Connect with us

Biz & IT

Aptoide, a Play Store rival, cries antitrust foul over Google hiding its app

Published

on

As US regulators gear up to launch another antitrust probe of Google’s business, an alternative Android app store is dialling up its long time complaint of anti-competitive behavior against the search and smartphone OS giant.

Portugal-based Aptoide is launching a campaign website to press its case and call for Google to “Play Fair” — accusing Mountain View of squeezing consumer choice by “preventing users from freely choosing their preferred app store”.

Aptoide filed its first EU antitrust complaint against Google all the way back in 2014, joining a bunch of other complainants crying foul over how Google was operating Android.

And while the European Commission did eventually step in, slapping Google with a $5BN penalty for antitrust abuses last summer after a multi-year investigation, rivals continue to complain the Android maker still isn’t playing fair.

In the case of Aptoide, the alternative Android app store says Google has damaged its ability to compete by unjustifiably flagging its app as insecure.

“Since Summer 2018, Google Play Protect flags Aptoide as a harmful app, hiding it in users’ Android devices and requesting them to uninstall it. This results in a potential decrease of unique Aptoide users of 20%. Google Play Protect is Google’s built-in malware protection for Android, but we believe the way it works damages users’ rights,” it writes on the site, where it highlights what it claims are Google’s anti-competitive behaviors, and asks users to report experiences of the app being flagged.

Aptoide says Google has engaged in multiple behaviors that make it harder for it to gain or keep users — thereby undermining its ability to compete with Google’s own Play Store.

“In 2018, we had 222 million yearly active users. Last month (May’19), we had 56 million unique MAU,” co-founder and CEO Paulo Trezentos tells TechCrunch. “We estimate that the Google Play removal and flagging had cause the loss of 15% to 20% of our user base since June’18.”

(The estimate of how many users Aptoide has lost was performed using Google SafetyNet API which he says allows it to query the classification of an app.)

“Fortunately we have been able to compensate that with new users and new partnerships but it is a barrier to a faster growth,” he adds.

“The googleplayfair.com site hopes to bring visibility to this situation and help other start ups that may be under the same circumstances.”

Among the anti-competitive behaviors Aptoide accuses Google of engaging in are flagging and suspending its app from users’ phones — without their permission and “without a valid reason”.

“It hides Aptoide. User cannot see Aptoide icon and cannot launch. Even if they go to ‘settings’ and say they trust Aptoide, Aptoide installations are blocked,” he says. “If it looks violent, it’s because it’s a really aggressive move and impactful.”

Here’s the notification Aptoide users are shown when trying to override Google’s suspension of Aptoide at the package manager level:

Even if an Aptoide user overrides the warning — by clicking ‘keep app (unsafe)’ — Trezentos says the app still won’t work because Google blocks Aptoide from installing apps.

“The user has to go to Play Protect settings (discover it it’s not easy) and turn off Play protect for all apps.”

He argues there is no justification for Aptoide’s alternative app store being treated in this way.

“Aptoide is considered safe both by security researchers [citing a paper by Japanese security researchers] and by Virus Total (a company owned by Google),” says Trezentos, adding: “Google is removing Aptoide from users phone only due to anticompetitive practices. Doesn’t want anyone else as distribution channel in Android.”

On the website Aptoide has launched to raise awareness and inform users and other startups about how Google treats its app, it makes the claim that its store is “proven… 100% secure” — writing:

We would like to be treated in a fair way: Play Protect should not flag Aptoide as a harmful app and should not ask users to uninstall it since it’s proven that it’s 100% secure. Restricting options for users goes against the nature of the Android open source project [ref10]. Moreover, Google’s ongoing abusive behaviour due to it’s dominant position results in the lack of freedom of choice for users and developers.We would like to keep allowing users and developers to discover and distribute apps in the store of their choice. A healthy competitive market and a variety of options are what we all need to keep providing the best products.

Trezentos stands by the “100% secure” claim when we query it.

