Connect with us

Biz & IT

Aptoide, a Play Store rival, cries antitrust foul over Google hiding its app

Published

on

As US regulators gear up to launch another antitrust probe of Google’s business, an alternative Android app store is dialling up its long time complaint of anti-competitive behavior against the search and smartphone OS giant.

Portugal-based Aptoide is launching a campaign website to press its case and call for Google to “Play Fair” — accusing Mountain View of squeezing consumer choice by “preventing users from freely choosing their preferred app store”.

Aptoide filed its first EU antitrust complaint against Google all the way back in 2014, joining a bunch of other complainants crying foul over how Google was operating Android.

And while the European Commission did eventually step in, slapping Google with a $5BN penalty for antitrust abuses last summer after a multi-year investigation, rivals continue to complain the Android maker still isn’t playing fair.

In the case of Aptoide, the alternative Android app store says Google has damaged its ability to compete by unjustifiably flagging its app as insecure.

“Since Summer 2018, Google Play Protect flags Aptoide as a harmful app, hiding it in users’ Android devices and requesting them to uninstall it. This results in a potential decrease of unique Aptoide users of 20%. Google Play Protect is Google’s built-in malware protection for Android, but we believe the way it works damages users’ rights,” it writes on the site, where it highlights what it claims are Google’s anti-competitive behaviors, and asks users to report experiences of the app being flagged.

Aptoide says Google has engaged in multiple behaviors that make it harder for it to gain or keep users — thereby undermining its ability to compete with Google’s own Play Store.

“In 2018, we had 222 million yearly active users. Last month (May’19), we had 56 million unique MAU,” co-founder and CEO Paulo Trezentos tells TechCrunch. “We estimate that the Google Play removal and flagging had cause the loss of 15% to 20% of our user base since June’18.”

(The estimate of how many users Aptoide has lost was performed using Google SafetyNet API which he says allows it to query the classification of an app.)

“Fortunately we have been able to compensate that with new users and new partnerships but it is a barrier to a faster growth,” he adds.

“The googleplayfair.com site hopes to bring visibility to this situation and help other start ups that may be under the same circumstances.”

Among the anti-competitive behaviors Aptoide accuses Google of engaging in are flagging and suspending its app from users’ phones — without their permission and “without a valid reason”.

“It hides Aptoide. User cannot see Aptoide icon and cannot launch. Even if they go to ‘settings’ and say they trust Aptoide, Aptoide installations are blocked,” he says. “If it looks violent, it’s because it’s a really aggressive move and impactful.”

Here’s the notification Aptoide users are shown when trying to override Google’s suspension of Aptoide at the package manager level:

Even if an Aptoide user overrides the warning — by clicking ‘keep app (unsafe)’ — Trezentos says the app still won’t work because Google blocks Aptoide from installing apps.

“The user has to go to Play Protect settings (discover it it’s not easy) and turn off Play protect for all apps.”

He argues there is no justification for Aptoide’s alternative app store being treated in this way.

“Aptoide is considered safe both by security researchers [citing a paper by Japanese security researchers] and by Virus Total (a company owned by Google),” says Trezentos, adding: “Google is removing Aptoide from users phone only due to anticompetitive practices. Doesn’t want anyone else as distribution channel in Android.”

On the website Aptoide has launched to raise awareness and inform users and other startups about how Google treats its app, it makes the claim that its store is “proven… 100% secure” — writing:

We would like to be treated in a fair way: Play Protect should not flag Aptoide as a harmful app and should not ask users to uninstall it since it’s proven that it’s 100% secure. Restricting options for users goes against the nature of the Android open source project [ref10]. Moreover, Google’s ongoing abusive behaviour due to it’s dominant position results in the lack of freedom of choice for users and developers.We would like to keep allowing users and developers to discover and distribute apps in the store of their choice. A healthy competitive market and a variety of options are what we all need to keep providing the best products.

Trezentos stands by the “100% secure” claim when we query it.

“We think that we have a safer approach. We call it  ‘security by design’: We don’t consider all apps secure in the same way. Each app has a badge depending on the reputation of the developer: Trusted, Unknown, Warning, Critical,” he says.

“We are almost 100% sure that apps with a trusted badge are safe. But new apps from new developers, [carry] more risk in spite of all the technology we have developed to detect it. They keep the badge ‘unknown‘ until the community vote it as trusted. This can take some weeks, it can take some months.”

