Last week, Android smartphone manufacturer "Nothing" announced that it's bringing iMessage to its newest phone through a new "Nothing Chats" app powered by the messaging platform Sunbird. After launching Friday, the app was shut down within 24 hours and the Sunbird app, which Nothing Chat is a clone of, was put "on pause." The reason? It's a security nightmare. Ars Technica reports: The initial sales pitch for this app -- that it would log you into iMessage on Android if you handed over your Apple username and password -- was a huge security red flag that meant Sunbird would need an ultra-secure infrastructure to avoid disaster. Instead, the app turned out to be about as unsecure as you could possibly be. Here's Nothing's statement: "We've removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users."

How bad are the security issues? Both 9to5Google and Text.com (which is owned by Automattic, the company behind WordPress) uncovered shockingly bad security practices. Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text on both the error reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP so this token could be intercepted and used to read your messages. [...]

Despite being the cause of this huge catastrophe, Sunbird has been bizarrely quiet during this whole mess. The app's X (formerly Twitter) page still doesn't say anything about the shutdown of Nothing Chats or Sunbird. Maybe that's for the best because some of Sunbird's early responses to the security concerns raised on Friday do not seem like they came from a competent developer. [...] Nothing has always seemed like an Android manufacturer that was more hype than substance, but we can now add "negligent" to that list. The company latched on to Sunbird, reskinned its app, created a promo website and YouTube video, and coordinated a media release with popular YouTubers, all without doing the slightest bit of due diligence on Sunbird's apps or its security claims. It's unbelievable that these two companies made it this far -- the launch of Nothing Chats required a systemic security failure across two entire companies.

"NFTs aren't gone yet," writes the Verge.

"Disney will launch an 'all-new socially driven collectible experience' called Disney Pinnacle later this year, turning characters from Pixar, Star Wars, and its classic animated films into tradable digital pins." While announcing Pinnacle, Disney and its partner Dapper Labs won't even say the word "NFT." Dapper Labs still calls itself "the NFT company," but between a variety of scams, an eye-blistering episode at a recent Bored Ape event, and a market that has plunged since peaking in early 2021, that's a term they apparently will steer clear of. The only thing available on the site right now is a privacy policy that makes clear this is a Dapper Labs effort that's licensing content from Disney — not an in-house effort on the level of Disney Plus.

The NFT collection is being launched through an iOS app, and a spokesperson tells CoinDesk that web and Android applications will come later.
The Disney Pinnacle website has a few seconds of background animation showing the pins — and, of course, a waitlist signup form.

An anonymous reader shares a report: In May this year, Alexis Hancock's daughter got a children's tablet for her birthday. Being a security researcher, Hancock was immediately worried. "I looked at it kind of sideways because I've never heard of Dragon Touch," Hancock told TechCrunch, referring to the tablet's maker. As it turned out, Hancock, who works at the Electronic Frontier Foundation, had good reasons to be concerned. Hancock said she found that the tablet had a slew of security and privacy issues that could have put her daughter's and other children's data at risk.

The Dragon Touch KidzPad Y88X contains traces of a well-known malware, runs a version of Android that was released five years ago, comes pre-loaded with other software that's considered malware and a "potentially unwanted program" because of "its history and extensive system level permissions to download whatever application it wants," and includes an outdated version of an app store designed specifically for kids, according to Hancock's report, which was released on Thursday and seen by TechCrunch ahead of its publication. Hancock said she reached out to Dragon Touch to report these issues, but the company never responded. Dragon Touch did not respond to TechCrunch's questions either. After TechCrunch reached out to the company, Walmart removed the listing from its website, while Amazon said it's looking into the matter.

Microsoft has created a Windows App for iOS, iPadOS, macOS, Windows, and web browsers. From a report: The app essentially takes the previous Windows 365 app and turns it into a central hub for streaming a copy of Windows from a remote PC, Azure Virtual Desktop, Windows 365, Microsoft Dev Box, and Microsoft's Remote Desktop Services.

