Kotlin 1.8.0 Released

The Kotlin 1.8.0 release is out.
Here are some of its biggest highlights:

  • New experimental functions for JVM: recursively copy or delete directory content
  • Improved kotlin-reflect performance
  • New -Xdebug compiler option for better debugging experience
  • kotlin-stdlib-jdk7 and kotlin-stdlib-jdk8 merged into kotlin-stdlib
  • Improved Objective-C/Swift interoperability
  • Compatibility with Gradle 7.3

more: https://kotlinlang.org/docs/whatsnew18.html

Google Home speakers were vulnerable to eavesdropping hackers

Earlier last week, researcher, programmer and ethical hacker Matt Kunze released a blog post detailing a severe vulnerability in Google smart home speakers that could give hackers remote control over the devices. In his blog post, Matt describes how the vulnerability was discovered and then explains in frightening detail exactly how this backdoor could be used to access a wide range of commands and actions on the affected Google speaker.

The potential for attack stemmed from a vulnerability that could allow someone to add themselves to the Google Home App. From there, a hacker could control devices connected to the account. Once connected, an attacker could utilize voice commands to activate the microphone on a given device. You can imagine how much chaos could ensue from that point. The device could potentially be used to do anything that the Google speaker was capable of as it relates to any other connected devices in the home.

more:

https://downrightnifty.me/blog/2022/12/26/hacking-google-home.html

Google plans to boost Fuchsia OS development in 2023

Google is ramping up the development of the Fuchsia OS. While it remains the primary author of Fuchsia, it is now opening up more parts of the OS's development to the public. Interested developers can take a peek at the open source project's bug tracker, for example, and can even submit patches.

Google also made public the project's roadmap to prove that it isn't simply a skunkworks endeavor. Interestingly, a lot of it involves a "version 2" of the operating system's major components, indicating that the current state of the project is far from the form that Google has envisioned for it.

We can also expect Fuchsia on Nest speakers, with new models hinted for 2023. Everything suggests that Fuchsia could start gaining popularity soon.

KotlinDL 0.5 is out!

According to the latest blog post, we now have some quite interesting features on Android:

Version 0.5 of our deep learning library, KotlinDL, is now available! This release focuses on the new API for the flexible and easy-to-use deployment of ONNX models on Android. We have reworked the Preprocessing DSL, introduced support for ONNX runtime execution providers, and more. Here’s a summary of what you can expect from this release: […]

More:
https://blog.jetbrains.com/kotlin/2022/12/kotlindl-0-5-has-come-to-android/

Samsung, LG, Mediatek certificates compromised to sign Android malware

Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications have also been used to sign Android apps containing malware.

The biggest problem here is that apps signed with the same platform certificate and assigned the highly privileged 'android.uid.system' user id also gain system-level access to the Android device, which means that they can inspect and do much more than standard apps.

more:

https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/

List of hashes: https://bugs.chromium.org/p/apvi/issues/detail?id=100
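
A defensive triage check for the scenario above, as an added example that is not from the original post or from the linked advisory: it reads the signer digests from `apksigner verify --print-certs` output and combines them with the manifest's sharedUserId. The digest in the set is a constructed placeholder, the sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed placeholder: the page links to the published hash list but quotes
# no digest, so this value is NOT a real indicator. Load the real list here.
LEAKED_PLATFORM_CERT_SHA256 = {"ab" * 32}

SYSTEM_SHARED_UID = "android.uid.system"

# Matches the "certificate SHA-256 digest" lines printed by
# `apksigner verify --print-certs` (one per signer).
_DIGEST_LINE = re.compile(
    r"^Signer\b.*certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)


def signer_digests(apksigner_output):
    """Return the lower-cased SHA-256 digests of every signer certificate."""
    return {d.lower() for d in _DIGEST_LINE.findall(apksigner_output)}


def triage(apksigner_output, shared_user_id):
    """Classify one APK from its signer digests and manifest sharedUserId."""
    digests = signer_digests(apksigner_output)
    if not digests:
        return "unknown"      # no signer parsed: do not treat as a pass
    if not digests & LEAKED_PLATFORM_CERT_SHA256:
        return "no-match"     # not signed with a listed certificate
    if shared_user_id == SYSTEM_SHARED_UID:
        return "critical"     # listed key AND requests the system UID
    return "suspicious"       # listed key, ordinary app UID


# Constructed sample output in the apksigner --print-certs layout.
SAMPLE_LEAKED = (
    "Signer #1 certificate DN: CN=Example OEM Platform\n"
    "Signer #1 certificate SHA-256 digest: " + "AB" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n"
)
SAMPLE_OTHER = "Signer #1 certificate SHA-256 digest: " + "12" * 32 + "\n"

if __name__ == "__main__":
    print(triage(SAMPLE_LEAKED, SYSTEM_SHARED_UID))
    print(triage(SAMPLE_LEAKED, None))
    print(triage(SAMPLE_OTHER, SYSTEM_SHARED_UID))
```

The vendor's genuine core system applications are signed with the same certificate, so a match is input for review (where did the APK come from, was it preinstalled) rather than a verdict on its own.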

Weekend good reads for Android developers, issue #40 (45/2022)

The weekend is coming so we have some reads for you:

SIMPLE IS NOT EASY

Unfortunately, most of the examples showing Clean Architecture and Hexagonal Architecture present this as the model way: abstraction on top of abstraction on top of abstraction. But writing simple and easy-to-read code is not easy. It requires multiple iterations and effort. Read more in this article.

Mastering Android Dialogs: Don’t follow official Google Guides

This article explains why Google Guides for Dialogs are bad and what risks you and your apps may face if you follow them.

Performance Considerations for Memory Leaks: An Android Cookbook

Memory leaks can be found everywhere, in application code, dependencies, the Android operating system, and even in the JVM. It is difficult to come up with a complete list of the reasons why these problems occur, but showing a broad range can help us better characterize what they may be like. This great article gives you a better understanding of what memory leaks are.

Declarative UI — What, How, and Why?

This short, succinct post perfectly explains the declarative programming paradigm.

Library of the week:

https://github.com/touchlab/xcode-kotlin

The xcode-kotlin plugin allows debugging of Kotlin code running in an iOS application, directly from Xcode.

Have a nice Weekend!

Google Play services – update

Google has begun previewing the latest changes to Android as part of November’s Google Play System updates, including improvements for Wallet and parental controls. Google is also bringing its updated photo picker to nearly every Android device, including ones that are quite outdated (KitKat).

Google has now announced that Android’s photo picker UI, the one that debuted with Android 13, is becoming available for almost all Android devices. According to the patch notes, phones and tablets as far back as Android 4.4 KitKat, released in 2013, will be able to use Android 13’s photo picker. (Originally, Google had only said that devices on Android 11 and newer would get the new design.)

Google Pixel – Lock Screen Bypass

Have you ever suddenly forgotten a password that you had typed automatically hundreds of times?

One researcher encountered this very problem when his phone was down to 1% battery. After a while, the phone turned off, and after recharging, the researcher wanted to unlock the SIM card with a PIN … but something did not work :/ So he looked for the PUK code, entered it and … the phone asked him to set a new PIN (for the SIM card).

This does not look like an obvious security issue, but the hacker tried to work out the cause of the phone's strange behavior. At one point, he performed the following sequence:

  • His phone was unlocked
  • He locked it
  • He pulled out the SIM card and inserted it again
  • He launched the procedure for changing the SIM card's code (he used the PUK)
  • and suddenly boom - the phone is unlocked!

The researcher commented on it like this:

My hands started to shake at this point. WHAT THE F**K? IT UNLOCKED ITSELF (…) full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too.

The CVE-2022-20465 vulnerability was patched according to the November Android security bulletin. The patch was prepared for Android 10, 11, 12, 12L, 13.

Absolutely CRITICAL vulnerability in OpenSSL (versions 3.x only)

The vulnerability is so serious that the OpenSSL team decided to announce in advance that a patch is coming:

https://twitter.com/iamamoose/status/1584908434855628800

Full information on the details of the vulnerability (and probably the exploit …) will be available on November 1st. As you can see, the whole thing only affects the 3.x OpenSSL line.

It is also worth noting that the OpenSSL team reserves the 'Critical' status for really serious occasions. Since it began rating vulnerabilities (end of 2014), this label has been used only once so far.

more:

https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html