Related
I saw (I can't remember where and even tried googling for a while and couldn't find it again) a website that lists packages for phone manufacturers. One was like, stock (like what's on the g1 w/"with google" branding) another one was custom ui etc (I am assuming the package used for motoblur and rosie). < or something that that effect.
Now my point: I am not sure the cost of these licenses, but I was thinking maybe one entity (xda for example). Could purchase a license (with donation money) and allow devs like cyanogen, maxisma, drizzy, jac etc operate under that license.
Not this is just an idea, I don't know too much about licenses and how they work etc. its just an idea to discuss.
CBowley said:
I saw (I can't remember where and even tried googling for a while and couldn't find it again) a website that lists packages for phone manufacturers. One was like, stock (like what's on the g1 w/"with google" branding) another one was custom ui etc (I am assuming the package used for motoblur and rosie). < or something that that effect.
Now my point: I am not sure the cost of these licenses, but I was thinking maybe one entity (xda for example). Could purchase a license (with donation money) and allow devs like cyanogen, maxisma, drizzy, jac etc operate under that license.
Not this is just an idea, I don't know too much about licenses and how they work etc. its just an idea to discuss.
Click to expand...
Click to collapse
thats a stopgap until Google decides to change the agreement for their closed source software. the real solution is a fully open source flavor of android with proprietary repositories (a la Ubuntu)
alapapa said:
thats a stopgap until Google decides to change the agreement for their closed source software. the real solution is a fully open source flavor of android with proprietary repositories (a la Ubuntu)
Click to expand...
Click to collapse
It's not a stop gap, this would actually be effective, as it would legally allow them to include those apps in the ROMs.
But, how much those licenses cost is a whole nother world.
Yeah, I posted this very suggestion in one of the first threads created about this topic. I even have some ideas about funding and possible non-profit status for the organization that acquires the license for distribution... but it was lost in the *****ing and moaning.
Yes I believe that would be a viable option as far as licensing goes there are a set terms to them that after has been agreed to like a contract can't change we would be fine. But as the case with Blizzard entertainment they can change and most likely will all the time. I aggree best option would to be make a full open source option that would allow us to operate without the google apps but that is very tricky as well, for service especially like YouTube that has terms of use and unless sactioned by them they don't want you using that service. It was for that reason why youtube downloader was pulled from the market and also violated ToS for downloading. No other youtube app has really poped up. Another solution like has pointed out in dev forum is to back them up from a google image already on the device. They specially said we can't distribute them. Currently I am trying to find the terms for it if any one can find for me that would be great. Another idea that I have was to make an application that would allow user to install what ever custom rom without google apps then find the approriate image from google for the device rom is installed on. Download that image ROM file and extract out google apps and install on the device. Since was ment for that and I or xda won't be distrubting the apps that might fall as acceptible in their terms. If anyone can find the terms I would greatly appreciate it.
TheArtiszan said:
Yes I believe that would be a viable option as far as licensing goes there are a set terms to them that after has been agreed to like a contract can't change we would be fine. But as the case with Blizzard entertainment they can change and most likely will all the time. I aggree best option would to be make a full open source option that would allow us to operate without the google apps but that is very tricky as well, for service especially like YouTube that has terms of use and unless sactioned by them they don't want you using that service. It was for that reason why youtube downloader was pulled from the market and also violated ToS for downloading. No other youtube app has really poped up. Another solution like has pointed out in dev forum is to back them up from a google image already on the device. They specially said we can't distribute them. Currently I am trying to find the terms for it if any one can find for me that would be great. Another idea that I have was to make an application that would allow user to install what ever custom rom without google apps then find the approriate image from google for the device rom is installed on. Download that image ROM file and extract out google apps and install on the device. Since was ment for that and I or xda won't be distrubting the apps that might fall as acceptible in their terms. If anyone can find the terms I would greatly appreciate it.
Click to expand...
Click to collapse
well if flash comes out next month we wont need the youtube app.
Lol have you tried hero w flash. Slow as hell
well that not the official version so it hard to say. yeah did but the hero builds seem slow to me.
Jacheroski2.1 was pretty quick once swapper and everything was setup correctly
TheArtiszan said:
Lol have you tried hero w flash. Slow as hell
Click to expand...
