major release</td>	fixed version</td> </thead>
26</td>	26.2.1</a> </td> </tr>
25</td>	25.8.1</a> </td> </tr>
24</td>	24.8.3</a> </td> </tr>
23</td>	unsupported. upgrade! </td> </tr>
22</td>	22.3.24</a> </td> </tr> </tbody> </table> Signal followed a few more hours later, with their release of Signal Desktop</a> on 2023-09-13T06:04:12Z. If we're at the changelogs, this one was as descriptive as all of their patch notes:</p> Keep tabs on your calls with the new calls tab. Start a new call or return a call that you missed without having to find the corresponding chat. Now you can say hello with your voice without also saying goodbye to the unread marker for messages in that thread.</li> </ul> </blockquote> And that would be the end of developer self-realization in this post.</p> In case of Element Desktop, a tranny that doesn't sleep at night had realized first, and it had submitted a pull request</a> on 2023-09-15T02:17:03Z. That's almost 3 whole days later. This was then released</a> on 2023-09-15T11:23:33Z.</p> (The tranny is the author of this text. Hi, reader! Don't mind me, just reclaiming some slurs</a>.)</p> More friction? Fuck yes. If you use Element Desktop from Flathub, that's even more waiting. Flathub simply downloads tarballs with builds. There is a bot that downloads a webpage and runs a regex over it. It has detected the release and made a PR with the update on 2023-09-15T13:13:36Z. Then, the PR has been merged manually on 2023-09-15T15:10:06Z. That has finally triggered a rebuild (or rather, re-repack). The notice about a security fix has disappeared on the way, and this update on Flathub is not marked with a higher urgency (as is an option on there), but it's there.</p> To be clear, Element had a good response once they finally heard about it. But it still took days in friction between multiple projects having to fix publicly known</em> vulnerabilities. This system of distribution is just broken.</strong></p> Another real chat app has released the security fix on the beta channel</em>, and everyone went on a weekend. The Jira ticket for this states "No testing required", but, oh well.</p> *Similar stories with Flutter. In this case, you'd need to know where to find* these release notes</a> - they're on a special GitHub Wiki page, separate from the other release notes. (The fixed release is 3.13.4</a>.) Now just wait for all app developers to release it on Google Play...</p> This doesn't have to be broken like this.</h2> Software distributions work. In Alpine Linux, where I'm a contributor, a hotfix got merged</a> into edge on 2023-09-13T17:42:01.841Z, and then backported to earlier versions. That's just what a distribution does. The information flow is free here. In this case, Alpine has followed NixOS</a>. Another time Arch will follow Alpine. But that's ok, we don't like having secrets.</p> The hotfix I mentioned was merged to the libwebp package. It's a shared object</em> getting reused by other packages. Once you run `apk upgrade</code>, the old /usr/lib/libwebpdemux.so.2.0.14</code> on your disk gets replaced with a new one. Also, Chromium, Electron, Firefox, Flutter, Thunderbird, all depend on it. You don't have to rebuild or redownload all of them (and the apps they're a part of). Better. As a package maintainer for 2 of these, I didn't even have to know about it. Cool, isn't it?</p>` `On a sidenote. I've` `submitted the changes</a> adding an option to unbundle dependencies back to Flutter, back when I made them.</p>` We can't do this.</p> Most of these libraries do not provide stable ABI. And Flutter does not guarantee that it plays nicely - sometimes we use private API even though we're not supposed to.</p> If you arbitrarily change the versions of these dependencies, you could get anything from reduced performance to completely broken/crashing binaries.</p> </blockquote> I keep applying that patch in Alpine anyway. Guess what. It works without issues, and we got this patched earlier as a consequence.</p> Trusting clients is probably a security flaw lnl — Fri, 28 Jul 2023 00:00:00 +0000 I looked at a discussion on blink-dev Google Group and saw the message</a>:</p> Perhaps it is a good thing for user choice to have a browser that is fully open to any use and allows anonymous user actions.</p> The result of such open-ness is that an entire series of services that need to trust the client (used in the oauth sense of the word) are not available to web apps. […]</p> I have recently worked on a fork of Chromium that is designed to have this functionality and on Native Wallet apps to get it. The lack of this functionality in Chrome will drive developers away from Chrome and fragment the user experience. We already have the problem of directing users away from Chrome to a secure wallet and being unable to bring the original user session back to Chrome. Of course Google and Apple get to solve this problem with their own wallets, but that will not fly in Europe and now the US DHS is asking for solutions that are more open as well.</p> </blockquote> My understanding of security started an internal screaming.</p> Meet the McDonald's app</h2> Hold on, I'm not at all joking. The McDonald's app developers put a lot of effort into policing the clients allowed to even dream about running the app. The app was checking for:</p> whether you have a directory called TWRP</code> in your internal storage. TWRP is a custom recovery, and by default, stores device backups you generate from recovery in there. You have a device backup? Then no deals for you, nerd.</li> whether you have the com.topjohnwu.magisk</code> app installed. You like modifying your devices, don't you?</em> Pay full price, nerd.</li> whether you have installed the app from com.android.vending</code>, more widely known as Google Play. What, you don't have it? That'll be €14,50, nerd.</li> check your device with RootBeer, a library that tries to check whether you have root access. Not passing? Card or cash, nerd?</li> and finally, using the SafetyNet API (now being rebranded into Play Integrity, specifically the Device Integrity and App Integrity parts, with some minor changes). Not passing? Pay. Nerd.</li> </ul> This is more annoying than any financial app I've had, and I have 5 of them on my phone. mBank.pl uses Play Integrity API, but that's to use contactless payments via BLIK, and the rest of the app works. IKO, the app of PKO BP, seeing that I have root access, disabled logging in with biometry, requiring me to log in with a PIN code. bunq told me that maybe my device should not be rooted. The worst one seems to be Revolut, which blocked my access, clearly stating the reason to be root access.</p> The McDonald's app only displays a generic error message, and an error code that tells you nothing.</p> And what are guarding so much?</h2> What are the Deals</em> inside the app? Currently, I can get a free burger for 650 points, that is, if I spend 65 Euro in McDonald's first. What a deal. But that's not what brings me here.</p> There once was a promotion</a> in collaboration between Coca-Cola and McDonald's, specifically available in Poland. It boiled down to this:</p> Buy 3 bottles of Coca-Cola.</li> Enter 3 codes (from each bottle) into the Coca-Cola app.</li> Enter the code you got from the Coca-Cola app into the McDonald's app.</li> In return, you get a free meal with a Big Mac.</li> </ol> Ignore this unnecessary duplication with copying the code between 2 apps. Actually, ignore the Coca-Cola part as a whole. So, what happens in the McDonald's app? As with many things in that app, this deal was operated by a page opened in a WebView. The config for the country was set to point to the deal's page from the main screen. On the page, there was a pretty simple form:</p> </picture> </figure> Obscurity is not security</h2> From now on, this is basically a post mortem, except it's not McDonald's writing it.</p> The page opened in the WebView was sending the entered code in a request to a McDonald's server. But here's the flaw: the request checking and invalidating the code, was doing just that. It just returned whether the code is valid. The page was requesting a check whether the code was valid, and the client</em> was assigning the coupon to the user.</strong></p> It turns out that the company's servers do not verify this and take the app "for its word"</em>, reported android.com.pl</a>.</p> When you say you need to check whether the request is coming from a "trustworthy client", I say trust no client, use a rubber.</strong></p> An untouched device can exploit your service, too</h3> Oh, right, I said earlier about some measures? This whole exploit could (at least at that time) be executed from an unmodified device</strong>. Open the app, go to privacy policy (opens in a WebView), find an external link. Be creative. Find a link to Google's privacy policy, and tap their logo to go to Google Search. Find a link to YouTube, and search for a video with a link somewhere else. Whatever gets you to a page that can execute a little bit of JavaScript for you</strong>.