“We think that we have a safer approach. We call it  ‘security by design’: We don’t consider all apps secure in the same way. Each app has a badge depending on the reputation of the developer: Trusted, Unknown, Warning, Critical,” he says.

“We are almost 100% sure that apps with a trusted badge are safe. But new apps from new developers, [carry] more risk in spite of all the technology we have developed to detect it. They keep the badge ‘unknown‘ until the community vote it as trusted. This can take some weeks, it can take some months.”

“Of course, if our anti-malware systems detect problems, we classify it as ‘critical’ and the users don’t see it at all,” he adds.

Almost 100% secure then. But if Google’s counter claim to justify choking off access to Aptoide is that the app “can download potentially harmful apps” the same can very well be said of its Play Store. And Google certainly isn’t encouraging Android users to pause that.

On the competition front, Aptoide presents a clear challenge to Google’s Android revenues because it offers developers a more attractive revenue split — taking just 19%, rather than the 30% cut Google takes off of Play Store wares. (Aptoide couches the latter as “Google’s abusive conditions”.)

So if Android users can be persuaded to switch from Play to Aptoide, developers stand to gain — and arguably users too, as app costs would be lower.

While, on the flip side, Google faces its 30% cut being circumvented. Or else it could be forced to reduce how much it takes from developers to give them a greater incentive to stock its shelves with great apps.

As with any app store business, Aptoide’s store of course requires scale to function. And it’s exactly that scale which Google’s behavior has negatively impacted since it began flagging the app as insecure a year ago, in June 2018, squeezing the rival’s user-base by up to a fifth, as Aptoide tells it.

Trezentos says Google’s flagging of its app store affects all markets and “continues to this day” — despite a legal ruling in its favor last fall, when a court in Portugal ordered Google to stop removing Aptoide without users’ permission.

“Google is ignoring the injunction result and is disregarding the national court. No company, independently of the size, should be above court decisions. But it seems that is the case with Google,” he says.

“Our legal team believe that the decision applies to 82 countries but we are pursuing first the total compliance with the decision in Portugal. From there, we will seek the extension to other jurisdictions.”

“We tried to contact Google several times, via Google Play Protect feedback form and directly through LinkedIn, and we’ve not had any feedback from Google. No reasons were presented. No explanation, although we are talking about hiding Aptoide in millions of users’ phones,” he adds.

“Our point in court it’s simple: Google is using the control at operating system level to block competitors at the services level (app store, in this case). As Google has a dominant position, that’s not legal. Court [in Portugal] confirmed and order Google to stop. Google didn’t obey.”

Aptoide has not filed an antitrust complaint against Google in the US — focusing its legal efforts on that front on local submissions to the European Commission.

But Trezentos says it’s “willing to cooperate with US authorities and provide factual data that shows that Google has acted with anti-competitive behaviour” (although he says no one has come knocking to request such collaboration yet.)

In Europe, the Commission’s 2018 antitrust decision was focused on Android licensing terms — which led to Google tweaking the terms it offers Android OEMs selling in Europe last fall.

Despite some changes rivals continue to complain that its changes do not go far enough to create a level playing field for competition.

There has also not been any relief for Aptoide from the record breaking antitrust enforcement. On the contrary Google appears to have dug in against this competitive threat.

“The remedies are positive but the scope is very limited to OEM partnerships,” says Trezentos of the EC’s 2018 Android antitrust decision. “We proposed additionally that Google would be obliged to give the same access privileges over the operating system to credible competitors.”

We’ve reached out to the Commission for comment on Aptoide’s complaint.

While it’s at least technically possible for an OEM to offer an Android device in Europe which includes key Google services (like search and maps) but preloads an alternative app store, rather than Google Play, it would be a brave device maker indeed to go against the consumer grain and not give smartphone buyers the mainstream store they expect.

So, as yet, there’s little high level regulatory relief to help Aptoide. And it may take a higher court than a Portuguese national court to force Google to listen.

