Dev Channel Update for ChromeOS / ChromeOS Flex

The Dev channel is being updated to OS version 127.0.6533.11 (Platform version 15917.8.0) for most ChromeOS devices. This build contains a number of bug fixes and security updates.

If you find new issues, please let us know in one of the following ways:

  1. File a bug
  2. Visit our ChromeOS communities
    1. General: Chromebook Help Community
    2. Beta Specific: ChromeOS Beta Help Community
  3. Report an issue or send feedback on Chrome

Interested in switching channels? Find out how.

Alon,
Google ChromeOS

Stable Channel Update for Desktop

The Stable channel has been updated to 126.0.6478.114/115 for Windows, Mac and 126.0.6478.114 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.



This update includes 6 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.




[$20000][344608204] High CVE-2024-6100: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) participating in SSD Secure Disclosure's TyphoonPWN 2024 on 2024-06-04

[$7000][343748812] High CVE-2024-6101: Inappropriate implementation in WebAssembly. Reported by @ginggilBesel on 2024-05-31

[TBD][339169163] High CVE-2024-6102: Out of bounds memory access in Dawn. Reported by wgslfuzz on 2024-05-07

[TBD][344639860] High CVE-2024-6103: Use after free in Dawn. Reported by wgslfuzz on 2024-06-04




We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:

[347958670] Various fixes from internal audits, fuzzing and other initiatives




Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.



Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Srinivas Sista
Google Chrome

The Third Beta of Android 15

Posted by Matthew McCullough – VP of Product Management, Android Developer



Today's Android 15 Beta 3 release takes Android 15 to Platform Stability, which means that the developer APIs and all app-facing behaviors are now final for you to review and integrate into your apps, and apps targeting Android 15 can be made available in Google Play. Thank you for all of your continued feedback in getting us to this milestone.

Android 15 continues our work to build a platform that helps improve your productivity while giving you new capabilities to produce superior media and AI experiences, take advantage of device form factors, minimize battery impact, maximize smooth app performance, and protect user privacy and security, all on the most diverse lineup of devices.

Android delivers enhancements and new features year-round, and your feedback on the Android beta program plays a key role in helping Android continuously improve. The Android 15 developer site has lots more information about the beta, including how to get it on devices and the release timeline. We’re looking forward to hearing what you think, and thank you in advance for your continued help in making Android a platform that works for everyone.

New in Android 15 Beta 3

Android 15 Production Timeline

Given where we are in the release cycle, there are just a few new things in the Android 15 Beta 3 release for you to consider when developing your apps.

Improved user experience for passkeys and Credential Manager

Users will be able to sign into apps that target Android 15 using passkeys in a single step with facial recognition, fingerprint, or screen lock. If they accidentally dismiss the prompt to use a passkey to sign in, they will be able to see the passkey or other Credential Manager suggestions in autofill conditional user interfaces, such as keyboard suggestions or dropdowns.

Single-step UI experience

Single step UI experience demonstrating before on the left which required two taps and after on the right which only requires one

Fallback UI experience

Fallback UI experience showing password, passkey, and sign in with Google options across Keyboard chips and on screen dropdown options

Credential Provider integration for the single-step UI

Registered credential providers will be able to use upcoming APIs in the Jetpack androidx.credentials library to hand off the user authentication mechanism to the system UI, enabling the single-step authentication experience on devices running Android 15.

App integration for autofill fallback UI

When you present the user with a selector at sign-in using Credential Manager APIs, you can associate a Credential Manager request with a given view, such as a username or a password field. When the user focuses on one of these views, Credential Manager gets an associated request, and provider-aggregated resulting credentials are displayed in autofill fallback UIs, such as inline or dropdown suggestions.

WebSQL deprecated in Android WebView

The setDatabaseEnabled and getDatabaseEnabled WebSettings are now deprecated. These settings are used for WebSQL support inside WebView. WebSQL is removed in Chrome and is now deprecated on Android WebView. These methods will become a no-op on all Android versions in the next 12 months.

The World Wide Web Consortium (W3C) encourages apps needing web databases to adopt Web Storage API technologies like localStorage and sessionStorage, or IndexedDB. SQLite Wasm in the browser backed by the Origin Private File System outlines a replacement set of technologies based on the SQLite database, compiled to Web Assembly (Wasm), and backed by the origin private file system to enable more direct migration of WebSQL code.

Get your apps, libraries, tools, and game engines ready!

If you develop an SDK, library, tool, or game engine, it's even more important to prepare any necessary updates now to prevent your downstream app and game developers from being blocked by compatibility issues and allow them to target the latest SDK features. Please let your developers know if updates are needed to fully support Android 15.

Testing your app involves installing your production app using Google Play or other means onto a device or emulator running Android 15 Beta 3. Work through all your app's flows and look for functional or UI issues. Review the behavior changes to focus your testing. Each release of Android contains platform changes that improve privacy, security, and overall user experience, and these changes can affect your apps. Here are several changes to focus on that apply even if you don't yet target Android 15:

    • Support for 16KB page sizes - Beginning with Android 15, Android supports devices that are configured to use a page size of 16 KB. If your app or library uses the NDK, either directly or indirectly through an SDK, then you will likely need to rebuild your app for it to work on these devices.
    • Private space support - Private space is a new feature in Android 15 that lets users create a separate space on their device where they can keep sensitive apps away from prying eyes, under an additional layer of authentication.

Remember to thoroughly exercise libraries and SDKs that your app is using during your compatibility testing. You may need to update to current SDK versions or reach out to the developer for help if you encounter any issues.

Once you’ve published the Android 15-compatible version of your app, you can start the process to update your app's targetSdkVersion. Review the behavior changes that apply when your app targets Android 15 and use the compatibility framework to help quickly detect issues.

Get started with Android 15

Today's beta release has everything you need to try out Android 15 features, test your apps, and give us feedback. Now that we’re in the beta phase, you can check here to get information about enrolling your device; enrolling supported Pixel devices will deliver this and future Android Beta updates over-the-air. If you don’t have a supported device, you can use the 64-bit system images with the Android Emulator in Android Studio. If you're already in the Android 14 QPR beta program on a supported device, you'll automatically get updated to Android 15 Beta 3.

For the best development experience with Android 15, we recommend that you use the latest version of Android Studio Koala. Once you’re set up, here are some of the things you should do:

    • Try the new features and APIs - your feedback is critical during the early part of the developer preview and beta program. Report issues in our tracker on the feedback page.
    • Test your current app for compatibility - learn whether your app is affected by changes in Android 15; install your app onto a device or emulator running Android 15 and extensively test it.
    • Update your app with the Android SDK Upgrade Assistant - The latest Android Studio Koala Feature Drop release now covers Android 15 API changes and walks you through the steps to upgrade your targetSdkVersion with the Android SDK Upgrade Assistant.
Android SDK Upgrade Assistant in Android Studio Koala Feature Drop

We’ll update the beta system images and SDK regularly throughout the remainder of the Android 15 release cycle. Read more here.

For complete information, visit the Android 15 developer site.


Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.

All trademarks, logos and brand names are the property of their respective owners.

Common Expressions For Portable Policy and Beyond


I am thrilled to introduce Common Expression Language, a simple expression language that's great for writing small snippets of logic which can be run anywhere with the same semantics in nanoseconds to microseconds evaluation speed. The launch of cel.dev marks a major milestone in the growth and stability of the language.

It powers several well known products such as Kubernetes where it's used to protect against costly production misconfigurations:

    object.spec.replicas <= 5

Cloud IAM uses CEL to enable fine-grained authorization:

    request.path.startsWith("/finance")

Versatility

CEL is both open source and openly governed, making it well adopted both inside and outside Google. CEL is used by a number of large tech companies, either internally or as part of their public product offering. As a reflection of this open governance, cel.dev has been launched to share more about the language and the community around it.

So, what makes CEL a good choice for these applications? Why is CEL unique or different from Amazon's Cedar Policy or Open Policy Agent's Rego? These are great questions, and common ones (no pun intended):

  • Highly optimized evaluation O(ns) - O(μs)
  • Portable with stacks supported in C++, Java, and Go
  • Thousands of conformance tests ensure consistent behavior across stacks
  • Supports extension and subsetting

Subsetting is crucial for preserving predictable compute / memory impacts, and it only exists in CEL. As any latency-critical service maintainer will tell you, it's vital to have a clear understanding of the compute and memory implications of any new feature. Imagine you've chosen an expression language and validated that its functionality meets your security, serving, and scaling goals, but after launch, an update to the library introduces new functionality which can't be disabled and leaves your product vulnerable to attack. Your alternatives are to fork the library and accept the maintenance costs, introduce custom validation logic which is likely to be insufficient to prevent abuse, or redesign your service. CEL's support for subsetting allows you to ensure that what was true at the initial product launch remains true until you decide to expose more of its functionality to customers.

Cedar Policy language was developed by Amazon. It is open source, implemented in Rust, and offers formal verification. Formal verification allows Cedar to validate policy correctness at authoring time. CEL is not just a policy language, but a broader expression language. It is used within larger policy projects in a way that allows users to augment their existing systems rather than adopt an entirely new one.

Formal verification often has challenges scaling to large amounts of data and is based on the belief that a formal proof of behavior is sufficient evidence of compliance. However, regulations and policies in natural language are often ambiguous. This means that logical translations of these policies are inherently ambiguous as well. CEL's approach to this challenge of compliance and reasoning about potentially ambiguous behaviors is to support evaluation over partial data at a very high speed and with minimal resources.

CEL is fast enough to be used in networking policies and expressive enough to be used in detailed application policies. Having a greater coverage of use cases improves your ability to reason about behavior holistically. But, what if you don't have all the data yet to know exactly how the policy will behave? CEL supports partial evaluation using four-valued logic which makes it possible to determine cases which are definitely allowed, denied, or where policy behavior is conditional on additional inputs. This allows for what-if analysis against historical data as well as against speculative data from new use cases or proposed policy changes.

Open Policy Agent's Rego is also open source, implemented in Golang and based on Datalog, which makes it possible to offer similar proofs as Cedar. However, the language is much more powerful than Cedar, and more powerful than CEL. This expressiveness means that OPA Rego is fantastic for non-latency critical, single-tenant solutions, but difficult to safely embed in existing offerings.


Four-valued Logic

CEL uses commutative logical operators that can render a true, false, error, or unknown status. This is a scalable alternative to formal verification and the expressiveness of Datalog. Four-valued logic allows CEL to evaluate over a partial set of inputs to deliver either a definitive result or communicate that more information is necessary to complete the evaluation.

What is four-valued logic?

True, false, and error outcomes are considered definitive: no additional information will change the outcome of the expression. Consider the following case:

    1/0 != 0 && false

In traditional programming languages, this expression would be an error; however, in CEL the outcome is false.

Now consider the following case where an input variable, called unknown_var, is marked as unknown:

    unknown_var && true

The outcome of this expression is UNKNOWN{unknown_var} indicating that once the variable is known, the evaluation can be safely completed. An unknown indicates what was missing, and alerts the user to fix the outcome with more information. This technique both borrows from and extends SQL three-valued predicate logic which uses TRUE, FALSE, and NULL with commutative logical operators. From a CEL perspective, the error state is akin to SQL NULL that arises when there is an absence of information.
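The commutative four-valued `&&` and `||` described above, together with the allowed / denied / conditional classification over partial data from the Versatility section, as an added example (not code from the post or from any CEL implementation). It is a stand-alone Go model: `Decide`, the `in_finance_group` variable and the sample paths are constructed for illustration, and letting unknown take precedence over error is this model's choice.

```go
package main

import (
	"fmt"
	"strings"
)

// Kind is one of the four outcomes named in the text.
type Kind int

const (
	False Kind = iota
	True
	Error
	Unknown
)

// Val is a four-valued result; Missing names the inputs an Unknown waits on.
type Val struct {
	Kind    Kind
	Missing []string
}

var boolKind = map[bool]Kind{true: True, false: False}

func Bool(b bool) Val         { return Val{Kind: boolKind[b]} }
func Err() Val                { return Val{Kind: Error} }
func Unk(names ...string) Val { return Val{Kind: Unknown, Missing: names} }

// combine looks at every operand, so operand order never changes the result.
// absorb decides the outcome on its own: false for &&, true for ||.
func combine(absorb, identity Kind, terms []Val) Val {
	out := Val{Kind: identity}
	for _, t := range terms {
		switch {
		case t.Kind == absorb:
			return Val{Kind: absorb} // definitive, whatever the other operands are
		case t.Kind == Unknown:
			// Model's choice: unknown outranks error, because the missing
			// input could still turn out to be the absorbing value.
			out = Val{Kind: Unknown, Missing: append(out.Missing, t.Missing...)}
		case t.Kind == Error && out.Kind != Unknown:
			out = Err()
		}
	}
	return out
}

func And(terms ...Val) Val { return combine(False, True, terms) }
func Or(terms ...Val) Val  { return combine(True, False, terms) }

var verdict = map[Kind]string{True: "allow", False: "deny", Error: "error", Unknown: "conditional"}

// Decide evaluates a constructed policy (not from the post):
//   request.path.startsWith("/finance") && in_finance_group
// A nil inGroup models a record where group membership is not yet known.
func Decide(path string, inGroup *bool) (string, []string) {
	member := Unk("in_finance_group")
	if inGroup != nil {
		member = Bool(*inGroup)
	}
	r := And(Bool(strings.HasPrefix(path, "/finance")), member)
	return verdict[r.Kind], r.Missing
}

func main() {
	fmt.Println(And(Err(), Bool(false)))             // models 1/0 != 0 && false
	fmt.Println(And(Unk("unknown_var"), Bool(true))) // models unknown_var && true
	fmt.Println(Decide("/finance/q2", nil))
}
```

Running `Decide` over historical records with the membership field withheld separates requests that are denied regardless of the missing input from those whose outcome depends on it.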


CEL compatibility with SQL

CEL leverages SQL semantics to ensure that it can be seamlessly translated to SQL. SQL optimizers perform significantly better over large data sets, making it possible to evaluate over data at rest. Imagine trying to scale a single expression evaluation over tens of millions of records. Even if the expression evaluates within a single microsecond, the evaluation would still take tens of seconds. The more complex the expression, the greater the latency. SQL excels at this use case, so translation from CEL to SQL was an important factor in the design in order to unlock the possibility of performant policy checks both online with CEL and offline with SQL.


Thank you CEL Community!

We’re proud to announce cel.dev as a major milestone in the maturity and adoption of the language, and we look forward to working with you to make CEL the best building block for writing latency-critical, portable logic. Feel free to contact us at [email protected]

By Tristan Swadell – Senior Staff Software Engineer

3 must-know updates from Google Play at I/O ’24

Posted by Nick Sharma – Product Manager, Google Play

At Google Play, we’re passionate about helping people discover experiences they’ll love while empowering developers like you to bring your ideas to life and build successful businesses. At this year’s Google I/O, we shared our latest developments that will help you acquire and engage users, optimize your revenue, and reinforce trust with secure, high-quality experiences.

If you missed this year’s event, check out our recap video below, or read on for our top 3 announcements.

#1: Enhanced store listings: More ways to reach the right audience

Your store listing is often your first chance to make a good impression and acquire new users. You can already tailor your store listing in a number of ways to optimize your conversions for different audiences.

    • Now, you can also create listings based on what users search for. Tailoring your store listings by search keywords will not only make listing content more relevant, it can also help you target users actively seeking the benefits your app provides.
    • Not sure what keywords to choose? Play Console will now give you keyword suggestions for potentially impactful store listings.
Increase your store listing's relevance and conversions by displaying content tailored to users by search keywords

#2: Expanded payment options: More ways for customers to pay for your content

Our extensive payment method library, which includes traditional payment methods like credit cards and over 300 local forms of payment in more than 65 markets, continues to grow.

    • We enabled Pix in Brazil, allowing you to offer millions of customers their preferred payment method.
    • We also enhanced support for UPI in India to streamline subscription purchases.
    • With our new installment subscriptions feature, you can offer customers the option to pay over time for long-term subscriptions, helping increase your signups and lifetime value.
Installment subscriptions are now available for users in Brazil, France, Italy, and Spain

#3: SDK Console improvements: Build high-quality and safer app experiences

We're making it easier to build high-quality and safer app experiences with enhancements made possible by SDK Console.

    • You can now get better guidance on how to fix crashes or errors in Android Studio and receive notifications from SDK owners about non-compliant versions in Play Console.
    • Plus, you can share crash or ANR data with SDK owners directly through Play Console.
Developers can now share crash or ANR data with SDK owners in Play Console

That’s it for our top 3 announcements, but there’s so much more to discover from this year’s event. Check out this blog post for more Google Play announcements at this year’s Google I/O.

Instant reports will soon be available using Bid Manager API

In the upcoming months, Display & Video 360 instant reports will be made available using the Bid Manager API. We previously announced the migration of certain report types from Offline Reporting to Instant Reporting.

Once a partner is migrated, they will see the following changes:

  • Instant reports will be included in queries.list responses.
  • Existing Standard, Reach, YouTube, and URA reports will only be available under the Instant Reporting tab in the Display & Video 360 interface under the same query and report IDs.
  • If you use the Display & Video 360 interface to build new reports, you will need to build Standard, Reach, YouTube, and URA reports under the Instant Reporting tab.

This migration will happen by partner throughout the following months, with all reports under a partner migrated at once.

If you have questions about this migration in general, you can contact Display & Video 360 product support using this contact form. If you have questions about how this migration will impact the API, please contact us using our new Bid Manager API Technical support contact form.

Stable Channel Update for ChromeOS / ChromeOS Flex

The Stable channel is being updated to OS version: 15853.67.0 Browser version: 125.0.6422.197 for most ChromeOS devices.

If you find new issues, please let us know in one of the following ways:

  1. File a bug
  2. Visit our ChromeOS communities
    1. General: Chromebook Help Community
    2. Beta Specific: ChromeOS Beta Help Community
  3. Report an issue or send feedback on Chrome

Interested in switching channels? Find out how.

Matt Nelson
Google ChromeOS