</p> COLA.offerActivation.send({ loyaltyId: 2424, rewardId: 95275, }) </code></pre> This was the thing.</p> But don't worry. If this is fixed, nothing is lost. You remember the measures I talked about? They indeed check signs that might indicate you're not trustworthy. But really, passing these checks might just mean you know how these checks work. What can and does go wrong?</p> You can just comply with the checks.</h3> TWRP backups? Change the directory name.</p> Magisk Manager app? Change the package name in the settings.</p> Not installed from Google Play? Open terminal and run pm set-installer com.mcdonalds.mobileapp com.android.vending</code>. Or install with pm install -i com.android.vending [file]</code>. Or the same with adb</code>.</p> Root checks? Add McDonald's to Zygisk Denylist.</p> You can just not run the checks.</h3> Oh, that was just the way where we obediently fulfil these checks. But if this runs on your device, you are the one in control of it.</strong> You can inject into the process with tools like Zygisk or LSPosed, and remove these checks. I have injected into 2137 processes on my phone today. Nobody controls this.</em></p> You can just tell the checks what they want to hear.</h3> And the last check. SafetyNet/Play Integrity. Check whether you pass with SPIC</a>. If you don't pass basic SafetyNet, install MagiskHide Props Config</a>, run props</code> in console, change signature to something from the available list. Now, if you don't pass CTS SafetyNet, install Universal SafetyNet Fix</a>. Yes, my phone really just passes SafetyNet and Play Integrity like this (Integrity up to MEETS_DEVICE_INTEGRITY</code>, without MEETS_STRONG_INTEGRITY</code>).</p> No labels (a blank value): The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).</p> </blockquote> This is a fragment of the Play Integrity documentation</a>. But the problem with checking if the user is a god, is that the user is a god. They can just tell you what you want to hear.</p> (On a side note, if you speak Polish, I recommend reading "Aplikacja mobilna nie wie, czy telefon jest zhackowany" from Informatyk Zakładowy</a>)</p> But typical users will not study your app if it doesn't work</h3> Mass exploitation was, in the end, stopped by ending the deal, because of how out of control it was. So who was</em> stopped?</p> Unaware users. Every time you introduce a stupid check, there is a user with a false positive result. For example, some of the RootBeer checks will trigger</a> on some unmodified Xiaomi, Asus, or Fairphone, or random cheap phones that happened to be in someone's nearest Tesco. The biggest irony is that some of these users will root their phones</em> to bypass these checks instead.</p> If your app starts looking for the MEETS_STRONG_INTEGRITY</code> label from Play Integrity, even more users will be affected like this.</p> Literally look at the Google Play reviews of the McDonald's app. This app has a 2,8/5 rating and you have to keep scrolling them to find positive ones, from the very few users who managed to get the app running.</p> </li> Users with root access to their own phones. First of all, why? What's bad about having administrator access to your own phone</em>?</p> Second, this is ineffective if they know how to workaround. They can inject into your process and tell you it's a good phone ma'am</em>.</p> </li> Huawei users. Or Amazon Fire users. Or any Android device made for China market users. Or users of a mobile Linux distribution, trying to run an app over Waydroid. Their devices by default do not have Google Play Services that can be tricked like this, and will require more work than I described to pass these checks.</p> </li> </ul> But will it at least stop fraud?</h3> Hell no.</p> </picture> </figure> Android is not free, let's get to work about it lnl — Sat, 08 Jul 2023 00:00:00 +0000 In the standards field, Embrace, Extend, and Extinguish</em></a> is a strategy for gaining users of an open standard, and breaking it to lock them in. This does not exactly match Android, as it is a software project, rather than a standard. But it resonates with its story of making the open source effectively unusable without proprietary extensions.</p> Warning:</strong> if I wasn't enough of a techie to do some action, this would be a lot of doomerism. Thank fuck</em> I'm autistic and this is my special interest?</p> </div> </div> I've been an Android user for, I think over 10 years by now. Well, still am, out of necessity. But I'm fed up with it as a user. I feel like instead of empowerment, I have to fight with this device on every step to keep some control over my own device, and to not send more of my data to corporations.</p> Google hardly even bothers to keep the Android Open Source Project documentation separate from one for their proprietary Google Play Services.</p> Does any of your mobile apps send you push notifications? You can be almost certain they go through Google servers. More namely, Firebase Cloud Messaging</a>. Google has made it easy to just add FCM libraries to your Android app, and made it hard to not use FCM.</p> Android 6 introduced Doze mode</a>: "If a user leaves a device unplugged and stationary for a period of time, with the screen off, the device enters Doze mode. In Doze mode, the system attempts to conserve battery by restricting apps' access to network and CPU-intensive services. It also prevents apps from accessing the network and defers their jobs, syncs, and standard alarms.</em>" As you might guess, this breaks background processes listening for notifications.</p> Solutions? "If possible, use Firebase Cloud Messaging (FCM) for downstream messaging.</em>"</a></p> </li> Android 8 introduced background execution limits</a>. "Apps that are running in the background now have limits on how freely they can access background services.</em>"</p> Solutions? "Use FCM to selectively wake your application up when network events occur, rather than polling in the background.</em>"</a></p> </li> Android 12? "Apps that target Android 12 or higher can't start foreground services while running in the background, except for a few special cases.</em>"</a></p> And yes, the point is that you use WorkManager</code></a>. But you probably get the drill by now. "Your app receives a high priority message using Firebase Cloud Messaging.</em>"</a></p> </li> OEMs who heavily modify Android they ship are notorious for making it worse</a>, by creating issues specific to their devices. "They kill background processes and render alarm clocks and other apps which rely on background processing useless.</em>"</p> </li> </ul> Do any of your apps use location? There are system APIs for this! Oh, wait, what's this? "Note: The Google Location Services APIs, part of Google Play services, is the preferred way to access location services for apps. […] Clients of the traditional Android location APIs are encouraged to switch to the Google Location Services APIs wherever possible.</em>"</a></p> Anything scanning QR codes? Remember the old days of ZXing? Not anymore</a>. And of course with incentives: "The Google code scanner API provides a complete solution for scanning codes without requiring your app to request camera permission</em>"</a>. You don't have it? I hope you enjoy typing your password and SMS codes, because you're not logging in with the DigiD app.</p> And now, I couldn't just leave out SafetyNet, and its new replacement, Play Integrity API here. What do these do? I think the most important check: "tells you whether your app is running on a genuine Android device powered by Google Play services</em>"</a>. What does "genuine Android device" even mean? I guess not that much control of your device, because you get an accordingly lower device integrity label of MEETS_BASIC_INTEGRITY</code> if your device "may have an unlocked bootloader"</a>.</p> Is there really no hope in Android world?</h3> microG Project is trying to reimplement these proprietary APIs. There are 2 problems with that:</p> Google keeps making new ones, requiring more work to reimplement them. We're talking about complicated stuff like ML models or speech synthesis.</li> Google makes all the engineering choices that suit them. To work, microG has to make requests the same way as the Google Play services. microG allows you to e.g. get push notifications without using Google's proprietary code on your device. But this is still the same, fundamentally flawed way, where Google servers are in the middle. Good riddance, but not quite enough.</li> </ol> I've previously had some faith that Huawei shipping Android phones without the proprietary Google parts is gonna change something. Because, e.g. if you have to scan a QR code on both Google and Huawei, you could just use ZXing, which does not depend on either's environment, right? In reality, of course, developers really just do depend on both, write handling dependent on whether it's Google or Huawei, and ship it like that to the app stores. The whole difference is that instead of a Google ML Kit</a> there is a Huawei ML Kit</a>, and so on.</p> So, yeah. Hope, left me.</em></a></p>