“Of course, if our anti-malware systems detect problems, we classify it as ‘critical’ and the users don’t see it at all,” he adds.

Almost 100% secure then. But if Google’s counter claim to justify choking off access to Aptoide is that the app “can download potentially harmful apps” the same can very well be said of its Play Store. And Google certainly isn’t encouraging Android users to pause that.

On the competition front, Aptoide presents a clear challenge to Google’s Android revenues because it offers developers a more attractive revenue split — taking just 19%, rather than the 30% cut Google takes off of Play Store wares. (Aptoide couches the latter as “Google’s abusive conditions”.)

So if Android users can be persuaded to switch from Play to Aptoide, developers stand to gain — and arguably users too, as app costs would be lower.

While, on the flip side, Google faces its 30% cut being circumvented. Or else it could be forced to reduce how much it takes from developers to give them a greater incentive to stock its shelves with great apps.

As with any app store business, Aptoide’s store of course requires scale to function. And it’s exactly that scale which Google’s behavior has negatively impacted since it began flagging the app as insecure a year ago, in June 2018, squeezing the rival’s user-base by up to a fifth, as Aptoide tells it.

Trezentos says Google’s flagging of its app store affects all markets and “continues to this day” — despite a legal ruling in its favor last fall, when a court in Portugal ordered Google to stop removing Aptoide without users’ permission.

“Google is ignoring the injunction result and is disregarding the national court. No company, independently of the size, should be above court decisions. But it seems that is the case with Google,” he says.

“Our legal team believe that the decision applies to 82 countries but we are pursuing first the total compliance with the decision in Portugal. From there, we will seek the extension to other jurisdictions.”

“We tried to contact Google several times, via Google Play Protect feedback form and directly through LinkedIn, and we’ve not had any feedback from Google. No reasons were presented. No explanation, although we are talking about hiding Aptoide in millions of users’ phones,” he adds.

“Our point in court it’s simple: Google is using the control at operating system level to block competitors at the services level (app store, in this case). As Google has a dominant position, that’s not legal. Court [in Portugal] confirmed and order Google to stop. Google didn’t obey.”

Aptoide has not filed an antitrust complaint against Google in the US — focusing its legal efforts on that front on local submissions to the European Commission.

But Trezentos says it’s “willing to cooperate with US authorities and provide factual data that shows that Google has acted with anti-competitive behaviour” (although he says no one has come knocking to request such collaboration yet.)

In Europe, the Commission’s 2018 antitrust decision was focused on Android licensing terms — which led to Google tweaking the terms it offers Android OEMs selling in Europe last fall.

Despite some changes rivals continue to complain that its changes do not go far enough to create a level playing field for competition.

There has also not been any relief for Aptoide from the record breaking antitrust enforcement. On the contrary Google appears to have dug in against this competitive threat.

“The remedies are positive but the scope is very limited to OEM partnerships,” says Trezentos of the EC’s 2018 Android antitrust decision. “We proposed additionally that Google would be obliged to give the same access privileges over the operating system to credible competitors.”

We’ve reached out to the Commission for comment on Aptoide’s complaint.

While it’s at least technically possible for an OEM to offer an Android device in Europe which includes key Google services (like search and maps) but preloads an alternative app store, rather than Google Play, it would be a brave device maker indeed to go against the consumer grain and not give smartphone buyers the mainstream store they expect.

So, as yet, there’s little high level regulatory relief to help Aptoide. And it may take a higher court than a Portuguese national court to force Google to listen.

But with US authorities fast dialling up their scrutiny of Mountain View, Aptoide may find a new audience for its complaint.

“The increased awareness to Google practices is reaching the regulators,” Trezentos agrees, adding: “Those practices harm competition and in the end are bad for developers and mobile users.”

We reached out to Google with questions about its treatment of Aptoide’s rival app store — but at the time of writing the company had not responded with any comment. 

There have also been some recent rumors that Aptoide is in talks to supply its alternative app store for Huawei devices — in light of the US/China trade uncertainties, and the executive order barring US companies from doing business with the Chinese tech giant, which have led to reports that Google intends to withdraw key Android services like Play from the company.

But Trezentos pours cold water on these rumors, suggesting there has been no change of cadence in its discussions with Huawei.

“We work with three of top six mobile OEMs in the world. Huawei is not one of them yet,” he tells us. “Our Shengzhen office had been in conversations for some months and they are testing our APIs. This process has not been accelerated or delayed by the recent news.”

