Have you read Mishaal’s Android 13 Deep Dive? Of course you have. But it’s probably time to give it another look — he totally overhauled the layout and table of contents, updated all the images, and added even more info. It’s the gift that keeps on giving.
In today’s newsletter:
- Zero-day exploits show a new trend in Android targets
- Google’s new Material Symbols glyph font
- Building a world without passwords
- The end of call recording in third-party apps
- …and other vital information that’s sure to impress your friends, family, and colleagues 🧠
In case you missed it
⬆️ Companies that use Managed Google Play will soon have more control over when and how apps update. Apps can be labeled as “high priority” so they’re updated immediately after a new version is published in the Play Store. Alternatively, apps can be set as “postponed” to delay the auto-update for 90 days (these apps can still be manually updated). Additionally, the device no longer needs to be on Wi-Fi and charging for high priority apps to update.
🦠 Google’s Project Zero released its year-end 0-day report for 2021, covering all detected and disclosed or exploited 0-day exploits for the year. In short, there were 58 0-day exploits found in 2021, making last year the most significant year since Project Zero started tracking them in 2014. That’s largely because companies like Apple and Google started disclosing these vulnerabilities in release notes. The full report covers far more than just Android, so the whole thing is worth a read if you have the time. We’ll talk about the Android exploits in more detail down below.
🔐 Right now, Android has separate menu options for security and privacy, which doesn’t make a lot of sense. With Android 13, however, Google is testing combining these two menus, as highlighted by Mishaal on Twitter.
🪳 Cybersecurity firm Check Point released details about a bug in the open source audio decoder used by Qualcomm and MediaTek chipsets for Apple’s Lossless Audio Codec that could allow bad actors to spy on users. This codec hadn’t previously been updated in over a decade. The bug was reported to both companies and patched with the December 2021 security update. All devices running security patch 2021-12-05 or newer are protected. For a high level look at this vulnerability, The Hacker News has a good post. For the full details, head over to Check Point’s blog.
News for developers
- You’ve undoubtedly used Android’s developer options at some point, but this is an extensive menu with many options, so it’s unlikely that you’ve used everything. XDA Developers assembled a roundup of all the features found in developer options and what you can do with them. Handy!
- Google released a new font called Material Symbols that contains over 2,500 glyphs. This open source font is available under the Apache License 2.0 and offers three styles, along with weight, grade, optical size, and fill options.
- Do you use Flow in Kotlin? Or maybe you don’t because it seems intimidating? This article at Kt.Academy looks to break down the barrier by explaining how Flow really works.
- The April 2022 Developer Policy Updates webinar happened this week, but if you missed it, you can catch the recording on demand now. This also covers the changes to call recording that we’ll talk about below.
- Google is adding emulator images for “Android Desktop” builds to Android Studio, presumably so developers can test apps and games for Google Play Games for PC.
Android Bytes: How does Esper build on Android with Foundation?
In this episode, David and Mishaal chat with Esper’s very own Varun Chitre about Foundation, the Android distribution we provide to our clients for use on fleets of various machines. The conversation begins with the basics of why you’d want to deploy a new OS on new hardware — because we all know how enterprise fleets cling to life well past their “use by” dates.
Android in the news
Video killed the radio star: As noted above, Google’s Project Zero released its 2021 0-day year in review this week. While it was the biggest year PZ has ever seen for 0-days with a total of 58, only seven of those targeted Android. But that’s not what’s noteworthy here — it’s what they exploited. Of the seven, five targeted GPU drivers.
As noted in the Project Zero report, this makes a lot of sense. There are several different versions of Android that run on a variety of hardware from many different manufacturers, so hackers need to maintain exploits that cover a wide range of devices and OS versions. But there are two GPU families common among Android devices — the Qualcomm Adreno and ARM Mali (used by MediaTek, Amlogic, Samsung Exynos, RockChip, and others).
This makes it easier for hackers to build and maintain exploits that target GPU drivers, which are more likely to be shared across OS versions and manufacturers (and therefore, devices). Of the five 0-days targeting GPU drivers, three targeted Adreno GPUs, and two targeted Mali GPUs. Of course, Google patched these exploits in early-to-mid 2021, so they’re no longer a concern.