But with US authorities fast dialling up their scrutiny of Mountain View, Aptoide may find a new audience for its complaint.

“The increased awareness to Google practices is reaching the regulators,” Trezentos agrees, adding: “Those practices harm competition and in the end are bad for developers and mobile users.”

We reached out to Google with questions about its treatment of Aptoide’s rival app store — but at the time of writing the company had not responded with any comment. 

There have also been some recent rumors that Aptoide is in talks to supply its alternative app store for Huawei devices — in light of the US/China trade uncertainties, and the executive order barring US companies from doing business with the Chinese tech giant, which have led to reports that Google intends to withdraw key Android services like Play from the company.

But Trezentos pours cold water on these rumors, suggesting there has been no change of cadence in its discussions with Huawei.

“We work with three of top six mobile OEMs in the world. Huawei is not one of them yet,” he tells us. “Our Shengzhen office had been in conversations for some months and they are testing our APIs. This process has not been accelerated or delayed by the recent news.”

Source link

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published.

Biz & IT

The cryptopocalypse is nigh! NIST rolls out new encryption standards to prepare

Published

on

Enlarge / Conceptual computer artwork of electronic circuitry with blue and red light passing through it, representing how data may be controlled and stored in a quantum computer.

Getty Images

In the not-too-distant future—as little as a decade, perhaps, nobody knows exactly how long—the cryptography protecting your bank transactions, chat messages, and medical records from prying eyes is going to break spectacularly with the advent of quantum computing. On Tuesday, a US government agency named four replacement encryption schemes to head off this cryptopocalypse.

Some of the most widely used public-key encryption systems—including those using the RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman algorithms—rely on mathematics to protect sensitive data. These mathematical problems include (1) factoring a key’s large composite number (usually denoted as N) to derive its two factors (usually denoted as P and Q) and (2) computing the discrete logarithm that keys are based on.

The security of these cryptosystems depends entirely on classical computers’ difficulty in solving these problems. While it’s easy to generate keys that can encrypt and decrypt data at will, it’s impossible from a practical standpoint for an adversary to calculate the numbers that make them work.

In 2019, a team of researchers factored a 795-bit RSA key, making it the biggest key size ever to be solved. The same team also computed a discrete logarithm of a different key of the same size.

The researchers estimated that the sum of the computation time for both of the new records was about 4,000 core-years using Intel Xeon Gold 6130 CPUs (running at 2.1GHz). Like previous records, these were accomplished using a complex algorithm called the Number Field Sieve, which can be used to perform both integer factoring and finite field discrete logarithms.

Quantum computing is still in the experimental phase, but the results have already made it clear it can solve the same mathematical problems instantaneously. Increasing the size of the keys won’t help, either, since Shor’s algorithm, a quantum-computing technique developed in 1994 by the American mathematician Peter Shor, works orders of magnitude faster in solving integer factorization and discrete logarithmic problems.

Researchers have known for decades these algorithms are vulnerable and have been cautioning the world to prepare for the day when all data that has been encrypted using them can be unscrambled. Chief among the proponents is the US Department of Commerce’s National Institute of Standards and Technology (NIST), which is leading a drive for post-quantum cryptography (PQC).

On Tuesday, NIST said it selected four candidate PQC algorithms to replace those that are expected to be felled by quantum computing. They are: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.

CRYSTALS-Kyber and CRYSTALS-Dilithium are likely to be the two most widely used replacements. CRYSTALS-Kyber is used for establishing digital keys two computers that have never interacted with each other can use to encrypt data. The remaining three, meanwhile, are used for digitally signing encrypted data to establish who sent it.

“CRYSTALS-Kyber (key-establishment) and CRYSTALS-Dilithium (digital signatures) were both selected for their strong security and excellent performance, and NIST expects them to work well in most applications,” NIST officials wrote. “FALCON will also be standardized by NIST since there may be use cases for which CRYSTALS-Dilithium signatures are too large. SPHINCS+ will also be standardized to avoid relying only on the security of lattices for signatures. NIST asks for public feedback on a version of SPHINCS+ with a lower number of maximum signatures.”

