Connect with us

Biz & IT

Google launches new Assistant developer tools

Published

on

At its I/O conference, Google today announced a slew of new tools for developers who want to build experiences for the company’s Assistant platform. These range from the ability to build games for smart displays, like the Google Home Hub and the launch of App Actions for taking users from an Assistant answer to their native apps, to a new Local Home SDK that allows developers to run their smart home code locally on Google Home Speakers and Nest Displays.

This Local Home SDK may actually be the most important announcement in this list, given that it turns these devices into a real hardware hub for these smart home devices and provides local compute capacity without the round-trip to the cloud. The first set of partners include Philips, Wemo, TP-Link and LIFX, but the SDK will become available to all developers next month.

In addition, this SDK will make it easier for new users to set up their smart devices in the Google Home app. Google tested this feature with GE last October and is now ready to roll it out to additional partners.

For developers who want to take people from the Assistant to the right spot inside of their native apps, Google announced a preview of App Actions last year. Health and fitness, finance, banking, ridesharing and food ordering apps can now make use of these built-in intents. “If I wanted to track my run with Nike Run Club, I could just say ‘Hey Google, start my run in Nike Run Club’ and the app will automatically start tracking my run,” Google explains in today’s announcement.

For how-to sites, Google also announced extended markup support that allows them to prepare their content for inclusion in Google Assistant answers on smart displays and in Google Search using standard schema.org markup.

You can read more about the new ability to write games for smart displays here, but this is clearly just a first step and Google plans to open up the platform to more third-party experiences over time.

Source link

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published.

Biz & IT

Update Chrome now to patch actively exploited zero-day

Published

on

Enlarge / It’s a good time to restart or update Chrome—if your tabs love you, they’ll come back.

Getty Images

Google announced an update on Wednesday to the Stable channel of its Chrome browser that includes a fix for an exploit that exists in the wild.

CVE-2022-2856 is a fix for “insufficient validation of untrusted input in Intents,” according to Google’s advisory. Intents are typically a way to pass data from inside Chrome to another application, such as the share button on Chrome’s address bar. As noted by the Dark Reading blog, input validation is a common weakness in code.

The exploit was reported by Ashley Shen and Christian Resell of the Google Threat Analysis Group, and that’s all the information we have for now. Details of the exploit are currently tucked behind a wall in the Chromium bugs group and are restricted to those actively working on related components and registered with Chromium. After a certain percentage of users have applied the relevant updates, those details may be revealed.

Google says the update—104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows—will “roll out over the coming days/weeks,” but you can (and should) manually update Chrome now (check the “About” section of your settings).

There are 10 other security fixes included in the update. Dark Reading notes that this is Chrome’s fifth zero-day vulnerability disclosed in 2022.

Listing image by Getty Images

Continue Reading

Biz & IT

iOS VPNs have leaked traffic for more than 2 years, researcher claims

Published

on

Getty Images

A security researcher says that Apple’s iOS devices don’t fully route all network traffic through VPNs, a potential security issue the device maker has known about for years.

Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly—if contentiously—in a continually updated blog post. “VPNs on iOS are broken,” he says.

Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz’s findings with advanced router logging, can still send data outside the VPN tunnel while it’s active.

In other words, you’d expect a VPN to kill existing connections before establishing a connection so they can be re-established inside the tunnel. But iOS VPNs can’t seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020.

“Data leaves the iOS device outside of the VPN tunnel,” Horowitz writes. “This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6.”

Security blogger Michael Horowitz's logs show a VPN-connected iPad reaching out to both his VPN provider (37.19.214.1) and Apple Push (17.57.144.12). The Apple connection is outside the VPN and could potentially expose his IP address if seen by an ISP or other parties.

Security blogger Michael Horowitz’s logs show a VPN-connected iPad reaching out to both his VPN provider (37.19.214.1) and Apple Push (17.57.144.12). The Apple connection is outside the VPN and could potentially expose his IP address if seen by an ISP or other parties.

Privacy company Proton previously reported an iOS VPN bypass vulnerability that started at least in iOS 13.3.1. Like Horowitz’s post, ProtonVPN’s blog noted that a VPN typically closes all existing connections and reopens them inside a VPN tunnel, but that didn’t happen on iOS. Most existing connections will eventually end up inside the tunnel, but some, like Apple’s push notification service, can last for hours.

The primary issue with non-tunneled connections persisting is that they could be unencrypted and that the IP address of the user and what they’re connecting to can be seen by ISPs and other parties. “Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common,” ProtonVPN wrote at the time.

ProtonVPN confirmed that the VPN bypass persisted in three subsequent updates to iOS 13. ProtonVPN indicated in its blog post that Apple would add functionality to block existing connections, but this functionality as added did not appear to make a difference in Horowitz’s results.

Horowitz tested ProtonVPN’s app in mid-2022 on an iPad iOS 15.4.1 and found that it still allowed persistent, non-tunneled connections to Apple’s push service. The Kill Switch function added to ProtonVPN, which describes its function as blocking all network traffic if the VPN tunnel is lost, did not prevent leaks, according to Horowitz.

Horowitz tested again on iOS 15.5 with a different VPN provider and iOS app (OVPN, running the WireGuard protocol). His iPad continued to make requests to both Apple services and to Amazon Web Services.

ProtonVPN had suggested a workaround that was “almost as effective” as manually closing all connections when starting a VPN: Connect to a VPN server, turn on airplane mode, then turn it off. “Your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%,” ProtonVPN wrote. Horowitz suggests that iOS’s Airplane Mode functions are so confusing as to make this a non-answer.

We’ve reached out to both Apple and OpenVPN for comment and will update this article with any responses.

Horowitz’s post doesn’t offer specifics on how iOS might fix the issue. For his part, Horowitz recommends a $130 dedicated VPN router as a truly secure VPN solution.

VPNs, especially commercial offerings, continue to be a complicated piece of Internet security and privacy. Picking a “best VPN” has long been a challenge. VPNs can be brought down by vulnerabilities, unencrypted servers, greedy data brokers, or by being owned by Facebook.

Continue Reading

Biz & IT

Chrome “Feed” is tantalizing, but it’s not the return of Google Reader

Published

on

Enlarge / Digging into bleeding-edge Chrome code has made some bloggers hopeful, but Google has been focused on its own feeds for a while now. (credit: Getty Images)

Does Google enjoy teasing and sometimes outright torturing some of its products’ most devoted fans? It can seem that way.

Tucked away inside a recent bleeding-edge Chrome build is a “Following feed” that has some bloggers dreaming of the return of Google Reader. It’s unlikely, but never say never when it comes to Google product decisions.

Chrome added a sidebar for browsing bookmarks and Reading List articles back in March. Over the weekend, the Chrome Story blog noticed a new flag in Gerrit, the unstable testing build of Chrome’s open source counterpart Chromium. Enabling that #following-feed-sidepanel flag (now also available in Chrome’s testing build, Canary) adds another option to the sidebar: Feed.

Read 7 remaining paragraphs | Comments

Continue Reading

Trending