keyboard, mouse, and stylus support, a two-pane tablet layout, drag-and-drop support, and foldable display awareness. The post also reiterates some improvements that Google has already rolled out, like showing tablet screenshots to tablet users and downranking apps that crash a lot.



      Samsung’s Android app-signing key has leaked, is being used to sign malware

      news.movim.eu / ArsTechnica · Friday, 2 December, 2022 - 21:13 · 1 minute


    (credit: Dsimic)

    A developer's cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the signing key of the old app on your phone needs to match the key of the update you're installing. The matching keys ensure the update actually comes from the company that originally made your app and isn't some malicious hijacking plot. If a developer's signing key got leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they are legit.

    On Android, the app-updating process isn't just for apps downloaded from an app store; it also updates bundled-in system apps made by Google, your device manufacturer, and any other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled-in Android system apps have access to much more powerful and invasive permissions and aren't subject to the usual Play Store limitations (this is why Facebook always pays to be a bundled app). If a third-party developer ever lost their signing key, it would be bad. If an Android OEM ever lost their system app signing key, it would be really, really bad.

    Guess what has happened! Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.



      YouTube algorithm pushed election fraud claims to Trump supporters, report says

      news.movim.eu / ArsTechnica · Friday, 2 September, 2022 - 19:20 · 1 minute


    (credit: Nathan Howard / Stringer | Getty Images News)

    For years, researchers have suggested that algorithms feeding users content aren't the cause of online echo chambers, but are more likely due to users actively seeking out content that aligns with their beliefs. This week, New York University researchers for the Center for Social Media and Politics showed results from a YouTube experiment that just happened to be conducted right when election fraud claims were raised in fall 2020. They say their results provide an important caveat to prior research by showing evidence that in 2020, YouTube's algorithm was responsible for "disproportionately" recommending election fraud content to users more "skeptical of the election's legitimacy to begin with."

    A coauthor of the study, Vanderbilt University political scientist James Bisbee, told The Verge that even though participants were recommended a low number of election denial videos—a maximum of 12 videos out of hundreds participants clicked on—the algorithm generated three times as many for people predisposed to buy into the conspiracy as it did for people who were not. "The more susceptible you are to these types of narratives about the election... the more you would be recommended content about that narrative," Bisbee said.

    YouTube spokesperson Elena Hernandez told Ars that Bisbee's team's report "doesn't accurately represent how our systems work." Hernandez says, "YouTube doesn't allow or recommend videos that advance false claims that widespread fraud, errors, or glitches occurred in the 2020 US presidential election" and YouTube's "most viewed and recommended videos and channels related to elections are from authoritative sources, like news channels."