Click to collapse
yea but adobe plans to release flash 10 for android as early as october
I read that Cyanogen or someone is already working on a workaround..kinda. A backup program which will backup your currently legal device apps, and upon install of his bare-bones rom, restore the original device apps.
Things will be close to the same. Just a bump in the road. They should know, people will always find a way. Legal or not.
First of all: I'm an OSS advocate and love the idea of open source. Don't forget that while reading this.
Some 2 month ago, I got myself a Galaxy S. It's not exactly cheap, but on the other side, it's really good hardware. This thread is not about Samsung or the Galaxy S. It's about the missing parts of android security.
We all know it from our home computers: Software sometimes has bugs. Some just annoy us, others are potentially dangerous for our beloved data. Our data sometimes gets stolen or deleted due to viruses. Viruses enter our machines by exploiting bugs that allow for code execution or priviledge escalation. To stay patched, we regularly execute our "apt-get update;apt-get dist-upgrade" or use windows update. We do this to close security holes on our systems.
In the PC world, the software and OS manufacturers release security bulletins to inform users of potentially dangerous issues. They say how to work around them or provide a patch.
How do we stay informed about issues and keep our Android devices updated?
Here's what Google says:
We will publicly announce security bugs when the fixes are available via postings to the android-security-announce group on Google Groups.
Click to expand...
Click to collapse
Source: http://developer.android.com/guide/appendix/faq/security.html#informed
OK, that particular group is empty (except for a welcome post). Maybe there are no bugs in Android. Go check yourself and google a bit - they do exist.
"So why doesn't Google tell us?", you ask. I don't know. What I know is that the various components of Android (WebKit, kernel, ...) do have bugs. There's nothing wrong with that BTW, software is made by people - and people make mistakes and write buggy code all the time. Just read the changelogs or release notes.
"Wait", I head you say, "there are no changelogs or release notes for Android releases".
Oh - so let's sum up what we need to stay informed about security issues, bugs and workarounds:
* Security bulletins and
* Patches or Workaround information
What of these do we have? Right, nada, zilch, rien.
I'll leave it up to you to decide if that's good common practise.
"But why is this important anyway", you ask.
Well, remember my example above. You visit a website and suddenly find all your stored passwords floating around on the internet. Don't tell me that's not possible, there was a WebKit bug in 2.2 that did just that. Another scenario would be a drive-by download that breaks out of the sandbox and makes expensive phone calls. Or orders subscriptions for monthly new ringtones, raising your bill by orders of magnitute. Or shares your music on illegal download portals (shh, don't tell the RIAA that this is remotely possible).
The bug is probably fixed in 2.2.1 - but without changelogs we can't be sure.
But that's not all - there's a second problem. Not only are we unaware of security issues, we also don't have automated update mechanisms.
We only receive updates when our phone's manufacturers release new firmware. Sadly, not all manufacturers support their phones in the long run.
In the PC world, most Distros have a central package management - that Google forgot to implement in Android. Agreed, some phones can receive OTA updates, but that depends on the carrier. And because of the differences in Android versions it's not possible to have a central patch management either. So we do not know if our Android devices might have security issues. We also have no easy way to patch them.
Perhaps you knew this before, then I apologize for taking your time.
What do YOU - the computer literate and security aware XDA users - think about this? Do you think that's a problem? Or would you rather say that these are minor problems?
Very intresting, thanks! The update problem should be fixed with the next release, no more custom UIs and mods from phone manufacturers,at least google said that
Sent from my Nexus One using XDA App
Excellent post and quite agree with you. The other significant problem looming is the granularity (or rather, lack thereof) in app permissions which can cause problems you describe without bugs and exploits. I install an app that does something interesting with contacts and also has internet access to display ads. How do I know that my contacts are not encrypted, so making sniffing useless, and beamed back to mummy? Nothing other than blind trust!
I love Android but it's an accident waiting to happen unless the kind of changes you advocate are implemented and granularity of permissions significantly increased. I don't like much about Apple but their walled garden app store is something they did get right although IMHO, they also abuse that power to stifle competition. Bring out the feds!
simonta said:
The other significant problem looming is the granularity (or rather, lack thereof) in app permissions [...]
How do I know that my contacts are not encrypted, so making sniffing useless, and beamed back to mummy? Nothing other than blind trust!
Click to expand...
Click to collapse
I agree, although I'm not sure that less experienced users might have difficulties with such options.
simonta said:
I love Android but it's an accident waiting to happen
Click to expand...