Source link

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Biz & IT

US government strikes back at Kremlin for SolarWinds hack campaign

Published

on

Matt Anderson Photography/Getty Images

US officials on Thursday formally blamed Russia for backing one of the worst espionage hacks in recent US history and imposed sanctions designed to mete out punishments for that and other recent actions.

In a joint advisory, the National Security Agency, FBI, and Cybersecurity and Information Security Agency said that Russia’s Foreign Intelligence Service, abbreviated as the SVR, carried out the supply-chain attack on customers of the network management software from Austin, Texas-based SolarWinds.

The operation infected SolarWinds’ software build and distribution system and used it to push backdoored updates to about 18,000 customers. The hackers then sent follow-up payloads to about 10 US federal agencies and about 100 private organizations. Besides the SolarWinds supply-chain attack, the hackers also used password guessing and other techniques to breach networks.

After the massive operation came to light, Microsoft President Brad Smith called it an “act of recklessness.” In a call with reporters on Thursday, NSA Director of Cybersecurity Rob Joyce echoed the assessment that the operation went beyond established norms for government spying.

“We observed absolutely espionage,” Joyce said. “But what is concerning is from that platform, from the broad scale of availability of the access they achieved, there’s the opportunity to do other things, and that’s something we can’t tolerate and that’s why the US government is imposing costs and pushing back on these activities.”

Thursday’s joint advisory said that the SVR-backed hackers are behind other recent campaigns targeting COVID-19 research facilities, both by infecting them with malware known as both WellMess and WellMail and by exploiting a critical vulnerability in VMware software.

The advisory went on to say that the Russian intelligence service is continuing its campaign, in part by targeting networks that have yet to patch one of the five following critical vulnerabilities. Including the VMware flaw, they are:

  • CVE-2018-13379 Fortinet FortiGate VPN
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
  • CVE-2019-19781 Citrix Application Delivery Controller and Gateway
  • CVE-2020-4006 VMware Workspace ONE Access

“Mitigation against these vulnerabilities is critically important as US and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors,” the advisory stated. It went on to say that the “NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations.”

CISA

The US Treasury Department, meanwhile, imposed sanctions to retaliate for what it said were “aggressive and harmful activities by the Government of the Russian Federation.” The measures include new prohibitions on Russian sovereign debt and sanctions on six Russia-based firms that the Treasury Department said “supported the Russian Intelligence Services’ efforts to carry out malicious cyber activities against the United States.”

The firms are:

  • ERA Technopolis, a research center operated by the Russian Ministry of Defense for transferring the personnel and expertise of the Russian technology sector to the development of technologies used by the country’s military. ERA Technopolis supports Russia’s Main Intelligence Directorate (GRU), a body responsible for offensive cyber and information operations.
  • Pasit, a Russia-based information technology company that has conducted research and development supporting malicious cyber operations by the SVR.
  • SVA, a Russian state-owned research institute specializing in advanced systems for information security located in that country. SVA has done research and development in support of the SVR’s malicious cyber operations.
  • Neobit, a Saint Petersburg, Russia-based IT security firm whose clients include the Russian Ministry of Defense, SVR, and Russia’s Federal Security Service. Neobit conducted research and development in support of the cyber operations conducted by the FSB, GRU, and SVR.
  • AST, a Russian IT security firm whose clients include the Russian Ministry of Defense, SVR, and FSB. AST provided technical support to cyber operations conducted by the FSB, GRU, and SVR.
  • Positive Technologies, a Russian IT security firm that supports Russian Government clients, including the FSB. Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies and hosts recruiting events for the FSB and GRU.

“The reason they were called out is because they’re an integral part and participant in the operation that the SVR executes,” Joyce said of the six companies. “Our hope is that by denying the SVR the support of those companies, we’re impacting their ability to project some of this malicious activity around the world and especially into the US.”

Russian government officials have steadfastly denied any involvement in the SolarWinds campaign.

Besides attributing the SolarWinds campaign to the Russian government, Thursday’s release from the Treasury Department also said that the SVR was behind the August 2020 poisoning of Russian opposition leader Aleksey Navalny with a chemical weapon, the targeting of Russian journalists and others who openly criticize the Kremlin, and the theft of “red team tools,” which use exploits and other attack tools to mimic cyber attacks.