Microsoft supports multiple monitors through its Windows App, custom display resolutions and scaling, and device redirection for peripherals like webcams, storage devices, and printers. The preview version of the Windows App isn't currently available for Android, though. The Windows App is also limited to Microsoft's range of business accounts, but there are signs it will be available to consumers, too. The sign-in prompt on the Windows App on Windows (yes that's a mouthful) suggests you can access the app using a personal Microsoft Account, but this functionality doesn't work right now.

Lauren Irwin reports via The Hill: Google agreed to pay $8 billion over four years to Samsung to make its apps default on Samsung phones, according to information presented by Epic Games in court. James Kolotouros, vice president for partnerships at Google, testified Monday in a San Francisco trial, saying that the company and Samsung were to share app store revenue to ensure Android mobile devices came with Google Play preinstalled. Epic, the company that makes the popular video game "Fortnite," sued Google in 2020, alleging the company's app marketplace violates antitrust laws.

Epic is trying to show that Google executives have discouraged third-party app stores on Samsung devices so it wouldn't cut into the profit of Google Play, Bloomberg reported. According to Kolotouros's testimony, half or more of Google Play revenue comes from Samsung devices. The trial targets the app store that distributes apps for the company's Android software, which powers virtually all the world's smartphones that aren't made by Apple.

Epic alleges Google has created an illegal monopoly on Android apps so it can boost its profits through commissions, ranging from 15 to 30 percent on purchases made within an app. Google argues it was doing so to compete with Apple and its app store, an argument attacked by Epic attorney Lauren Moskowitz. Earlier in the trial, Google's attorney said the company can't be a monopoly because it faces competition from companies such as Apple. Further reading: Apple Gets 36% of Google Revenue in Search Deal, Witness Says

Nothing Phone 2 owners get blue bubbles now. The company shared it has added iMessage to its newest phone through a new "Nothing Chats" app powered by the messaging platform Sunbird. From a report: The feature will be available to users in North America, the EU, and other European countries starting this Friday, November 17th. Nothing writes on its page that it's doing this because "messaging services are dividing phone users," and it wants "to break those barriers down." But doing so here requires you to trust Sunbird. Nothing's FAQ says Sunbird's "architecture provides a system to deliver a message from one user to another without ever storing it at any point in its journey," and that messages aren't stored on its servers.

Marques Brownlee has also had a preview of Nothing Chats. He confirmed with Nothing that, similar to how other iMessage-to-Android bridge services have worked before, "...it's literally signing in on some Mac Mini in a server farm somewhere, and that Mac Mini will then do all of the routing for you to make this happen." Nothing's US head of PR, Jane Nho, told The Verge in an email that Sunbird stores user iCloud credentials as a token "in an encrypted database" and associated with one of its Mac Minis in the US or Europe, depending on the user's location, that then act as a relay for iMessages sent via the app. She added that, after two weeks of inactivity, Sunbird deletes the account information.

Does Gmail want to be an instant messaging client? From a report: Last month the popular webmail app shipped an emoji reactions bar in the mobile app, where a single tap would send a new email with your emoji response. Now, a wild new UI experiment spotted by Android Police goes another step further: a quick reply bar that looks just like instant messaging input. Rather than the usual input block you get for writing paragraphs of overly formal text, this new Gmail experiment has a one-line input bar at the bottom for replies. A drop-down menu just above it lets you pick from the usual "reply," "reply all," or "forward" options. Besides that, you get an attachment and send button. An "expand" button will presumably launch the usual compose interface.

Google has confirmed in court that Epic was offered a $147 million deal to launch its hit game Fortnite on Android's Google Play Store. From a report: The deal, which Google's VP of Play partnerships, Purnima Kochikar, says was approved and presented to Epic but not accepted, would have seen the money dispensed over a three-year period of "incremental funding" (ending in 2021) to the games publisher. It was meant to stem a potential "contagion" of popular apps bypassing Android's official store and, with it, Google's lucrative in-app purchase fees.