lnl's weblog

Time to break some habits

isf — Tue, 05 Nov 2024 21:30:00 +0100

I've made lots of mistakes. The hard part was realizing not just the fact, but the extent. Sure, I've been hurt by others, but there also are quite many things I've just done to myself.

It's time to learn on mistakes. Here's my recent life rule:

Make time work in your favor.</h1>
Its strongest power is that it's vague, it can be universal. On the other hand, the biggest issue with it is that it's so vague, you might have no idea what to do with it.
Can't go wrong with some examples. No-brainer: don't keep 500 euro on your PayPal account. Put it somewhere that has interest rates. Bank deposit, savings account. Really.
Staying at a bad job is probably better than quitting it without finding a new one first. Or, to show my point: time passing with a job is better (on CV, for your budget, ...) than time passing while jobless.
Much easier said than done: time works in your favor if you work on your goal a lot, systematically, ahead of your deadlines. The other way is also true: it works increasingly against you if you leave it over - your deadlines will approach you.

To reach a goal, you have to set it.</h2>
Ok, all of this so far was probably rather obvious, but here's the big part: it was only about reaching goals. Thing is, I haven't had goals I failed to fulfill. I've just barely had any goals at all.
It only hit me when put different. Stagnation is not staying at a flat, stable level, there's no such thing. It means to slowly become worse. Oh, sorry, did I say something about the time again?
If you're sad about the clocks ticking, it's not about the time itself. It's about what you're doing with it. Noone will do it for you.

"War on WPE", or the single-member community of Automattic CEOs

lnl — Fri, 18 Oct 2024 01:00:00 +0200

On October 17, a blog post was published on WordPress.org, attributed vaguely to "WordPress.org", titled "WP Engine Promotions."</a>

Given the egregious legal attacks by WP Engine against WordPress co-founder Matt Mullenweg, </blockquote>
Fact check: WP Engine's lawsuit first names Automattic</a>, and only then Mullenweg. "Mullenweg also controls and serves as the CEO and President of Automattic," says WPE's complaint.</a>

a number of their customers have been looking for alternative hosting, and in return a number of hosts have created specials and promotions for WP Engine customers looking to migrate to a host that has great relations with WordPress.org. </blockquote>
What is "WordPress.org?" Sounds like a community organization. An obvious guess would be the WordPress Foundation, the non-profit, right? Betteridge wins, as usually.
"WordPress.org just belongs to me personally," says Matt Mullenweg, asked by The Verge.</a> </blockquote>
Putting it simple, it's competitors to WPE that Matt Mullenweg personally likes, and who are specifically trying to take over WPE's customers.

Here they are, in alphabetical order.
We’ll update this post if any new offers come online, get in touch and we’ll link it.

Bluehost will cover migration costs, and buy out your existing contract. They offer 24/7 phone support, you can call them at 844-699-3907. Their wp.cloud-powered Cloud hosting starts at $29.99/mo.</li> </ul> </blockquote>
Hold on, WP Cloud? Bluehost Cloud? What's all this? Let me check press releases.</a>

the WP Cloud team is excited to confirm our new partnership with Bluehost, a proven leader in the hosting community.
This collaboration culminates in the form of a new product, Bluehost Cloud, that is redefining WordPress cloud hosting forever.
WP Cloud was built by Automattic, the team behind WordPress.com, WooCommerce, Jetpack, and other great products, with a singular vision in mind: to build a cloud platform exclusively tailored for WordPress.
Or as co-founder of WordPress and CEO of Automattic, Matt Mullenweg, puts it, […] </blockquote>
Oh. Matt, the CEO of Automattic, has good relations with a hosting product that depends entirely on the infrastructure of Automattic. But that's just the first one from the list, we gotta check the rest.

Dreamhost is offering free migrations, with plans starting at $16.95/mo.</li> </ul> </blockquote>
That's a hosting older than WordPress, running since 1997. Alright, that's one inde- Wait, no!</a> [emboldened by lnl]

Well, thanks to our friends at Automattic — the company behind WordPress.com […] — […] I’m excited to announce that customers on our DreamPress Plus and Advanced plans, along with everyone on our legacy offerings, will now have access to Jetpack Professional (worth $299/year)! </blockquote>
Ugh, another one? Who else is left?

Pressable will buy out your current WP Engine contract and match their pricing, so if you’re in the middle of a long contract with WP Engine, you don’t need to wait until your renewal time.</li>
WordPress.com will give you a free year of any plan they offer, and donate 5% of your purchase price to the WordPress Foundation. Their relevant plans start at $25/mo.</li>
For large-scale enterprise customers, WordPress VIP will cover the cost of migration. Their plans generally start at $2k/mo.</li> </ul> </blockquote>
That's it, that's the whole list. All last 3 are literally just different brands of Matt's own company. It's symptomattic.

Don't all the prices above sound ridiculously expensive for a page that is mostly contact info and occassionally publishes posts? Short read: The Static Site Paradox</a>.

