Slashdot Mirror

The entire source code for Android was leaked online.
Rumor has it Google was the one to leak it.

You can find the leaked code at https://source.android.com/

Seriously, somebody posted the entire source code to Android a while back.

Well, considering a "phablet" should have a larger than "normal" screen, less than 10% of all Androids are. And that number would also include tablets. https://developer.android.com/about/dashboards/index.html - so yeah, Phablets not made by Apple are a flop. Deal with the failure.

I'm not clear on how Amazon FreeTime is used or how it relates to Apple devices. I tried searching on it and found a lot of Amazon advertisements but no real information on how it would be used on an iPhone or Android phone.

FreeTime doesn't exist for Apple devices. There have been lots of requests to Amazon for this, but so far complete silence.

It is available for Android devices. You install it from the app store. I'm not an Android expert, but as far as I understand, (1) the Android OS provides the necessary hooks/APIs for restricting access, (2) the Android OS also provides app-specific APIs that each individual app author can use to expose or hide bits of the app. Amazon's FreeTime app provides a user-friendly control panel to control those things. I assume that folks are asking for Apple to provide both. https://forums.developer.amazo...

Think of FreeTime as a customised restricted profile: https://developer.android.com/...

In addition to that, a few other things are disabled (mobile ads, in-app purchasing, browsing the web, opening settings, social networks, etc.) Please look through this high level overview: https://www.amazon.com/b?ie=UT...

Also check this FAQ with regards to app submissions: https://developer.amazon.com/a...

If your patch level isn't at least Nov 6, 2017, then you're still vulnerable to KRACK. Source: Android Security Bulletin -- November 2017

If you're using an Android device with KRACK vuln on a wireless network, then you're compromising everyone on the network, and you deserve to have your device bricked.

It's an american thing - Two choices ought to be enough for everyone

If you're not one to follow the herd and are in fact fed up by the pre-installed shitpiles, have a look at Android One devices. They come with stock android and 2 years of support

Since at least when I started working on AutoInput Google have said that accessibility services could be used for other situations other than to help disabled people. Even now this page lists other use cases: https://developer.android.com/... You can see how there's a note there: Note: Your app should use platform-level accessibility services only for the purpose of helping users with disabilities interact with your app. This note was only added very recently. Check out this version of the page from July: https://web.archive.org/web/20... This means that until a few months ago developers were using these APIs exactly how they were meant to be used: in a way that helps people use their devices in situations that they can't physically touch or otherwise handle their Android device.

Be on the Look-out for devices with Android One. They have nothing added by the manufacturer or carrier and have a longer update-support (at least 2 years)

I've just switched my Nexus 4 (running Android 7.1.2 perfectly well) for a Xiaomi Mi A1. It's not as high spec as the Essential but it's pretty reasonable and only costs $220. While the Nexus hasn't really needed replacing, I've fancied something new for a while (mostly for more space and 4g) but couldn't find anything I thought was an equivalent deal to the Nexus 4 at the time of purchase - decent but not top spec, unlocked (network and bootloader), sensibly priced, no oem bloat and going to get a good user base for roms (hence still able to run latest android). The A1 finally seemed to be the a phone that fit the bill, and so far so good (ok, only on day 2 so far!). Future rom support is of course yet to be seen, but as an android one phone with a promised update to android 8 by the end of the year (which should include Treble) I think the prospects are pretty good.

But I am pretty sure car makers do not want your eyes to have any competition from the crappy entertainment consoles they build in, so they provide no good way to view phones which 99% of people would prefer to use for directions and the like.

Android Auto
iOS CarPlay

It's here.

It sucks.

I've used Apple's CarPlay more recently and can say that the voice prompts are overly verbose and voice recognition is too poor to make using it while driving safe. Attempting to find locations while driving is annoying and attempting to listen to music through CarPlay is a disaster. While CarPlay does technically support third party audio apps, Apple intentionally limits them in an attempt to force people to use Apple Music. Apple doesn't allow you to preload local maps, so if you suddenly realize you don't know where you are, attempting to open the map will frequently get you stuck waiting for it to load, especially if your iPhone saw a weak known wifi connection recently. It gets worse, because CarPlay doesn't have a "Now" screen like Android Auto does, meaning that opening Maps will make it "guess" a location, and instead of showing you where you are, it will show you a route to some place random it thinks you're going to. The problem is that, generally, if it's a place I frequently go to, I know how to get there. If I need Maps, it's because I'm going some place unfamiliar.