Epic launched Fortnite on Android in 2018 directly through its website, avoiding the Play Store. That allowed it to sell Fortnite's in-game currency, V-Bucks, without paying the commission required of Play Store apps. It relented in 2020, saying that "scary, repetitive security pop-ups" and other factors had put it at a severe disadvantage. But in an antitrust lawsuit filed later that year -- and currently being argued before a jury -- it alleged its initial decision had thrown Google into a panic. It cited internal documents claiming Google feared a "contagion risk" if other game developers (including Blizzard, Valve, Sony, and Nintendo) followed Epic's lead, and it claimed Google attempted to forestall it by offering special benefits or even buying Epic.

The App Defense Alliance (ADA), an initiative set up by Google back in 2019 to combat malicious Android apps infiltrating the Play app store, has joined the Joint Development Foundation (JDF), a Linux Foundation project focused on helping organizations working on technical specifications, standards, and related efforts. From a report: The App Defense Alliance had, in fact, already expanded beyond its original Android malware detection roots, covering areas such as malware mitigation, mobile app security assessments (MASA), and cloud app security assessments (CASA). And while its founding members included mobile security firms such as ESET, Lookout and Zimperium, it has ushered in new members through the years including Trend Micro and McAfee. Today's news, effectively, sees ADA join an independent foundation, a move designed to open up the appeal to other big tech companies, such as Facebook parent Meta and Microsoft, both of which are now joining the ADA's steering committee. The ultimate goal is to "improve app security" through fostering greater "collaborative implementation of industry standards," according to a joint statement today.

Combing through the code of the new version of Google Photos app for Android, some users have found that Google plans to restrict Magic Editor, a feature it unveiled at Google I/O this year, from making certain kinds of edit. AndroidAuthority: Summarizing the strings above, it seems Magic Editor will refuse to edit:
1. Photos of ID cards, receipts, and other documents that violate Google's GenAI terms.
2. Images with personally identifiable information.
3. Human faces and body parts.
4. Large selections or selections that need a lot of data to be generated.

Emma Roth reports via The Verge: YouTube appears to be testing a new "play something" button on its mobile app that directs you to a random video when you don't know what to watch. As first spotted by Android Police, the prompt shows up between content as you scroll through the feed on your homepage -- but only some users are seeing it. While Android Police mentions that the button only directs users to YouTube Shorts, one of my colleagues here at The Verge found that the feature also shows them random full-length videos. It's still not clear if YouTube takes your watch history into account when picking the random videos it plays or how widely Google is rolling out this feature.

Epic Games, the maker of the popular game "Fortnite," has launched a battle against Google in federal court in a closely watched antitrust showdown that could reshape how smartphone users get Android apps and pay for in-app content. From a report: Epic's lawsuit in the US District Court in California's Northern District targets the Google Play Store, focusing on Google's fees for in-app subscriptions and one-off transactions, along with other terms that app developers such as Epic say helped Google maintain an illegal monopoly in app distribution.

The legal battle follows a years-long debate about whether app store operators such as Google and Apple foster an open, competitive app ecosystem. The two companies argue their app stores help unlock billions in revenue for small businesses, while ensuring that Android and iOS users benefit from security oversight that the technology giants provide. The jury may hear high-profile witnesses testify from both sides, including Google CEO Sundar Pichai and Epic CEO Tim Sweeney.

The court fight traces back to 2020, when Epic launched Project Liberty, a plan to circumvent Apple and Google's app store terms. That move by Epic forced a confrontation with the tech giants. Epic updated the Fortnite app to encourage players to pay for in-app content directly through Epic's own website -- rather than through Apple and Google's in-app payment systems. That gambit triggered a violation of the app stores' developer terms. The move also prompted both app stores to remove the Fortnite app from their platforms.

An anonymous reader quotes a report from Ars Technica: Android is slowly entering the RISC-V era. So far we've seen Google say it wants to give the up-and-coming CPU architecture "tier-1" support in Android, putting RISC-V on equal footing with Arm. Qualcomm has announced the first mass-market RISC-V Android chip, a still-untitled Snapdragon Wear chip for smartwatches. Now Google has announced a timeline for developer tools via the Google Open Source Blog. The last post is titled "Android and RISC-V: What you need to know to be ready."