The selections announced today are likely to have significant influence going forward.

“The NIST choices certainly matter because many large companies have to comply with the NIST standards even if their own chief cryptographers don’t agree with their choices,” said Graham Steel, CEO of Cryptosense, a company that makes cryptography management software. “But having said that, I personally believe their choices are based on sound reasoning, given what we know right now about the security of these different mathematical problems, and the trade-off with performance.”

Nadia Heninger, an associate professor of computer science and engineering at University of California, San Diego, agreed.

“The algorithms NIST chooses will be the de facto international standard, barring any unexpected last-minute developments,” she wrote in an email. “A lot of companies have been waiting with bated breath for these choices to be announced so they can implement them ASAP.”

While no one knows exactly when quantum computers will be available, there is considerable urgency in moving to PQC as soon as possible. Many researchers say it’s likely that criminals and nation-state spies are recording massive amounts of encrypted communications and stockpiling them for the day they can be decrypted.

Continue Reading

Biz & IT

Google allowed sanctioned Russian ad company to harvest user data for months

Published

on

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

The day after Russia’s February invasion of Ukraine, Senate Intelligence Committee Chairman Mark Warner sent a letter to Google warning it to be on alert for “exploitation of your platform by Russia and Russian-linked entities,” and calling on the company to audit its advertising business’s compliance with economic sanctions.

But as recently as June 23, Google was sharing potentially sensitive user data with a sanctioned Russian ad tech company owned by Russia’s largest state bank, according to a new report provided to ProPublica.

Google allowed RuTarget, a Russian company that helps brands and agencies buy digital ads, to access and store data about people browsing websites and apps in Ukraine and other parts of the world, according to research from digital ad analysis firm Adalytics. Adalytics identified close to 700 examples of RuTarget receiving user data from Google after the company was added to a US Treasury list of sanctioned entities on Feb. 24. The data sharing between Google and RuTarget stopped four months later on June 23, the day ProPublica contacted Google about the activity.

RuTarget, which also operates under the name Segmento, is owned by Sberbank, a Russian state bank that the Treasury described as “uniquely important” to the country’s economy when it hit the lender with initial sanctions. RuTarget was later listed in an April 6 Treasury announcement that imposed full blocking sanctions on Sberbank and other Russian entities and people. The sanctions mean US individuals and entities are not supposed to conduct business with RuTarget or Sberbank.

Of particular concern, the analysis showed that Google shared data with RuTarget about users browsing websites based in Ukraine. This means Google may have turned over such critical information as unique mobile phone IDs, IP addresses, location information, and details about users’ interests and online activity, data that US senators and experts say could be used by Russian military and intelligence services to track people or zero in on locations of interest.

Last April, a bipartisan group of US senators sent a letter to Google and other major ad technology companies warning of the national security implications of data shared as part of the digital ad buying process. They said this user data “would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.”

Google spokesperson Michael Aciman said that the company blocked RuTarget from using its ad products in March and that RuTarget has not purchased ads directly via Google since then. He acknowledged the Russian company was still receiving user and ad buying data from Google before being alerted by ProPublica and Adalytics.

“Google is committed to complying with all applicable sanctions and trade compliance laws,” Aciman said. “We’ve reviewed the entities in question and have taken appropriate enforcement action beyond the measures we took earlier this year to block them from directly using Google advertising products.”

Aciman said this action includes not only preventing RuTarget from further accessing user data, but from purchasing ads through third parties in Russia that may not be sanctioned. He declined to say whether RuTarget had purchased ads via Google systems using such third parties, and he did not comment on whether data about Ukrainians had been shared with RuTarget.

Krzysztof Franaszek, who runs Adalytics and authored the report, said RuTarget’s ability to access and store user data from Google could open the door to serious potential abuse.

