China

AirDrop 'Cracked' By Chinese Authorities To Identify Senders (macrumors.com)

According to Bloomberg, Apple's AirDrop feature has been cracked by a Chinese state-backed institution to identify senders who share "undesirable content". MacRumors reports: AirDrop is Apple's ad-hoc service that lets users discover nearby Macs and iOS devices and securely transfer files between them over Wi-Fi and Bluetooth. Users can send and receive photos, videos, documents, contacts, passwords and anything else that can be transferred from a Share Sheet. Apple advertises the protocol as secure because the wireless connection uses Transport Layer Security (TLS) encryption, but the Beijing Municipal Bureau of Justice (BMBJ) says it has devised a way to bypass the protocol's encryption and reveal identifying information.

According to the BMBJ's website, iPhone device logs were analyzed to create a "rainbow table" which allowed investigators to convert hidden hash values into the original text and correlate the phone numbers and email accounts of AirDrop content senders. The "technological breakthrough" has successfully helped the public security authorities identify a number of criminal suspects, who use the AirDrop function to spread illegal content, the BMBJ added. "It improves the efficiency and accuracy of case-solving and prevents the spread of inappropriate remarks as well as potential bad influences," the bureau added.

It is not known if the security flaw in the AirDrop protocol has been exploited by a government agency before now, but it is not the first time a flaw has been discovered. In April 2021, German researchers found that the mutual authentication mechanism that confirms both the receiver and sender are on each other's address book could be used to expose private information. According to the researchers, Apple was informed of the flaw in May of 2019, but did not fix it.
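As an added illustration of the mechanism the BMBJ describes (this is not code from MacRumors, Bloomberg or Apple), the following Python shows why an unkeyed hash of a low-entropy identifier such as a phone number can be inverted with a precomputed lookup table, and what a per-message salt or a secret key changes. The 10,000-number identifier space, the choice of SHA-256 and the number +1-555-4242 are constructed for the example; nothing here is a claim about how AirDrop actually encodes contact identifiers.

```python
import hashlib
import hmac
import secrets

# Constructed toy identifier space: 10,000 "phone numbers" +1-555-0000 .. +1-555-9999.
# Real numbering plans are larger, but still small enough to enumerate completely.
TOY_NUMBERS = [f"+1555{n:04d}" for n in range(10_000)]


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier (an assumed, illustrative scheme)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute digest -> identifier once for every candidate.
    This is the work a rainbow/lookup table does ahead of time."""
    return {unkeyed_hash(c): c for c in candidates}


def invert_with_table(table: dict, digest: str):
    """Constant-time dictionary lookup; None if the digest is not in the table."""
    return table.get(digest)


def salted_hash(identifier: str, salt: bytes) -> str:
    """SHA-256 over a public per-message salt plus the identifier."""
    return hashlib.sha256(salt + identifier.encode()).hexdigest()


def invert_salted_online(candidates, salt: bytes, digest: str):
    """A public salt defeats the precomputed table, but an online enumeration
    of a small identifier space still recovers the value."""
    for c in candidates:
        if salted_hash(c, salt) == digest:
            return c
    return None


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: each key defines a fresh mapping, so a
    table built from plain hashes says nothing about these outputs."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def demo():
    table = build_lookup_table(TOY_NUMBERS)
    target = "+15554242"                      # constructed sample identifier

    recovered_plain = invert_with_table(table, unkeyed_hash(target))

    salt = secrets.token_bytes(16)
    recovered_salted_by_table = invert_with_table(table, salted_hash(target, salt))
    recovered_salted_online = invert_salted_online(TOY_NUMBERS, salt, salted_hash(target, salt))

    key = secrets.token_bytes(32)
    recovered_keyed = invert_with_table(table, keyed_hash(target, key))

    return recovered_plain, recovered_salted_by_table, recovered_salted_online, recovered_keyed


if __name__ == "__main__":
    print(demo())
```

Three things follow for anyone designing a protocol that exchanges hashed identifiers: a lookup table over a space this size is built in milliseconds, so the hash is an encoding rather than a secret; a per-message salt only removes the precomputation shortcut, since the salt travels with the digest and online enumeration still works; and a keyed hash helps only when the party doing the lookup lacks the key. In a peer-discovery exchange where every device must compute the same value from the same contact data, there is no secret to key on, so hashing alone cannot protect the identifier.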

IT

Amazon Debuts Video-Streaming Feature That Rivals Apple AirPlay (bloomberg.com)

Amazon introduced a new feature that mimics Apple's AirPlay while working across different platforms, setting the stage for iPhone and Android users to wirelessly stream video to its TV hardware. From a report: The feature, called Matter Casting, is part of a push by Amazon to create interoperable services -- an alternative to the propriety technology developed by Apple and Google. It will make it easier for iOS and Android phones to send video to Amazon devices, such as its Fire TV boxes and sticks, as well as the Echo Show 15 smart display. [...] The feature will work with a range of other video services, including Plex, Pluto TV, Sling TV, Starz and ZDF, Amazon said.
Apple

Apple Revives Old Fight With Hey Email App (theverge.com)

Shortly after the premium email service Hey announced a standalone Hey Calendar app, co-founder David Heinemeier Hansson said it was rejected by Apple for violating App Store rules.

"Apple just called to let us know they're rejecting the HEY Calendar app from the App Store (in current form)," wrote DHH on X. "Same bullying tactics as last time: Push delicate rejections to a call with a first-name-only person who'll softly inform you it's your wallet or your kneecaps. Since it's clear we're never going to pay them the extortionate 30% ransom, they're back to the bullshit about 'the app doesn't do anything when you download it.' Despite the fact that after last time, they specifically carved out HEY in App Store Review Guidelines 3.1.3 (f)!" The Verge's Amrita Khalid reports: New users can't sign up for Hey Calendar directly on the app -- Basecamp, which makes Hey, makes users first sign up through a browser. Apple's App Store rules require most paid services to offer users the ability to pay and sign up through the app, ensuring the company gets up to a 30 percent cut. The controversial rule has a ton of gray areas and carve-outs (i.e. reader apps like Spotify and Kindle get an exception) and is the subject of antitrust fights in multiple countries. But as Hansson detailed on X and in a subsequent blog post, he found Apple's rejection insulting for another reason. Close to four years ago, the company rejected Hey's original iOS app for its email service for the exact same reason.

The outcome of the 2020 fight actually worked out in Hey's favor. After days of back and forth between Apple's App Store Review Board and Basecamp, the Hey team agreed to a rather creative solution suggested by Apple exec Phil Schiller. Hey would offer a free option for the iOS app, allowing new users to sign up directly. But the company had a slight twist -- users who signed up via the iOS app got a free, temporary randomized email address that worked for 14 days -- after which they had to pay to upgrade. Currently, Hey email users can only pay for an account through the browser. Following the saga with Hey, Apple made a carve-out to its App Store rules that stated that free companion apps to certain types of paid web services were not required to have an in-app payment mechanism. But, as Hansson mentions on X, a calendar app wasn't mentioned in the list of services that Apple now makes an exception for, which includes VOIP, cloud storage, web hosting -- and of course -- email.
Hansson plans to fight Apple's decision without elaborating on exactly how he intends to do so.
Security

Amnesty International Confirms Apple's Warning to Journalists About Spyware-Infected iPhones (techcrunch.com)

TechCrunch reports: Apple's warnings in late October that Indian journalists and opposition figures may have been targeted by state-sponsored attacks prompted a forceful counterattack from Prime Minister Narendra Modi's government. Officials publicly doubted Apple's findings and announced a probe into device security.

India has never confirmed nor denied using the Pegasus tool, but nonprofit advocacy group Amnesty International reported Thursday that it found NSO Group's invasive spyware on the iPhones of prominent journalists in India, lending more credibility to Apple's early warnings. "Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation," said Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, in the blog post.

Cloud security company Lookout has also published "an in-depth technical look" at Pegasus, calling its use "a targeted espionage attack being actively leveraged against an undetermined number of mobile users around the world." It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple's built-in messaging and email apps, and others. It steals the victim's contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device...

According to news reports, NSO Group sells weaponized software that targets mobile phones to governments; its LinkedIn page says the company has been operating since 2010. The Pegasus spyware has existed for a significant amount of time, and is advertised and sold for use on high-value targets for multiple purposes, including high-level espionage on iOS, Android, and BlackBerry.

Thanks to Slashdot reader Mirnotoriety for sharing the news.
Open Source

What Comes After Open Source? Bruce Perens Is Working On It (theregister.com)

An anonymous reader quotes a report from The Register: Bruce Perens, one of the founders of the Open Source movement, is ready for what comes next: the Post-Open Source movement. "I've written papers about it, and I've tried to put together a prototype license," Perens explains in an interview with The Register. "Obviously, I need help from a lawyer. And then the next step is to go for grant money." Perens says there are several pressing problems that the open source community needs to address. "First of all, our licenses aren't working anymore," he said. "We've had enough time that businesses have found all of the loopholes and thus we need to do something new. The GPL is not acting the way the GPL should have done when one-third of all paid-for Linux systems are sold with a GPL circumvention. That's RHEL." RHEL stands for Red Hat Enterprise Linux, which in June, under IBM's ownership, stopped making its source code available as required under the GPL. Perens recently returned from a trip to China, where he was the keynote speaker at the Bench 2023 conference. In anticipation of his conversation with El Reg, he wrote up some thoughts on his visit and on the state of the open source software community. One of the matters that came to mind was Red Hat.

"They aren't really Red Hat any longer, they're IBM," Perens writes in the note he shared with The Register. "And of course they stopped distributing CentOS, and for a long time they've done something that I feel violates the GPL, and my defamation case was about another company doing the exact same thing: They tell you that if you are a RHEL customer, you can't disclose the GPL source for security patches that RHEL makes, because they won't allow you to be a customer any longer. IBM employees assert that they are still feeding patches to the upstream open source project, but of course they aren't required to do so. This has gone on for a long time, and only the fact that Red Hat made a public distribution of CentOS (essentially an unbranded version of RHEL) made it tolerable. Now IBM isn't doing that any longer. So I feel that IBM has gotten everything it wants from the open source developer community now, and we've received something of a middle finger from them. Obviously CentOS was important to companies as well, and they are running for the wings in adopting Rocky Linux. I could wish they went to a Debian derivative, but OK. But we have a number of straws on the Open Source camel's back. Will one break it?"

Another straw burdening the Open Source camel, Perens writes, "is that Open Source has completely failed to serve the common person. For the most part, if they use us at all they do so through a proprietary software company's systems, like Apple iOS or Google Android, both of which use Open Source for infrastructure but the apps are mostly proprietary. The common person doesn't know about Open Source, they don't know about the freedoms we promote which are increasingly in their interest. Indeed, Open Source is used today to surveil and even oppress them." Free Software, Perens explains, is now 50 years old and the first announcement of Open Source occurred 30 years ago. "Isn't it time for us to take a look at what we've been doing, and see if we can do better? Well, yes, but we need to preserve Open Source at the same time. Open Source will continue to exist and provide the same rules and paradigm, and the thing that comes after Open Source should be called something else and should never try to pass itself off as Open Source. So far, I call it Post-Open." Post-Open, as he describes it, is a bit more involved than Open Source. It would define the corporate relationship with developers to ensure companies paid a fair amount for the benefits they receive. It would remain free for individuals and non-profit, and would entail just one license. He imagines a simple yearly compliance process that gets companies all the rights they need to use Post-Open software. And they'd fund developers who would be encouraged to write software that's usable by the common person, as opposed to technical experts.

Pointing to popular applications from Apple, Google, and Microsoft, Perens says: "A lot of the software is oriented toward the customer being the product -- they're certainly surveilled a great deal, and in some cases are actually abused. So it's a good time for open source to actually do stuff for normal people." The reason that doesn't often happen today, says Perens, is that open source developers tend to write code for themselves and those who are similarly adept with technology. The way to avoid that, he argues, is to pay developers, so they have support to take the time to make user-friendly applications. Companies, he suggests, would foot the bill, which could be apportioned to contributing developers using the sort of software that instruments GitHub and shows who contributes what to which products. Merico, he says, is a company that provides such software. Perens acknowledges that a lot of stumbling blocks need to be overcome, like finding an acceptable entity to handle the measurements and distribution of funds. What's more, the financial arrangements have to appeal to enough developers. "And all of this has to be transparent and adjustable enough that it doesn't fork 100 different ways," he muses. "So, you know, that's one of my big questions. Can this really happen?"
Perens believes that the General Public License (GPL) is insufficient for today's needs and advocates for enforceable contract terms. He also criticizes non-Open Source licenses, particularly the Commons Clause, for misrepresenting and abusing the open-source brand.

As for AI, Perens views it as inherently plagiaristic and raises ethical concerns about compensating original content creators. He also weighs in on U.S.-China relations, calling for a more civil and cooperative approach to sharing technology.

You can read the full, wide-ranging interview here.
Google

Alphabet, States Reach $700 Million Deal in Google Play Feud

Alphabet will pay $700 million and alter its Google Play policies to settle claims that the app store unlawfully dominates the Android mobile applications market, resolving antitrust complaints brought by attorneys general of about three dozen states and consumers. From a report: The deal disclosed in a court filing late Monday calls for tweaks to Google Play policies designed to reduce barriers to competition in the markets for app distribution and payment processing. The lawsuits that were grouped together in federal court in California had threatened billions of dollars in revenue generated by the sale and distribution of apps through Google Play. Google will also make a series of changes to its business practices as part of the settlement. In a blog post, the Android-maker said: Streamlining sideloading while prioritizing security: Unlike on iOS, Android users have the option to sideload apps, meaning they can download directly from a developer's website without going through an app store like Google Play. While we maintain it is critical to our safety efforts to inform users that sideloading on mobile could come with unique risks, as part of our settlement we will be further simplifying the sideloading process and updating the language that informs users about these potential risks of downloading apps directly from the web for the first time.
Expanding user choice billing to more people: App and game developers will be able to implement an alternative billing option alongside Google Play's billing system for their U.S. users who can then choose which option to use when making in-app purchases. We have been piloting user choice billing in the U.S. for over a year and will now expand this option further.
Expanding open communication on pricing: We have always given developers more ways to interact with their customers than iOS and other operating systems. For example, Google Play allows developers to communicate freely with their customers outside the app about subscription offers or lower-cost options available on a rival app store or the developer's website. This openness has spurred competition and benefited consumers and developers. As part of user choice billing, which we're expanding with today's settlement announcement, developers are also able to show different pricing options within the app when a user makes a digital purchase.
China

Is Huawei Pushing Forward With an Ambitious Plan to Dethrone Android? (forbes.com)

Forbes recently published this article by author/speaker Nina Xiang, who reports that Huawei is pushing forward with "an ambitious plan to dethrone Android." Hundreds of technical experts from many of China's biggest state-owned and private companies, including the Industrial and Commercial Bank of China (ICBC), China Telecom, Meituan, and Baidu, all gathered in Beijing last month. The purpose behind the meeting was for their staff to receive training so they could be certified as developers on Huawei's Harmony Operating System (OS).

While most observers were looking the other way, Huawei has been quietly building an independent Chinese operating system that isn't subject to U.S. sanctions. In the four years after the telecom giant was banned from using Google apps, the Shenzhen-based company has been making significant strides toward achieving its long-term goal: To dethrone Android and make its HarmonyOS the default operating system in China.

Looking at the data for smartphone sales in China shows that HarmonyOS had the third-largest share with 10% in the second quarter of 2023, thanks to a strong resurgence in sales of Huawei smartphones. Although it's still well below Android's dominant 72%, it's not far from iOS's 17%... Huawei already says more than 700 million devices (including phones, smart devices, computers, and others) were equipped with HarmonyOS as of August this year, with over 2.2 million developers actively building within the ecosystem...

A key moment will come next year, when Huawei says HarmonyOS will no longer be compatible with Android apps.

Google

Why Google Will Stop Telling Law Enforcement Which Users Were Near a Crime (yahoo.com)

Earlier this week Google Maps stopped storing user location histories in the cloud. But why did Google make this move? Bloomberg reports that it was "so that the company no longer has access to users' individual location histories, cutting off its ability to respond to law enforcement warrants that ask for data on everyone who was in the vicinity of a crime." The company said Thursday that for users who have it enabled, location data will soon be saved directly on users' devices, blocking Google from being able to see it, and, by extension, blocking law enforcement from being able to demand that information from Google. "Your location information is personal," said Marlo McGriff, director of product for Google Maps, in the blog post. "We're committed to keeping it safe, private and in your control."

The change comes three months after a Bloomberg Businessweek investigation that found police across the US were increasingly using warrants to obtain location and search data from Google, even for nonviolent cases, and even for people who had nothing to do with the crime. "It's well past time," said Jennifer Lynch, the general counsel at the Electronic Frontier Foundation, a San Francisco-based nonprofit that defends digital civil liberties. "We've been calling on Google to make these changes for years, and I think it's fantastic for Google users, because it means that they can take advantage of features like location history without having to fear that the police will get access to all of that data."

Google said it would roll out the changes gradually through the next year on its own Android and Apple Inc.'s iOS mobile operating systems, and that users will receive a notification when the update comes to their account. The company won't be able to respond to new geofence warrants once the update is complete, including for people who choose to save encrypted backups of their location data to the cloud.

The EFF general counsel also pointed out to Bloomberg that "nobody else has been storing and collecting data in the same way as Google." (Apple, for example, is technically unable to provide the same data to police.)
Privacy

Google Maps Ditches Cloud-Based Location History (androidpolice.com)

Google Maps will soon give you the option to store your location data on your device instead of in the cloud. Android Police reports: In the coming year, Google is planning to switch things up by defaulting to saving your Timeline directly on your device instead of the cloud. You'll also have the option to wipe out bits or the whole information dossier whenever you want and disable location history completely. When you're jumping ship to a new device and want to keep your data close, you always have the option to back it up in the cloud. Google assures you that it'll lock it up with encryption.

Another significant update is the shorter default amount of time before your location history is auto-deleted. Soon, when you turn on location history, the default auto-delete time shrinks to three months. In the past, it used to hang around for 18 months by default. If you're the sentimental type, you can extend the Timeline's lifespan or turn off the auto-delete option. Google Maps has another nifty trick up its sleeve: soon, you can erase all traces of your trips with just a few taps. Say you've got a favorite hangout spot and you want to keep it to yourself. You can wipe the slate clean right from the app, whether it's searches, directions, visits, or shares. This handy feature is making its debut on Maps for Android and iOS in the next few weeks.

Finally, you will soon be able to click on the blue dot on the map to view your Location History and Timeline at a glance. It allows you to tweak what you share and store on Maps, all without having to dive into the settings. Currently, the blue dot only gives you some neat shortcuts for parking saves and location sharing.

IOS

Apple's New iPhone Security Setting Keeps Thieves Out of Your Digital Accounts (theverge.com)

According to the Wall Street Journal, Apple is including new Stolen Device Protection in iOS 17.3 that requires authentication through Face ID or Touch ID to perform certain actions. The Verge reports: The new feature appears to come in response to the concerns raised in previous reports by The Wall Street Journal describing how thieves watch their victims type in their iPhone passcodes and then steal their devices. This gives thieves access to a trove of personal and financial information stored on the device, allowing them to lock victims out of their iCloud accounts and spend thousands of dollars using saved payment information.

If you opt in to the feature, you would have to verify your identity with face or fingerprint biometrics when doing things like viewing your saved passwords in iCloud Keychain, applying for a new Apple Card, factory resetting your device, using saved payment methods in Safari, and turning off Lost Mode. This way, thieves wouldn't be able to steal your information even if they have your phone and the passcode.

For even more sensitive actions, like changing your Apple ID password, changing your iPhone passcode, or turning off Find My, the new Stolen Device Protection feature adds an additional hurdle if the device is somewhere other than locations you often frequent, like at home or in the office. It requires you to not only verify your identity with Face ID or Touch ID but also wait one hour and then repeat the authentication process again.

Iphone

Apple Releases Spatial Video Recording On iPhone 15 Pro (techcrunch.com)

With iOS 17.2 rolling out today, Apple is giving users the ability to record spatial videos on their iPhone 15 Pro and iPhone 15 Pro Max. "The new feature lets users film in three dimensions and experience their favorite memories and special moments on Apple Vision Pro, the upcoming mixed-reality headset," reports TechCrunch. From the report: In order to create a three-dimensional video, Apple explains that the iPhone uses both the main and ultrawide cameras when recording. This is then saved as a single file within a new album in the Photos app titled "Spatial." The videos will also sync across devices with iCloud. Spatial videos are captured in 1080p resolution at 30 frames per second. Spatial video recording can be enabled in Settings by toggling on "Spatial Video for Apple Vision Pro" in the Camera section under Formats. Apple suggests holding the iPhone in landscape orientation for optimal results. Spatial videos can be viewed on all iPhones and other devices; however, they'll appear as regular, 2D videos.

The new feature allows users to record videos that Apple's senior vice president of worldwide marketing, Greg Joswiak, describes as "magical" and "setting a new bar for what's possible." While that's marketing speak, it's a differentiator for Apple's high-end iPhone, and will deepen users' connections with Apple's latest product, the AR/VR headset, launching next year.
As part of today's release, Apple also launched its Journal app, which is designed to allow iOS users to record key moments in their lives.
Google

Google Play Movies, TV Apps Shutting Down In January 2024 (9to5google.com)

Google Play Movies & TV will be replaced with Google TV on January 17, 2024. 9to5Google reports: Since the 2020 launch of the Google TV platform, that branding has replaced Play Movies & TV in areas such as mobile apps, but that's also led to the choice to do away with Play Movies & TV branding basically everywhere else. In October, that decision also made its way to Android TV, and the app has not been working ever since. Despite some confusion over the past few days, the app currently just redirects to Android TV's "Shop" tab, which has been widely available for months.

In a new post, Google explains that it will do away with the last parts of Google Play Movies & TV in January 2024: "With these changes, Google Play Movies & TV will no longer be available on Android TV devices or the Google Play website.* However, you'll still be able to access all of your previously purchased titles (including active rentals) on Android TV devices, Google TV devices, the Google TV mobile app (Android and iOS), and YouTube."

On January 17, Play Movies & TV will officially cease for good on Android TV. For anyone who does still have the app working -- again, most users cannot use the app already -- the "Shop" tab will become the only option. Similarly, Google says that Play Movies & TV will cease on other remaining platforms that same date. Any cable boxes with the app integrated will also lose it, and in turn be pushed to the YouTube app for continued access to purchased content. Web access via play.google.com/movies will also go away, with youtube.com/movies becoming the alternative.

The Internet

The Arc Browser Is Finally Coming To Windows (neowin.net)

The Browser Company's Chromium-based Arc browser, which aims to rethink the whole browser UI with a sidebar for tabs and lots of personalization options, is finally coming to Windows. In a post on X, the Browser Company says it's sent out the first Windows beta invites. It's currently only available for iOS and Mac users. Slashdot reader dokjest shares the email they received:

Hey there,

Hursh here, CTO at the Browser Co, with some exciting news! A little while ago, you signed up for a brand new browser, Arc -- one that The Verge called "The Chrome replacement I've been waiting for" and Shopify's CEO named as "the best browser." Well, starting today, we're onboarding our very first beta testers to Arc on Windows. And you're next!

Over the coming weeks, our team will be onboarding hundreds of beta testers to Arc. And come January, we'll be welcoming 1,000s of you from the waitlist every week. If you don't mind a few bugs and some rough edges, sign up as a beta tester and we'll prioritize your invite to Arc! For us, this period leading up to our Windows release is about crafting the very best version of Arc that we can. And that means learning from you -- what you love, what's missing, what doesn't feel quite right. It still feels surreal to say, but it really does all begin today. Follow along for some fun on isarconwindowsyet.com -- And we'll see you very soon!

- Hursh and The Browser Co Crew

P.S. If you have a friend on Windows with one too many tabs, who could use a better browser -- forward this on to them, too!
If you want to get on the beta waitlist, you can sign up here.
IOS

Apple Rolls Out Journal App With iOS 17.2 and iPadOS 17.2 Updates

Apple today released iOS 17.2 and iPadOS 17.2, the second major updates to the iOS 17 and iPadOS 17 operating systems that came out in September. From a report: The iOS 17.2 update includes the new Journal app, which is designed to allow iOS users to record key moments in their lives. The Journal app includes journaling suggestions, scheduled notifications, and options for adding photos, locations, and more.
Networking

New Internet Standard L4S: the Quiet Plan to Make the Internet Feel Faster (theverge.com)

Slow load times? Choppy videos? The real problem is latency, writes the Verge — but the good news is "there's a plan to almost eliminate latency, and big companies like Apple, Google, Comcast, Charter, Nvidia, Valve, Nokia, Ericsson, T-Mobile parent company Deutsche Telekom, and more have shown an interest." It's a new internet standard called L4S that was finalized and published in January, and it could put a serious dent in the amount of time we spend waiting around for webpages or streams to load and cut down on glitches in video calls. It could also help change the way we think about internet speed and help developers create applications that just aren't possible with the current realities of the internet... L4S stands for Low Latency, Low Loss, Scalable Throughput, and its goal is to make sure your packets spend as little time needlessly waiting in line as possible by reducing the need for queuing. To do this, it works on making the latency feedback loop shorter; when congestion starts happening, L4S means your devices find out about it almost immediately and can start doing something to fix the problem. Usually, that means backing off slightly on how much data they're sending... [L4S] makes it easier to maintain a good amount of data throughput without adding latency that increases the amount of time it takes for data to be transferred...

If you really want to get into it (and you know a lot about networking), you can read the specification paper on the Internet Engineering Task Force's website... The L4S standard adds an indicator to packets, which says whether they experienced congestion on their journey from one device to another. If they sail right on through, there's no problem, and nothing happens. But if they have to wait in a queue for more than a specified amount of time, they get marked as having experienced congestion. That way, the devices can start making adjustments immediately to keep the congestion from getting worse and to potentially eliminate it altogether... In terms of reducing latency on the internet, L4S or something like it is "a pretty necessary thing," according to Greg White, a technologist at research and development firm CableLabs who helped work on the standard. "This buffering delay typically has been hundreds of milliseconds to even thousands of milliseconds in some cases. Some of the earlier fixes to buffer bloat brought that down into the tens of milliseconds, but L4S brings that down to single-digit milliseconds...."

Here's the bad news: for the most part, L4S isn't in use in the wild yet. However, there are some big names involved with developing it... When we spoke to Greg White from CableLabs, he said there were already around 20 cable modems that support it today and that several ISPs like Comcast, Charter, and Virgin Media have participated in events meant to test how prerelease hardware and software work with L4S. Companies like Nokia, Vodafone, and Google have also attended, so there definitely seems to be some interest. Apple put an even bigger spotlight on L4S at WWDC 2023 after including beta support for it in iOS 16 and macOS Ventura... At around the same time as WWDC, Comcast announced the industry's first L4S field trials in collaboration with Apple, Nvidia, and Valve. That way, content providers can mark their traffic (like Nvidia's GeForce Now game streaming), and customers in the trial markets with compatible hardware like the Xfinity 10G Gateway XB7 / XB8, Arris S33, or Netgear CM1000v2 gateway can experience it right now...

The other factor helping L4S is that it's broadly compatible with the congestion control systems in use today...

Security

Android Vulnerability Exposes Credentials From Mobile Password Managers (techcrunch.com) 22

An anonymous reader quotes a report from TechCrunch: A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps. The vulnerability, dubbed "AutoSpill," can expose users' saved credentials from mobile password managers by circumventing Android's secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week. The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, password managers can get "disoriented" about where they should target the user's login information and instead expose their credentials to the underlying app's native fields, they said. This is because WebView, the preinstalled engine from Google, lets developers display web content in-app without launching a web browser, and an autofill request is generated.

"Let's say you are trying to log into your favorite music app on your mobile device, and you use the option of 'login via Google or Facebook.' The music app will open a Google or Facebook login page inside itself via the WebView," Gangwal explained to TechCrunch prior to their Black Hat presentation on Wednesday. "When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app." Gangwal notes that the ramifications of this vulnerability, particularly in a scenario where the base app is malicious, are significant. He added: "Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information."

The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper and Enpass, on new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. When JavaScript injection was enabled, all the password managers were susceptible to their AutoSpill vulnerability. Gangwal says he alerted Google and the affected password managers to the flaw. Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker potentially extracting credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.
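The failure mode described in the excerpt, as an added example that is not the researchers' code, the Android framework API, or any password manager's implementation: an autofill service receives one view tree containing both the host app's native fields and the HTML inputs rendered inside its WebView. A filler that keys only on field type hands the web credential to the host app; the hardened filler scopes each credential to the node's web domain, or to a host package with a verified association. The model goes slightly beyond the article by also handling native-app credentials and an allow-list standing in for Digital Asset Links. All class, field and package names below are assumptions, and the sample tree is constructed.

```python
"""
Constructed model of the AutoSpill failure mode (illustrative example; not
Android framework code and not any password manager's implementation). Class,
field and package names are assumptions; the view tree is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ViewNode:
    node_id: str
    package_name: str                 # app whose window owns the node
    autofill_hints: tuple             # ("username",) or ("password",)
    web_domain: Optional[str] = None  # set only for HTML inputs inside a WebView


@dataclass
class Credential:
    origin: str      # "https://<host>" for a site, "android://<package>" for a native app
    username: str
    password: str


def _value_for(node, cred):
    """Value a node would receive if it were filled with this credential."""
    if "username" in node.autofill_hints:
        return cred.username
    if "password" in node.autofill_hints:
        return cred.password
    return None


def naive_fill(tree, cred):
    """Vulnerable behaviour: fill every username/password field in the tree."""
    return {n.node_id: v for n in tree if (v := _value_for(n, cred)) is not None}


def node_allowed(node, cred, asset_links=frozenset()):
    """
    Policy check: a web credential belongs to nodes carrying that web domain, or to
    native fields of a package listed in asset_links (assumed stand-in for a Digital
    Asset Links verification); a native credential belongs only to its own package's
    native fields, never to anything rendered in a WebView.
    """
    if cred.origin.startswith("https://"):
        host = cred.origin[len("https://"):]
        if node.web_domain is not None:
            return node.web_domain == host
        return (node.package_name, host) in asset_links
    if cred.origin.startswith("android://"):
        pkg = cred.origin[len("android://"):]
        return node.web_domain is None and node.package_name == pkg
    return False


def scoped_fill(tree, cred, asset_links=frozenset()):
    """Hardened behaviour: only nodes that pass node_allowed receive a value."""
    return {
        n.node_id: v
        for n in tree
        if node_allowed(n, cred, asset_links) and (v := _value_for(n, cred)) is not None
    }


def leaked_nodes(filled, tree, cred, asset_links=frozenset()):
    """Node ids that received the credential without being entitled to it."""
    by_id = {n.node_id: n for n in tree}
    return [i for i in filled if not node_allowed(by_id[i], cred, asset_links)]


# Constructed sample: a music app hosting a Google sign-in page in its WebView,
# with two native fields of its own that also advertise username/password hints.
SAMPLE_TREE = [
    ViewNode("native_user", "com.example.music", ("username",)),
    ViewNode("native_pass", "com.example.music", ("password",)),
    ViewNode("web_user", "com.example.music", ("username",), web_domain="accounts.google.com"),
    ViewNode("web_pass", "com.example.music", ("password",), web_domain="accounts.google.com"),
]
GOOGLE_CRED = Credential("https://accounts.google.com", "alice@example.com", "correct horse battery")

if __name__ == "__main__":
    leaked = leaked_nodes(naive_fill(SAMPLE_TREE, GOOGLE_CRED), SAMPLE_TREE, GOOGLE_CRED)
    print("naive filler leaked to:", leaked)
    print("scoped filler filled:", sorted(scoped_fill(SAMPLE_TREE, GOOGLE_CRED)))
```

The check worth taking away is that the web domain on the node, not the autofill hint, is what ties a credential to a field; the host package only qualifies when it can prove an association with that domain.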

Encryption

Beeper Mini is an iMessage-for-Android App That Doesn't Require Any Apple Device at All (liliputing.com) 122

An anonymous reader shares a report: Beeper has been offering a unified messaging platform for a few years, allowing users to open a single app to communicate with contacts via SMS, Google Chat, Facebook Messenger, Slack, Discord, WhatsApp, and perhaps most significantly, iMessage. Up until this week though, Android users that wanted to use Beeper to send "blue bubble" messages to iMessage users had their messages routed through a Mac or iOS device. Now Beeper has launched a new app called Beeper Mini that handles everything on-device, no iPhone or Mac bridge required.

Beeper Mini is available now from the Google Play Store, and offers a 7-day free trial. After that, it costs $2 per month to keep using. [...] previously the company had to rely on a Mac-in-the-cloud? The company explains the method it's using in a blog post, but in a nutshell, Beeper says a security researcher has reverse engineered "the iMessage protocol and encryption," so that "all messages are sent and received by Beeper Mini Android app directly to Apple's servers" and "the encryption keys needed to encrypt these messages never leave your phone." That security researcher, by the way, is a high school student that goes by jjtech, who was hired by Beeper after showing the company his code. A proof-of-concept Python script is also available on GitHub if you'd like to run it to send messages to iMessage from a PC.

XBox (Games)

Microsoft In Talks To Launch Mobile Gaming Store, Rivaling Apple (bnnbloomberg.ca) 39

According to Microsoft Gaming CEO Phil Spencer, the company is talking to partners to help launch a mobile gaming store that will take on Apple and Google. "It's an important part of our strategy and something we are actively working on today not only alone, but talking to other partners who'd also like to see more choice for how they can monetize on the phone," Spencer said in an interview in Sao Paulo during the CCXP comics and entertainment convention. From the report: The executive declined to give a specific date for a launch of the online store, which earlier reports suggested could be next year. "I don't think this is multiple years away, I think this is sooner than that,'' he said. [...] Microsoft's mobile store would also enter a challenging regulatory climate around smartphone-based digital marketplaces. Fortnite-maker Epic Games has sued both Apple and Alphabet's Google over their iOS and Android store practices, alleging they are unnecessarily restrictive and unfair. Apple doesn't allow competing stores on its iPhone and iPad platforms, and collects a 30% cut of sales for most purchases. Game makers have taken issue with the fees.

Epic lost its battle with Apple but in September asked the US Supreme Court to weigh in. Apple is also petitioning that court to reverse an order that would force the company to let developers steer customers to other payment methods. Epic is still in court fighting its case against Google, which does allow third-party app stores on its devices. The European Union's Digital Markets Act, which is just beginning to take effect, could force Apple to open up its app store ecosystem. Apple is challenging the regulation.

Microsoft may be able to use long-standing resentment against the market leaders to marshal support for its store offering. Xbox's cloud gaming technology already lets users stream blockbuster games to mobile phones. "We've talked about choice, and today on your mobile phones, you don't have choice,'' Spencer said. "To make sure that Xbox is not only relevant today but for the next 10, 20 years, we're going to have to be strong across many screens."

Earlier this week, Xbox CFO Tim Stuart said during the Wells Fargo TMT Summit that Microsoft wants to make first-party games and Game Pass available on "every screen that can play games," including rival consoles. "It's a bit of a change of strategy. Not announcing anything broadly here, but our mission is to bring our first-party experiences [and] our subscription services to every screen that can play games," Stuart said. "That means smart TVs, that means mobile devices, that means what we would have thought of as competitors in the past like PlayStation and Nintendo."

Programming

BBC BASIC Is Back In a Big Way (hackaday.com) 134

An anonymous reader quotes a report from Hackaday: The BBC has a long history of teaching the world about computers. The broadcaster's name was proudly displayed on the BBC Micro, and BBC Basic was the programming language developed especially for that computer. Now, BBC Basic is back and running on a whole mess of modern platforms. BBC Basic for SDL 2.0 will run on Windows, MacOS, x86 Linux, and even Raspberry Pi OS, Android, and iOS. Desktop versions of the programming environment feature a BASIC editor that has syntax coloring for ease of use, along with luxury features like search and replace that weren't always available at the dawn of the microcomputer era. Meanwhile, the smartphone versions feature a simplified interface designed to work better in a touchscreen environment.

It's weird to see, but BBC Basic can actually do some interesting stuff given the power of modern hardware. It can address up to 256 MB of memory, and work with far more advanced graphical assets than would ever have been possible on the original BBC Micro. If you honed your programming skills on that old metal, you might be impressed with what they can achieve with BBC Basic in a new, more powerful context.

AI

ChatGPT's Voice Chat Feature Is Rolling Out To Android and iOS 9

OpenAI's "ChatGPT with voice" feature announced in September is now rolling out to all free users on mobile. Engadget reports: When the company first introduced voice chats, it admitted that the capability to create "realistic synthetic voices from just a few seconds of real speech" presents new risks. It could, for instance, allow bad actors to impersonate public figures or anybody they want. As a result, it decided that ChatGPT's voice feature will focus on conversations. It's powered by a text-to-speech model that can generate "human-like audio from just text and a few seconds of sample speech." OpenAI worked with voice actors to create the capability and offers five different voices to choose from.
