Friday, January 11, 2013

[Gd] Fridaygram: renewable energy, grabbing an asteroid, driverless car

Google Developers Blog: Fridaygram: renewable energy, grabbing an asteroid, driverless car

By Scott Knaster, Google Developers Blog Editor

Running Google takes power, so we’ve long been interested in efficient and responsible power creation. This goes not just for energy we use, but also energy used by others. By investing in renewable energy, we hope to have positive effects on the environment as well as help further good business opportunities. This week we announced our investment in the Spinning Spur Wind Farm, a Texas wind farm. We’ve now invested in 11 renewable energy projects – and because we all like pictures and numbers, here are some statistics:


Meanwhile, in space, NASA and the Keck Institute for Space Studies have proposed robotically capturing a small near-earth asteroid and bringing it to a lunar orbit by 2025. This relocated rock would give astronauts a chance to perform all sorts of tasks, including landings and scientific experiments, all without leaving the relatively close location of the moon’s orbit (read the full proposal here). The captive asteroid wouldn’t be much of a tourist destination, but could greatly advance space travel and science research.

Finally, when you have a few spare minutes this weekend, take a look at this video that shows what might happen as the world gets used to self-driving cars.

Happy 2013!


Each week on Fridaygram, we take time out from developer topics to present cool things from Google and elsewhere that you might have missed during the week. See, we like to have fun too.
URL: http://googledevelopers.blogspot.com/2013/01/fridaygram-renewable-energy-grabbing.html

[Gd] Beta Channel Update for Chrome OS

Chrome Releases: Beta Channel Update for Chrome OS


The Beta channel has been updated to 23.0.1271.111 (Platform version: 2913.331.0) for new Samsung Chromebook, Samsung Series 5 550, Samsung Series 5, Acer C7 and Acer AC700 and Samsung Series 3 Chromebox. 

Some highlights of these changes are: 
  • New firmware version for Acer C7
  • New Flash version 11.5.31.5 for x86 
  • New Flash version 11.5.31.30 for arm
  • Stability fixes
If you find new issues, please let us know by visiting our help site or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 horizontal bars in the upper right corner of the browser).

Josafat Garcia
Google Chrome
URL: http://googlechromereleases.blogspot.com/2013/01/beta-channel-update-for-chrome-os.html

Thursday, January 10, 2013

[Gd] Dev Channel Update

Chrome Releases: Dev Channel Update

The Dev channel has been updated to 25.0.1364.29 for Windows, Mac, Linux, and Chrome Frame. This update contains additional stability fixes. A full list of changes in this build is available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Jason Kersey
Google Chrome
URL: http://googlechromereleases.blogspot.com/2013/01/dev-channel-update_10.html

[Gd] Beta Channel Arrives for Android Phones and Tablets

Chromium Blog: Beta Channel Arrives for Android Phones and Tablets

Starting today, you can install Chrome Beta channel for phones and tablets on Android 4.0+ from Google Play. This release includes some of the biggest developer updates to Chrome for Android since its launch last year, bringing many features available on other Chrome versions to Android as well:
  • With prefixed support for CSS Filters you can apply visual effects like grayscale, blur, and contrast adjustment to the mobile web. Try this demo on Chrome for Android to see filters in action.
  • The new Flexible Box Layout Module simplifies the styling of complex layouts.
  • The dynamic viewport units vw, vh, and vmin can now be used for responsive design.
  • The <track> element for video provides a simple, standardized way to add subtitles, captions, screen reader descriptions, and chapters. Note that it doesn’t work for fullscreen video on Chrome for Android yet.
  • The CSS calc() function can be used anywhere a length is required by a CSS property. It allows mathematical expressions with addition (‘+’), subtraction (‘-’), multiplication (‘*’), and division (‘/’) to be used as component values.
  • The @sandbox and @srcdoc attributes of the <iframe> element give you more control over inline frames.
  • Unprefixed IndexedDB gives you access to fast, structured client-side storage.
  • Our technique to make desktop web pages more readable on mobile screens (now called Text Autosizing) has been improved and is more consistent with other browsers.
  • V8 has been updated to 3.15 bringing a big speed boost; performance on the Octane benchmark improved on average by 25-30%.
Lastly, the new beta comes with an updated stack of Developer Tools. Expect big improvements in measuring your mobile performance with the Timeline's frames mode and easily navigate and edit your active scripts in the revised Sources panel.

You can report any issues you find within the app or at mcrbug.com/new. We’ll be pushing periodic updates so you can test out our latest work as soon as it’s ready. Even better, you can install the Beta alongside your current version of Chrome for Android.

Posted by Peter Beverloo, Software Engineer and Mobile Web Maestro
URL: http://blog.chromium.org/2013/01/beta-channel-arrives-for-android-phones.html

[Gd] Chrome for Android Beta Channel

Chrome Releases: Chrome for Android Beta Channel

The Chrome Team is excited to announce our first Beta channel release of Chrome for Android, based on Chrome 25. You can download version 25.0.1364.8 from Google Play (note, please use the direct link, you will not find it via the search function in Google Play). Similar to our other platforms, Chrome Beta for Android offers a preview of new features and enhancements currently in development. You can install both Chrome and Chrome Beta side by side on the same device.

Chrome 25 on Android brings a slew of updates and improvements over our current Chrome 18 based stable channel, including better HTML5 support and JavaScript performance. That said, non-Stable channel releases can sometimes be bumpy, and our new Beta release is no exception. The following are some of the larger known issues in today’s release:

  • Performance is sluggish, noticeably on Galaxy Nexus and Nexus S
  • Frequent freeze on devices with specific versions of Qualcomm GPU driver
  • Text autosizing may break formatting on some sites
  • 164632 - Editing bookmark feature is broken
  • 165244 - Text position handler jumps or disappears when moving
  • 163439 - Clicking on links in yahoo.com not navigating on Nexus 7
  • 166233 - Unable to submit comments on Facebook posts in desktop version of Facebook
  • 165244 - Text handler jumps or disappears when moving
  • 167351 - Youtube video controls are lost after returning from fullscreen video mode
  • 162486 - iframe scrolling broken

Much like other Chrome channels, we’ll be pushing regular updates, and we recommend you check the “Auto-update apps” checkbox in Google Play Store settings on your device to get the latest updates right away. If you find a new issue, please let us know by filing a bug. More information on Chrome for Android is available on the Chrome site.

Jason Kersey
Google Chrome
URL: http://googlechromereleases.blogspot.com/2013/01/chrome-for-android-beta-channel.html

[Gd] Stable Channel Update

Chrome Releases: Stable Channel Update

The Chrome team is excited to announce the promotion of Chrome 24 to the stable channel. Chrome 24.0.1312.52 has been updated for Windows, Mac, Linux, and Chrome Frame.

This is the first Stable release with support for MathML, thanks to WebKit volunteer Dave Barton. This release also contains an update to Flash (11.5.31.137) as well as improvements in speed and stability. You can find out more about Chrome 24 on the Official Chrome Blog and the Official Chromium Blog.

Security fixes and rewards:

Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

  • [$1000] [162494] High CVE-2012-5145: Use-after-free in SVG layout. Credit to Atte Kettunen of OUSPG.
  • [$4000] [165622] High CVE-2012-5146: Same origin policy bypass with malformed URL. Credit to Erling A Ellingsen and Subodh Iyengar, both of Facebook.
  • [$1000] [165864] High CVE-2012-5147: Use-after-free in DOM handling. Credit to José A. Vázquez.
  • [167122] Medium CVE-2012-5148: Missing filename sanitization in hyphenation support. Credit to Google Chrome Security Team (Justin Schuh).
  • [166795] High CVE-2012-5149: Integer overflow in audio IPC handling. Credit to Google Chrome Security Team (Chris Evans).
  • [165601] High CVE-2012-5150: Use-after-free when seeking video. Credit to Google Chrome Security Team (Inferno).
  • [165538] High CVE-2012-5151: Integer overflow in PDF JavaScript. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [165430] Medium CVE-2012-5152: Out-of-bounds read when seeking video. Credit to Google Chrome Security Team (Inferno).
  • [164565] High CVE-2012-5153: Out-of-bounds stack access in v8. Credit to Andreas Rossberg of the Chromium development community.
  • [Windows only] [164490] Low CVE-2012-5154: Integer overflow in shared memory allocation. Credit to Google Chrome Security Team (Chris Evans).
  • [Mac only] [163208] Medium CVE-2012-5155: Missing Mac sandbox for worker processes. Credit to Google Chrome Security Team (Julien Tinnes).
  • [162778] High CVE-2012-5156: Use-after-free in PDF fields. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [162776] [162156] Medium CVE-2012-5157: Out-of-bounds reads in PDF image handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [162153] High CVE-2013-0828: Bad cast in PDF root handling. Credit to Mateusz Jurczyk, with contribution from Gynvael Coldwind, both of Google Security Team.
  • [162114] High CVE-2013-0829: Corruption of database metadata leading to incorrect file access. Credit to Google Chrome Security Team (Jüri Aedla).
  • [Windows only] [162066] Low CVE-2013-0830: Missing NUL termination in IPC. Credit to Google Chrome Security Team (Justin Schuh).
  • [161836] Low CVE-2013-0831: Possible path traversal from extension process. Credit to Google Chrome Security Team (Tom Sepez).
  • [160380] Medium CVE-2013-0832: Use-after-free with printing. Credit to Google Chrome Security Team (Cris Neckar).
  • [154485] Medium CVE-2013-0833: Out-of-bounds read with printing. Credit to Google Chrome Security Team (Cris Neckar).
  • [154283] Medium CVE-2013-0834: Out-of-bounds read with glyph handling. Credit to Google Chrome Security Team (Cris Neckar).
  • [152921] Low CVE-2013-0835: Browser crash with geolocation. Credit to Arthur Gerkis.
  • [150545] High CVE-2013-0836: Crash in v8 garbage collection. Credit to Google Chrome Security Team (Cris Neckar).
  • [145363] Medium CVE-2013-0837: Crash in extension tab handling. Credit to Tom Nielsen.
  • [Linux only] [143859] Low CVE-2013-0838: Tighten permissions on shared memory segments. Credit to Google Chrome Security Team (Chris Palmer).

Many of the above bugs were detected using AddressSanitizer.

The security issues in V8 have been fixed in v8-3.14.5.3.

We’d also like to thank Atte Kettunen and Sławomir Błażek for working with us during the development cycle and preventing security regressions from ever reaching the stable channel. Rewards were issued.

Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Dharani Govindan
Google Chrome
URL: http://googlechromereleases.blogspot.com/2013/01/stable-channel-update.html

[Gd] Dev Channel Update for Chrome OS

Chrome Releases: Dev Channel Update for Chrome OS

The Dev channel has been updated to 25.1364.26 (Platform version: 3428.49.0) for all Chrome OS devices. This build contains a number of stability fixes and feature enhancements.

Some highlights of these changes are:

  • Fixes to several recent bugs in Google Docs
  • Audio is now working for spoken feedback
  • Several fixes related to multi-monitor extended desktop display (163812, 35796)
  • Fix to some pages' scrolling jumping to the top of the page (166943)
  • Several crash fixes

Known Issues:

  • In some situations, Chrome Sync may not sync any data. Workaround: Restart system and perform sync again. (167090)
  • The login screen when resuming from a locked state may be off-center. (167215)

If you find new issues, please let us know by visiting our help site or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 horizontal bars in the upper right corner of the browser).

Danielle Drew
Google Chrome
URL: http://googlechromereleases.blogspot.com/2013/01/dev-channel-update-for-chrome-os.html

[Gd] Beta Channel Update

Chrome Releases: Beta Channel Update

The Beta channel has been updated to 24.0.1312.52 for Windows, Mac, Linux, and Chrome Frame. This build contains security fixes and an update to Flash. Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Dharani Govindan
Google Chrome
URL: http://googlechromereleases.blogspot.com/2013/01/beta-channel-update_8.html

[Gd] Verifying Back-End Calls from Android Apps

Android Developers Blog: Verifying Back-End Calls from Android Apps

Posted by Tim Bray






Most Android apps have some sort of server-side back end, to persist and share data. Even the most basic game needs to remember its players’ high scores. When you’re building your back end, one problem you have to solve is how the back-end code knows what app it’s talking to and who the person using it is.



You probably have HTTP endpoints for communicating with your client apps, but how can the server-side code be sure who’s sending messages to it? After all, anyone can send HTTP POST requests from anywhere; could they impersonate your users if they could guess their identities?



It’s really user-unfriendly to ask people to type in usernames and passwords on mobile devices. In particular, if someone has installed your app and given it permission to use the Internet and know your identity, they shouldn’t be pestered any more.



It turns out that Google Play services, now available on every compatible device running Android release 2.2 or higher, offers a good solution to this problem, based on the use of Google Accounts.



Summary



Doing this is a multi-step process, which I’ll outline in full, but here’s the short version: You use the GoogleAuthUtil class, available through Google Play services, to retrieve a string called an “ID Token”. You send the token to your back end and your back end can use it to quickly and cheaply verify which app sent it and who was using the app.






This capability is built into Google facilities such as App Engine’s new Cloud Endpoints feature, which bakes app/back-end identity into a simple programming model.



Now let’s get to the details.

App Registration



You’re going to have to use the Google API Console quite a bit in this process. You’ll need to make a new project for this purpose; while you can give it a nice human-readable name and graphical branding, it turns out that those resources aren’t used in this particular scenario.



You can also authorize this project to access a large number of different Google APIs; but once again, you don’t need to in this scenario.



You should give serious thought to the people you authorize as members of the project, since these are important administrative roles.



Make Client IDs



You’ll need to make two different OAuth 2.0 “Client IDs” for your project. The first one is a “Client ID for Web applications”. Once again, you can ignore all the labeling and branding stuff; you’ll just need the Client-ID string, which will look something like 9414861317621.apps.googleusercontent.com.



Now you’ll need to make another Client ID for your Android app. To do this, you’ll need to provide two pieces of information: your app’s package name and cert signature. The package name is just the Java-style reverse-DNS, as given in the top-level “package” attribute in your AndroidManifest.xml, for example com.example.identity.



To get your app’s cert signature, use the following shell command:



$ keytool -exportcert -alias <your-key-name> -keystore <your-key-store-file> -v -list


Copy the octets labeled “SHA1”, paste them into the Developer Console field, and create your app’s Client ID. Once again, all you’ll really need from the readout is the Client-ID string.



In Your Android App



You’ll need to call the Google Play services GoogleAuthUtil class to get an ID token; the procedure is as described in Obtaining an Access Token. There’s one extra bit of magic: the value of the scope argument to the getToken(email, scope) method. It has to be the string audience:server:client_id:X, where X is the Client ID for the Web app, as described above. If our Client ID were the example value given above, the value of the scope argument would be audience:server:client_id:9414861317621.apps.googleusercontent.com.



Magic Happens



Normally, when you ask for an OAuth token, the person using the device sees a challenge, asking them if it’s OK to use their identity to get at some resource or other. But in this case, the system looks at the server-side Client ID in your scope argument, notices that it’s in the same project as your Android app, and gives you the token without pestering the user; they’ve already agreed to a relationship with you, the developer who controls that project.



Send the Token



When you’re ready to start talking to your server back end, you need to send the token string to it. The best way to do this is in the body of a POST message; you could put it in a URL parameter, but URLs are often logged. You absolutely must use an HTTPS connection, to keep any men-in-the-middle from peeking at your token.



There’s no particular reason for extra round-trips; if you’re sending a game high score to your back end, just stick the ID Token string in as an extra argument.



Use the Token



When your server receives the token from your Android app, it’s really important that you verify it. This requires two steps:




  1. Verify that it’s really signed by Google.

  2. Verify that it’s really meant for you.



Verify Signature



It turns out that the ID Token is signed using a Google public/private key pair, and Google publishes the public keys (which we change regularly) at www.googleapis.com/oauth2/v1/certs; go ahead and have a look.



You have to verify that the ID Token, which is actually a JSON Web Token, was signed with one of those certs. Fortunately, there are decent libraries around to do this; in this post, I’ll give pointers for Java, Ruby, and PHP.



The libraries can cache the Google certs and only refresh them when required, so the verification is (almost always) a fast static call.



Verify Token Fields



It turns out that the ID Token has a JSON payload, and most libraries that validate the signatures also give it to you as a hash or dictionary or whatever. Thus, you can retrieve named fields, such as aud and cid and email.



First, you have to look at the field named aud and verify that it’s identical to your Client ID, the string you included in the Android app’s scope argument. Seriously, do not omit this step; if you don't verify the ID Token, then any other developer can spoof requests to your service.



Optionally, you can look at the field named cid and verify that it is identical to the Client ID of your Android app. By the way, you can have multiple different Android client apps, each with its own Client ID, in that top-level project.



Let’s assume you’ve done all three of these things. Then, you know that:




  1. The token was issued by Google.

  2. The token was sent to a device that was being operated by the person identified in the payload's email field.



You also have high confidence that:




  1. The token was obtained by the Android app identified by the Client ID in the payload’s cid field.



The Client ID only has “high confidence” because non-compatible or rooted Android devices may be able to tamper with that information. But they won't be able to fake the Google signature or the authentication of the device user to Google.
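The two verification steps above, written out by hand as an added example (not code from the original post or from any Google library): it checks an RS256 signature against a key set, then the aud and cid fields, plus the standard JWT exp claim. The locally generated key pair, the key id demo-kid, the Android Client ID, the e-mail address and the fixed clock value are constructed stand-ins so the example runs offline.

```ruby
require 'openssl'
require 'json'
require 'base64'

# JWT segments are base64url with the padding stripped; restore it to decode.
def b64url_decode(seg)
  Base64.urlsafe_decode64(seg + '=' * ((4 - seg.length % 4) % 4))
end

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes).delete('=')
end

# Returns [payload, nil] when every check passes, otherwise [nil, problem].
# certs maps a key id (kid) to an RSA public key; here it stands in for the
# key set Google publishes.
def check_id_token(token, certs, audience:, client_ids:, now: Time.now.to_i)
  parts = token.to_s.split('.', -1)
  return [nil, 'Malformed token'] unless parts.length == 3
  head_b64, body_b64, sig_b64 = parts
  begin
    header = JSON.parse(b64url_decode(head_b64))
    payload = JSON.parse(b64url_decode(body_b64))
    signature = b64url_decode(sig_b64)
  rescue ArgumentError, JSON::ParserError
    return [nil, 'Malformed token']
  end
  return [nil, 'Malformed token'] unless header.is_a?(Hash) && payload.is_a?(Hash)

  # Step 1: signed by the issuer. The algorithm is pinned by the server; the
  # token's own header never gets to pick "none" or a different scheme.
  return [nil, 'Unsupported algorithm'] unless header['alg'] == 'RS256'
  key = certs[header['kid']]
  return [nil, 'Unknown signing key'] if key.nil?
  begin
    ok = key.verify(OpenSSL::Digest.new('SHA256'), signature, "#{head_b64}.#{body_b64}")
  rescue OpenSSL::PKey::PKeyError
    ok = false
  end
  return [nil, 'Bad signature'] unless ok

  # Step 2: meant for us. exp is the standard JWT expiry claim (an addition
  # here); aud and cid are the fields the post describes.
  exp = payload['exp']
  return [nil, 'Token expired'] unless exp.is_a?(Integer) && exp > now
  return [nil, 'Audience mismatch'] unless payload['aud'] == audience
  return [nil, 'Client ID mismatch'] unless client_ids.include?(payload['cid'])
  [payload, nil]
end

# Helper for the demo only: mint a token the way an issuer would.
def mint_token(key, kid, claims, alg: 'RS256')
  head = b64url_encode(JSON.generate({ 'alg' => alg, 'kid' => kid }))
  body = b64url_encode(JSON.generate(claims))
  sig = alg == 'none' ? '' : key.sign(OpenSSL::Digest.new('SHA256'), "#{head}.#{body}")
  "#{head}.#{body}.#{b64url_encode(sig)}"
end

# Constructed sample values (only WEB_CLIENT_ID is the post's example string).
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
CERTS = { 'demo-kid' => SIGNING_KEY.public_key }.freeze
WEB_CLIENT_ID = '9414861317621.apps.googleusercontent.com'
ANDROID_CLIENT_ID = 'android-demo.apps.googleusercontent.com'
NOW = 1_357_800_000
CLAIMS = { 'aud' => WEB_CLIENT_ID, 'cid' => ANDROID_CLIENT_ID,
           'email' => 'player@example.com', 'exp' => NOW + 3600 }.freeze

if __FILE__ == $PROGRAM_NAME
  opts = { audience: WEB_CLIENT_ID, client_ids: [ANDROID_CLIENT_ID], now: NOW }
  # A correctly signed token issued for a different project's back end.
  other = CLAIMS.merge('aud' => 'other-project.apps.googleusercontent.com')
  { 'valid' => CLAIMS, 'other project' => other }.each do |label, claims|
    token = mint_token(SIGNING_KEY, 'demo-kid', claims)
    payload, problem = check_id_token(token, CERTS, **opts)
    puts "#{label}: #{payload ? payload['email'] : problem}"
  end
end
```

The second case is the one the aud check exists for: the signature is genuine, but the token was issued for someone else's service.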



What’s Next?



That’s up to you. You know which person and app you’re talking to; it’s up to you what to do with that information.



Code Fragments



Here’s a Java class that implements an ID-Token checker using the Google Java libraries:



import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;

public class Checker {

    private static final String DEFAULT_PROBLEM = "Verification failed. (Time-out?)";

    private final List<String> mClientIDs;   // Android Client IDs you accept (cid)
    private final String mAudience;          // your Web-application Client ID (aud)
    private final GoogleIdTokenVerifier mVerifier;
    private final JsonFactory mJFactory;
    private String mProblem = DEFAULT_PROBLEM;

    public Checker(String[] clientIDs, String audience) {
        mClientIDs = Arrays.asList(clientIDs);
        mAudience = audience;
        NetHttpTransport transport = new NetHttpTransport();
        mJFactory = new GsonFactory();
        mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
    }

    // Returns the token's payload if it passes every check, otherwise null;
    // call problem() to find out why it was rejected.
    public GoogleIdToken.Payload check(String tokenString) {
        GoogleIdToken.Payload payload = null;
        // Reset so a message from an earlier call is never reported for this one.
        mProblem = DEFAULT_PROBLEM;
        try {
            GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
            // Signature check against Google's published certs.
            if (mVerifier.verify(token)) {
                GoogleIdToken.Payload tempPayload = token.getPayload();
                if (!tempPayload.getAudience().equals(mAudience))
                    mProblem = "Audience mismatch";
                else if (!mClientIDs.contains(tempPayload.getIssuee()))
                    mProblem = "Client ID mismatch";
                else
                    payload = tempPayload;
            }
        } catch (GeneralSecurityException e) {
            mProblem = "Security issue: " + e.getLocalizedMessage();
        } catch (IOException e) {
            mProblem = "Network problem: " + e.getLocalizedMessage();
        }
        return payload;
    }

    public String problem() {
        return mProblem;
    }
}


If you wanted to do this in Ruby, you’d want to install the google-id-token Ruby gem, and do something like this:



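require 'google-id-token'

# token is the ID Token string received from the app; required_audience is
# your Web-application Client ID and required_client_id your Android Client ID.
validator = GoogleIDToken::Validator.new
jwt = validator.check(token, required_audience, required_client_id)
if jwt
  email = jwt['email']
else
  # report stands for whatever error logging your back end uses
  report "Cannot validate: #{validator.problem}"
end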


For PHP programmers, check out the Google APIs Client Library for PHP, in particular the function verifyIdToken in apiOAuth2.php.


URL: http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html

Tuesday, January 8, 2013

[Gd] Dev Channel Update

Chrome Releases: Dev Channel Update

The Dev channel has been updated to 25.0.1364.26 for Windows, Mac, Linux, and Chrome Frame. This update contains additional stability fixes. A full list of changes in this build is available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Jason Kersey
Google Chrome
URL: http://googlechromereleases.blogspot.com/2013/01/dev-channel-update.html

[Gd] OpenSocial Foundation Events for Q1 2013

OpenSocial API Blog: OpenSocial Foundation Events for Q1 2013

Happy New Year everyone! We hope 2013 will be as promising and rewarding a year as it's shaping up to be for OpenSocial. We are excited to announce that we will be a part of several events this quarter...

IBM Connect

Once again there will be lots of OpenSocial going on at IBM Connect, taking place in Orlando from January 27th thru the 31st. In the exhibits area stop by the IBM Signature Solutions Area to see how OpenSocial is being leveraged to extend the reach and integration of Social Capabilities to third-party applications. You'll learn more about how OpenSocial and other standards are driving innovation for integration across business applications.

There also are a number of OpenSocial related sessions, namely...
  • INV211 : The New Social Business Paradigm with OpenSocial
  • AD103 : Social Standards Across IBM Connections, IBM Notes, IBM iNotes and IBM Domino
  • AD206 : IBM Lotus Domino XPages: Embrace, Extend, Integrate
  • AD212 : Whats New in IBM Lotus Notes Widgets and LiveText: Linking Your Data to the World!
  • ID101 : What's New in IBM iNotes 9.0 Social Edition
  • BP209 : In The Land of Social Apps, the API is King
  • JMP102 : Extending Your App Arsenal With OpenSocial

ApacheCon NA

We will also be a part of ApacheCon North America 2013, taking place in Portland, OR from February 24th thru the 28th. The official conference, trainings, and expo of The Apache Software Foundation (ASF), ApacheCon draws Open Source users, developers, gurus, students, novices, community managers, and enthusiasts to address today’s issues, opportunities, and solutions focusing on the ASF’s nearly 150 projects and initiatives. With both Shindig and Rave as official Apache projects, we will bring the OpenSocial message through two sessions...

CeBIT 2013 - Hannover, Germany

We will also be at CeBIT in Hannover, Germany, which is the world's largest and most international computer expo. Held each year on the Hanover fairground, it is considered a barometer of the state of the art in information technology. We are excited to have a panel discussion with several OpenSocial Foundation board members, along with foundation president Mark Weitzel, on one of the stages. In addition, look for OpenSocial foundation members SugarCRM and IBM exhibiting, and come visit the OW2 village.

We look forward to having more events in 2013 to bring the OpenSocial message to the social business community.
URL: http://blog.opensocial.org/2013/01/opensocial-foundation-events-for-q1-2013.html

Monday, January 7, 2013

[Gd] Beta Channel Update

Chrome Releases: Beta Channel Update

The Beta channel has been updated to 24.0.1312.49 for Windows, Mac, Linux, and Chrome Frame.  This build contains stability fixes. Full details about what changes are in this build are available in the SVN revision log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug.

Dharani Govindan
Google Chrome
URL: http://googlechromereleases.blogspot.com/2013/01/beta-channel-update.html