Thunderbird’s Android app, which is actually the K-9 Mail project reborn, is almost out. You can check it out a bit early in a beta that will feel pretty robust to most users.
Thunderbird, maintained by the Mozilla Foundation subsidiary MZLA, acquired the source code and naming rights to K-9 Mail, as announced in June 2022. The group also brought K-9 maintainer Christian Ketterer (or “cketti”) onto the project. Their initial goals, before a full rebrand into Thunderbird, involved importing Thunderbird’s automatic account setup, message filters, and mobile/desktop Thunderbird syncing.
At the tail end of 2023, however, Ketterer wrote on K-9’s blog that the punchlist of items before official Thunderbird-dom was taking longer than expected. But when it’s fully released, Thunderbird for Android will have those features. As such, beta testers are asked to check out a specific list of things to see if they work, including automatic setup, folder management, and K-9-to-Thunderbird transfer. The beta will not be “addressing longstanding issues,” Thunderbird’s blog post notes.
Launching Thunderbird for Android from K-9 Mail’s base makes a good deal of sense. Thunderbird’s desktop client has had a strange, disjointed life so far and is only just starting to regain a cohesive vision for what it wants to provide. For a long time now, K-9 Mail has been the Android email of choice for people who don’t want Gmail or Outlook, will not tolerate the default “Email” app on non-Google-blessed Android systems, and just want to see their messages.
“Picture a massive football stadium filled with fans month after month,” Reichenstein wrote to Ars. In that stadium, he writes:
5 percent (max) have a two-week trial ticket
2 percent have a yearly ticket
0.5 percent have a monthly ticket
0.5 percent are buying “all-time” tickets
But even if every lifetime ticket buyer showed up at once, that’s 10 percent of the stadium, Reichenstein said. Even without full visibility of every APK—“and what is happening in China at all,” he wrote—iA can assume 90 percent of users are “climbing over the fence.”
“Long story short, that’s how you can end up with 50,000 users and only 1,000 paying you,” Reichenstein wrote in the blog post.
Piracy doesn’t just mean lost revenue, Reichenstein wrote, but also increased demands for support, feature requests, and chances for bad ratings from people who never pay. And it builds over time. “You sell less apps through the [Play Store], but pirated users keep coming in because pirate sites don’t have such reviews. Reviews don’t matter much if the app is free.”
The iA numbers on macOS hint at a roughly 10 percent piracy rate. On iOS, it’s “not 0%,” but it’s “very, very hard to say what the numbers are”; there is also no “reset trick” or trials offered there.
A possible future unfreezing
Reichenstein wrote in the post and to Ars that sharing these kinds of numbers can invite critique from other app developers, both armchair and experienced. He’s seen that happening on Mastodon, Hacker News, and X (formerly Twitter). But “critical people are useful,” he noted, and he’s OK with people working backward to figure out how much iA might have made. (Google did not offer comment on aspects of iA’s post outside discussing Drive access policy.)
iA suggests that it might bring back Writer on Android, perhaps in a business-to-business scenario with direct payments. For now, it’s a slab of history, albeit far less valuable to the metaphorical Darth Vader that froze it.
Five years ago, researchers made a grim discovery—a legitimate Android app in the Google Play market that was surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads.
Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible.
Clever tradecraft
Software developer kits, better known as SDKs, are apps that provide developers with frameworks that can greatly speed up the app-creation process by streamlining repetitive tasks. An unverified SDK module incorporated into the apps ostensibly supported the display of ads. Behind the scenes, it provided a host of advanced methods for stealthy communication with malicious servers, where the apps would upload user data and download malicious code that could be executed and updated at any time.
The stealthy malware family in both campaigns is known as Necro. This time, some variants use techniques such as steganography, an obfuscation method rarely seen in mobile malware. Some variants also deploy clever tradecraft to deliver malicious code that can run with heightened system rights. Once devices are infected with this variant, they contact an attacker-controlled command-and-control server and send web requests containing encrypted JSON data that reports information about each compromised device and application hosting the module.
The server, in turn, returns a JSON response that contains a link to a PNG image and associated metadata that includes the image hash. If the malicious module installed on the infected device confirms the hash is correct, it downloads the image.
The SDK module “uses a very simple steganographic algorithm,” Kaspersky researchers explained in a separate post. “If the MD5 check is successful, it extracts the contents of the PNG file—the pixel values in the ARGB channels—using standard Android tools. Then the getPixel method returns a value whose least significant byte contains the blue channel of the image, and processing begins in the code.”
The researchers continued:
If we consider the blue channel of the image as a byte array of dimension 1, then the first four bytes of the image are the size of the encoded payload in Little Endian format (from the least significant byte to the most significant). Next, the payload of the specified size is recorded: this is a JAR file encoded with Base64, which is loaded after decoding via DexClassLoader. Coral SDK loads the sdk.fkgh.mvp.SdkEntry class in a JAR file using the native library libcoral.so. This library has been obfuscated using the OLLVM tool. The starting point, or entry point, for execution within the loaded class is the run method.
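The extraction step the quoted passage describes, written out as an added Python analyst tool (not Kaspersky’s code or the SDK’s): it assumes the bitmap is supplied as Android-style packed ARGB ints, uses a constructed harmless ZIP as a stand-in for the JAR, and adds the triage verdict an analyst would want when checking whether a downloaded image carries a payload.

```python
import base64
import binascii
import io
import struct
import zipfile


def blue_channel(pixels):
    """Return the blue channel of a bitmap as a byte array.

    Android's Bitmap.getPixel() returns a packed ARGB int, so, as the
    quoted passage says, the blue channel is the least significant byte.
    """
    return bytes(p & 0xFF for p in pixels)


def extract_payload(pixels):
    """Recover the embedded payload using the layout the passage describes.

    Bytes 0..3 of the blue channel hold the payload length as a
    little-endian uint32; the next `size` bytes are the Base64 text of a
    JAR. Returns the decoded JAR bytes or raises ValueError.
    """
    data = blue_channel(pixels)
    if len(data) < 4:
        raise ValueError("image too small to carry a length header")
    size = struct.unpack("<I", data[:4])[0]
    if size == 0 or size > len(data) - 4:
        raise ValueError(f"declared size {size} does not fit in {len(data) - 4} bytes")
    encoded = data[4:4 + size]
    try:
        return base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"payload is not valid Base64: {exc}") from exc


def is_jar(blob):
    """A JAR is a ZIP archive: check the magic and that it opens with entries."""
    if blob[:4] != b"PK\x03\x04":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return len(zf.namelist()) > 0
    except zipfile.BadZipFile:
        return False


def triage(pixels):
    """Analyst verdict for one decoded bitmap: does its blue channel carry a JAR?"""
    try:
        payload = extract_payload(pixels)
    except ValueError as exc:
        return {"suspicious": False, "payload_len": 0, "reason": str(exc)}
    jar = is_jar(payload)
    return {
        "suspicious": jar,
        "payload_len": len(payload),
        "reason": "blue channel carries a Base64-encoded JAR" if jar
                  else "decoded bytes are not a ZIP/JAR",
    }


def constructed_sample():
    """Constructed fixture, not a real Necro image: a harmless one-entry ZIP
    standing in for the JAR, laid into the blue channel of a 64x64 bitmap
    exactly as the passage describes (4-byte LE length, then Base64)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "benign stand-in for the JAR payload")
    b64 = base64.b64encode(buf.getvalue())
    stream = struct.pack("<I", len(b64)) + b64
    stream += bytes(64 * 64 - len(stream))  # zero-pad the rest of the image
    # alpha 0xFF; red and green vary so the fixture is not a flat image
    return [(0xFF << 24) | ((i % 256) << 16) | (((i * 7) % 256) << 8) | b
            for i, b in enumerate(stream)]


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Images whose blue channel does not start with a plausible length followed by valid Base64 fall through as not suspicious, so the check is cheap enough to run over every image an app downloads from an ad endpoint.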
Follow-on payloads that get installed download malicious plugins that can be mixed and matched for each infected device to perform a variety of different actions. One of the plugins allows code to run with elevated system rights. By default, Android bars privileged processes from using WebView, an extension in the OS for displaying webpages in apps. To bypass this safety restriction, Necro uses a hacking technique known as a reflection attack to create a separate instance of the WebView factory.
This plugin can also download and run other executable files that will replace links rendered through WebView. When running with the elevated system rights, these executables have the ability to modify URLs to add confirmation codes for paid subscriptions and download and execute code loaded at links controlled by the attacker. The researchers listed five separate payloads they encountered in their analysis of Necro.
The modular design of Necro opens myriad ways for the malware to behave. Kaspersky provided the following image as an overview.
The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads—known as Max Browser—was also infected. That app is no longer available in Google Play.
The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.
People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of this writeup.
Emojipedia sample images of the new Unicode 16.0 emoji.
The Unicode Consortium has finalized and released version 16.0 of the Unicode standard, the elaborate character set that ensures that our phones, tablets, PCs, and other devices can all communicate and interoperate with each other. The update adds 5,185 new characters to the standard, bringing the total up to a whopping 154,998.
Of those 5,185 characters, the ones that will get the most attention are the eight new emoji characters, including a shovel, a fingerprint, a leafless tree, a radish (formally classified as “root vegetable”), a harp, a purple splat that evokes the ’90s Nickelodeon logo, and a flag for the island of Sark. The standout, of course, is “face with bags under eyes,” whose long-suffering thousand-yard stare perfectly encapsulates the era it has been born into. Per usual, Emojipedia has sample images that give you some idea of what these will look like when they’re implemented by various operating systems, apps, and services.
We last got new emoji in 2023’s Unicode 15.1 update, though all of these designs were technically modifications of existing emoji rather than new characters—many emoji, most notably for skin and hair color variants, use a base emoji plus a modifier emoji, combined together with a “zero-width joiner” (ZWJ) character that makes them display as one character instead. The lime emoji in Unicode 15.1 was actually a lemon emoji combined with the color green; the phoenix was a regular bird joined to the fire emoji. This was likely because 15.1 was only intended as a minor update to 2022’s Unicode 15.0 standard.
Most of the Unicode 16.0 emoji, by contrast, are their own unique characters. The one exception is the Sark flag emoji; flag sequences are created by placing two “regional indicator letters” directly next to each other and don’t require a ZWJ character between them.
Incorporation into the Unicode standard is only the first step that new emoji and other characters take on their journey from someone’s mind to your phone or computer; software makers like Apple, Google, Microsoft, Samsung, and others need to design iterations that fit with their existing spin on the emoji characters, they need to release software updates that use the new characters, and people need to download and install them.
We’ve seen a few people share on social media that the Unicode 16.0 release includes a “greenwashing” emoji designed by Shepard Fairey, an artist best known for the 2008 Barack Obama “Hope” poster. This emoji, and an attempt to gin up controversy around it, is all an elaborate hoax: there’s a fake Unicode website announcing it, a fake lawsuit threat that purports to be from a real natural gas industry group, and a fake Cory Doctorow article about the entire “controversy” published in a fake version of Wired. These were all published to websites with convincing-looking but fake domains, all registered within a couple of weeks of each other in August 2024. The face-with-bags-under-eyes emoji feels like an appropriate response.
It’s never explained what this collection of app icons quite represents. A disorganized app you tossed together by sideloading? A face that’s frowning because it’s rolling down a bar held up by app icons? It’s weird, but not quite evocative.
You might sideload an Android app, or manually install its APK package, if you’re using a custom version of Android that doesn’t include Google’s Play Store. Alternately, the app might be experimental, under development, or perhaps no longer maintained and offered by its developer. Until now, the existence of sideload-ready APKs on the web was something that seemed to be tolerated, if warned against, by Google.
This quiet standstill is being shaken up by a new feature in Google’s Play Integrity API. As reported by Android Authority, developer tools to push “remediation” dialogs during sideloading, which debuted at Google’s I/O conference in May, have begun showing up on users’ phones. Sideloaders of apps from the British shop Tesco, fandom app BeyBlade X, and ChatGPT have reported “Get this app from Play” prompts, which cannot be worked around. An Android gaming handheld user encountered a similarly worded prompt from Diablo Immortal on their device three months ago.
Google’s Play Integrity API is how apps have previously blocked access when loaded onto phones that are in some way modified from a stock OS with all Google Play integrations intact. Recently, a popular two-factor authentication app blocked access on rooted phones, including the security-minded GrapheneOS. Apps can call the Play Integrity API and get back an “integrity verdict,” relaying if the phone has a “trustworthy” software environment, has Google Play Protect enabled, and passes other software checks.
Graphene has questioned the veracity of Google’s Integrity API and SafetyNet Attestation systems, recommending instead standard Android hardware attestation. Rahman notes that apps do not have to take an all-or-nothing approach to integrity checking. Rather than block installation entirely, apps could call on the API only during sensitive actions, issuing a warning there. But not having a Play Store connection can also deprive developers of metrics, allow for installation on incompatible devices (and resulting bad reviews), and, of course, open the door to paid app piracy.
“Unknown distribution channels” blocked
Google’s developer video about “Automatic integrity protection” (at the 12-minute, 24-second mark on YouTube) notes that “select” apps have access to automatic protection. This adds an automatic checking tool to your app and the “strongest version of Google Play’s anti-tamper protection.” “If users get your protected app from an unknown distribution channel,” a slide in the presentation reads, “they’ll be prompted to get it from Google Play,” available to “select Play Partners.”
LocalThunk, the pseudonymous lead developer of the surprise smash hit deckbuilding/roguelike/poker-math-simulation game Balatro, has long given the impression that he understands that his game, having sold 2 million copies, might be a little too good.
To that end, LocalThunk has made the game specifically not about actual gambling, or microtransactions, or anything of the kind. Shortly after it arrived in February 2024 (but after it already got its hooks into one of us), some storefronts removed or re-rated the game on concerns about its cards and chips themes, causing him to explain his line between random number generation (RNG), risk/reward mechanics, and actual gambling. He literally wrote it into his will that the game cannot be used in any kind of gambling or casino property.
So LocalThunk has done everything he can to ensure Balatro won’t waste people’s money. Time, though? If you’re a Balatro fan already, or more of a mobile gamer than a console or computer player, your time is in danger.
Balatro is coming to iOS, both in the Apple Arcade subscription and as a stand-alone title, and the Google Play Store on September 26. The pitch-perfect reveal trailer slowly ratchets up the procrastinatory terror, with the word “MOBILE” punctuating scenes of gameplay, traditional businessmen crying, “Jimbo Stonks” rising upward (Jimbo being the moniker of Balatro’s joker), and a world laid to waste by people chasing ever-more-elusive joker combos.
Please note in the trailer, at the 36-second mark, the “Trailer Ideas” for Balatro on Mobile, including “Announcing Balatro is now a Soulslike,” “Romanceable Jimbo Reveal,” and “It’s like that apocalypse movie with the meteor but instead Jimbo is in the sky.”
Even more Balatro content is coming
The mobile version of Balatro is one of three updates LocalThunk has planned for 2025. A gameplay update is still due to arrive sometime this year, one that will be completely free for game owners. It won’t feel like a different game, or even a 1.5 version, LocalThunk told Polygon last month, but “extending that vision to, I think, its logical bounds instead of shifting directions … [M]ore about filling out the design space that currently exists, and then extending that design space in interesting directions that I think people are going to love.”
As we noted in our attempt to explain the ongoing popularity of roguelike deckbuilders, Balatro is LocalThunk’s first properly released game. He claims to have not played any such games before making Balatro but was fascinated by streams of Luck Be a Landlord, a game about “using a slot machine to earn rent money and defeat capitalism.” That game, plus influences of Cantonese game Big Two and the basics of poker (another game LocalThunk says he didn’t actually play), brought about the time-melting game as we know it.
A number of Ars writers have kept coming back to Balatro, time and again, since its release. It’s such a compelling game, especially for its indie-scale price, that none of us could really think of a way to write a stand-alone “review” of it. With its imminent arrival on iPhones, iPads, and Android devices, we’re due to re-educate ourselves on how much time is really in each day and which kinds of achievements our families and communities need to see from us.
Maybe the game won’t sync across platforms, and the impedance of having to start all over will be enough to prevent notable devolution. Maybe.
Phishers are using a novel technique to trick iOS and Android users into installing malicious apps that bypass safety guardrails built by both Apple and Google to prevent unauthorized apps.
Both mobile operating systems employ mechanisms designed to help users steer clear of apps that steal their personal information, passwords, or other sensitive data. iOS bars the installation of all apps other than those available in its App Store, an approach widely known as the Walled Garden. Android, meanwhile, is set by default to allow only apps available in Google Play. Sideloading—or the installation of apps from other markets—must be manually allowed, something Google warns against.
When native apps aren’t
Phishing campaigns making the rounds over the past nine months are using previously unseen ways to work around these protections. The objective is to trick targets into installing a malicious app that masquerades as an official one from the targets’ bank. Once installed, the malicious app steals account credentials and sends them to the attacker in real time over Telegram.
“This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation,” Jakub Osmani, an analyst with security firm ESET, wrote Tuesday. “For iOS users, such an action might break any ‘walled garden’ assumptions about security. On Android, this could result in the silent installation of a special kind of APK, which on further inspection even appears to be installed from the Google Play store.”
The novel method involves enticing targets to install a special type of app known as a Progressive Web App. These apps rely solely on Web standards to render functionalities that have the feel and behavior of a native app, without the restrictions that come with them. The reliance on Web standards means PWAs, as they’re abbreviated, will in theory work on any platform running a standards-compliant browser, making them work equally well on iOS and Android. Once installed, users can add PWAs to their home screen, giving them a striking similarity to native apps.
While PWAs can apply to both iOS and Android, Osmani’s post uses PWA to apply to iOS apps and WebAPK to Android apps.
Installed phishing PWA (left) and real banking app (right). (Credit: ESET)
Comparison between an installed phishing WebAPK (left) and real banking app (right). (Credit: ESET)
The attack begins with a message sent either by text message, automated call, or through a malicious ad on Facebook or Instagram. When targets click on the link in the scam message, they open a page that looks similar to the App Store or Google Play.
Example of a malicious advertisement used in these campaigns. (Credit: ESET)
Phishing landing page imitating Google Play. (Credit: ESET)
ESET’s Osmani continued:
From here victims are asked to install a “new version” of the banking application; an example of this can be seen in Figure 2. Depending on the campaign, clicking on the install/update button launches the installation of a malicious application from the website, directly on the victim’s phone, either in the form of a WebAPK (for Android users only), or as a PWA for iOS and Android users (if the campaign is not WebAPK based). This crucial installation step bypasses traditional browser warnings of “installing unknown apps”: this is the default behavior of Chrome’s WebAPK technology, which is abused by the attackers.
Example copycat installation page. (Credit: ESET)
The process is a little different for iOS users, as an animated pop-up instructs victims how to add the phishing PWA to their home screen (see Figure 3). The pop-up copies the look of native iOS prompts. In the end, even iOS users are not warned about adding a potentially harmful app to their phone.
Figure 3: iOS pop-up instructions after clicking “Install” (credit: Michal Bláha / ESET)
After installation, victims are prompted to submit their Internet banking credentials to access their account via the new mobile banking app. All submitted information is sent to the attackers’ C&C servers.
The technique is made all the more effective because application information associated with the WebAPKs will show they were installed from Google Play and have been assigned no system privileges.
WebAPK info menu—notice the “No Permissions” at the top and “App details in store” section at the bottom. (Credit: ESET)
So far, ESET is aware of the technique being used against customers of banks mostly in Czechia and less so in Hungary and Georgia. The attacks used two distinct command-and-control infrastructures, an indication that two different threat groups are using the technique.
“We expect more copycat applications to be created and distributed, since after installation it is difficult to separate the legitimate apps from the phishing ones,” Osmani said.
Back in July 2022, when mobile app metrics firm Branch acquired the popular and well-regarded Nova Launcher for Android, the app’s site put up one of those self-directed FAQ posts about it. Under the question heading “What does Branch want with Nova?,” Nova founder and creator Kevin Barry started his response with, “Not to mess it up, don’t worry!”
Branch (formerly/sometimes Branch Metrics) is a firm concerned with helping businesses track the links that lead into their apps, whether from SMS, email, marketing, or inside other apps. Nova, with its Sesame Search tool that helped users find and access deeper links—like heading straight to calling a car, rather than just opening a rideshare app—seemed like a reasonable fit.
Barry wrote that he had received a number of acquisition offers over the years, but he didn’t want to be swallowed by a giant corporation, an OEM, or a volatile startup. “Branch is different,” he wrote then, because they wanted to add staff to Nova, keep it available to the public, and mostly leave it alone.
Two years later, Branch has left Nova Launcher a bit too alone. As documented on Nova’s official X (formerly Twitter) account, and transcripts from its Discord, as of Thursday Nova had “gone from a team of around a dozen people” to just Barry, the founder, working alone. The Nova cuts were part of “a massive layoff” of purportedly more than 100 people across all of Branch, according to now-former Nova workers.
Barry wrote that he would keep working on Nova, “However I have less resources.” He would need to “cut scope” on an upcoming Nova release, he wrote. Other employees noted that customer support, marketing, and even correspondence would likely be strained or disappear.
Ars has reached out to Branch for comment and will update this post with any response.
Some of the icon customization options, shown here on a tablet, inside Nova Launcher. (Credit: Nova Launcher)
Custom, clean Android home screens
It’s hard to tell if Nova would have been better off without ever having been inside Branch, or if it might have inevitably run into the vexing question of how to get people to continually pay for an Android utility. But for Nova to be endangered, or at least heavily constrained, is a sad state for a very useful tool.
Installing a launcher on Android allows you to ignore whatever home screen, app tray, and search bars your phone came with and design your own. Nova Launcher allowed people to change how many icons showed up on their screen, and how big. It allowed for hiding default apps that could not be uninstalled. It was, and still is, one of the best ways to rid your phone of bad skins, cruddy OEM software, and stuff for which you never asked.
In more than a dozen Ars reviews of Android devices touting organization concepts that people might not like—including Google’s own Pixels—Nova Launcher was recommended (minus one weird Razer/Nextbit phone that came with it by default). In his Pixel 7 Pro review, Ron Amadeo spells out one such way Nova saved the day:
The worst part of the Pixel software package is the home screen launcher, the primary interface of the phone, which is not nearly configurable enough. All I’m asking for is two things. First, I’d like many more icon grid size adjustments—the default 4×4 grid was fine when we were using 3.2-inch, 480p displays, but I now run a 7×5 grid in Nova launcher, and the Pixel launcher looks ridiculous. Second, I want to remove Google’s useless “At a Glance” widget, which takes up an incredible four icon slots to show the date and current outdoor temperature.
For the more than a decade that I used (and sometimes reviewed) Android phones, I maintained an exported Nova configuration file that I brought from phone to phone. I could experiment with theming, icon packs, and custom widgets (complete with deep links into app actions), but what that export really did was allow me to feel comfortable tinkering and messing with layout ideas. I could always go back to my rock-solid, no-nonsense layout of apps, spaced just how I liked them.
While Nova is not dead (despite my and others’ eulogistic tones), it’s certainly not positioned to launch bold new features or plot new futures. Here’s hoping Barry can make a go of Nova Launcher for as long as it’s viable for him.
After US District Judge Amit Mehta ruled that Google has a monopoly in two markets—general search services and general text advertising—everybody is wondering how Google might be forced to change its search business.
Specifically, the judge ruled that Google’s exclusive deals with browser and device developers secured Google’s monopoly. These so-called default agreements funneled the majority of online searches to Google search engine result pages (SERPs), where results could be found among text ads that have long generated the bulk of Google’s revenue.
At trial, Mehta’s ruling noted, it was estimated that if Google lost its most important default deal with Apple, Google “would lose around 65 percent of its revenue, even assuming that it could retain some users without the Safari default.”
Experts told Ars that disrupting these default deals is the most obvious remedy that the US Department of Justice will seek to restore competition in online search. Other remedies that may be sought range from least painful for Google (mandating choice screens in browsers and devices) to most painful (requiring Google to divest from either Chrome or Android, where it was found to be self-preferencing).
But the remedies phase of litigation may have to wait until after Google’s appeal, which experts said could take years to litigate before any remedies are ever proposed in court. Whether Google could be successful in appealing the ruling is currently being debated, with anti-monopoly advocates backing Mehta’s ruling as “rock solid” and critics suggesting that the ruling’s fresh takes on antitrust law are open to attack.
Google declined Ars’ request to comment on appropriate remedies or its plan to appeal.
Previously, Google’s president of global affairs, Kent Walker, confirmed in a statement that the tech giant would be appealing the ruling because the court found that “Google is ‘the industry’s highest quality search engine, which has earned Google the trust of hundreds of millions of daily users,’ that Google ‘has long been the best search engine, particularly on mobile devices,’ ‘has continued to innovate in search,’ and that ‘Apple and Mozilla occasionally assess Google’s search quality relative to its rivals and find Google’s to be superior.’”
“Given this, and that people are increasingly looking for information in more and more ways, we plan to appeal,” Walker said. “As this process continues, we will remain focused on making products that people find helpful and easy to use.”
But Mehta found that Google was wielding its outsize influence in the search industry to block rivals from competing by locking browsers and devices into agreements ensuring that all searches went to Google SERPs. None of the pro-competitive benefits that Google claimed justified the exclusive deals persuaded Mehta, who ruled that “importantly,” Google “exercised its monopoly power by charging supra-competitive prices for general search text ads”—and thus earned “monopoly profits.”
While experts think the appeal process will delay litigation on remedies, Google seems to think that Mehta may rule on potential remedies before Google can proceed with its appeal. Walker told Google employees that a ruling on remedies may arrive in the next few months, The Wall Street Journal reported. Ars will continue monitoring for updates on this timeline.
As the DOJ’s case against Google’s search business has dragged on, reports have long suggested that a loss for Google could change the way that nearly the entire world searches the Internet.
Adam Epstein—the president and co-CEO of adMarketplace, which bills itself as “the largest consumer search technology company outside of Google and Bing”—told Ars that innovations in search could result in a broader landscape of more dynamic search experiences that draw from sources beyond Google and allow searchers to skip Google’s SERPs entirely. If that happens, the coming years could make Google’s ubiquitous search experience today a distant memory.
“By the end of this decade, going to a search engine results page will seem quaint,” Epstein predicted. “The court’s decision sets the stage for a remedy that will dramatically improve the search experience for everyone connected to the web. The era of innovation in search is just around the corner.”
The DOJ has not meaningfully discussed potential remedies it will seek, but Jonathan Kanter, assistant attorney general of the Justice Department’s antitrust division, celebrated the ruling.
“This landmark decision holds Google accountable,” Kanter said. “It paves the path for innovation for generations to come and protects access to information for all Americans.”
Graphene is a remarkable allotrope, deserving of further study. GrapheneOS is a remarkable ROM, one that Google does not quite know how to accommodate, due to its “tiny, tiny” user numbers compared to mainstream Android.
“If it’s not an official OS, we have to assume it’s bad.”
That’s how Shawn Wilden, the tech lead for hardware-backed security in Android, described the current reality of custom Android-based operating systems in response to a real security conundrum. GrapheneOS users discovered recently that Authy, a popular (and generally well-regarded) two-factor authentication manager, will not work on their phones—phones running an OS intended to be more secure and hardened than any standard Android phone.
“We don’t want to punish users of alternative OSes, but there’s really no other option at the moment,” Wilden added before his blunt conclusion. “Play Integrity has absolutely no way to guess whether a given custom OS completely subverts the Android security model.”
Play Integrity, formerly SafetyNet Attestation, essentially allows apps to verify whether an Android device has been granted permissions beyond Google’s intended models or has been rooted. Root access is not appealing to the makers of some apps involving banking, payments, competitive games, and copyrighted media.
There are many reasons beyond cheating and skulduggery that someone might root or modify their Android device. But to prove itself secure, an Android device must contact Google’s servers through an API in Google Play Services and then have its bootloader, ROM signature, and kernel verified. GrapheneOS, like most custom Android ROMs, does not contain a Google Play Services package by default but will let users install a sandboxed version of Play Services if they wish.
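What an app actually does with the attestation described above is a server-side policy decision, and that is where the GrapheneOS dilemma lives. The following is an added example, not code from Google, Authy or the article: it assumes the Play Integrity token has already been decrypted into Google’s documented verdict JSON (that step is outside the snippet), and the package name, nonce values and sample verdicts are constructed for illustration. It shows the request-binding checks that must precede the device labels, and the label tiers an app chooses between when it decides whether an uncertified OS is acceptable.

```python
"""Server-side policy for a decrypted Play Integrity verdict (added example)."""
import time
from typing import Optional

# Labels Google documents for deviceIntegrity.deviceRecognitionVerdict
STRONG, DEVICE, BASIC = ("MEETS_STRONG_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
                         "MEETS_BASIC_INTEGRITY")
MAX_AGE_MS = 5 * 60 * 1000  # freshness window: a policy choice, not a Google default


def evaluate_verdict(verdict: dict, package: str, nonce: str,
                     now_ms: Optional[int] = None) -> str:
    """Return 'reject', 'allow' or 'allow_degraded' for one verdict."""
    req = verdict.get("requestDetails", {})
    # Binding checks first: labels mean nothing if the token was minted for
    # another app or another request, or is being replayed later.
    if req.get("requestPackageName") != package:
        return "reject"
    if req.get("nonce") != nonce:
        return "reject"
    now = now_ms if now_ms is not None else int(time.time() * 1000)
    if now - int(req.get("timestampMillis", 0)) > MAX_AGE_MS:
        return "reject"
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return "reject"  # repackaged or not the Play-distributed build
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if DEVICE in labels or STRONG in labels:
        return "allow"           # Google-certified build on a certified device
    if BASIC in labels:
        return "allow_degraded"  # OS Google will not vouch for; app decides what to gate
    return "reject"              # no label at all: rooted, emulator, or unknown


def _constructed(labels, nonce="n-1", ts=1_700_000_000_000):
    """Build a constructed sample verdict (not real Google output)."""
    return {"requestDetails": {"requestPackageName": "com.example.app",
                               "nonce": nonce, "timestampMillis": ts},
            "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
            "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)}}


NOW = 1_700_000_060_000  # 60 s after the sample timestamps
CERTIFIED = _constructed([BASIC, DEVICE, STRONG])
UNCERTIFIED_OS = _constructed([BASIC])  # hypothetical custom-OS result
NO_LABELS = _constructed([])
REPLAYED = _constructed([BASIC, DEVICE, STRONG], nonce="n-old")
```

An app that only accepts "allow" behaves like Authy in the story: anything Google has not certified is refused, however well the OS enforces verified boot.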
Wilden offered some hope for a future in which ROMs could vouch for their non-criminal nature to Google, noting “some discussions with makers of high-quality ROMs” about passing the Compatibility Test Suite, then “establishing some kind of relationship we can use to trust them.” But it’s “a lot of work on both sides, including by lawyers,” Wilden notes. And while his team is happy to help, higher-level support is tough because “modders are such a tiny, tiny fraction of the user base.”
The official GrapheneOS X account was less hopeful. It noted that another custom ROM, LineageOS, disables verified boot at installation and “rolls back security in a lot of other ways,” contributing to “a misconception that every alternate OS rolls back security and isn’t production quality.” A typical LineageOS installation, like most custom ROMs, does disable verified boot; it can be re-enabled, but doing so is risky and complicated. GrapheneOS has a page on its site regarding its stance on, and criticisms of, Google’s attestation model for Android.
Ars has reached out to Google, GrapheneOS, and Authy (via owner Twilio) for comment. At the moment, it doesn’t seem like there’s a clear path forward for any party unless one of them is willing to majorly rework what they consider proper security.
If you get hired for this position, you’ll be provided an assistant. It’s this guy. This guy is your assistant. His name is “Googly.”
Google is a company in transformation—but “from what” and “to what” are not always clear. To catalog and examine Google’s moves in this new era of generative AI, Ars Technica is hiring a Senior Technology Reporter to focus on Google, AI, Android, and search. While attention to so-called “consumer products” will be important, this role will be more focused on Google’s big moves as a technology and infrastructure company, moves often made to counter perceived threats from companies like OpenAI, Microsoft, and Perplexity. Informed skepticism is the rule around here, so we’re looking for someone with the chops to bring a critical eye to some deep technical and business issues.
As this is a senior role owning an important beat, it is not an entry-level position. We’re looking for someone who can primarily self-direct when it comes to their reporting and someone who is comfortable working remotely within a similarly remote team. We’d also like someone who can bring to the table deep and intelligent analyses on broader Google topics while also hitting smaller daily news stories.
This is a full-time union job with benefits.
All candidates:
Must have prior professional experience in technology journalism
Must be living in and eligible to work in the United States
Should expect to travel two to three times per year for major event coverage
Epic is suggesting that competition on the Android mobile platform would be opened up if the court orders Google to allow third-party app stores to be distributed for six years in the Google Play Store and blocks Google from entering any agreements with device makers that would stop them from pre-loading third-party app stores. This would benefit both mobile developers and users, Epic argued in a wide-sweeping proposal that would greatly limit Google’s control over the Android app ecosystem.
US District Court Judge James Donato will ultimately decide the terms of the injunction. Google has until May 3 to respond to Epic’s filing.
“Epic’s filing to the US Federal Court shows again that it simply wants the benefits of Google Play without having to pay for it,” Google’s spokesperson said. “We’ll continue to challenge the verdict, as Android is an open mobile platform that faces fierce competition from the Apple App Store, as well as app stores on Android devices, PCs, and gaming consoles.”
If Donato accepts Epic’s proposal, Google would be required to grant equal access to the Android operating system and platform features to all developers, not just developers distributing apps through Google Play. This would allow third-party app stores to become the app update owner, updating any apps downloaded from their stores as seamlessly as Google Play updates apps.
Under Epic’s terms, any app downloaded from anywhere would operate identically to apps downloaded from Google Play, without Google imposing any unnecessary distribution fees. Similarly, developers would be able to provide their own in-app purchasing options and inform users of out-of-app purchasing options, without having to use Google’s APIs or paying Google additional fees.
Notably, Epic filed its lawsuit after Google removed the Epic game Fortnite from the Google Play Store because Epic tried to offer an “Epic Direct Payment” option for in-game purchases.
“Google must also allow developers to communicate directly with their consumers, including linking from their app to a website to make purchases and get deals,” Epic said in a blog post. “Google would be blocked from using sham compliance programs like User Choice Billing to prevent competing payment options inside an app or on a developer’s website.”
Unsurprisingly, Epic’s proposed injunction includes an “anti-retaliation” section specifically aimed at protecting Epic from any further retaliation. If Donato accepts the terms, Google would be violating the injunction order if the tech giant fails to prove that it is not “treating Epic differently than other developers” by making it “disproportionately difficult or costly” for Epic to develop, update, and market its apps on Android.
That part of the injunction would seem important since, last month, Epic announced that an Epic Games Store was “coming to iOS and Android” later this year. According to Inc, Epic told Game Developers Conference attendees that its app-distribution platform will be the “first ever game-focused, multiplatform store,” working across “Android, iOS, PC and macOS.”