Hatch, change, rewind. 5 years as myself

lnl — Sat, 27 Jul 2024 20:30:00 +0200

Nothing felt right. The more I've changed, the more I hated what I was turning into, even though it was out of my control.
One day, a seemingly minor event broke something in me. I suddenly understood how much gender dysphoria was eating me alive. All I knew was that I had to act.
I needed a new nickname to start social changes. Being a weeb, I ended up with selfisekai, and quickly got a new domain.
lauren@shinonome ~ $ whois selfisekai.rocks | rg Creation Creation Date: 2019-07-27T20:33:35Z </code></pre> Today's an anniversary. A trannyversary, if you will. It's been 5 years. Did coming out make other things worse? It did. Did I ever regret it? No. Big thanks to all who helped me through this time. Also now, when nothing feels right.
Building Chromium at a distro? Here's your copium lnl — Sun, 19 May 2024 19:45:00 +0200 Here's the thing: Google does not test whether Chromium still works any further than on the tip of their nose. If they can build it to ship Google Chrome, the rest doesn't matter. This is not what a healthy free software project with such an impact should work like. And yet, well, nothing has changed. If you struggle to run Chromium, you will ultimately struggle to use the Chromium-shaped web</a>. Therefore, it's your own problem. More web, less web apps! Some thoughts on the web. On web engines, web content, and web rent. </a> 2023-11-08T17:15:00+01:00</time> </div> </article> Distributions have for long separately maintained their own sets of patches. This got changed by Gentoo maintainers, who have started putting the most short-living patches in separate git repositories, which many other distros have similarly started to make use of. What happened then was, Chromium M120 broke it. This release in particular has brought, at the same time, both V8 not building with GCC</a>, and absl::optional</code> becoming replaced with std::optional</code>, which hits a bug in either LLVM clang++</a> or GNU libstdc++</a>, not sure, activating if the combination of 2 is used. The outcome? Most distros, including Alpine (maintained by me), Arch, Gentoo, and Fedora, started building the whole Chromium with the source code of LLVM's libc++ that Chromium is shipped with by default. This came at the cost of unbundling dependencies with C++ interfaces, which we do to deduplicate code and effectively provide security fixes in third-party libraries used in packages. </picture> </div> </figure> You are still vulnerable to the WebP exploits, by the way Software distribution is broken without maintenance on scale </a> 2023-09-18T07:15:00+02:00</time> </div> </picture> </div> </figure> </article> (Noteworthy: Debian took a different approach and overrode their libstdc++ <optional></code> header, to a copy of it where triggering asserts got removed</a>.) Some of you could ask: ok, lnl, but Chromium M120 was released as stable in December 2023. It's April</del> May 2024 now. Hasn't anything changed in the meantime? No, not really, and you're a fool for thinking otherwise. Nothing will really change without fundamental changes of Chromium's purpose. In turn, that won't change under its current ownership of Google. But while this is the status quo, let's cope together. It's my turn on rolling the stone</h1> I've patched Chromium enough to build with GCC and libstdc++. Here's your copium</code></a>, a common set of Chromium patches. How original is this? To be fair, a lot of it consists of cherry-picks from main, but there's not that few patches I made myself (trying to upstream it as well). Does it have problems? A lot. It still doesn't work with clang (see above). Also it doesn't work on aarch64 and armv7, for different reasons. No idea if it works anywhere outside x86_64, really. But it's something. How long is it gonna last? I don't know. But I'll be the Chromium doll for now. 2024 February 15, raid notice lnl — Fri, 16 Feb 2024 02:00:00 +0100 I, lauren n. liberda, editor-in-chief of liberda.nl, have been raided at the place of my long-term residence on 2024-02-15 after 07:00 (morning) by the Dutch police, in coordination with Polish prosecutors. My electronic devices have been seized. Out of necessary caution, please distrust the SSH keys with following fingerprints, previously found on https://keys.selfisekai.rocks/ssh</code></a>: 256 SHA256:D5dT45SUx3TY5ke4iqzcDPDRfSAjxZk8Q3olvIfLrtE lauren@shinomiya (ED25519) 4096 SHA256:huOtbBVoqrKtEqIEcLe2CjvTlZC7o4NOmxIa00+HYzQ JuiceSSH (RSA) 256 SHA256:DZ7sY1NHtF2THmN0RqxIl7ec2zz0xQVZ1QFvEjqYXas lauren@matoi (ED25519) 256 SHA256:WFAFP902Wl4ZC2Yqje00XXSmCqOk7nrmfOORwSj0ihk lauren@joestar (ED25519) </code></pre> the following OpenPGP key, previously found on https://keys.selfisekai.rocks/gpg</code></a>: pub ed25519/734C629FD04BD319 2021-11-27 Lauren N. Liberda <lauren@liberda.nl> Primary key fingerprint: A16F 3AB1 39AE E4A3 635D 19ED 734C 629F D04B D319 </code></pre> Also assume any other previous communication, including Matrix and Signal, to be compromised. No public comment on the investigation. New government, new TVP. News from the same reality? lnl — Sat, 23 Dec 2023 11:30:00 +0100 Little background, because it's a big legal mess. In 2015, when Law and Justice (PiS) took over, having parliament majorities on their own (with 37.5% votes) and their President, they went on a run through institutions, including courts. The judges-members of the National Council of the Judiciary (KRS), are getting chosen by the Sejm (lower parliament house), instead of judges, as it was previously. This itself is believed to be unconstitutional, considering Constitution's article 186.1: "The National Council of the Judiciary upholds the independence of the courts and the independence of judges". Captured over KRS, Supreme Court, Constitutional Tribunal. Judges replaced during their valid term, together with law changes about their courts. Prime minister not publishing judgements in the Journal of Laws.</a> We've seen it all, and I'm surely missing a lot of it here, it's hard to follow through and describe the whole process. Members of parliament from PiS have turned to the captured Constitutional Tribunal, with a question whether the law allowing to dismiss the boards of state media is constitutional. On 2023-12-14, Przyłębska's Tribunal has decided in a pre-judgment proceeding to secure their claims, by forbidding to dismiss the members of the boards. First of all, the government rejects the Przyłębska Tribunal's rulings. But even then, the Minister of Culture cites experts, saying that the decision cannot impact him as a minister, since he's not a side in the proceeding. Quick rewind, 2023-12-19</h2> Sejm has received, processed, and voted through the resolution on the restoration of legal order, impartiality, and reliability of public media and the Polish Press Agency</a>. The resolution concludes that the citizens' constitutional right to reliable and impartial information is being violated, and the National Media Council is unconstitutional by Constitutional Tribunal's unexecuted judgement, which the state is supposed to finally execute. It calls for all state institutions to act on this, and especially State Treasury as the owner of these companies (in this context represented by the Minister of Culture and National Inheritance). It's happening, 2023-12-20</h2> The Minister of Culture and National Heritage, as the body exercising the ownership rights of the State Treasury, which holds 100% of the shares in the Companies, acting pursuant to the provisions of the Commercial Companies Code, on December 19, 2023 dismissed the existing chairpersons of the Management Boards of Telewizja Polska S.A., Polskie Radio S.A. and Polska Agencja Prasowa S.A. and their Supervisory Boards. The Minister appointed new Supervisory Boards of the aforementioned Companies, which in turn appointed new Management Boards of the Companies. The necessity for such actions and the rationale was determined by the Resolution of the Sejm of the Republic of Poland from December 19, 2023 on the restoration of legal order and the impartiality and credibility of the public media and the Polish Press Agency. </blockquote> -- tweeted Ministry's account on 10:44</a>. This process is controversial. The Helsinki Foundation for Human Rights agrees with the urgent need for public media reforms, but says the method "raises serious legal doubts"</a>. "However, we note that the issue of appointing and canceling the compositions of personal bodies of public media is currently regulated by the Radio and Television Broadcasting Act, and the Act on the Polish Press Agency." "It is a violation of the law, which was created in violation of the Constitution after the 2015 elections. It is illegitimate in the sense that it violates an illegitimate law and undermines the competence of the institutions that uphold the unconstitutional order", </blockquote> says Piotr Pacewicz</a> from OKO.press. To