The “red team tools” reference was likely related to the offensive tools taken from FireEye, the security firm that first identified the Solar Winds campaign after discovering its network had been breached.
The Treasury department went on to say that the Russian government “cultivates and co-opts criminal hackers” to target US organizations. One group, known as Evil Corp. was sanctioned in 2019. That same year, federal prosecutors indicted the Evil Corp kingpin Maksim V. Yakubets and posted a $5 million bounty for information that leads to his arrest or conviction.

Although overshadowed by the sanctions and the formal attribution to Russia, the most important takeaway from Thursday’s announcements is that the SVR campaign remains ongoing and is currently leveraging the exploits mentioned above. Researchers said on Thursday that they’re seeing Internet scanning that is intended to identify servers that have yet to patch the Fortinet vulnerability, which the company fixed in 2019. Scanning for the other vulnerabilities is also likely ongoing.

People managing networks, particularly any that have yet to patch one of the five vulnerabilities, should read the latest CISA alert, which provides extensive technical details about the ongoing hacking campaign and ways to detect and mitigate compromises.

Continue Reading

Biz & IT

100 million more IoT devices are exposed—and they won’t be the last

Published

on

Elena Lacey

Over the last few years, researchers have found a shocking number of vulnerabilities in seemingly basic code that underpins how devices communicate with the Internet. Now, a new set of nine such vulnerabilities are exposing an estimated 100 million devices worldwide, including an array of Internet-of-things products and IT management servers. The larger question researchers are scrambling to answer, though, is how to spur substantive changes—and implement effective defenses—as more and more of these types of vulnerabilities pile up.

Dubbed Name:Wreck, the newly disclosed flaws are in four ubiquitous TCP/IP stacks, code that integrates network communication protocols to establish connections between devices and the Internet. The vulnerabilities, present in operating systems like the open source project FreeBSD, as well as Nucleus NET from the industrial control firm Siemens, all relate to how these stacks implement the “Domain Name System” Internet phone book. They all would allow an attacker to either crash a device and take it offline or gain control of it remotely. Both of these attacks could potentially wreak havoc in a network, especially in critical infrastructure, health care, or manufacturing settings where infiltrating a connected device or IT server can disrupt a whole system or serve as a valuable jumping-off point for burrowing deeper into a victim’s network.

All of the vulnerabilities, discovered by researchers at the security firms Forescout and JSOF, now have patches available, but that doesn’t necessarily translate to fixes in actual devices, which often run older software versions. Sometimes manufacturers haven’t created mechanisms to update this code, but in other situations they don’t manufacture the component it’s running on and simply don’t have control of the mechanism.

“With all these findings, I know it can seem like we’re just bringing problems to the table, but we’re really trying to raise awareness, work with the community, and figure out ways to address it,” says Elisa Costante, vice president of research at Forescout, which has done other, similar research through an effort it calls Project Memoria. “We’ve analyzed more than 15 TCP/IP stacks both proprietary and open source and we’ve found that there’s no real difference in quality. But these commonalities are also helpful, because we’ve found they have similar weak spots. When we analyze a new stack, we can go and look at these same places and share those common problems with other researchers as well as developers.”

The researchers haven’t seen evidence yet that attackers are actively exploiting these types of vulnerabilities in the wild. But with hundreds of millions—perhaps billions—of devices potentially impacted across numerous different findings, the exposure is significant.

Siemens USA chief cybersecurity officer Kurt John told Wired in a statement that the company “works closely with governments and industry partners to mitigate vulnerabilities … In this case we’re happy to have collaborated with one such partner, Forescout, to quickly identify and mitigate the vulnerability.”

The researchers coordinated disclosure of the flaws with developers releasing patches, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and other vulnerability-tracking groups. Similar flaws found by Forescout and JSOF in other proprietary and open source TCP/IP stacks have already been found to expose hundreds of millions or even possibly billions of devices worldwide.

Issues show up so often in these ubiquitous network protocols because they’ve largely been passed down untouched through decades as the technology around them evolves. Essentially, since it ain’t broke, no one fixes it.

“For better or worse, these devices have code in them that people wrote 20 years ago—with the security mentality of 20 years ago,” says Ang Cui, CEO of the IoT security firm Red Balloon Security. “And it works; it never failed. But once you connect that to the Internet, it’s insecure. And that’s not that surprising, given that we’ve had to really rethink how we do security for general-purpose computers over those 20 years.”

The problem is notorious at this point, and it’s one that the security industry hasn’t been able to quash, because vulnerability-ridden zombie code always seems to reemerge.