Getting the Android OS and app ecosystem to support a new architecture is going to take an incredible amount of work from Google and developers, and these tools are laying the foundation for that work. First up, Google already has the "Cuttlefish" virtual device emulator running, including a gif of it booting up. This isn't the official "Android Emulator" -- which is targeted at app developers doing app development -- Cuttlefish is a hardware emulator for Android OS development. It's the same idea as the Android Emulator but for the bottom half of the tech stack -- the kernel, framework, and hardware bits. Cuttlefish lets Google and other Android OS contributors work on a RISC-V Android build without messing with an individual RISC-V device. Google says it's working well enough now that you can download and emulate a RISC-V device today, though the company warns that nothing is optimized yet.

The next step is getting the Android Emulator (for app developers) up and running, and Google says: "By 2024, the plan is to have emulators available publicly, with a full feature set to test applications for various device form factors!" The nice thing about Android is that most app code is written with no architecture in mind -- it's all just Java/Kotlin. So once the Android RunTime starts spitting out RISC-V code, a lot of app code should Just Work. That means most of the porting work will need to go into things written in the NDK, the native developer kit, like libraries and games. The emulator will still be great for testing, though.

Google says it'll issue a system update to fix a major storage bug in Android 14 that has caused some users to be locked out of their devices. Ars Technica reports: Apparently one more round of news reports was enough to get the gears moving at Google. Over the weekend the Issue tracker bug has been kicked up from a mid-level "P2" priority to "P0," the highest priority on the issue tracker. The bug has been assigned to someone now, and Googlers have jumped into the thread to make official statements that Google is looking into the matter. Here's the big post from Google on the bug tracker [...]. The highlights here are that Google says the bug affects devices with multiple Android users, not multiple Google accounts or (something we thought originally) users with work profiles. Setting up multiple users means going to the system settings, then "Multiple users," then "Allow multiple users," and you can add a user other than the default one. If you do this, you'll have a user switcher at the bottom of the quick settings. Multiple users all have separate data, separate apps, and separate Google accounts. Child users are probably the most popular reason to use this feature since you can lock kids out of things, like purchasing apps.

Shipping a Google Play system update as a quick Band-Aid is an interesting solution, but as Google's post suggests, this doesn't mean the problem is fixed. Play system updates (these are alternatively called Project Mainline or APEX modules) allow Google to update core system components via the Play Store, but they are really not meant for critical fixes. The big problem is that the Play system updates don't aggressively apply themselves or even let you know they have been downloaded. They just passively, silently wait for a reboot to happen so they can apply. For Pixel users, it feels like the horse has already left the barn anyway -- like most Pixel phones have automatically applied the nearly 13-day-old update by now. Users can force Play system updates to happen themselves by going to the system settings, then "Security & Privacy," then "System & updates," then "Google Play system update." If you have an update, you'll be prompted to reboot the phone. Also note that this differs from the usual OS update checker location, which is in system settings, then "System," then "System update." The system update screen will happily tell you "Your system is up to date" even if you have a pending Google Play system update. It would be great to have a single location for OS updates, Google Play System/Mainline updates, and app updates, but they are scattered everywhere and give conflicting "up to date" messages.

An anonymous reader quotes a report from OPP.Today: Android 14, the latest operating system from Google, is facing a major storage bug that is causing users to be locked out of their devices. This issue is particularly affecting users who utilize the "multiple profiles" feature. Reports suggest that the bug is comparable to being hit with "ransomware," as users are unable to access their device storage. Initially, it was believed that this bug was limited to the Pixel 6, but it has since been discovered that it impacts a wider range of devices upgrading to Android 14. This includes the Pixel 6, 6a, 7, 7a, Pixel Fold, and Pixel Tablet. The Google issue tracker for this bug has garnered over 350 replies, but there has been no response from Google so far. The bug has been assigned the medium priority level of "P2" and remains unassigned, indicating that no one is actively investigating it.