put it another way: there is no clear way to restore the rule of law. The new parliament decided to make an attack on the laws that are not legitimate - same way as it has started, also because of the impact that the public media have on the elections. A president willing to proceed with these reforms might be crucial - presidential elections are in 2025. The justification submitted with this resolution directly calls it a "transition process", which should end with a proper public media regulation. But let me be clear. Many don't care much about the legality or illegality of it, but are just happy that the alternative reality is gone from the terrestial broadcast, from being paid by the state money, from being this big. There's a lot of things that can go better, and not that many can go worse. And so, on 11:18, the plug was pulled on TVP Info. </video> Interrupted TVP Info broadcast. [Telewizja Polska S.A. 2023]</figcaption> </figure> The channels and websites turned off, and still off as of 2023-12-23, include: TVP Info, TVP3 (all 16 regional channels), TVP Parlament, TVP World. Everything scheduled has aired, except almost all news programs. Aired programs are: Belsat's Vot Tak - a program in Belarusian, TVP Wilno - targeted at the Polish ethnic minority in Lithuania, and... a part of Agrobiznes, agrarian business news, which has aired partially, and got interrupted by a TVP Info host. </video> Interrupted Agrobiznes broadcast on TVP1. [Telewizja Polska S.A. 2023]</figcaption> </figure> TVP employees have tried to broadcast where they could. There have been Facebook live streams made from phones, inside the main headquarters on Woronicza. There has been a YouTube livestream, started by Samuel Pereira, TVP Info editor-in-chief, who was broadcasting a TV from his phone's camera, "deleted by uploader" during the stream. </video> Fragment of the YouTube broadcast [Telewizja Polska S.A., 2023, supposedly]</figcaption> </figure> YouTube and Twitter accounts seem to still be in control of the previous team, though. They also still occupy the Powstańców Warszawy building, from which Television Information Agency (TAI) has operated, broadcasting TVP Info and all news programs. Instead of the top news program, viewers have seen this: </video> Replacement speech for The News on 2023-12-20 [Telewizja Polska S.A. 2023]</figcaption> </figure> The pretty quick takeover was possible due to the technic and security workers, who willingly cooperated with the new bosses. Supposedly, they either didn't support PiS in the first place, or didn't want to lose work due to this bullshit. More interestingly, the previous TVP chairman, Mateusz Matyszkowicz, simply left his office</a>. And there comes the news, again, 2023-12-21</h2> Next day, as promised, the new news have aired. I'm doing a thing no serious news org would do - publishing the whole, 0.5h material, with translated captions. I could talk much about it, what it contains, what's wrong about it, but it might be best, if I simply let you watch it. It's a news program made in 24 hours, and looks exactly like it. Or worse, because the reporting got edited only a few hours earlier, with source materials brought by taxis</a>. Reportedly, it still doesn't have a proper studio. TAI is still occupied, and after a PiS MP has entered the studio after the previous day's broadcast, TVP feared sabotage, and it was aired from a studio rented from ZPR Media</a>. </video> The 19:30 program on 2023-12-20 [Telewizja Polska S.A. 2023]</figcaption> </figure> I'm not sure what to think about it myself. The only opinion I'll cite, if you want a TL;DR, is a joint statement of OKO.press journalists: "No longer propaganda, but not quite yet a good TV".</a> Edited to correct the studio More web, less web apps! Some thoughts on the web. lnl — Wed, 08 Nov 2023 17:15:00 +0100 The dominance of Chromium, and Google's dominance over the project, started being a more widely discussed issue. Not without reasons: Google increasingly prioritizes their own interests over the users'. Take a look at the Web Topics API</a>, rolled out to some portion of stable users since Chromium 115, as a very good example (bold mine). Topics is a proposal in the Privacy Sandbox designed to preserve privacy while showing relevant content and ads. The browser will infer a handful of recognizable, interest-based categories based on recent browsing history to help sites serve relevant ads. With Topics, the specific sites you’ve visited are no longer shared across the web, like they might have been with third-party cookies. </blockquote> This entire proposal assumes that either the web browser is not a tool acting on behalf of a user, or that being shown (relevant) ads is the user's interest when browsing the web. </blockquote> The former sounds like Google, whose browser had an almost 65% share of web traffic in 2022</a>, according to StatCounter, is not afraid of acting against their own users. This goes against principles shown in IETF's standards specifications, fundamental for the web, where a more broad term for a web browser is "user agent". (IETF's RFC 8890</a> is a good read.) The latter sounds weirdly unlikely, but convenient to Google, as a company in the advertising industry. To be clear, Google Play Services on Android have for a long time had Advertising IDs</a>, effectively making the same assumptions for an operating system. Even worse, since this provides a unique identifier for a particular user. Why limit to a pre-defined set of interests now, instead of an ID? I can only imagine GDPR having something to do here. Maybe this way there's no user identifier, or database holding it, thus no responsible data controller? Maybe if this data is only provided to an advertising network when loading ads, without any other identifiers, it can suddenly just be processed within the legal basis of legitimate interest (instead of user consent), by removing the part where a user is identified by some party? snorts drugs. This is just the tip of the iceberg. Web standards ultimately die or thrive by Google's decision. If Google doesn't like, say, an image format, it won't get support in Chromium. Almost 65% of web users in 2022 have used Google Chrome. But it doesn't even stop here. Microsoft Edge, another 4% share, is also based on Chromium. Almost 3% to Samsung Internet, based on Chromium. Opera - 2%. UC Browser, Android WebView - almost 1% each. Summed up, that's 75,6% of the market share. This is not a theoretical issue or even example - it was the fate of JPEG XL. (Surely nothing to do with Google being a major contributor to AV1, and AVIF, the biggest competition of JXL.) The web is, by now, Chromium-shaped. </blockquote> In some ways, the web seems to be healing. Servo, a Rust-based web engine, got moved from the hands of Mozilla, who got bored with it, into Linux Foundation Europe, where its development got revived. Ladybird, the engine developed as a part of SerenityOS, gained some traction too, including a 100,000 USD sponsorship from... Shopify</a>. I can only speculate that Chromium dropping support for JPEG XL contributed to this. Shopify has, in fact, praised JXL</a> months before in the Chromium bugtracker: We are eager for this feature to I2S [intent to ship - annot. lnl]. [...] A few general observations we have found through our implementation (again from a commerce focus): Encoding jxl, when bucketed by megapixal size of images, is significantly faster to encode compared to AVIF.</li> Commerce is very colour sensitive and we have found jxl produces much higher fidelity and colour accurate images.</li> Quality/bytewise: jxl produces higher quality images when normalizing for target filesizes and produces smaller files when normalizing for experience quality.</li> </ul> </blockquote> And I do wish all the best to Servo and Ladybird. But this is just the engines. Engineers keep building all these open browser engines. And what for? Oh, right, for all the closed projects to work in them. In its early days, the web was markup. The browser was to meant to display text with some basic formatting and hyperlinks. At some point in the later evolution, JavaScript was created, allowing websites to dynamically change their content on the device. What happened in the meantime? A mess. Websites got replaced with web apps. We call news sites "sites" out of habit, but when we open them, they don't just display a page with an article. We get greeted with banners asking to consent to ad profiling. The browser is fetching 9 MBs of unreadable, pre-processed JavaScript for an app (that's with uBlock Origin on, without the blocked 13 script requests). I see a view inside the app, that happens to be showing an article (together with an autoplaying video, and trying to display ads). All this code with functions rendering a new article is ready, if I want to read another article, so it only loads data instead of a page. Except the whole page rendered would be less data, really. (Yes, this is a real, major news publisher.) Web apps became just apps. Web is the most obvious target for most new apps, with the popularity of web technologies. Uncomparable to any native platforms. Web app technologies became incoherent, prioritizing developer experience over user, and not making the former great either. Web browsers introduced cascade stylesheets a lot of time ago, to allow separating the styling from the content and stop repeating it all the time. Moders developers went back, using the class field to define styles for each item separately again. I'm not kidding. The CSS1 specification from 2008</a>: While the paragraph is green. </code></pre> a 'STYLE' attribute on an element inside 'BODY' [...] mixes style with content and loses the corresponding advantages of traditional style sheets. </blockquote> To increase the granularity of control over elements, a new attribute has been added to HTML: 'CLASS'. All elements inside the 'BODY' element can be classed, and the class can be addressed in the style sheet [...]