Security News

Google users who opt for the Advanced Protection Program to secure their accounts are now able to use their iPhone as a security key. In May 2019, Google made it possible to exchange the physical security key with one's Android device.

The online giant said its "Sandbox" program would still allow advertisers the ability to deliver targeted messages, while also sparing people from being tracked by snippets of code called "Cookies" when they use its Chrome web browser. "We are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete," Chrome director of engineering Justin Schuh said in a post.

Google has set an aggressive two-year deadline for dropping support for third-party tracking cookies in its Chrome web browser. Justin Schuh, engineering director for Google Chrome, said in a post Tuesday that the phasing out of third-party cookies was in response to evolving attitudes about online privacy.

Google Project Zero security researchers have published technical details on an iMessage vulnerability addressed last year, which could be exploited remotely to achieve arbitrary code execution. Tracked as CVE-2019-8641, the vulnerability is considered Critical, featuring a CVSS score of 9.8, and was discovered by Google Project Zero security researchers Samuel Groß and Natalie Silvanovich.

The treachery lies in the payment model - the fleeceware we identified back in September 2019 didn't charge a fee for the app, but instead sold you a subscription to go along with the app. The app's free, don't forget; it's the subscription that you're being charged for, and Google permits app developers to ask that sort of money.

Google is testing out a feature to make Android's built-in password manager safer, according to online sleuths who have picked apart its software. You could use it to take autofill input from third-party password managers, or if you wanted to keep everything in your Google account, you could use autofill with Google's own password management service.

Google has removed 17,000 Android apps to date from the Play store that have been conduits for the Joker malware - and in an analysis of the code, said that Joker's operators have "At some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected." The internet giant said that having three or more active variants of Joker in circulation at the same time using different approaches or targeting different carriers is the norm; and at peak times of activity, up to 23 different apps from the Joker family have been submitted to Play in one day.

For much of Android's existence, Google has adopted a relatively hands-off approach that lets manufacturers ship units with pre-installed bloatware which, in many cases, cannot be easily removed. "Android Partners - who use the Android trademark and branding - are manufacturing devices that contain pre-installed apps that cannot be deleted, which can leave users vulnerable to their data being collected, shared and exposed without their knowledge or consent," the letter states.

These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model. This means permissions can be defined by the app - including access to the microphone, camera and location - without triggering the standard Android security prompts.

Google has removed roughly 1,700 unique applications from its Google Play app store that were part of a family of potentially unwanted programs. Over time, the developers of the applications have focused on finding new cloaking and obfuscation techniques to evade Google Play Store's new policies and Play Protect's evolving defenses and remain undetected.