Users who have encountered this storage bug have shared log files containing concerning messages such as "Failed to open directory /data/media/0: Structure needs cleaning." This issue leads to various problematic situations, with some users experiencing boot loops, others stuck on a "Pixel is starting..." message, and some unable to take screenshots or access their camera app due to the lack of storage. Users are also unable to view files on their devices from a PC over USB, and the System UI and Settings repeatedly crash. Essentially, without storage, the device becomes practically unusable.

Android's user-profile system, designed to accommodate multiple users and separate work and personal profiles, appears to be the cause of this rarely encountered bug. Users have reported that the primary profile, which is typically the most important one, becomes locked out.

Ron Amadeo reports via Ars Technica: To help combat the surge of sideloaded malware, Google Play can now pop up a malware scanner at install time if it decides the app you're trying to sideload is interesting. Google Play's malware system, called "Google Play Protect," has always been able to check sideloaded apps for malware, but it used faster techniques like a definition file, and this happened quietly in the background. This new technique will delay your app installation with a full-screen "scanning" interface while Google runs a deep scan of the app code. Google's blog post says this is "real-time scanning at the code-level to combat novel malicious apps" and that Google Play Protect can "recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats."

The scan will involve sending bits and pieces of the app to Google for analysis. Google says: "Scanning will extract important signals from the app and send them to the Play Protect backend infrastructure for a code-level evaluation. Once the real-time analysis is complete, users will get a result letting them know if the app looks safe to install or if the scan determined the app is potentially harmful. This enhancement will help better protect users against malicious polymorphic apps that leverage various methods, such as AI, to be altered to avoid detection." [...] Google is first rolling this feature out in India -- a country that topped the malware distribution charts in that 2018 report -- with the company saying the feature "will expand to all regions in the coming months."

Long-time Slashdot reader couchslug shares a report from Ars Technica, writing: "A new attack on the right to do with one's property as the owner sees fit. First step, threaten without providing evidence." From the report: Before last week, owners of certain Mazda vehicles who also had a Home Assistant setup could create some handy connections for their car. One CX60 driver had a charger that would only power on when it confirmed his car was plugged in and would alert him if he left the trunk open. Another used Home Assistant to control their charger based on the dynamic prices of an Agile Octopus energy plan. Yet another had really thought it through, using Home Assistant to check the gas before their morning commute, alert them if their windows were down before rain was forecast, and remotely unlock and start the car in cold conditions. The possibilities were vast, and purportedly beyond what Mazda's official app offered.

Mazda, however, had issues with the project, which was largely the free-time work of one software developer, Brandon Rothweiler. In a Digital Millennium Copyright Act (DMCA) notice sent to GitHub, Mazda (or an authorized agent) alleges that Rothweiler's integration: contains code that "is violating [Mazda's] copyright ownership"; used "certain Mazda information, including proprietary API information," to "create code and information"; and contained code that "provides functionality same as what is currently" in Mazda's apps posted to the Apple App Store and Google Play Store for Android.

One day later, Rothweiler made a pull request to the Home Assistant core project: "I'm removing the Mazda integration due to a legal notice sent to me by Mazda." The Home Assistant project pushed an update to remove the integration, posted about the removal, and noted that they were "disappointed that Mazda has decided to take this position" and that "Mazda's first recourse was not to reach out to us and the maintainer but to send a cease and desist letter instead." One of the many commenters confused by Mazda's code claims said they couldn't find any of the copyrighted code the company referenced. Additionally, Ars Technica suggests the project "could be considered a fair use exception to the DMCA, as explained by the Electronic Frontier Foundation."

"When Mazda contacted me, my options were to either comply or open myself up to potential legal risk," said Rothweiler. "Even if I believe that what I'm doing is morally correct and legally protected, legal processes still have a financial cost. I can't afford to take on that financial risk for something that I do in my spare time to help others."