. One can address all elements of the same class [...] in the selector: .pastoral { color: green } /* all elements with CLASS pastoral */ </code></pre> </blockquote> A lot of modern web now works on styles with content again, where the styles are contained in the "class" attribute. Yes, I am subposting Tailwind CSS</a> right now. This is real HTML on a real website (added whitespace for convenience): <blockquote class=" typography__blockquote mt-6 font-serif font-bold text-[1.8125rem] leading-[2.75rem] text-gray-900 before:inline-block before:mr-3 before:h-[0.8125rem] before:w-24 before:bg-red-700 dark:text-gray-50 dark:before:bg-red-400 print:dark:text-black before:print:dark:bg-black "> </code></pre> Q: "how long before someone invents the css of tailwind where you can put all the classes in a separate file next to element selectors? would make it way easier to have consistent use of classes across a document without repeating yourself all the time /s" A: This has already happened!</a> A monster straight up from Tailwind's documentation: @tailwind base; @tailwind components; @tailwind utilities; @layer components { .btn-primary { @apply py-2 px-4 bg-blue-500 text-white font-semibold rounded-lg shadow-md hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-400 focus:ring-opacity-75; } } </code></pre> Native apps are like the web apps. Modern applications - no matter what platform you are running them on - shape their behavior strictly following the possibilities on the web. Any new voice or video chat is WebRTC, any instant 2-way communication with a server is WebSockets, any server requests are HTTP requests, any server response with data is JSON. Web apps are the "native" apps. 300 MB binaries, containing a full browser implementation with little change to supported Web APIs, even though most are not getting used by the app, are shipped together with web apps that have bindings to smaller pieces of native code, to be run locally, instead of actual platform native apps. Nobody actually knows what's needed for screen share to work on Wayland. Apps don't even try to fight for users by improving a horrible user experience like this. I think what's most important about this evolution is that, instead of apps, everything becomes a service. The category that saw the highest increase in switching to web apps was communication - this always was a service by its nature, but we've also seen a switch away from vendor-independent, standardized protocols like IMAP and SMTP, into proprietary webmails, provided by vendors as part of the service. But even things that could perfectly be a normal app, become web apps. Document editors are a good example. Microsoft Word has long been a native application - you could just open it on your Windows machine and operate on doc files. They've been earning on the sales of Microsoft Office - software for you to run on your machine. What were the issues? The format got reverse engineered, first by Apple, as Office for Mac started being incompatible with documents produced on the Windows equivalent, to create compatible apps. Oh no, not a competitor in my network effect! Also piracy. Oh, and you have to innovate in some ways, so new versions get bought. Yeah, can't keep up like that, can we? Office 365 is great! Just not for you. It's a monthly or yearly rent, paid upfront! A document editor very often is a tool to perform work, that is, it's a necessity for you to earn money, so you can pay rent and live. How far can the prices go? Well... how much of your salary do you spend on rent? The web keeps evolving. What's in the queue? Web apps going "lower level", using WebAssembly, WebGPU, WebHID, and zero WebHTML. The vision</a> comes from Hixie, the tech lead of Flutter, formerly - specification editor in WHATWG. All this vision has to do with the web as it was invented, is that it runs on web browsers. In pretty much any other ways, it's not much different than any native app. In fact, you literally can run the same Flutter apps using GLFW or Skia. The consequences of the first browser war are still haunting us all. You are still vulnerable to the WebP exploits, by the way lnl — Mon, 18 Sep 2023 07:15:00 +0200 I've been writing a different blog post recently. I wanted to talk a bit about a project I'm making. I started it to make my work as a package maintainer easier, and so, I wrote a bit about why I think this matters. Dynamic linking. If you install Chromium, Firefox, and ffmpeg on a typical Linux distribution, all of them will use the same, shared libwebp to show a webp picture. You only need one libwebp on your machine. And the list goes on! A build provided by Electron weighs 251.7 MB. The same version in Alpine Linux repositories is just 173.3 MB. (32.32 MB is saved by making support for more languages optional. Still >50 MB less). We don't have to copy nightmares in distributions. </blockquote> Yes, I really mentioned libwebp specifically here. I opened the lists of dependencies, and thought this one is gonna be a nice, simple example that is actually true for all packages. Just before. For once, I hate being right. If it can display an image, it can execute code</h2> A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.6.9, macOS Big Sur 11.7.10, macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, iOS 15.7.9 and iPadOS 15.7.9. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. </blockquote> — CVE-2023-41064 on NVD</a>, 2023-09-07 Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) </blockquote> — CVE-2023-4863 on NVD</a>, 2023-09-12T14:24:59.275Z Google is aware that an exploit for CVE-2023-4863 exists in the wild. </blockquote> — Chrome release notes</a>, 2023-09-12T20:33:48.361Z Security Vulnerability fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2. CVE-2023-4863: Heap buffer overflow in libwebp Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild. </blockquote> — Mozilla Foundation Security Advisory 2023-40</a>, 2023-09-12 Acrobat Reader versions 23.003.20284 (and earlier), 20.005.30516 (and earlier) and 20.005.30514 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. </blockquote> — CVE-2023-26369 on NVD</a> Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader. </blockquote> — Adobe security bulletin APSB23-34</a> God's enterprisiest software got pretty loud fixes. Good. But the vuln is almost everywhere.</h3> Do you use any Electron-based apps? Are they built by your software distribution? If not... do you think they even know what's happening? Electron got a release for the current version</a> a few hours later - on 2023-09-12T19:23:24Z (Chrome CVE got published on 2023-09-12T14:24:59.275Z). But you'd need to read Chrome release notes to know this. The Electron changelog entry was: Other Changes: Updated Chromium to 116.0.5845.188. #39828</a> </blockquote> Yes. Really. No other announcements either. The vulnerability is only mentioned in release notes for older major (but still supported) versions, where the fix got backported. If you have an Electron app, fixed version cheat sheet: major release</td> fixed version</td> </thead> 26</td> 26.2.1</a> </td> </tr> 25</td> 25.8.1</a> </td> </tr> 24</td> 24.8.3</a> </td> </tr> 23</td> unsupported. upgrade! </td> </tr> 22</td> 22.3.24</a> </td> </tr> </tbody> </table> Signal followed a few more hours later, with their release of Signal Desktop</a> on 2023-09-13T06:04:12Z. If we're at the changelogs, this one was as descriptive as all of their patch notes: Keep tabs on your calls with the new calls tab. Start a new call or return a call that you missed without having to find the corresponding chat. Now you can say hello with your voice without also saying goodbye to the unread marker for messages in that thread.