Android Wear Beta


Posted by Hoi Lam, Lead Developer Advocate, Android Wear

LG Watch Sport

Today, we are launching the beta of the next Android Wear update. As we
mentioned at Google I/O, this will mainly be a technical upgrade to API 26 with
enhancements to background limits and notification channels. LG Watch Sport
users can go to this webpage to sign up and the factory image will
automatically be downloaded to the watch you enroll. As this is a beta, please
be sure to review the known issues before enrolling. If you don’t have a watch
to test on, you can use the Android emulator. For developers working with
Android Wear for China, an updated emulator image is also available.

Notification Channels

In this update, users can choose the types of notifications they receive via an
app through notification channels. This gives users finer-grained control than
muting all notifications from the app. For notifications generated locally by
Android Wear apps, users will be able to customise the notification channels
they want to see, right on their watch. Please refer to the Wear notification
sample for more details. For notifications bridged from the phone, the phone
notification channel settings will dictate what is shown on the watch.

// Notification channels only exist on API 26 (Android O) and later.
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
    // One channel per notification type, so each can be controlled separately.
    mNotificationManager.createNotificationChannel(
        NotificationChannel("1001", "New Follower",
            NotificationManager.IMPORTANCE_DEFAULT))

    mNotificationManager.createNotificationChannel(
        NotificationChannel("1002", "Likes",
            NotificationManager.IMPORTANCE_LOW))
}

Background Limits

There are increased restrictions on background services. Developers should
assume services can no longer run in the background without a visible
notification. In addition, the background location update frequency will be
reduced. Battery-saving best practices such as using JobScheduler should be
adopted to ensure your app is battery-efficient and able to perform background
tasks when possible.

Please give us your feedback

We expect this to be the only beta release before the final production release.
Thank you for your feedback so far. Please submit any bugs you find via the
Android Wear issue tracker. The earlier you submit them, the higher the
likelihood that we can include the fixes in the final release.

Driving the future of digital subscriptions


Journalism provides accurate and timely information when it matters most, shaping our understanding of important issues and pushing us to learn more in search of the truth. People come to Google looking for high-quality content, and our job is to help them find it. However, sometimes that content is behind a paywall.

While research has shown that people are becoming more accustomed to paying for news, the sometimes painful process of signing up for a subscription can be a turn off. That’s not great for users or for news publishers who see subscriptions as an increasingly important source of revenue.

To address these problems we’ve been talking to news publishers about how to support their subscription businesses with a focus on the following:

  • First, Flexible Sampling will replace First Click Free. Publishers are in the best position to determine what level of free sampling works best for them. So as of this week, we are ending the First Click Free policy, which required publishers to provide a minimum of three free articles per day via Google Search and Google News before people were shown a paywall.
  • Longer term, we are building a suite of products and services to help news publishers reach new audiences, drive subscriptions and grow revenue.
  • We are also looking at how we can simplify the purchase process and make it easy for Google users to get the full value of their subscriptions across Google’s platforms.

Our goal is to make subscriptions work seamlessly everywhere, for everyone.

First Click Free

We will end our First Click Free policy in favor of a Flexible Sampling model where publishers will decide how many, if any, free articles they want to provide to potential subscribers based on their own business strategies. This move is informed by our own research, publisher feedback, and months-long experiments with the New York Times and the Financial Times, both of which operate successful subscription services.  

“Google’s decision to let publishers determine how much content readers can sample from search is a positive development,” said Kinsey Wilson, an adviser to New York Times CEO Mark Thompson. “We’re encouraged as well by Google’s willingness to consider other ways of supporting subscription business models and we are looking forward to continuing to work with them to craft smart solutions.”

Publishers generally recognize that giving people access to some free content is the way to persuade people to buy their product. The typical approach to sampling is a model called metering, which lets people see a pre-determined number of free stories before a paywall kicks in. We recommend the following approach:

  • Monthly, rather than daily, metering allows publishers more flexibility to experiment with the number of free stories to offer people and to target those more likely to subscribe.
  • For most publishers, 10 articles per month is a good starting point.
  • Please see our Webmaster blog and our guide on Flexible Sampling for more detail on these approaches.

“Try before you buy” underlines what many publishers already know—they need to provide some form of free sampling to be successful on the internet. If it’s too little, then fewer users will click on links to that content or share it, which could have an effect on brand discovery and subsequently may affect traffic over time.

Subscription support

Subscribing to great content should not be as hard as it is today. Registering on a site, creating and remembering multiple passwords, and entering credit card information—these are all hassles we hope to solve.

As a first step we’re taking advantage of our existing identity and payment technologies to help people subscribe on a publication’s website with a single click, and then seamlessly access that content anywhere—whether it’s on that publisher site or mobile app, or on Google Newsstand, Google Search or Google News.

And since news products and subscription models vary widely, we’re collaborating with publishers around the world on how to build a subscription mechanism that can meet the needs of a diverse array of approaches—to the benefit of the news industry and consumers alike.  

We’re also exploring how Google’s machine learning capabilities can help publishers recognize potential subscribers and present the right offer to the right audience at the right time.

“It’s extremely clear that advertising alone can no longer pay for the production and distribution of high quality journalism—and at the same time the societal need for sustainable independent journalism has never been greater.  Reader-based revenue, aka paid-content, or subscription services, are therefore not just a nice-to-have, but an essential component of a publisher’s revenue composition,” said Jon Slade, FT Chief Commercial Officer.

“The Financial Times is welcoming of Google’s input and actions to help this critical sector of the media industry, and we’ve worked very closely with Google to aid understanding of the needs that publishers have and how Google can help. That mutual understanding includes the ability to set controls over the amount of free content given to readers, a level playing field for content discovery, optimised promotion and payment processes. It is important that we now build and accelerate on the discussions and actions to date.”  

We are just getting started and want to get as much input from publishers—large, small, national, local, international—to make sure we build solutions together that work for everyone.  

The more things change, the more the pastrami stays the same: a Talks at Google roundup


As the seasons change, we started thinking about other types of change. This month’s Talks at Google roundup delves into everything from changing habits to how two famous Jewish delis balance classic dishes amidst a changing food scene.

Author, podcaster and expert habit-former Gretchen Rubin talks about “Better Than Before,” her book that offers a new perspective on habits. She explains how to form habits, why we break them, and the four types of habit tendencies.

Bollywood star Farhan Akhtar wanted to do something about the mounting violence against women in the world. He shares how he used creative arts to create social change, and talks about his creative process along the way.

Hear from Matthew Claudel—author of “City of Tomorrow”—whose job is to imagine the future of cities, and how technology is changing that future.

Jennifer Brown, author of “Inclusion: Diversity, the New Workplace & the Will to Change,” shares her strategies for empowering employees and harnessing the power of diversity in today’s ever-changing world of business.

Disclaimer: this one might make you hungry. Jake Dell (owner of Katz’s Deli in New York) and Evan Bloom (co-owner of Wise Sons Deli in San Francisco) chat about the evolution of the Jewish deli, and how they maintain tradition while staying current (especially when it comes to pastrami sandwiches). They may not be in lox-step in their approach to food, but we think you’ll like this talk a latke.

The High Five: insights on the top search trends of the week


This week people searched for free coffee, the death of a media mogul, help with IKEA tasks and new wheels from Ford. And as Puerto Rico reels from the devastation of Hurricane Maria, people want to know how they can help. Here are the top trends of the week, with data from Google News Lab.

Hurricane Maria

Puerto Rico continues to grapple with the aftermath of Hurricane Maria, which left many without power and desperate for food, electricity and communication services. People in the U.S. continue to search for “hurricane donation” (interest went up 185% this week), as well as “How powerful was Hurricane Maria?” “How to donate to Puerto Rico” and “What is the Jones Act?” (A law that was waived to get relief to Puerto Rico quicker). The top regions searching for Puerto Rico were Florida, Connecticut and New Jersey.

Caffeine fiends

Wake up and smell the coffee—it’s National Coffee Day! And everyone is after the free java, with searches like, “Is Starbucks doing anything for National Coffee Day?” “Who gives free coffee on National Coffee Day?” and “What is National Coffee Day at Dunkin Donuts?” Cold brew coffee, butter coffee, and Irish coffee (for those starting early…) are the most searched types of coffee this week.

RIP Hef

Hugh Hefner passed away this week at the age of 91. Upon hearing the news, people searched to find out more about Hefner’s fortune and infamous love life: “How much was Hugh Hefner worth?” “Who gets Hugh Hefner’s money?” and “Who was Hugh Hefner married to?” Hefner will be buried next to Marilyn Monroe, Playboy’s first cover girl (search interest in Monroe went up 570% this week as well).

But will they assemble the meatballs, too?

This week, two of the top searched questions about IKEA were: “How to build IKEA Tarva nightstand” and “How to remove IKEA drawer front.” Well, now you can get some help with that. This week, IKEA closed a deal to buy the online errand company TaskRabbit so that the dreaded phrase “assembly required” will become slightly less scary. Those who are keen on IKEA are searching the most for dressers, desks, rugs, kitchen cabinets and beds.

Riding in style

Ford is getting revved up with its new F-450 Super Duty Limited truck, which can cost as much as $100,000 and tows 15 tons … talk about luxury. Search interest for the new truck went into overdrive—“Ford Truck” was searched 2000% more than “Ford SUV.” People are doing their due diligence on the Super Duty, searching “Where is the F-250 Super Duty made?” “What is the MPG of a Ford Super Duty Diesel?” and “What roof bars fit a Ford Super Duty?”

The FlashStack Revolution


Modern companies need to move quickly. And to do so, they need things to be streamlined. From hosting 40,000 people at a big game, to churning out thousands of newspapers hot-off-the-press, to delivering millions of pizzas right on time. To keep up, companies need an integrated solution powering their IT that’s fast…REALLY fast. Learn how […]

Igniting business transformation, reinventing the data center and helping nonprofits move to the cloud — Weekend Reading: Sept. 29 edition


This week was testament to the transformative power of technology, both collectively and individually — from the thousands of business leaders gathered at Microsoft’s annual IT conference to a Philippine teenager whose blindness isn’t stopping her from pursuing a dream of creating her own software. A leader in digital transformation, Microsoft is launching a group…

The post Igniting business transformation, reinventing the data center and helping nonprofits move to the cloud — Weekend Reading: Sept. 29 edition appeared first on The Official Microsoft Blog.

Innovating and Winning Awards


The Best of Interop 2017 award winners were announced at the MGM Grand in Las Vegas. As the innovator and leader of these technologies, I was asked by several media representatives for an interview. Here is a short interview by Information Week news desk. Best of Interop Awards are like the Oscars of the Networking […]

#teampixel proves you can take a good photo anywhere


We’re always excited to see what #teampixel photographs next. This week’s photos capture everything from the tombs and temples in Jordan to the crestfallen leaves of autumn, proving a good photo can be taken anywhere.   

Special shout out to today’s Instagram feature, @oxykostin, for a magical photo that takes us under the sea. Don’t forget to tag your photos with #teampixel, and you might see yourself featured next!

Keystore Key Attestation


Posted by Shawn Willden, Software Engineer

Android’s keystore has been available for many years, providing app developers
with a way to use cryptographic keys for authentication and encryption. Keystore
keeps the key material out of the app’s process space, so that the app cannot
inadvertently reveal it to the user where it could be phished, leak it through
some other channel, or have it compromised in the event of a compromise of the
app. Many devices also provide hardware-based security for keystore keys in
secure hardware, which keeps the key material out of the Android system
entirely, so that the key material cannot be leaked even by a Linux kernel
compromise. In the vast majority of Android devices, secure hardware is a
special mode of the main CPU, with hardware-enforced isolation from the Linux
kernel and Android userspace. Alternatively, some devices use a separate secure
microprocessor.

Android provides APIs that allow the app to determine whether a given keystore
key is in secure hardware, but these APIs could be unreliable if the operating
system has been compromised. Key attestation provides a way for a device’s
secure hardware to verify that an asymmetric key is in secure hardware,
protected against compromise of the Android OS.

History of Keystore

Keystore was originally introduced in Android 4.0 and keys were encrypted with
the user’s passcode. In Android 4.1 the infrastructure to use device secure
hardware was added.

Up until Android 6.0, Keystore supported RSA and ECDSA. In Android 6.0, Keystore
was significantly enhanced, adding support for AES and HMAC. Also, other crucial
elements of cryptographic operations, such as RSA padding[1] and AES block
chaining[2] modes, were moved into secure hardware.

In Android 6.0, Keystore also gained the ability to restrict the ways in which a
particular key could be used. The most obviously useful restriction that can be
applied is user authentication binding. This allows a key’s usage to be
“bound” to the user’s passcode—their PIN, pattern, or password—or fingerprint.
For passcode authentication binding, the app developer can specify a timeout in
seconds. If more than the specified time has elapsed since the user last entered
their passcode, the secure hardware refuses any requests to use the key.
Fingerprint-bound keys require a new user authentication each time the key is
used.

Other, more technical, restrictions can be applied to Android 6.0+ keys as well.
In particular, at point of key creation or import, it is necessary to specify
the cryptographic purposes (encrypt, decrypt, sign, or verify) for which the key
may be used, as well as padding and block modes, digests, source of entropy for
initialization vectors or nonces, and other details of the cryptographic
operation. Because the specified information is permanently and
cryptographically bound to the key material, Keystore won’t allow the key to be
used in any other way. Therefore, an attacker who gains control of the app or
the system can’t misuse the key. To help prevent attacks, developers should
specify the narrowest possible range of uses for a given key.

One of the most important changes to Android Keystore was introduced in Android
7.0. New devices that launch with Android 7.0+ with a secure lock screen must
have secure hardware and support hardware-based passcode authentication and
keystore keys. Prior to Android 7.0, secure hardware support was widespread, but
over the next few years it will become universal.

In Android 8.0, key attestation was made mandatory for all new devices that ship
with Google Play installed.

Why use key attestation?

Suppose you’re developing an app to provide a bank’s customers with access to
their bank balance, transaction history, and bill pay system. Security is
important; you don’t want anyone who picks up the user’s phone to have access to
their bank account. One approach would be to use the user’s web site
password. But that’s often inconvenient for the user because web sites often
demand long, complex passwords, which are inconvenient on a small touchscreen.

With Android Keystore, you can generate an asymmetric authentication key, such
as a 256-bit ECDSA key, and have each user sign in with their complex web
password once, then register the public key in the bank’s customer account
database. Each time they open the app, you can execute a challenge-response
authentication protocol using that ECDSA key. Further, if you make the key
authentication-bound, the user can authenticate with their lock screen passcode
or fingerprint each time they open the app. That allows them to use the simpler
and more convenient authentication mechanism on their phone.
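
The server side of the challenge-response flow described above, as an added example in Go that is not part of the original post. The names Server, Enroll, Challenge, Verify and demo, the account "alice", and signing the SHA-256 digest of the nonce are assumptions for illustration; a software key stands in for the device's Keystore key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Server keeps each account's enrolled public key and its outstanding nonce.
type Server struct {
	keys   map[string]*ecdsa.PublicKey
	nonces map[string][]byte
}

// Enroll runs once, after the password sign-in (not shown), with the device key's SubjectPublicKeyInfo.
func (s *Server) Enroll(user string, spki []byte) error {
	pub, err := x509.ParsePKIXPublicKey(spki)
	ec, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok || ec.Curve != elliptic.P256() {
		return fmt.Errorf("public key must be a parseable P-256 ECDSA key")
	}
	s.keys[user] = ec
	return nil
}

// Challenge issues a fresh 32-byte nonce, replacing any unanswered one.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.nonces[user] = nonce
	return nonce
}

// Verify consumes the nonce first, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, key := s.nonces[user], s.keys[user]
	delete(s.nonces, user)
	digest := sha256.Sum256(nonce)
	return nonce != nil && key != nil && ecdsa.VerifyASN1(key, digest[:], sig)
}

// demo plays the device with a software key, a CONSTRUCTED stand-in for a
// Keystore key, and answers one challenge twice to show the replay failing.
func demo() (first, replay bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	spki, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	srv := &Server{map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
	if err := srv.Enroll("alice", spki); err != nil {
		panic(err)
	}
	digest := sha256.Sum256(srv.Challenge("alice"))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	first = srv.Verify("alice", sig)
	return first, srv.Verify("alice", sig)
}

func main() {
	fmt.Println(demo())
}
```
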

If an attacker compromises Android and attempts to extract the key, they
shouldn’t be able to because the key is in secure hardware.

As an app developer, key attestation allows you to verify on your server that
the ECDSA key your app requested actually lives in secure hardware. Note that
there’s little point in using the attestation in your app itself; if the Android
OS is uncompromised and trustworthy, then you can just use the KeyInfo
class introduced in 6.0 to discover whether the key is in secure hardware. If it
is compromised, then that API and any attempt you make to validate the
attestation on device are both unreliable.
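
A server-side check of the attestation extension in the key's leaf certificate, as an added example in Go that is not from the original post or the Android documentation. It assumes the certificate chain has already been verified up to the attestation root the server trusts; checkAttestation, sampleLeaf and the sample values are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// OID of the Android key attestation extension carried in the leaf certificate.
var attestationOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 1, 17}

// keyDescription mirrors the extension's KeyDescription SEQUENCE. The two
// authorization lists stay raw because this check does not inspect them.
type keyDescription struct {
	AttestationVersion       int
	AttestationSecurityLevel asn1.Enumerated // 0 = Software, 1 = TrustedEnvironment, 2 = StrongBox
	KeymasterVersion         int
	KeymasterSecurityLevel   asn1.Enumerated
	AttestationChallenge     []byte
	UniqueID                 []byte
	SoftwareEnforced         asn1.RawValue
	TeeEnforced              asn1.RawValue
}

// checkAttestation accepts a chain-verified leaf (assumption: done by the caller)
// only if it echoes the server's challenge and both security levels are hardware.
func checkAttestation(leaf *x509.Certificate, challenge []byte) error {
	for _, ext := range leaf.Extensions {
		if !ext.Id.Equal(attestationOID) {
			continue
		}
		var kd keyDescription
		if _, err := asn1.Unmarshal(ext.Value, &kd); err != nil {
			return fmt.Errorf("malformed KeyDescription: %w", err)
		}
		if !bytes.Equal(kd.AttestationChallenge, challenge) {
			return fmt.Errorf("attestation challenge mismatch")
		}
		for _, lvl := range []asn1.Enumerated{kd.AttestationSecurityLevel, kd.KeymasterSecurityLevel} {
			if lvl != 1 && lvl != 2 {
				return fmt.Errorf("key or attestation is not hardware-backed")
			}
		}
		return nil
	}
	return fmt.Errorf("no key attestation extension")
}

// sampleLeaf returns a CONSTRUCTED certificate value holding only the extension.
func sampleLeaf(level asn1.Enumerated, challenge []byte) *x509.Certificate {
	empty := asn1.RawValue{FullBytes: []byte{0x30, 0x00}} // empty SEQUENCE
	der, err := asn1.Marshal(keyDescription{2, level, 3, level, challenge, []byte{}, empty, empty})
	if err != nil {
		panic(err)
	}
	return &x509.Certificate{Extensions: []pkix.Extension{{Id: attestationOID, Value: der}}}
}

func main() {
	nonce := []byte("constructed-nonce")
	fmt.Println(checkAttestation(sampleLeaf(1, nonce), nonce), checkAttestation(sampleLeaf(0, nonce), nonce))
}
```
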

Note that key attestation is distinct from SafetyNet attestation. They’re the
same concept, but attest to different things and
come from different places. Keystore key attestation affirms that a crypto key
lives in secure hardware and has specific characteristics. SafetyNet attestation
affirms that a device is real (not an emulator) and that it’s running known
software. SafetyNet uses Keystore key attestation under the covers, so if you
want to know about device integrity use that. If you want to confirm that your
key is in secure hardware, use key attestation.

For details and sample code, see the key attestation training article on
developer.android.com.

Notes


  1. Keystore supports the recommended OAEP and PSS padding modes for RSA encryption and signing, respectively, as well as the older PKCS#1 v1.5 modes.

  2. Keystore supports GCM, CBC and ECB block chaining modes. 

Preparing Today for Tomorrow’s Threats


For the European Union, the U.S., and many countries around the world, October is Cyber Security Awareness Month, a time to broaden awareness and expand the conversation on staying safe and secure online. This time of year presents an opportunity to reflect on the state of cybersecurity – how we’re dealing with today’s challenges and […]