Click to collapse
Sad but true. I'm just curious what Google will do when the first problems arise and the first users will have groundshaking bills.
If that happens to just a few users, it'll get a kind media coverage Google surely won't like.
I've seen quite a few android exploits posted on bugtraq over the years. It's a high-volume email list, but with some filtering of stuff you don't care about, it becomes manageable. It's been around forever and is a good resource if you want the latest security news on just about anything computer related.
http://www.securityfocus.com/archive/1/description
People are bashing a lot about the Android security model but the truth is you can never have 100% protection with ANY solution.
Apple is not allowing any app in their store. Fine. but mostly they are only filtering out apps that crash, violate some rules or they just don't like them or whatever. but they can never tell what an app is really doing. Therefore they would neeed to reverse-engineer every app they get etc. That's just impossible considering the amount of apps....
Speaking again of Android. I think the permission model is not bad. I mean, no other OS got such detailed description about what an app can do or not. But unfortunately it can only filter out very conspicuous apps, i.e. a Reversi game asking for your location and internet access. But then you never know... if the app is using ads it requires location and internet access, right? so what can you do?
RAMMANN said:
Apple is not allowing any app in their store. Fine. but mostly they are only filtering out apps that crash, violate some rules or they just don't like them or whatever. but they can never tell what an app is really doing. Therefore they would neeed to reverse-engineer every app they get etc. That's just impossible considering the amount of apps....
Click to expand...
Click to collapse
Not really, they do blackbox testing and let the apps run on emulated devices they then check if the app "behaves" as desired...
Of course you can't get 100% security and I don't think that's what we're saying, but there is a lot you can do.
Take for example internet access which is the biggest worry I have. The only reason most apps request internet access is to support ads. I now have a choice to make, don't use the app or trust it. That simple, no other choice.
If I installed an app that serves ads but did not have internet access, then the only way that app can get information off my phone is to use exploits and I'm a lot more comfortable knowing that some miscreant needs to understand that than the current situation where some script kiddy can hoover up my contacts.
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
I absolutely agree with you on Apple, one of the main reasons that I chose a Desire instead of an iPhone, but the Android approach is too far the other way IMHO.
Just my tuppence, in a hopeless cause of imagining someone at Google paying attention and thinking you know what, it is an accident waiting to happen.
marty1976 said:
Not really, they do blackbox testing and let the apps run on emulated devices they then check if the app "behaves" as desired...
Click to expand...
Click to collapse
Well, so why did a tethering app once make it into the appstore?
Also I think there are many possibilities for an app to behave normal, and just start some bad activity after some time. Wait a couple months until the app is spread around and then bang. Or remotely launch some action initiated through push notifications etc.
If there is interest, then there is always a way....
simonta said:
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
Click to expand...
Click to collapse
I agree that a seperate permission for ads would be a good thing.
But there are still many apps which need your location, contacts, internet access.... all the social media things nowadays. And this is where the whole thing will be going to so I think in the future it will be even harder to differenciate.
Getting back on topic: I just read that Windows 7 Phone will get updates and patches like desktop windows. That means patchday once a month plus when urgency is high...
simonta said:
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
Click to expand...
Click to collapse
But, how do you distinguish them? Today, (as a developer) I can use any ad-provider I want. In order to distinguish ads from general internet access, the OS would need one of:
A Google-defined ad interface, which stifles "creativity" in ad design. Developers would simply ignore it and do what they do now as soon as their preferred ad-provider didn't want to support the "official" ad system or provided some improvement by doing so.
An OS update to support every new ad-provider (yuck^2).
Every ad-provider would have to go through a Google whitelist that was looked up on the fly (increased traffic, and all ads are now "visible" to Google whether Google is involved in the transaction or not). This would also make ad-blocking apps harder to implement since Google's whitelisting API might not behave if the whitelist was unavailable. On the upside, it would make ad-blocking in custom ROMs be trivial.
Even if Google did one of these things, it still wouldn't provide any real increase in privacy or security. The "ad service" would still need to deliver a payload from the app to the service (in order to select ads) and another from the service to the app (the ad content). Such a mechanism could be trivially exploited to do anything that simple HTTP access could provide.
http://code.google.com/p/android/issues/list
issues submitted are reviewed by google employed techs... they tell you if you messed up and caused the issue or if the issue will be fixed in a future release or whatever info they find.
probably not the best way to handle it but its better then nothing.
twztdwyz said:
http://code.google.com/p/android/issues/list
Click to expand...