</li> </ul> </blockquote> And that would be the end of developer self-realization in this post. In case of Element Desktop, a tranny that doesn't sleep at night had realized first, and it had submitted a pull request</a> on 2023-09-15T02:17:03Z. That's almost 3 whole days later. This was then released</a> on 2023-09-15T11:23:33Z. (The tranny is the author of this text. Hi, reader! Don't mind me, just reclaiming some slurs</a>.) More friction? Fuck yes. If you use Element Desktop from Flathub, that's even more waiting. Flathub simply downloads tarballs with builds. There is a bot that downloads a webpage and runs a regex over it. It has detected the release and made a PR with the update on 2023-09-15T13:13:36Z. Then, the PR has been merged manually on 2023-09-15T15:10:06Z. That has finally triggered a rebuild (or rather, re-repack). The notice about a security fix has disappeared on the way, and this update on Flathub is not marked with a higher urgency (as is an option on there), but it's there. To be clear, Element had a good response once they finally heard about it. But it still took days in friction between multiple projects having to fix publicly known vulnerabilities. This system of distribution is just broken. Another real chat app has released the security fix on the beta channel, and everyone went on a weekend. The Jira ticket for this states "No testing required", but, oh well. Similar stories with Flutter. In this case, you'd need to know where to find these release notes</a> - they're on a special GitHub Wiki page, separate from the other release notes. (The fixed release is 3.13.4</a>.) Now just wait for all app developers to release it on Google Play... This doesn't have to be broken like this.</h2> Software distributions work. In Alpine Linux, where I'm a contributor, a hotfix got merged</a> into edge on 2023-09-13T17:42:01.841Z, and then backported to earlier versions. That's just what a distribution does. The information flow is free here. In this case, Alpine has followed NixOS</a>. Another time Arch will follow Alpine. But that's ok, we don't like having secrets. The hotfix I mentioned was merged to the libwebp package. It's a shared object getting reused by other packages. Once you run apk upgrade</code>, the old /usr/lib/libwebpdemux.so.2.0.14</code> on your disk gets replaced with a new one. Also, Chromium, Electron, Firefox, Flutter, Thunderbird, all depend on it. You don't have to rebuild or redownload all of them (and the apps they're a part of). Better. As a package maintainer for 2 of these, I didn't even have to know about it. Cool, isn't it? On a sidenote. I've submitted the changes</a> adding an option to unbundle dependencies back to Flutter, back when I made them. We can't do this. Most of these libraries do not provide stable ABI. And Flutter does not guarantee that it plays nicely - sometimes we use private API even though we're not supposed to. If you arbitrarily change the versions of these dependencies, you could get anything from reduced performance to completely broken/crashing binaries. </blockquote> I keep applying that patch in Alpine anyway. Guess what. It works without issues, and we got this patched earlier as a consequence. Trusting clients is probably a security flaw lnl — Fri, 28 Jul 2023 00:00:00 +0000 I looked at a discussion on blink-dev Google Group and saw the message</a>: Perhaps it is a good thing for user choice to have a browser that is fully open to any use and allows anonymous user actions. The result of such open-ness is that an entire series of services that need to trust the client (used in the oauth sense of the word) are not available to web apps. […] I have recently worked on a fork of Chromium that is designed to have this functionality and on Native Wallet apps to get it. The lack of this functionality in Chrome will drive developers away from Chrome and fragment the user experience. We already have the problem of directing users away from Chrome to a secure wallet and being unable to bring the original user session back to Chrome. Of course Google and Apple get to solve this problem with their own wallets, but that will not fly in Europe and now the US DHS is asking for solutions that are more open as well. </blockquote> My understanding of security started an internal screaming. Meet the McDonald's app</h2> Hold on, I'm not at all joking. The McDonald's app developers put a lot of effort into policing the clients allowed to even dream about running the app. The app was checking for: whether you have a directory called TWRP</code> in your internal storage. TWRP is a custom recovery, and by default, stores device backups you generate from recovery in there. You have a device backup? Then no deals for you, nerd.</li> whether you have the com.topjohnwu.magisk</code> app installed. You like modifying your devices, don't you? Pay full price, nerd.</li> whether you have installed the app from com.android.vending</code>, more widely known as Google Play. What, you don't have it? That'll be €14,50, nerd.</li> check your device with RootBeer, a library that tries to check whether you have root access. Not passing? Card or cash, nerd?</li> and finally, using the SafetyNet API (now being rebranded into Play Integrity, specifically the Device Integrity and App Integrity parts, with some minor changes). Not passing? Pay. Nerd.</li> </ul> This is more annoying than any financial app I've had, and I have 5 of them on my phone. mBank.pl uses Play Integrity API, but that's to use contactless payments via BLIK, and the rest of the app works. IKO, the app of PKO BP, seeing that I have root access, disabled logging in with biometry, requiring me to log in with a PIN code. bunq told me that maybe my device should not be rooted. The worst one seems to be Revolut, which blocked my access, clearly stating the reason to be root access. The McDonald's app only displays a generic error message, and an error code that tells you nothing. And what are guarding so much?</h2> What are the Deals inside the app? Currently, I can get a free burger for 650 points, that is, if I spend 65 Euro in McDonald's first. What a deal. But that's not what brings me here. There once was a promotion</a> in collaboration between Coca-Cola and McDonald's, specifically available in Poland. It boiled down to this: Buy 3 bottles of Coca-Cola.</li> Enter 3 codes (from each bottle) into the Coca-Cola app.</li> Enter the code you got from the Coca-Cola app into the McDonald's app.</li> In return, you get a free meal with a Big Mac.</li> </ol> Ignore this unnecessary duplication with copying the code between 2 apps. Actually, ignore the Coca-Cola part as a whole. So, what happens in the McDonald's app? As with many things in that app, this deal was operated by a page opened in a WebView. The config for the country was set to point to the deal's page from the main screen. On the page, there was a pretty simple form: </picture> </figure> Obscurity is not security</h2> From now on, this is basically a post mortem, except it's not McDonald's writing it. The page opened in the WebView was sending the entered code in a request to a McDonald's server. But here's the flaw: the request checking and invalidating the code, was doing just that. It just returned whether the code is valid. The page was requesting a check whether the code was valid, and the client was assigning the coupon to the user. It turns out that the company's servers do not verify this and take the app "for its word", reported android.com.pl</a>. When you say you need to check whether the request is coming from a "trustworthy client", I say trust no client, use a rubber. An untouched device can exploit your service, too</h3> Oh, right, I said earlier about some measures? This whole exploit could (at least at that time) be executed from an unmodified device. Open the app, go to privacy policy (opens in a WebView), find an external link. Be creative. Find a link to Google's privacy policy, and tap their logo to go to Google Search. Find a link to YouTube, and search for a video with a link somewhere else. Whatever gets you to a page that can execute a little bit of JavaScript for you. COLA.offerActivation.send({ loyaltyId: 2424, rewardId: 95275, }) </code></pre> This was the thing. But don't worry. If this is fixed, nothing is lost. You remember the measures I talked about? They indeed check signs that might indicate you're not trustworthy. But really, passing these checks might just mean you know how these checks work. What can and does go wrong? You can just comply with the checks.</h3> TWRP backups? Change the directory name. Magisk Manager app? Change the package name in the settings. Not installed from Google Play? Open terminal and run pm set-installer com.mcdonalds.mobileapp com.android.vending</code>. Or install with pm install -i com.android.vending [file]</code>. Or the same with adb</code>. Root checks? Add McDonald's to Zygisk Denylist. You can just not run the checks.