Android Auto is miles ahead of iOS CarPlay, but it still relies on little touch screen buttons that are overly annoying to hit while driving.

Overall, it really doesn't matter: even the generic infotainment systems are distracting to use. There is no good way to use these things while driving, period. It shouldn't be surprising accident rates are going up: modern car interfaces are just distracting and annoying to use. (Ever tried to turn up the AC using a touch screen? Who the hell thought that was a good idea?!)

I'm really fucking concerned about how Google will fix this for Android, the most popular OS in the world.

Recent stats are showing that only 0.2% of users are using Android 8.0, the latest version. Only about 18% are using Android 7.x releases. A whopping 32% are using Android 6.x! About 28% are using Android 5.x! About 21% are using Android 4.x!

And? What's your point? I got an OTA security update for a 5 year old Android 4.4 device in February this year, one which I voluntarily chose not to upgrade to 5 (though that also got a security update at the same time). Just because it isn't the latest OS version doesn't mean that it isn't getting security updates.

And likewise just because it's a security issue doesn't mean that the fix requires an OTA update. A great many are done by patching up drivers and core components through the Play Store.

Read up on how security in Android is handled before you get too concerned. Stress is not healthy.

I had hoped that it would be google, not the carrier or handset manufacturer providing updates. The manufacturer would provide drivers for the hardware, but Google would take care of the rest, similar to how MS rather than a PC manufacturer handles Windows updates.

Android 8 "Oreo" introduces Treble, which begins to refactor Android toward what you expected: a stable driver ABI.

Android Will Be Patched Within Weeks

What percentage of Android will be patched?
The 18% with 7/Nougat or better,
the 50% with 6/Marshmallow or better,
the 78% with 5/Lollipop or better,
the 92% with 4.4/Kitkat or better?
https://developer.android.com/...

The .02% with 8/Oreo or better

Android Will Be Patched Within Weeks

What percentage of Android will be patched?
The 18% with 7/Nougat or better,
the 50% with 6/Marshmallow or better,
the 78% with 5/Lollipop or better,
the 92% with 4.4/Kitkat or better?
https://developer.android.com/...

I'm really fucking concerned about how Google will fix this for Android, the most popular OS in the world.

Recent stats are showing that only 0.2% of users are using Android 8.0, the latest version. Only about 18% are using Android 7.x releases. A whopping 32% are using Android 6.x! About 28% are using Android 5.x! About 21% are using Android 4.x!

So like 80% of Android users are still using Android 6.x and earlier!

If this problem can be avoided with a software fix, I think that Google should do everything they possibly can to get this fix to as many Android devices as possible.

I'm sure some fools here will come along and just tell affected users to "buy a new phone" or some infeasible bullshit like that. Realistically, that's not happening. Users will continue to use their older devices. It will reflect badly on Android if it's susceptible to this wifi security issue, even on older devices.

While they obviously can't provide updates to all of the Android devices out there, I really hope that Google will do what they can to get the fix to at least all Nexus and Pixel devices from the Nexus 4 onward.

The most sensible solution would be to fix it in Android 8.x, and then port Android 8.x to the Nexus 4 and all devices after it. Then this release would be made available to those who wish to upgrade. Not only would this fix this wifi problem, but it would also help fix at least some of the serious version fragmentation that Android is currently experiencing.

https://developer.android.com/...

Hope that helps ....

Not sure what your point is. Everything has a technical barrier. Nothing has NO barriers. For proprietary software you cannot do things for legal reasons. You cannot, not matter how much knowledge you could hope to have, recompile it without features. You can with Foss. Taking about no barriers at all is an extreme fallacy.

You can scream that Android is open source all you want but the reality is any actual functional version of Android that you can use on hardware requires proprietary software:
AOSP cannot be used from pure source code only and requires additional hardware-related proprietary libraries to run, such as for hardware graphics acceleration.
Preparing to build

AN app on a phone can easily get the info. Here's the API on android https://developer.android.com/...

Android is open source. If you don't trust any of the firmwares out there, go put your own together.

