Google Assistant picks up a few new tricks

Google Assistant, the voice-driven AI that sits inside Google Home (plus Android phones, newer Nest cameras and a bunch of other devices) and awaits your “Hey, Google” commands, is already pretty clever. That doesn’t mean it can’t learn a few new tricks.

In a quick press briefing this week, Google told us a couple of new abilities Assistant will pick up in the coming weeks.

First, and perhaps most interestingly: routines can now be set to trigger the moment you dismiss an alarm on your phone. Routines are basically Google Assistant combo moves; you build them to trigger multiple actions at once. You can build a “Hey Google, I’m going to bed” command, for example, that turns off your smart lights, shuts down the TV and locks your smart locks. For a while now, you’ve been able to have routines triggered at specific times; now you can have them triggered by alarm dismissal.

The difference? If you snooze the alarm on your phone, the routine won’t go off just yet. So you can build a routine, for example, that turns on the lights and starts reading the news — but now it can go off when you’re really getting out of bed, roughly two snooze-buttons after when you probably should’ve gotten up. You’ll find this one hiding in Android’s Clock app.

Another feature, meanwhile, is getting an upgrade: broadcasts. If you’ve got multiple Google Home devices around your house, you can already “broadcast” to all of them to make house-wide announcements like “Dinner’s ready!” or “help I need toilet paper downstairs” (THE FUTURE!). Now you can broadcast messages back to your home while out and about via Google Assistant on your phone, and people inside the home can respond. You can say, “Hey Google, broadcast ‘Do we need milk?’” and anyone inside your house can say “Hey Google, reply ‘no but please get eggnog, come on, please, it’s basically December, you said we could get eggnog in December.’ ”

Broadcast replies will be sent back to your phone as a voice message and a transcription.

Google is also starting to introduce “character alarms” — which are, as the name implies, alarms voiced by popular characters. Right now they’re adding the heroes in a half shell from Nickelodeon’s “Rise of the Teenage Mutant Ninja Turtles,” and a bunch of LEGO animated series characters (alas, no LEGO Batman.) They’ll presumably expand this with more licenses if it proves popular.

And if you listen to podcasts or audiobooks on your Google Assistant devices, you can now adjust the playback speed by saying “Hey Google, play at 1.5x” or “1.8x” or whatever you want up to twice the speed. “Play faster” or “Play slower” also works if you’re not feeling specific.

Oh, and for good measure: Google Assistant can now silence all the phones in your house (or, at least, the Android phones tied to your Google account) with a quick “Hey Google, silence the phones” command.

Fortnite’s Android installer shipped with an Epic security flaw

Google has clapped back in tremendous fashion at Epic Games, which earlier this month decided to make the phenomenally popular Fortnite available for Android via its own website instead of Google’s Play Store. Unfortunately, the installer had a phenomenally dangerous security flaw in it that would allow a malicious actor to essentially install any software they wanted. Google wasted exactly zero time pointing out this egregious mistake.

By way of a short explanation of why this was happening at all, Epic said when it announced its plan that it would be good to have “competition among software sources on Android,” and that the best would “succeed based on merit.” Everyone of course understood that what it meant was that Epic didn’t want to share the revenue from its cash cow with Google, which takes 30 percent of in-app purchases.

Many warned that this was a security risk for several reasons, for example that users would have to enable app installations from unknown sources — something most users have no reason to do. And the Play Store has other protections and features, visible and otherwise, that are useful for users.

Google, understandably, was not amused with Epic’s play, which no doubt played a part in the decision to scrutinize the download and installation process — though I’m sure the safety of its users was also a motivating factor. And wouldn’t you know it, they found a whopper right off the bat.

In a thread posted a week after the Fortnite downloader went live, a Google engineer by the name of Edward explained that the installer basically would allow an attacker to install anything they want using it.

The Fortnite installer basically downloads an APK (the package format for Android apps), stores it locally, then launches it. But because it wrote the file to shared external storage, which any other app holding the storage permission can read and write, a malicious app on the same phone could swap in a different APK between the download finishing and the installer launching it, in what’s called a “man in the disk” attack.

And because the installer only checked that the package name was right, as long as the attacker’s file identified itself as “com.epicgames.fortnite,” it would be installed! Silently, and with whatever extra permissions the attacker cared to declare, because once the user has allowed the installer to install from unknown sources, that trust extends to whatever file the installer hands over. Not good!

Edward pointed out this could be fixed easily and in a magnificently low-key bit of shade-throwing helpfully linked to a page on the Android developer site outlining the basic feature Epic should have used.
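To make the flaw concrete, here is an added example (not Epic’s installer code, and not from the Google thread) that simulates both halves of the story: the name-only check in world-writable storage that a co-resident app can defeat by swapping the file, and the fix of reading the bytes once, verifying them against a pinned digest and package name, and installing exactly those bytes. The “APK” here is a constructed stand-in (a zip with a plain-text manifest entry), the pinned SHA-256 is assumed to come from the download server, and the `sdcard` directory stands in for external storage; on a real device the download would also go to the app’s private storage rather than a shared location.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

PACKAGE = "com.epicgames.fortnite"   # the only thing the flawed installer checked


def build_stub_apk(path: Path, package_name: str, payload: bytes) -> str:
    """Write a constructed stand-in for an APK and return its SHA-256 hex digest.

    A real APK is a zip carrying a binary AndroidManifest.xml and a signature
    block; this stub keeps just a package name and a payload entry so the
    example runs offline."""
    with zipfile.ZipFile(path, "w") as z:        # mode "w" truncates an existing file
        z.writestr("manifest.txt", package_name)
        z.writestr("classes.dex", payload)
    return hashlib.sha256(path.read_bytes()).hexdigest()


def parse_stub_apk(data: bytes) -> tuple[str, bytes]:
    """Return (package name, payload) from the stub's in-memory bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read("manifest.txt").decode(), z.read("classes.dex")


def vulnerable_install(shared_dir: Path) -> bytes:
    """The flawed pattern: look for the expected file name in world-writable
    storage and hand whatever is there to the installer."""
    apk = shared_dir / f"{PACKAGE}.apk"
    if not apk.exists():                         # name check only
        raise FileNotFoundError(apk)
    _, payload = parse_stub_apk(apk.read_bytes())
    return payload                               # "installs" the current contents


def hardened_install(apk: Path, pinned_sha256: str) -> bytes:
    """Read once, verify the bytes, install those same bytes.

    Checking content instead of the file name defeats a swap, and using one
    in-memory copy for both the check and the install leaves no window for
    a second swap between them."""
    data = apk.read_bytes()
    if hashlib.sha256(data).hexdigest() != pinned_sha256:
        raise ValueError("digest mismatch, refusing to install")
    name, payload = parse_stub_apk(data)
    if name != PACKAGE:
        raise ValueError(f"unexpected package {name}")
    return payload


def run_scenario(attacker_swaps: bool) -> dict:
    """Simulate the download, an optional swap by another app, then both installers."""
    genuine, malicious = b"GENUINE-DEX", b"ATTACKER-DEX"   # constructed payloads
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp) / "sdcard"            # stands in for external storage
        shared.mkdir()
        target = shared / f"{PACKAGE}.apk"
        pinned = build_stub_apk(target, PACKAGE, genuine)   # the genuine download
        if attacker_swaps:
            # Another app with the storage permission overwrites the file after
            # the download; it keeps the same name and package id.
            build_stub_apk(target, PACKAGE, malicious)
        result = {"vulnerable": vulnerable_install(shared)}
        try:
            result["hardened"] = hardened_install(target, pinned)
        except ValueError:
            result["hardened"] = b"rejected"
    return result


if __name__ == "__main__":
    print(run_scenario(attacker_swaps=False))   # both install the genuine payload
    print(run_scenario(attacker_swaps=True))    # vulnerable installs ATTACKER-DEX, hardened rejects
```

The digest check is the minimum; a real installer would additionally verify the APK’s signing certificate against the developer’s known key, which covers the case where the download server itself is compromised.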

To Epic’s credit, its engineers jumped on the problem immediately, had a fix in the works by that very afternoon and deployed it by the next one. Epic InfoSec then asked Google to wait 90 days before publishing the information.

As you can see, Google was not feeling generous. One week later (that’s today) and the flaw has been published on the Google Issue Tracker site in all its… well, not glory exactly. Really, the opposite of glory. This seems to have been Google’s way of warning any would-be Play Store mutineers that they would not be given gentle handling. (Update: Google says that the shorter disclosure timing is just normal policy when a fix is put out quickly: the official period for public disclosure is “90 days, or sooner if the vendor releases a fix.”)

Epic Games CEO Tim Sweeney was likewise unamused. In a comment provided to Android Central — which, by the way, predicted that this exact thing would happen — he took the company to task for its “irresponsible” decision to “endanger users.”

Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336

Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.

Indeed, companies really should try not to endanger their users for selfish reasons.

Snoopware installed by 11 million+ iOS, Android, Chrome, and Firefox users


blog post published Tuesday by AdGuard, a developer of ad blockers and privacy tools. AdGuard cofounder Andrey Meshkov said in the post that the extensions and apps make a list of every exact address of every page visited and combine it with a unique identifier he believes is generated when the extension or app is first installed.

“There are numerous ways of discovering your real identity from observing your browsing history,” Meshkov wrote. “It can be straightforward, for instance, there is no ambiguity in who can visit this page: https://analytics.twitter.com/user/ay_meshkov/tweets. Even if you do not happen to visit such pages, there is still a high chance of exposing your real identity.”