But this highlights a more significant issue moving forward: hackers will more often target GPU drivers. Google and SoC vendors have tried to make GPU drivers easier to update, but so far that hasn’t panned out.
Android is preparing for a world without passwords: Let’s be real here: Passwords are the worst. Even if you use a password manager, they’re still cumbersome and clunky at best (please use a password manager). And at worst, well, you either can’t remember your passwords or use the same one everywhere.
But according to a new APK Insight from 9to5Google, Google is building a future without passwords by using “passkeys” in Android that sync across your Google account. In the simplest terms, these cryptographically signed keys are tied to your phone’s login security — so, your fingerprint, PIN, face, etc. These passkeys are stored on your device and saved to your Google account, much like the password manager built into Chrome and Smart Lock for Passwords on Android.
Passkeys will use the FIDO protocol, which creates a key pair when registering for a new online account. The device stores the private key, while the public key is registered with the online service. You can think of this more like a lock and key rather than two keys — the public key is the lock, and the private key is the key.
When you try to log in to a site using passkeys, the public key will send a locked message to the private key. The private key will unlock it and send it back. If everything is correct, you’ll log in to your account. The private key is the only thing that can unlock the message, making this a highly secure password replacement.
There are still a handful of questions surrounding passkeys, like what happens to existing passwords. Still, there are a ton of companies already on board with The FIDO Alliance, suggesting that wide adoption shouldn’t be much of an issue.
However, as for when this will be available, it’s unclear — passkeys will be a part of Google Play Services, but there’s no rollout timeline yet.
Call recording is dead (for third-party apps, anyway): Google has been trying to shut down apps that enable call recording for some time now, and clever developers find a workable solution each time. The most recent call recording method in third party apps leverages Accessibility Services, but Google is putting a stop to that, too.
Starting May 11, 2022, Google will push a change to Google Play Policies that blocks the use of Accessibility Services for call recording, effectively closing this loophole. Apps that use Accessibility Services for call recording will be removed from Google Play if developers don’t remove the feature.
That doesn’t mean call recording on Android will no longer be possible. To start, first party dialers with call recording features will still offer these features. Secondly, developers will still be able to offer their apps with call recording outside of Google Play — direct downloads, alternative app stores, etc. According to NLL Apps, the developer of ACR Phone, SIP Recording will also continue to work.
Android Inside: Lucid Motors
Imagine a world where Tesla only makes luxury cars that run a custom version of Android Automotive. If that sounds cool to you, you’ll love what Lucid Motors has to offer because it’s exactly that.
Lucid Motors makes luxury electric cars, and its in-vehicle infotainment is built from the ground up on Android Automotive. But here’s the interesting part — unlike most cars that use Automotive, they’re not using the GAS version. Like Android for handhelds, Google offers an open source build of Android Automotive that manufacturers can download, modify, and redistribute. So that’s exactly what Lucid did.
Of course, that presents its own challenges, as the company’s cars don’t have access to the Google Play Store for app distribution. Lucid had to work with third-party developers from companies like Spotify, Tidal, and several others to integrate their apps into the infotainment system. Similarly, you won’t find Google Assistant here, but Amazon Alexa.
If you want to learn more about Lucid Motors, TechCrunch has a good write-up that talks about some of the finer details. For a higher-level overview (including pricing), Lucid’s site is the place to go.
Android Dessert Bites
One of the most significant performance optimizations in Android 13 is coming via an update to the Linux kernel. In this week’s edition, I’ll be taking a look at how Linux’s next-gen page reclaim policy will improve memory management.
What we’re reading
Sideloading is often a double-edged sword — in the right situation, it’s great. But it also opens the door for all sorts of malicious garbage on your phone. Android Central’s Jerry Hildenbrand has a good editorial on the risks and rewards of sideloading.
It turns out that Android apps on Windows 11 might not be all they’re cracked up to be, according to Android Police’s review. This is part app selection and part sideloading difficulty to circumvent the poor app selection. Either way, it’s not a good look.