Now, where is the source code for Windows 10 so I can strip out all of that spyware, adware, bloatware and crippleware that Microsoft put in there?

Screen recording is fully supported and available to any app. Note however that the system will ask you nicely if you want to allow a particular app to start capturing screen and this prompt can not be suppressed by the app. The user has a checkbox to allow the same app to do it silently in future. I don't know if Apple allows such access without user warning.

Amazon is making an explicit play to be the home hub because it can automatically discover and set up lights, locks, plugs, and switches without the need for additional hubs or apps.

This is so exciting!

The editor-in-chief at ZDNET just discovered Network Service Discovery (NDS)

Please no one tell him that non-Amazon devices can also do the same thing, he will surely have a stroke once he finds this out.

On the AOSP Preparing to Build page under the heading Obtain proprietary binaries:
"AOSP cannot be used from pure source code only and requires additional hardware-related proprietary libraries to run, such as for hardware graphics acceleration."
https://source.android.com/source/building

Yes the code is there but you can't really use it in a practical sense without proprietary binaries and that's even before you get to real world uses cases of actually using Android applications that depend on the play services binary.

From a theoretical standpoint yes the Android source code in the form of AOSP is there and it is open source but in the real world nobody actually uses it that way.

Well except that Google has already issued a patch going back to Android Marshmallow. But since it seems Apple never had the vulnerability this is +1 for Apple although I don't have any long-running statistics on security.

The problem as I am sure you know though is that most Android devices will never get that patch. The manufacturer has to take it, then the carrier has to certify it, then the customer has to update it.

https://developer.apple.com/su...

89% of iOS users are on iOS 10.

https://developer.android.com/...

Android users who are eligible for the patch make up 48% of the user base. What percentage of those will actually end up with it on their phones is much lower.

The Android usage stats prove you're in the tiny minority.

Over 89% of Android phones are classified as having a "normal" screen size, meaning they have a resolution below 640dp x 480dp (which would be classified as "large").

Despite Android 7 and later being out for more than a year, we still see over 32% of Android users running Android 6.x, over 29% running Android 5.x, and 16% running Android 4.4.

So 77% of Android users are running older versions of Android that run on the smaller phones that were common in the past.

People aren't using the newer versions of Android that only run on larger phones because people don't want larger phones.

People want smaller Android phones.

I realize that Apple probably has the term 'Secure Enclave' copyrighted, similar to 'Altivec Unit' and various other buzzwords from the past.

You don't "copyright" a brand name. You "trademark" it. Using "copyright" to mean "trademark" is about as bad as using "copywritten" to mean "encumbered by copyright". "Copywritten" is a word, but it refers to the state of an advertisement once its text has been created.

So anyway, Android's developer documentation appears to refer to a similar hardware device in Android phones called a "Secure Element". Different name, same function.

Project Treble, basically a hardware abstraction layer to stop the SoC manufacturers holding up patching etc.
(https://source.android.com/devices/architecture/treble)

The "Treble resources" are terrible. It's like EE-written word salad, with some necktie powerpoint diagrams thrown on top. It keeps referring to the "ideal world" and "required to pass CTS," but does not make clear what's in between, so the actual facts are obscured by their passive-aggressive approach to the adversarial context. The examples are incomplete.

The big-picture is incomplete, in that it's unclear the means by which the project will achieve its goals, what code can be left alone during a dessert upgrade and what cannot, and what code runs in the kernel and what in userspace. Does it achieve, "all code linked into the kernel is open source and upstreamed, so kernel can be upgraded without manufacturer cooperation"? I'm guessing no, but can't tell. It says, "devices must pass CTS with AOSP." Does that truly mean with no proprietary bits? I don't think Qualcomm can even boot without proprietary bits, so probably not. Will there be no radio? How much is allowed to change between the token CTS-with-AOSP pass and the shipping phone, ex. can the kernel be downgraded and loaded up with blobs? I can't tell.

How can people work with this stuff? If I had to work with this API for undergrad OS class, I'd be in full panic mode right now. As /. reader concerned about PSP/FSP backdoors undermining verified boot anti-persistence on ChromeOS, I want to know how significant this is, and can't tell that, either.

At least it's all open instead of behind NDAs, and seems to have an incredible amount of attention to detail and thoughtfulness toward the "ecosystem" behind it. I take the Android devs a little more seriously now than I did before reading the Treble docs. But if it were not for the money involved I would not choose to work with these tools.