“For all we know they are taking that data and combining it with 20 other data sources they got from God knows where,” he said. “If RuTarget’s other data partners included the Russian government or intelligence or cybercriminals, there is a huge danger.”

In a statement to ProPublica, Warner, a Virginia Democrat, called Google’s failure to sever its relationship with RuTarget alarming.

“All companies have a responsibility to ensure that they are not helping to fund or even inadvertently support Vladimir Putin’s invasion of Ukraine. Hearing that an American company may be sharing user data with a Russian company—owned by a sanctioned, state-owned bank no less—is incredibly alarming and frankly disappointing,” he said. “I urge all companies to examine their business operations from top to bottom to ensure that they are not supporting Putin’s war in any way.”

Continue Reading

Biz & IT

Google closes data loophole amid privacy fears over abortion ruling

Published

on

Google is closing a loophole that has allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort welcomed by privacy campaigners in the wake of the US Supreme Court’s decision to end women’s constitutional right to abortion.

It also took a further step on Friday to limit the risk that smartphone data could be used to police new abortion restrictions, announcing it would automatically delete the location history on phones that have been close to a sensitive medical location such an abortion clinic.

The Silicon Valley company’s moves come amid growing fears that mobile apps will be weaponized by US states to police new abortion restrictions in the country.

Companies have previously harvested and sold information on the open market including lists of Android users using apps related to period tracking, pregnancy and family planning, such as Planned Parenthood Direct.

Over the past week, privacy researchers and advocates have called for women to delete period-tracking apps from their phones to avoid being tracked or penalised for considering abortions.

The US tech giant announced last March that it would restrict the feature, which allows developers to see which other apps are installed and deleted on individuals’ phones. That change was meant to be implemented last summer, but the company failed to meet that deadline citing the pandemic among other reasons.

The new deadline of July 12 will hit just weeks after the overturning of Roe vs Wade, a ruling that has thrown a spotlight on how smartphone apps could be used for surveillance by US states with new anti-abortion laws.

“It’s long overdue. Data brokers have been banned from using the data under Google’s terms for a long time, but Google didn’t build safeguards into the app approvals process to catch this behavior. They just ignored it,” said Zach Edwards, an independent cyber security researcher who has been investigating the loophole since 2020.

“So now anyone with a credit card can purchase this data online,” he added.

Google said: “In March 2021, we announced that we planned to restrict access to this permission, so that only utility apps, such as device search, antivirus, and file manager apps, can see what other apps are installed on a phone.”

It added: “Collecting app inventory data to sell it or share it for analytics or ads monetisation purposes has never been allowed on Google Play.”

Despite widespread usage by app developers, users remain unaware of this feature in Android software—a Google-designed programming interface, or API, known as the “Query All Packages.” It allows apps, or snippets of third-party code inside them, to query the inventory of all other apps on a person’s phone. Google itself has referred to this type of data as high-risk and “sensitive,” and it has been discovered being sold on to third parties.

Researchers have found that app inventories “can be used to precisely deduce end users interests and personal traits,” including gender, race and marital status, among other things.

Edwards has found that one data marketplace, Narrative.io, was openly selling data obtained by intermediaries in this way, including smartphones using Planned Parenthood, and various period tracking apps.

Narrative said it removed pregnancy tracking and menstruation app data from its platform in May, in response to the leaked draft outlining the Supreme Court’s forthcoming decision.

Another research company, Pixalate, discovered that consumer apps, like a simple weather app, were running bits of code that exploited the same Android feature and were harvesting data for a Panamanian company with ties to US defense contractors.

Google said it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we discover violations we take action,” adding it had sanctioned multiple companies believed to be selling user data.

Google said it would restrict the Query All Packages feature to only those who require it from July 12. App developers will be required to fill out a declaration explaining why they need access, and notify Google of this before the deadline so it can be vetted.

“Deceptive and undeclared uses of these permissions may result in a suspension of your app and/or termination of your developer account,” the company warned.

Additional reporting by Richard Waters.

© 2022 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.

Continue Reading

Trending