Click to collapse
Knew that bug tracker, but the free tagging aka labels isn't the best idea IMHO.
You can't search for a specific release, for example...
twztdwyz said:
probably not the best way to handle it but its better then nothing.
Click to expand...
Click to collapse
Ack, but I think Google can do _much_ better...
Two more things to have in mind:
1. I doubt that many Android users bother much about what permissions they give to an app.
2. Using Google to sync your contacts and calendar (and who knows what else), is a bad, bad idea.
Just wondering if anyone knows details on how market listings work. I know there are some apps that show or not to certain phones, but is that just a version issue, a special exception google makes?
At any rate, it's moot, because if google has a solution, they aren't making it very clear to lots of people.
Anyway, the problem:
As android ages, the phones age, and the apps mature. There are lots of apps that won't adequately run on older phones, but as far as I can tell, the only recourse devs have is to put a note in the description, which stops no one from actually downloading it, then clogging the reviews with 1 star "does not work on the ___" reviews.
While this was always a problem, now that we've reached the point in time where this is starting to happen to Droid 1 users, it's less an annoyance, and more a serious issue. Ratings almost mean nothing on those apps, and it's hard to use the reviews to see if there are actually any real issues.
(There are 10 billion droid users, and because it was true for quite a while they seem particularly locked in to the "I have one of the better phones out there" mentality )
Ok, rant over. Not sure anyone else even notices this.
Also, I'm not sure the solution is to restrict access, but an official way to list the phones that work or don't work needs to be in place, and then maybe another dev option to still allow access*
Then, if your phone isn't compatible, but the dev okays downloading anyway, you are given an extra screen to dismiss, explaining the app probably wont work for you, and you aren't allowed to leave reviews.
*Not all phones are equal, a stock phone, and a tricked out custom kerneled OC'd version, are very different, so a user might opt to give it a whirl anyway.
I have several apps on the market. In the manifest for the app you declare the minimum version of Android required for the app, and it's my understanding that phones that do not have at least that version of Android will not see the app.
Now, just because an app doesn't work on one person's phone, and they write a nasty review saying "doesn't work on the Epic!" doesn't actually mean that it doesn't work on the Epic, it just means that one person couldn't get it to work. Also, the developer may have made some hardcoding choices (like directories, etc.) that are not universal, and that may lead to incompatibilities that were un-anticipated. But, other than version of Android, I'm not sure what else is available to a developer to restrict access.
Yeah, I figured you could set the version. It's too bad there's no way to control it a bit finer.
I also realize that it's entirely possible someone is just being an idiot, but the fact remains we're past the days where you could necessarily infer anything about the phones from the version, or NEED the latest API version to do something useful/cool.
There are apps that legitimately don't run on some phones, and I feel like google needs to offer an official solution, rather than rely on dev comments that no one reads.
Obviously there are lots of ways to fake what your phone is, and whatnot, so nothing is going to be perfect, but there needs to be some way to officially denote "This app only requires 2.2, but your phone can't be one that shipped with Cupcake"
Edit: perhaps an easier approach is to have a market setting that only factors ratings/reviews of people that have the same phone.
I also don't mean to sound like I install every 5 star app, and wont even think about installing a 3 star app, no matter what I've heard. I've just noticed this in apps I was installing for one reason or another, and felt bad for the devs. It also gives a little less incentive to provide new/cool things for those of us with better phones.
I also suppose there's no "official" guidelines on what these stars are supposed to mean, but to me 1 starring an ap that says "this won't work for you" when it doesn't work for you is like telling people your dentist sucks because he wouldn't change your oil or make you a burger.
Hey guys, remember when the carriers blocked wireless tethering apps from the market for 'their phones'? I don't believe they ever REMOVED the apps from the market, just tagged them in such a way that they are not visible to any of the phones they provide service for. Just a thought, maybe devs could do the same kind of 'blacklisting' based on model number...
Sent from my pocket rocket
Vulnerability Allows Attackers to Modify Android Apps Without Breaking Their Signatures
This might be the reason why the new MF2 and ME6 are not downgradable and why the 4.2.2 update was delayed.