You don't download or install a full app. Instead, they send you just the code needed to run the feature you want to try out.

E.g. If you want to try out the new fart app, you can just try out the new fart sounds, without all the other features of the app like PoopcamTM, Fart GalleryTM, Fart-outTM message app, FratfartTM map plugins for tracking parties based on the data on number of people gathered in one place after 7 PM local time...

Then, after you're done with it, code you tried out gets deleted from your phone.

An evolution in app sharing and discovery, Android Instant Apps allows Android users to run your apps instantly, without installation.

The real problem with Android is how users aren't using the new releases.

Why is that a problem?

It's a problem if users want new OS versions and can't get them, yes. But there are a lot of users (I would even say most of them) who don't really care if they're using the latest version or not, as long as the one they are using is still doing the job.

Oreo, for instance, does not provide anything that I consider compelling enough to make me want to update to it, so I'm very likely not going to.

The real problem with Android is how users aren't using the new releases.

Only 13.5% of Android users are currently using Android 7.x.

32.3% are still on Android 6.x.

29.2% are still on Android 5.x.

Even 16% are still on Android 4.4!

Maybe it has to do with a lack of decent Android phones.

Maybe it has to do with users hating the new versions.

Maybe it has to do with it being too difficult, or perhaps even impossible, to upgrade to a newer version.

I really can't say for sure what the reasons are.

What I can say, however, is that this poses a huge problem for us app developers.

We're stuck targeting Android 4.4, despite there being Android 5.x, Android 6.x, Android 7.x and now Android 8.x that came after it!

Something is seriously fucked up when there are more users on an ancient release like Android 4.x than there are using Android 7.x, which has itself already been out for almost a year.

This should be a good indication to Google that something is really wrong.

They need to release a phone that people will want to buy, and that people will be able to buy, in order to get more users using a more recent version of Android.

It has more to do w/ the difficulty in upgrading. Before 5.x - Lollipop, it was impossible to upgrade b/w major Android versions. From Lollipop onwards, they ostensibly made it so that one could upgrade from 5 to 6 to 7 to 8, but my Verizon Ellipsis 10 is still stuck on 5.1. I'd love to upgrade to 6 or above, so that I can make my 128GB SD card the primary storage. So far, can't do it!

But it always pisses me off that it's necessary to do that. Just go with version numbers, people!

Google Android engineer here: In most cases I don't actually know what the numbers are without looking them up. I kind of get the complaint in Debian's case, since the choice of Toy Story character is arbitrary, but both Ubuntu and Android have been going in alphabetical order (though Ubuntu has to wrap, or something, in October), so it's just as easy to tell which release is before or after another as if they were numbered. Internally, we pretty much only use the code names (or letters, before the names are announced).

Actually, Android does have a number sequence that I track closely: API level. The OS version number doesn't mean that much to me.

I do know 8.0, though. I added a feature to Nougat that binds Keystore keys to OS version and security patch level as another layer of defense against rollback attacks (where the attacker pushes a legitimate but old OS that has known vulnerabilities). Keystore is used for disk encryption keys, among other things, so when Keystore keys break, the device doesn't boot. Due to an error in the version number management on internal testing devices (which are used by large numbers of employees as their everyday phones), we had to roll back the version number. I found a workaround, but for a while it looked like we might have to wipe everyone's phones.

But it always pisses me off that it's necessary to do that. Just go with version numbers, people!

Google Android engineer here: In most cases I don't actually know what the numbers are without looking them up. I kind of get the complaint in Debian's case, since the choice of Toy Story character is arbitrary, but both Ubuntu and Android have been going in alphabetical order (though Ubuntu has to wrap, or something, in October), so it's just as easy to tell which release is before or after another as if they were numbered. Internally, we pretty much only use the code names (or letters, before the names are announced).

Actually, Android does have a number sequence that I track closely: API level. The OS version number doesn't mean that much to me.

I do know 8.0, though. I added a feature to Nougat that binds Keystore keys to OS version and security patch level as another layer of defense against rollback attacks (where the attacker pushes a legitimate but old OS that has known vulnerabilities). Keystore is used for disk encryption keys, among other things, so when Keystore keys break, the device doesn't boot. Due to an error in the version number management on internal testing devices (which are used by large numbers of employees as their everyday phones), we had to roll back the version number. I found a workaround, but for a while it looked like we might have to wipe everyone's phones.