“There are lots of examples of unintentionally recreating these low-level network bugs from the ’90s,” says Kenn White, co-director of the Open Crypto Audit Project. “A lot of it is about lack of economic incentives to really focus on the quality of this code.”

There’s some good news about the new slate of vulnerabilities the researchers found. Though the patches may not proliferate completely anytime soon, they are available. And other stopgap mitigations can reduce the exposure, namely keeping as many devices as possible from connecting directly to the Internet and using an internal DNS server to route data. Forescout’s Costante also notes that exploitation activity would be fairly predictable, making it easier to detect attempts to take advantage of these flaws.

When it comes to long-term solutions, there’s no quick fix given all the vendors, manufacturers, and developers who have a hand in these supply chains and products. But Forescout has released an open source script that network managers can use to identify potentially vulnerable IoT devices and servers in their environments. The company also maintains an open source library of database queries that researchers and developers can use to find similar DNS-related vulnerabilities more easily.

“It’s a widespread problem; it’s not just a problem for a specific kind of device,” Costante says. “And it’s not only cheap IoT devices. There’s more and more evidence of how widespread this is. That’s why we keep working to raise awareness.”

This story originally appeared on wired.com.

Continue Reading

Biz & IT

Microsoft acquires Nuance—makers of Dragon speech rec—for $16 billion

Published

on

Enlarge / In this 2011 photo, Dr. Michael A. Lee uses Dragon Medical voice-recognition software to enter his notes after seeing a patient.

Earlier today, Microsoft announced its plans to purchase Nuance for $56 per share—23 percent above Nuance’s closing price last Friday. The deal adds up to a $16 billion cash outlay and a total valuation for Nuance of about $19.7 billion, including that company’s assumed debt.

Who is Nuance?

In this 2006 photo, Rollie Berg—who has extremely limited use of his hands due to multiple sclerosis—uses Dragon NaturallySpeaking 8 to interact directly with his PC.
Enlarge / In this 2006 photo, Rollie Berg—who has extremely limited use of his hands due to multiple sclerosis—uses Dragon NaturallySpeaking 8 to interact directly with his PC.

Nuance is a well-known player in the field of natural language recognition. The company’s technology is the core of Apple’s Siri personal assistant. Nuance also sells well-known personal speech-recognition software Dragon NaturallySpeaking, which is invaluable to many people with a wide range of physical disabilities.

Dragon NaturallySpeaking, originally released in 1997, was one of the first commercially continuous dictation products—meaning software that did not require the user to pause briefly between words. In 2000, Dragon Systems was acquired by ScanSoft, which acquired Nuance Communications in 2005 and rebranded itself as Nuance.

Earlier versions of Dragon software used hidden Markov models to puzzle out the meaning of human speech, but this method had serious limitations compared to modern AI algorithms. In 2009, Stanford researcher Fei-Fei Li created ImageNet—a massive training data set that spawned a boom in deep-learning algorithms used for modern, core AI tech.

After Microsoft researchers Dong Yu and Frank Seide successfully applied deep-learning techniques to real-time automatic speech recognition in 2010, Dragon—now Nuance—applied the same techniques to its own speech-recognition software.

Fast forward to today, and—according to both Microsoft and Nuance—medically targeted versions of Dragon are in use by 77 percent of hospitals, 75 percent of radiologists, and 55 percent of physicians in the United States.

Microsoft’s acquisition play

Microsoft and Nuance began a partnership in 2019 to deliver ambient clinical intelligence (ACI) technologies to health care providers. ACI technology is intended to reduce physician burnout and increase efficiency by offloading administrative tasks onto computers. (A 2017 study published in the Annals of Family Medicine documented physicians typically spending two hours of record-keeping for every single hour of actual patient care.)

Acquiring Nuance gives Microsoft direct access to its entire health care customer list. It also gives Microsoft the opportunity to push Nuance technology—currently, mostly used in the US—to Microsoft’s own large international market. Nuance chief executive Mark Benjamin—who will continue to run Nuance as a Microsoft division after the acquisition—describes it as an opportunity to “superscale how we change an industry.”

The move doubles Microsoft’s total addressable market (TAM) in the health care vertical to nearly $500 billion. It also marries what Microsoft CEO Satya Nadella describes as “the AI layer at the healthcare point of delivery” with Microsoft’s own massive cloud infrastructure, including Azure, Teams, and Dynamics 365.

The acquisition has been unanimously approved by the Boards of Directors of both Nuance and Microsoft, and it is expected to close by the end of 2021.

Continue Reading

Trending