An anonymous reader quotes a report from Ars Technica: You can now reply to an email just like it's an instant messaging chat, tacking on a "crying laughing" emoji to an email instead of replying. Google has a whole support article detailing the new feature, which allows you to "express yourself and quickly respond to emails with emojis." Like a messaging app, a row of emoji reaction counts will appear below your email now, and other people on the thread can tap to add to the reaction count. Currently, it's only on the Android Gmail app, but it's presumably coming to other Gmail clients.

Of course, email is from the 1970s and does not natively support emoji reactions. That makes this a Gmail-proprietary feature, which is a problem for federated emails that are expected to work with a million different clients and providers. If you send an emoji reaction and someone on the email chain is not using an official Gmail client, they will get a new, additional email containing your singular reactive emoji. Google is not messing with the email standard, so people not using Gmail will be the most affected.

Another weird quirk is that because emoji reactions are just emails (that Gmail sends to other clients and hides for itself), any emoji reactions you send can't be taken back. There's only Gmail's "Undo send" feature for taking back reactions, which delays sending emails for about 30 seconds, so you can second-guess yourself. After that, you're creating a permanent emoji reaction paper trail. [...] If the idea of emoji reactions to email has you selecting the puke emoji, as far as we can tell, there's no way to just turn this off. The report notes that this new feature won't work on business or school accounts. "Emoji reactions also aren't available for group email lists, messages with more than 20 recipients, emails on which you're BCC'd, encrypted emails, and emails where the sender has a custom reply-to address."

Android 14 is out today, along with a new Pixel phone. The OS is shipping to supported Pixel devices now, which means the Pixel 4a (5G) and every variant of the Pixel 5, 6, and 7, plus the Fold and Tablet. From a report: The big feature this year is a somewhat customizable home screen. You can pick from several different lock screen clock styles and customize the two bottom app shortcuts. This feels like a response to iOS 16's lock screen widgets (a feature Android used to have back in the 4.2 days) but not nearly as customizable. It's honestly hard to highlight a second Android 14 feature because this is one of the smallest Android releases ever. The first feature Google mentions in its blog post is a new wallpaper picker. On the Pixel 8, Android now has a built-in text-to-image AI wallpaper maker, presumably a feature that lets the Android team adhere to Google's "mandatory AI" company mandate. There's also a new monochrome theme if you're tired of all those "Material You" colors.

An anonymous reader quotes a report from Ars Technica: Even more Google products are getting the ax this week. Next up is Google Jamboard, a $5,000 digital whiteboard (and its $600-a-year fee) and software ecosystem marketed to schools and corporations. Google has a new post detailing the "Next phase of digital whiteboarding for Google Workspace," and the future for Jamboard is that there is no future. In "late 2024," the whole project will shut down, and we don't just mean the hardware will stop being for sale; the cloud-based apps will stop working, too.

Most people probably haven't ever heard of Jamboard, but this was a giant 55-inch, 4K touchscreen on a rolling stand that launched in 2016. Like most Google touchscreens, this ran Android with a locked-down custom interface on top instead of the usual phone interface. The digital whiteboard could be drawn on using the included stylus or your fingers, and it even came with a big plastic "eraser" that would remove items. The SoC was an Nvidia Jetson TX1 (a quad-core Cortex-A57 CPU attached to a beefy Maxwell GPU), and it had a built-in camera, microphone, and speakers for video calls. There was HDMI input and Google cast support, and it came in whimsical colors like red, gray, and blue (it feels like Google was going for an iMac rainbow and quit halfway). "We're grateful to the consumers, educators, students, and businesses who have used Jamboard since its launch in 2016," says Google. "While Jamboard users make up a small portion of our Workspace customer base, we understand that this change will impact some of you, and we're committed to helping you transition..."

"Over the coming months, we'll provide Jamboard app users and admins clear paths to retain their Jamboard data or migrate it," Google tells users in its blog post. Third-party options include Figma's FigJam, Lucid Software's Lucidspark, and Miro.

Ars Technica notes: "[T]he whole cloud system is going down, too, so all of your existing $5,000 whiteboards will soon be useless, and you won't be able to open the cloud data on other devices."