The real problem with Android is how users aren't using the new releases.

Only 13.5% of Android users are currently using Android 7.x.

32.3% are still on Android 6.x.

29.2% are still on Android 5.x.

Even 16% are still on Android 4.4!

Maybe it has to do with a lack of decent Android phones.

Maybe it has to do with users hating the new versions.

Maybe it has to do with it being too difficult, or perhaps even impossible, to upgrade to a newer version.

I really can't say for sure what the reasons are.

What I can say, however, is that this poses a huge problem for us app developers.

We're stuck targeting Android 4.4, despite there being Android 5.x, Android 6.x, Android 7.x and now Android 8.x that came after it!

Something is seriously fucked up when there are more users on an ancient release like Android 4.x than there are using Android 7.x, which has itself already been out for almost a year.

This should be a good indication to Google that something is really wrong.

They need to release a phone that people will want to buy, and that people will be able to buy, in order to get more users using a more recent version of Android.

Uhh, you do know that AOSP is THE official Android project that is the basis of Google's Android and for almost all official manufacturer's Android builds, right? You can download and compile it yourself if you for some reason don't trust LineageOS builds.

According to this info on the dex format, the base size of a class in the binary (the size of a class_def_item) is 32 bytes - 8 fields at 4 bytes each; more if it's not just a marker interface (and I think even for that there's type name data elsewhere).

Yes, quite unconscionable of Google to not credit the source of by far the most important (and most reliable) component of their proprietary platform, don't you think? Or don't you.

How much do they need to talk about it. It isn't as if Apple talks about Darwin much either, since it doesn't matter to the end user. BTW if you want to see Linux referenced, you need to see the developer oriented stuff, such as the diagram on this page: https://source.android.com/sou...

They use the Linux kernel, but they slap a whole other layer on top of it. It is similar to MacOS X where you have an OS over an OS (the base being Darwin, which a fork of BSD).

The source is here: https://source.android.com/sou...

GhostCtrl is not a bug, it's a new daemon for systemd.

No, it's not. It's an app that requests a bunch of permission. And gets them, if the user accepts. It's nothing more than an app. An app you had to sideload, only after going into settings and allowing apps to be be sideloaded and accepting the various scary warnings you will see in the process.

It can do things like lock the screen because it requests to be a device policy admin.
https://developer.android.com/...

This is what allows Android to be used in for example enterprise environments where the lock screen needs to have enterprise-specific policy. Note there's a UI flow *required* for any app to escalate to being a device policy admin. The user had to explicitly allow it. Note that it couldn't disguise itself or otherwise attempt to trick the user.

These articles are published by corporations who have an interest in scaring you into buying their products and services. They never explain all the hoops they had to jump through to have the device compromised.

Hardware VP9 decoding is rare enough of a feature already.

It's not that rare. Intel's been shipping VP9 decode acceleration for two years now. Android has supported VP9 decoding since Android 4.4, which was released in late 2013. If you have an Android phone, you probably have VP9 hardware acceleration. Plenty of AV1 hardware will be released in late 2018.

But also don't underestimate today's mobile devices. I have an iPhone 7 and I can play VP9 video in software in VLC for iOS without issue. A future VLC update will add AV1 support.

HEVC is out now

VP9 is out now and has broader use than HEVC.

as well as software players like Microsoft and Apple

Microsoft supports VP9 in Edge.

VP9 has virtually zero mindshare outside the Googleplex

Netflix uses VP9. Wikipedia uses VP9. And, of course, even though it's inside the Googleplex it's difficult to ignore that YouTube uses VP9. YouTube no longer offers 4K video to Safari by default due to Safari's lack of VP9 support.

set top boxes, etc. that support VP9

Roku has VP9 support, Chromecast Ultra has VP9 support, Android phones have VP9 support, etc, etc.

AV1, on the other hand, looks very compelling... it actually has broad industry support, from big players like Microsoft, Cisco, Netflix, Google, all the way down to silicon makers like Broadcom, Xilinx, RealTek, ARM, AMD, and NVIDIA.