Source->http://www.cio.com/article/735878/V...ndroid_Apps_Without_Breaking_Their_Signatures
IDG News Service — A vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.
Researchers from San Francisco mobile security startup firm Bluebox Security found the flaw and plan to present it in greater detail at the Black Hat USA security conference in Las Vegas later this month.
The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures.
When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.
This is important for the Android security model because it ensures that sensitive data stored by one application in its sandbox can only be accessed by new versions of that application that are signed with the original author's key.
The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said Wednesday in a blog post.
"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," they said.
The vulnerability can also be exploited to gain full system access if the attacker modifies and distributes an app originally developed by the device manufacturer that's signed with the platform key -- the key that manufacturers use to sign the device firmware.
"You can update system components if the update has the same signature as the platform," Forristal said. The malicious code would then gain access to everything -- all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.
Attackers can use a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more.
Some of these methods, especially the one involving third-party app stores, are already being used to distribute Android malware.
Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.
However, if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.
Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.
Forristal confirmed that one third party device, the Samsung Galaxy S4, already has the fix, which indicates that some device manufacturers have already started releasing patches. Google has not released patches for its Nexus devices yet, but the company is working on them, he said.
Google declined to comment on the matter and the Open Handset Alliance did not respond to a request for comment.
The availability of firmware updates for this issue will differ across device models, manufacturers and mobile carriers.
Whether a combination of device manufacturers and carriers, which play an important role in the distribution of updates, coincide to believe that there is justification for a firmware update is extremely variable and depends on their business needs, Forristal said. "Ideally it would be great if everyone, everywhere, would release an update for a security problem, but the practical reality is that it doesn't quite work that way, he said."
The slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users. Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws.
Judging by Android's patch distribution history so far, the vulnerability found by the Bluebox researchers will probably linger on many devices for a long time, especially since it likely affects a lot of models that have reached end-of-life and are no longer supported.
Click to expand...
Click to collapse
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Key phrase here is "for apps not installed through the google store". Hence not an issue for a large fraction of users. Total case of FUD. Someone must be wanting to sell some av software.
Sent from my GT-N7100 using Tapatalk 4 Beta
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Click to expand...
Click to collapse
Well, X-Ray scanner either does not detect this latest security flaw or N7100 (as of DM6) is allready patched.
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Click to expand...
Click to collapse
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there's a literally hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
djmcnz said:
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there's a literry hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
Click to expand...
Click to collapse
Ahh! Thats the answer I was waiting for (and from a Recognized Developer). I knew XDA Devs were using this method. My new question is.. If they fix it will it be harder to create Mods? Will it slow down development?
Shouldn't this be posted in the generals forum?
Kremata said:
If they fix it will it be harder to create Mods? Will it slow down development?
Click to expand...
Click to collapse
I suspect so. If they fix it properly it would become impossible to change any aspect of the app without signing it again. If you wanted to maintain compatibility with the original then you'd need the developer's keys.
At the moment really only the manifest and some metadata within the apk is signed, if they extended that to the entire contents of the apk many mods (think themes for stock Google apps etc) are screwed unless users are happy to relinquish Play Store links and updates (i.e. backward compatibility).
Google may not go this far and may only choose to authenticate the code (smali) rather than all of the apk contents (graphics, strings etc), this approach would leave room for some mods to survive. Remains to be seen.
The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.
proof: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
ROM: gen.y_vision_WWE_2.42.405.4_R1.3-EXT4 vulnerable.
I think, HTC will not update stock ROM, can i hope what xda developers will be update her ROMs?
As I understood this news, it must be user triggered. Someone must choose to install such an apk.
And most people that install from apk dont check the author of files anyways, so no big thing.
And if Playstore is in any way affected now or not, I do not know because I do not use it.
It always depends on how the stores/sites you get your apps from maintain a consistent trust relationship to app authors.
Would really be nice if a "Who is who and who made what" menu would be included into cm or aosp.
I think you are more or less safe when you stick to commonly used apps in the Play store. OTOH I had a app once that had notification ads in it, kind of spam.
The new ILWT CM7 supposedly has it fixed. Build 879
Unfortunately, Android accounts for 79% of phone malware and has become the new prime target. This really makes me think that having a good AV on my phone is important, yet how many of us don't? (including me!) Any recommendations that anyone has tested?
Come on, had anyone been hacked or smth?
We should just check software before installing, but i suppose google does it for us.