Android

Android 11 Is Taking Away the Camera Picker, Forcing People To Only Use the Built-In Camera (androidpolice.com)

In the name of security and privacy, Google is taking away the ability for users to select third-party camera apps in Android 11, forcing users to rely on the built-in camera app. Android Police reports: At the heart of this change is one of the defining traits of Android: the Intent system. Let's say you need to take a picture of a novelty coffee mug to sell through an auction app. Since the auction app wasn't built for photography, the developer chose to leave that up to a proper camera app. This is where the Intent system comes into play. Developers simply create a request with a few criteria and Android will prompt users to pick from a list of installed apps to do the job.

However, things are going to change with Android 11 for apps that ask for photos or videos. Three specific intents will cease to work like they used to, including: VIDEO_CAPTURE, IMAGE_CAPTURE, and IMAGE_CAPTURE_SECURE. Android 11 will now automatically provide the pre-installed camera app to perform these actions without ever searching for other apps to fill the role. Google describes the change in a list of new behaviors in Android 11, and further confirmed it in the Issue Tracker. Privacy and security are cited as the reason, but there's no discussion about what exactly made those intents dangerous. Perhaps some users were tricked into setting a malicious camera app as the default and then using it to capture things that should have remained private.

Not only does Android 11 take the liberty of automatically launching the pre-installed camera app when requested, it also prevents app developers from conveniently providing their own interface to simulate the same functionality. I ran a test with some simple code to query for the camera apps on a phone, then ran it on devices running Android 10 and 11 with the same set of camera apps installed. Android 10 gave back a full set of apps, but Android 11 reported nothing, not even Google's own pre-installed Camera app.

Privacy

Researchers Can Duplicate Keys From the Sounds They Make In Locks (kottke.org)

Researchers have demonstrated that they can make a working 3D-printed copy of a key just by listening to how the key sounds when inserted into a lock. Slashdot reader colinwb writes: While you cannot hear the shape of a drum, it seems you can hear the shape of one type of key from the sound it makes in the lock. That says it all really, but [here's how Soundarya Ramesh and her team at the National University of Singapore accomplished this feat]: "[The NUS team developed and tested what it calls SpiKey, an end-to-end attack technique for, as its name suggests, spying on Yale/Schlage type keys and using signal processing software to infer their correct shapes.] Once they have a key-insertion audio file, SpiKey's inference software gets to work filtering the signal to reveal the strong, metallic clicks as key ridges hit the lock's pins [and you can hear those filtered clicks online here]. These clicks are vital to the inference analysis: the time between them allows the SpiKey software to compute the key's inter-ridge distances and what locksmiths call the 'bitting depth' of those ridges: basically, how deeply they cut into the key shaft, or where they plateau out. If a key is inserted at a nonconstant speed, the analysis can be ruined, but the software can compensate for small speed variations.

The result of all this is that SpiKey software outputs the three most likely key designs that will fit the lock used in the audio file, reducing the potential search space from 330,000 keys to just three. 'Given that the profile of the key is publicly available for commonly used [pin-tumbler lock] keys, we can 3D-print the keys for the inferred bitting codes, one of which will unlock the door,' says Ramesh." The article has a link to a 15-minute video presentation of the research and to another article on the research.

AI

AI Company Leaks Over 2.5 Million Medical Records

Secure Thoughts reports that artificial intelligence company Cense AI, which specializes in "SaaS-based intelligent process automation management solutions," has leaked nearly 2.6 million medical records on the internet. PCMag reports: [O]n July 7 security researcher Jeremiah Fowler discovered two folders of medical records available for anyone to access on the internet. The data was labeled as "staging data." Fowler believes the data was made public because Cense AI was temporarily hosting it online before loading it into the company's management system or an AI bot.

The medical records are quite detailed and include names, insurance records, medical diagnosis notes, and payment records. It looks as though the data was sourced from insurance companies and relates to car accident claims and referrals for neck and spine injuries. The majority of the personal information is thought to be for individuals located in New York, with a total of 2,594,261 records exposed. Fowler sent a responsible disclosure notice to Cense AI and public access to the folders was restricted soon after. However, the damage has potentially already been done if others had previously discovered the data was available. Fowler points out that medical data is the most valuable on the black market, fetching as much as $250 per record. If someone willing to act maliciously came across this data, you can guarantee it is being, or has been, sold.

Facebook

You'll Need a Facebook Account To Use Future Oculus Headsets (theverge.com)

Oculus will soon require all of its virtual reality headset users to sign up with a Facebook account. The Facebook-owned company says it will start removing support for separate Oculus accounts in October, although users can maintain an existing account until January 1st, 2023. All users can maintain a distinct "VR profile" with a separate friends list. From a report: Starting later this year, you'll only be able to sign up for an Oculus account through Facebook. If you already have an account, you'll be prompted to permanently merge your account. If you don't, you'll be able to use the headset normally until 2023, at which point official support will end. Old headsets using non-linked accounts will still work, but some games and apps may no longer function. Developers can keep using an unlinked developer account without social functionality, and the Oculus for Business platform uses a separate login process that will remain unchanged. Facebook also says that all future unreleased Oculus devices will require a Facebook login, even if you've got a separate account already.

Chrome

Chrome 86 Will Warn Users About Insecure Forms On HTTPS Pages (9to5google.com)

While there's wide HTTPS adoption today, HTTP content on secure pages still persists. Google has been working to stamp that out, and Chrome is now turning its attention to insecure forms and warning users about them. "These 'mixed forms' (forms on HTTPS sites that do not submit on HTTPS) are a risk to users' security and privacy," says Google in a blog post. "Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data." 9to5Google reports: The Google browser today removes the address bar's lock icon from sites with mixed forms. However, this proved to deliver an "unclear" experience that "did not effectively communicate the risks associated with submitting data in insecure forms." Starting in version 86, due to hit stable in October, Chrome will provide a more aggressive warning about insecure forms. Autofill will be disabled, but the built-in password manager will continue to offer "unique passwords." The company argues it's safer than reusing credentials. Next, the form will show red warning text underneath the field: "This form is not secure. Autofill has been turned off." The last measure will throw up a full-page warning communicating the potential risks. It gives users an option to cancel the action, but there will be a "Send anyway" button.
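As an added example (not code from Google's blog post, 9to5Google or Chrome itself), the check below classifies forms the way the "mixed form" definition above does: a form on an https: page whose submission target resolves to http:. Form actions are resolved against the page URL with the WHATWG URL parser; a `<base>` element is not modelled, and the form list, page URL and hostnames are constructed sample data.

```javascript
// Resolve a form's action the way the browser does before submitting it:
// an empty or missing action submits to the page URL itself, a relative
// action resolves against the page URL, and a scheme-relative "//host/..."
// action inherits the page's scheme. (Assumption: no <base> element.)
function resolveAction(pageUrl, action) {
  return new URL(action ?? "", pageUrl);
}

// A "mixed form" exists only when the page is https: and the resolved
// submission target is http:. Scheme comparison is case-insensitive because
// the URL parser normalises "HTTP://" to "http:".
function isMixedForm(pageUrl, action) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return false;
  return resolveAction(pageUrl, action).protocol === "http:";
}

// Report every insecure form with the target it would actually submit to.
// In a real page, pass form.getAttribute("action") for each entry of
// document.forms, since form.action already returns the resolved URL.
function findMixedForms(pageUrl, forms) {
  return forms
    .filter((f) => isMixedForm(pageUrl, f.action))
    .map((f) => ({ id: f.id, target: resolveAction(pageUrl, f.action).href }));
}

// The remediation is the same in every case: submit to an https: target.
function hardenAction(pageUrl, action) {
  const u = resolveAction(pageUrl, action);
  if (u.protocol === "http:") u.protocol = "https:";
  return u.href;
}

// Constructed sample: one HTTPS page whose forms differ only in where they submit.
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_FORMS = [
  { id: "login", action: "" },                                // page itself: fine
  { id: "search", action: "/search" },                        // relative, stays https: fine
  { id: "newsletter", action: "//cdn.example/subscribe" },    // scheme-relative, stays https: fine
  { id: "legacy-pay", action: "http://pay.example/submit" },  // absolute http: mixed form
  { id: "feedback", action: "HTTP://feedback.example/send" }, // upper-case scheme: still mixed
];

console.log(findMixedForms(SAMPLE_PAGE, SAMPLE_FORMS));
```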