</h3> Oh, that was just the way where we obediently fulfil these checks. But if this runs on your device, you are the one in control of it. You can inject into the process with tools like Zygisk or LSPosed, and remove these checks. I have injected into 2137 processes on my phone today. Nobody controls this. You can just tell the checks what they want to hear.</h3> And the last check. SafetyNet/Play Integrity. Check whether you pass with SPIC</a>. If you don't pass basic SafetyNet, install MagiskHide Props Config</a>, run props</code> in console, change signature to something from the available list. Now, if you don't pass CTS SafetyNet, install Universal SafetyNet Fix</a>. Yes, my phone really just passes SafetyNet and Play Integrity like this (Integrity up to MEETS_DEVICE_INTEGRITY</code>, without MEETS_STRONG_INTEGRITY</code>). No labels (a blank value): The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks). </blockquote> This is a fragment of the Play Integrity documentation</a>. But the problem with checking if the user is a god, is that the user is a god. They can just tell you what you want to hear. (On a side note, if you speak Polish, I recommend reading "Aplikacja mobilna nie wie, czy telefon jest zhackowany" from Informatyk Zakładowy</a>) But typical users will not study your app if it doesn't work</h3> Mass exploitation was, in the end, stopped by ending the deal, because of how out of control it was. So who was stopped? Unaware users. Every time you introduce a stupid check, there is a user with a false positive result. For example, some of the RootBeer checks will trigger</a> on some unmodified Xiaomi, Asus, or Fairphone, or random cheap phones that happened to be in someone's nearest Tesco. The biggest irony is that some of these users will root their phones to bypass these checks instead. If your app starts looking for the MEETS_STRONG_INTEGRITY</code> label from Play Integrity, even more users will be affected like this. Literally look at the Google Play reviews of the McDonald's app. This app has a 2,8/5 rating and you have to keep scrolling them to find positive ones, from the very few users who managed to get the app running. </li> Users with root access to their own phones. First of all, why? What's bad about having administrator access to your own phone? Second, this is ineffective if they know how to workaround. They can inject into your process and tell you it's a good phone ma'am. </li> Huawei users. Or Amazon Fire users. Or any Android device made for China market users. Or users of a mobile Linux distribution, trying to run an app over Waydroid. Their devices by default do not have Google Play Services that can be tricked like this, and will require more work than I described to pass these checks. </li> </ul> But will it at least stop fraud?</h3> Hell no. </picture> </figure> Android is not free, let's get to work about it lnl — Sat, 08 Jul 2023 00:00:00 +0000 In the standards field, Embrace, Extend, and Extinguish</a> is a strategy for gaining users of an open standard, and breaking it to lock them in. This does not exactly match Android, as it is a software project, rather than a standard. But it resonates with its story of making the open source effectively unusable without proprietary extensions. Warning: if I wasn't enough of a techie to do some action, this would be a lot of doomerism. Thank fuck I'm autistic and this is my special interest? </div> </div> I've been an Android user for, I think over 10 years by now. Well, still am, out of necessity. But I'm fed up with it as a user. I feel like instead of empowerment, I have to fight with this device on every step to keep some control over my own device, and to not send more of my data to corporations. Google hardly even bothers to keep the Android Open Source Project documentation separate from one for their proprietary Google Play Services. Does any of your mobile apps send you push notifications? You can be almost certain they go through Google servers. More namely, Firebase Cloud Messaging</a>. Google has made it easy to just add FCM libraries to your Android app, and made it hard to not use FCM. Android 6 introduced Doze mode</a>: "If a user leaves a device unplugged and stationary for a period of time, with the screen off, the device enters Doze mode. In Doze mode, the system attempts to conserve battery by restricting apps' access to network and CPU-intensive services. It also prevents apps from accessing the network and defers their jobs, syncs, and standard alarms." As you might guess, this breaks background processes listening for notifications. Solutions? "If possible, use Firebase Cloud Messaging (FCM) for downstream messaging."</a> </li> Android 8 introduced background execution limits</a>. "Apps that are running in the background now have limits on how freely they can access background services." Solutions? "Use FCM to selectively wake your application up when network events occur, rather than polling in the background."</a> </li> Android 12? "Apps that target Android 12 or higher can't start foreground services while running in the background, except for a few special cases."</a> And yes, the point is that you use WorkManager</code></a>. But you probably get the drill by now. "Your app receives a high priority message using Firebase Cloud Messaging."</a> </li> OEMs who heavily modify Android they ship are notorious for making it worse</a>, by creating issues specific to their devices. "They kill background processes and render alarm clocks and other apps which rely on background processing useless." </li> </ul> Do any of your apps use location? There are system APIs for this! Oh, wait, what's this? "Note: The Google Location Services APIs, part of Google Play services, is the preferred way to access location services for apps. […] Clients of the traditional Android location APIs are encouraged to switch to the Google Location Services APIs wherever possible."</a> Anything scanning QR codes? Remember the old days of ZXing? Not anymore</a>. And of course with incentives: "The Google code scanner API provides a complete solution for scanning codes without requiring your app to request camera permission"</a>. You don't have it? I hope you enjoy typing your password and SMS codes, because you're not logging in with the DigiD app. And now, I couldn't just leave out SafetyNet, and its new replacement, Play Integrity API here. What do these do? I think the most important check: "tells you whether your app is running on a genuine Android device powered by Google Play services"</a>. What does "genuine Android device" even mean? I guess not that much control of your device, because you get an accordingly lower device integrity label of MEETS_BASIC_INTEGRITY</code> if your device "may have an unlocked bootloader"</a>. Is there really no hope in Android world?</h3> microG Project is trying to reimplement these proprietary APIs. There are 2 problems with that: Google keeps making new ones, requiring more work to reimplement them. We're talking about complicated stuff like ML models or speech synthesis.</li> Google makes all the engineering choices that suit them. To work, microG has to make requests the same way as the Google Play services. microG allows you to e.g. get push notifications without using Google's proprietary code on your device. But this is still the same, fundamentally flawed way, where Google servers are in the middle. Good riddance, but not quite enough.</li> </ol> I've previously had some faith that Huawei shipping Android phones without the proprietary Google parts is gonna change something. Because, e.g. if you have to scan a QR code on both Google and Huawei, you could just use ZXing, which does not depend on either's environment, right? In reality, of course, developers really just do depend on both, write handling dependent on whether it's Google or Huawei, and ship it like that to the app stores. The whole difference is that instead of a Google ML Kit</a> there is a Huawei ML Kit</a>, and so on. So, yeah. Hope, left me.</a>

lnl's weblog

Time to break some habits

"War on WPE", or the single-member community of Automattic CEOs

Hatch, change, rewind. 5 years as myself

Building Chromium at a distro? Here's your copium

2024 February 15, raid notice

New government, new TVP. News from the same reality?

More web, less web apps! Some thoughts on the web.

You are still vulnerable to the WebP exploits, by the way

Trusting clients is probably a security flaw

Meet the McDonald's app</h2> Hold on, I'm not at all joking. The McDonald's app developers put a lot of effort into policing the clients allowed to even dream about running the app. The app was checking for:</p>

And what are guarding so much?</h2> What are the Deals</em> inside the app? Currently, I can get a free burger for 650 points, that is, if I spend 65 Euro in McDonald's first. What a deal. But that's not what brings me here.</p>

But will it at least stop fraud?</h3> Hell no.</p> </picture> </figure>

Android is not free, let's get to work about it

But will it at least stop fraud?</h3>
Hell no.</p>
</picture> </figure>