Right. Just like VP9. When will Apple add VP9 support?

It's disingenuous to complain that Apple isn't going to include AV1 when it isn't - and won't be - ready before High Sierra.

Show me where I complained that AV1 won't be in High Sierra. Quote me. Maybe re-read what I wrote.

In the meantime, let's acknowledge that Apple hasn't joined the Alliance for Open Media. When will Apple join?

Is this even allowed with the current Android terms? Given they maintain an active fork of Android, I think they would be excluded from participating

Every manufacturer has a fork of Android. To be able to call it "Android", you just need to pass CTS,
https://source.android.com/com...

Which isn't hard, proof being the vast number of Android devices out there.

Hopefully Amazon is getting smart. Their devices should be subsidized standard Android + Google devices that are cheap $-wise at the expense of having Amazon crap pushed in your face night and day. Not a trade off that's particularly attractive to me, but I think there's a market for it.

Google tries to keep malware out of the play store but malware does make it's way into the play store.

Not much, not often. 0.15% of devices that only use Google Play have any "potentially harmful apps", which is actually a broader category than "malware".

And if you have Verified Apps enabled, you'll be warned if you have malware installed.

See: https://source.android.com/sec...

The 2016 report will be out soon, I expect.

Perhaps it's not a walled garden,. but the gardeners walk around with uzis and firehoses of DDT. The fact that super scary permissions like manage documents require firmware signing or root means that we probably need a new metaphor to differentiate the freedom a program (and thus a user) has in a given OS.

Unless, of course, the report assumes that anything running Lollipop or older is not recently patched, which seems like a reasonable assumption.

According to Google, 65.9% of users are on Lollipop or older. That means 29% of up-to-date Androids would have to come from 34.1% of users, or that 85% of Marshmallow and Nougat users are fully patched. I'm skeptical.

Also, nearly half of Android users are using an OS at least 2.5 years old. :-/ Compare with 79% of iOS users on a 6 month old OS, and 95% of iOS users on an OS less than 1.5 years old.

I believe they meant which tasty treat starting with the letter O would become the codename.

N if for Nougat
O is for O.....

But how do you do this on a phone?

By installing an app that extends android.net.VpnService . Or by tethering your GNU/Linux laptop.

SSH only tunnels TCP, DNS is UDP.

DNS can run over TCP. In fact, many DNSSEC responses are so big that they have to (source).

Probably not anywhere near as bad as Android

Yes, the Android situation is much different. I presume this is carrier indifference more than user indifference. One good thing about the Apple situation is that Apple does not give the carriers any control. And of course the manufacturer control is also not an issue, obviously.

Android is open source under the Apache 2.0 license

The problem is, only Google gets to decide what goes in there, unless you go to the extensive effort of forking it and maintaining your own separate lineage of android-like OS.
That might be uncomfortably too much control to one single US company.

On the other hand, Jolla's Sailfish OS is build on the "mer" core, a descendant of the Meego / Maemo that the same engineer were designing back when they were still at Nokia :
it's a fairly standard GNU/Linux platform, with much more diverse contributors.

Google has no control over existing Android code. The only thing they control is new versions of Android, right up until it's released. Android is open source under the Apache 2.0 license (free, as in beer - you don't have to release your modifications). If you don't like what Google is doing with it, just grab a copy of the Android source and fork it. Like Amazon did for Fire OS.

The only reasons for not starting with Android (where 99% of the work has already been done) is if you don't like Android's core design, or if you want to add all sorts of other "features" that you don't want users to know about (like back doors), or if you deliberately want to make it incompatible with existing Android apps.

Adopted storage is actually automatically encrypted with a 128 bit AES key. Assuming gp is using the correct terminology. Adoptable storage is the name that android gave to the ability to store entire apps on a specially formatted portion of the microSD card rather than the previous implementation of some developers allowing a small portion of the app to be moved to an encrypted container file on the card. I think it was meant to allow people to supplement those really tiny entry level phones that may only give you like 4 GB of storage for your apps.
It makes sense, though, that you could put all your sensitive apps/data on adoptable storage so you would end up with a seemingly innocuous phone if you erased/destroyed the SD card. In fact, you could mail the SD card, instead, so that you would have a fully functioning phone while traveling but none of your sensitive data would be available at your border "interview."