Google updates Passes API to store COVID vaccination and testing information on Android devices

Posted by Irfan Faizullabhoy

Google has updated its Passes API to enable a simple and secure way to store and access COVID vaccination and test cards on Android devices. Starting today, developers from healthcare organizations, government agencies and organizations authorized by public health authorities to distribute COVID vaccines and/or tests will have access to these APIs to create a digital version of COVID vaccination or test information. This will roll out initially in the United States followed by other countries.

Image of three smart phones side by side showing Covid vaccination cards

Example COVID Cards from Healthvana, a company serving Los Angeles County

Once a user stores the digital version of the COVID Card to their device, they will be able to access it via a shortcut on their device home screen, even when they are offline or in areas that have weak internet service. To use this feature, the device needs to run Android 5 or later and be Play Protect certified. Installing the Google Pay app is not a requirement to access COVID Cards.

The COVID Card has been designed with privacy and security at its core.

  • Storing information: The user’s COVID vaccination and test information is stored on their Android device. If a user wants to access this information on multiple devices, the user will need to manually store it on each device. Google does not retain a copy of the user’s COVID vaccination or test information.
  • Sharing information: Users can choose to show their COVID Card to others. The information in the user’s COVID Card is not shared by Google with its various services or third parties and it is not used for targeting ads.
  • Securing information: A lock screen is required in order to store a COVID Card on a device. This is for added security and to protect the user’s personal information. When a user wants to access their COVID Card, they will be asked for the password, PIN or biometric method set up for their Android device.

If you are a qualified provider, please sign up to share your interest here. And, for more information about COVID cards and their privacy and security features, please see the help center.

What do you think?

Do you have any questions? Let us know in the comments below or tweet using #AskGooglePayDevs and follow us @GooglePayDevs.

AWS Lambda now supports SASL/PLAIN authentication for functions triggered from self-managed Apache Kafka

AWS Lambda functions that are triggered from self-managed Apache Kafka topics can now authenticate to the brokers with SASL/PLAIN, using a username and password stored in AWS Secrets Manager. SASL/PLAIN is a simple username/password mechanism that sends the credential in the clear inside the SASL exchange, so it is used together with TLS for encryption. This is in addition to SASL/SCRAM, which Lambda already supports. To get started, customers who select Apache Kafka as the event source for their Lambda function can choose SASL/PLAIN as their authentication mechanism and select their credentials from Secrets Manager in the AWS Management Console, AWS CLI or AWS SDK for Lambda. There is no additional charge for this feature, and it is available in all AWS Regions where self-managed Apache Kafka is supported as an event source for AWS Lambda. To learn more about using SASL/PLAIN authentication for Lambda functions triggered from self-managed Apache Kafka topics, read the Lambda Developer Guide.
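As an added example (not AWS code), the following Python builds the parameters for the SDK call that creates the event source mapping described above, and checks the Secrets Manager secret has the shape Lambda reads for SASL/PLAIN. The Lambda API names SASL/PLAIN with the SourceAccessConfigurations type BASIC_AUTH and expects the secret value to be a JSON object with "username" and "password" keys; the function names, the sample ARN, broker hosts and topic are assumptions chosen for the demo.

```python
"""Parameters for lambda:CreateEventSourceMapping with a self-managed
Apache Kafka source authenticated by SASL/PLAIN.

Added example, not AWS code. The Lambda API names this mechanism with the
SourceAccessConfigurations type BASIC_AUTH and reads the credential from a
Secrets Manager secret whose value is a JSON object with "username" and
"password" keys. Function names, the sample ARN, broker hosts and topic
below are assumptions chosen for the demo.
"""
import json
import re
from typing import Any, Dict, List, Optional

# Key set Lambda expects in the SecretString for SASL/PLAIN.
REQUIRED_SECRET_KEYS = {"username", "password"}

# host:port entries as written in a Kafka bootstrap.servers list.
_BROKER_RE = re.compile(r"^[A-Za-z0-9.-]+:[0-9]{1,5}$")
# Secrets Manager ARN in any AWS partition (aws, aws-cn, aws-us-gov).
_SECRET_ARN_RE = re.compile(r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:.+$")


def validate_sasl_plain_secret(secret_string: str) -> Dict[str, str]:
    """Parse a SecretString and check it has the shape Lambda expects.

    Raises ValueError on any defect, so a malformed secret is caught when
    the mapping is deployed rather than showing up as a polling failure.
    """
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret is not JSON: {exc}") from None
    if not isinstance(secret, dict):
        raise ValueError("secret must be a JSON object")
    if set(secret) != REQUIRED_SECRET_KEYS:
        raise ValueError(
            f"secret keys must be exactly {sorted(REQUIRED_SECRET_KEYS)}, got {sorted(secret)}"
        )
    for key in REQUIRED_SECRET_KEYS:
        if not isinstance(secret[key], str) or not secret[key]:
            raise ValueError(f"{key} must be a non-empty string")
    return secret


def build_kafka_sasl_plain_mapping(
    function_name: str,
    bootstrap_servers: List[str],
    topic: str,
    secret_arn: str,
    ca_cert_secret_arn: Optional[str] = None,
    batch_size: int = 100,
) -> Dict[str, Any]:
    """Return kwargs for boto3 lambda_client.create_event_source_mapping().

    SASL/PLAIN carries the password in the clear inside the SASL exchange,
    so it only protects the credential when the broker connection is TLS.
    ca_cert_secret_arn optionally adds a SERVER_ROOT_CA_CERTIFICATE entry
    for brokers whose certificate chains to a private CA.
    """
    if not bootstrap_servers:
        raise ValueError("at least one bootstrap server is required")
    for broker in bootstrap_servers:
        if not _BROKER_RE.match(broker):
            raise ValueError(f"bootstrap server must be host:port, got {broker!r}")
    if not _SECRET_ARN_RE.match(secret_arn):
        raise ValueError("secret_arn must be a Secrets Manager ARN")

    # BASIC_AUTH is the Lambda API's name for SASL/PLAIN; SASL/SCRAM uses
    # SASL_SCRAM_256_AUTH or SASL_SCRAM_512_AUTH instead.
    access = [{"Type": "BASIC_AUTH", "URI": secret_arn}]
    if ca_cert_secret_arn:
        access.append({"Type": "SERVER_ROOT_CA_CERTIFICATE", "URI": ca_cert_secret_arn})

    return {
        "FunctionName": function_name,
        "Topics": [topic],
        "SelfManagedEventSource": {
            "Endpoints": {"KAFKA_BOOTSTRAP_SERVERS": bootstrap_servers}
        },
        "SourceAccessConfigurations": access,
        "StartingPosition": "LATEST",
        "BatchSize": batch_size,
        "Enabled": True,
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials or resources.
    validate_sasl_plain_secret('{"username": "lambda-consumer", "password": "example-only"}')
    params = build_kafka_sasl_plain_mapping(
        function_name="orders-consumer",
        bootstrap_servers=["b-1.kafka.example.internal:9093", "b-2.kafka.example.internal:9093"],
        topic="orders",
        secret_arn="arn:aws:secretsmanager:us-east-1:123456789012:secret:kafka/plain-AbCdEf",
    )
    print(json.dumps(params, indent=2))
    # With credentials configured: boto3.client("lambda").create_event_source_mapping(**params)
```

The returned dictionary is passed straight to `create_event_source_mapping(**params)`; validating the secret up front matters because a secret with the wrong keys is only discovered once Lambda starts polling and every poll fails to authenticate.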

Upcoming security changes to Google’s OAuth 2.0 authorization endpoint in embedded webviews

Posted by Badi Azad, Group Product Manager (@badiazad)

The Google Identity team is continually working to improve Google Account security and create a safer and more secure experience for our users. As part of that work, we recently introduced a new secure browser policy prohibiting Google OAuth requests in embedded browser libraries commonly referred to as embedded webviews. All embedded webviews will be blocked starting on September 30, 2021.

Embedded webview libraries are problematic because they allow a nefarious developer to intercept and alter communications between Google and its users by acting as a “man in the middle.” An application embedding a webview can modify or intercept network requests, insert custom scripts that can record every keystroke entered in a login form, access session cookies, or alter the content of the webpage. These libraries also remove key elements of a browser that hold user trust, such as the guarantee that the response originates from Google’s servers, display of the website domain, and the ability to inspect the security of a connection. Additionally, the IETF’s OAuth 2.0 for Native Apps best current practice (RFC 8252) requires that native apps must not use embedded user-agents such as webviews to perform authorization requests.

Embedded webviews not only affect account security, they can also affect the usability of your application. The sandboxed storage environment of an embedded webview disconnects a user from the single sign-on features they expect from Google. A full-featured web browser supports multiple tools that help a logged-out user quickly sign in to their account, including password managers and Web Authentication libraries. Google’s users also expect multi-step login processes, including two-step verification and child account authorizations, to function seamlessly when a login flow involves multiple devices, when switching to another app on the device, or when communicating with peripherals such as a security key.

Instructions for impacted developers

Developers must register an appropriate OAuth client for each platform (Desktop, Android, iOS, etc.) on which their app will run, in compliance with Google’s OAuth 2.0 Policies. You can verify that the OAuth client ID used by your installed application is the most appropriate choice for your platform by visiting the Google API Console’s Credentials page. A “Web application” client type in use by an Android application is an example of mismatched use. Refer to our OAuth 2.0 for Mobile & Desktop Apps guide to integrate the appropriate client for your app’s platform.

Applications that open all links and URLs inside an embedded webview should follow these instructions for Android, iOS, macOS, and captive portals:

Android

Embedded webviews implementing or extending Android WebView do not comply with Google’s secure browser policy for its OAuth 2.0 Authorization Endpoint. Apps should allow general, third-party links to be handled by the default behaviors of the operating system, enabling a user’s preferred routing to their chosen default web browser or another developer’s preferred routing to its installed app through Android App Links. Apps may alternatively open general links to third-party sites in Android Custom Tabs.

iOS & macOS

Embedded webviews implementing or extending WKWebView, or the deprecated UIWebView, do not comply with Google’s secure browser policy for its OAuth 2.0 Authorization Endpoint. Apps should allow general, third-party links to be handled by the default behaviors of the operating system, enabling a user’s preferred routing to their chosen default web browser or another developer’s preferred routing to its installed app through Universal Links. Apps may alternatively open general links to third-party sites in SFSafariViewController.
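The Android and iOS/macOS sections above name the non-compliant webview classes; a site that wants to show its own “open this page in your browser” guidance first has to notice that it is being rendered inside one. The following Python is an added example (not Google’s policy logic) of that detection from the User-Agent header, using the documented default markers: Android WebView adds a “wv” token and a “Version/4.0” token to its Chrome-based UA, and WKWebView/UIWebView on iOS omit the “Safari/” token that Mobile Safari and SFSafariViewController carry. The sample UA strings are constructed. Apps can override their UA (WebView.setUserAgentString, WKWebView.customUserAgent), so this is a usability hint, never an access control.

```python
"""Heuristic embedded-webview detection from the User-Agent header.

Added example, not Google's policy logic. The sample UA strings are
constructed from the documented default formats. Markers: Android WebView
adds a "wv" token and a "Version/4.0" token to its Chrome-based UA;
WKWebView and UIWebView on iOS omit the "Safari/" token that Mobile Safari
and SFSafariViewController carry. Apps can override their UA, and iPadOS
desktop-mode UAs are not covered, so use this only to show "open in your
browser" guidance, never to gate access.
"""
import re
from typing import Iterable, List

_ANDROID_WV = re.compile(r"Android[^)]*;\s*wv\)")
_ANDROID_VERSION_TOKEN = re.compile(r"\bVersion/4\.0\b")
_IOS_DEVICE = re.compile(r"\((?:iPhone|iPad|iPod)[;)]")


def classify_user_agent(user_agent: str) -> str:
    """Return 'android-webview', 'ios-webview' or 'browser'."""
    ua = user_agent or ""
    if "Android" in ua and (_ANDROID_WV.search(ua) or _ANDROID_VERSION_TOKEN.search(ua)):
        return "android-webview"
    if _IOS_DEVICE.search(ua) and "AppleWebKit" in ua and "Safari/" not in ua:
        return "ios-webview"
    return "browser"


def is_embedded_webview(user_agent: str) -> bool:
    return classify_user_agent(user_agent) != "browser"


def flag_webview_hits(user_agents: Iterable[str]) -> List[str]:
    """Return only the UA strings that look like embedded webviews, e.g. to
    skim a day of access logs for clients that the policy will affect."""
    return [ua for ua in user_agents if is_embedded_webview(ua)]


# Constructed samples modelled on the documented default UA formats.
SAMPLE_UAS = {
    "android_chrome": "Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/92.0.4515.115 Mobile Safari/537.36",
    "android_webview": "Mozilla/5.0 (Linux; Android 11; Pixel 4 Build/RQ3A.210705.001; wv) "
                       "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                       "Chrome/92.0.4515.115 Mobile Safari/537.36",
    "ios_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/14.1.1 Mobile/15E148 Safari/604.1",
    "ios_wkwebview": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Mobile/15E148",
    "desktop_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36",
}

if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:16s} -> {classify_user_agent(ua)}")
```

Chrome Custom Tabs and SFSafariViewController present the full browser UA and are correctly classified as a browser, which is what you want: they are the compliant alternatives this post recommends.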

Captive portals

If your computer network intercepts network requests and redirects them to a web portal that supports authorization with a Google Account, your web content could be displayed in an embedded webview controlled by a captive network assistant. You should provide potential viewers instructions on how to access your network using their default web browser. For more information, see the Google Account Help article Sign in to a Wi-Fi network with your Google Account.

New IETF standards adopted by Android and iOS may help users access your captive pages in a full-featured web browser. Captive networks should implement Captive-Portal Identification in DHCP and Router Advertisements (RAs) (RFC 8910, Proposed Standard) to inform clients that they are behind a captive portal enforcement device when they join the network, rather than relying on traffic interception. Networks should also implement the Captive Portal API (RFC 8908, Proposed Standard) to direct clients quickly to the portal URL they must visit to access the Internet. For more information, see Captive portal API support for Android and Apple’s How to modernize your captive network developer articles.

Test for compatibility

If you’re a developer that currently uses an embedded webview for Google OAuth 2.0 authorization flows, be aware that embedded webviews will be blocked as of September 30, 2021. To verify whether the authorization flow launched by your application is affected by these changes, test your application for compatibility and compliance with the policies outlined in this post.

You can add a query parameter to your authorization request URI to test for potential impact to your application before September 30, 2021. The following steps describe how to adjust your current requests to Google’s OAuth 2.0 Authorization Endpoint to include an additional query parameter for testing purposes.

  1. Go to where you send requests to Google’s OAuth 2.0 Authorization Endpoint. Example URI: https://accounts.google.com/o/oauth2/v2/auth
  2. Add the disallow_webview parameter with a value of true to the query component of the URI. Example: disallow_webview=true

An implementation affected by the planned changes will see a disallowed_useragent error when loading Google’s OAuth 2.0 Authorization Endpoint, with the disallow_webview=true query string, in an embedded webview instead of the authorization flows currently displayed. If you do not see an error message while testing the effect of the new embedded webview policies your app’s implementation might not be impacted by this announcement.

Note: A website’s ability to request authorization from a Google Account may be impacted due to another developer’s decision to use an embedded webview in their app. For example, if a messaging or news application opens links to your site in an embedded webview, the features available on your site, including Google OAuth 2.0 authorization flows, may be impacted. If your site or app is impacted by the implementation choice of another developer please contact that developer directly.

User-facing warning message

A warning message may be displayed in non-compliant authorization requests after August 30, 2021. The warning message will include the user support email defined in your project’s OAuth consent screen in Google API Console and direct the user to visit our Sign in with a supported browser support article.

A screenshot showing an example Google OAuth authorization dialog including a warning message: To help protect your account, Google will soon block apps that don't comply with Google's embedded webview policy. You can let the app developer (moo@gmail.com) know that this app should stop using embedded webviews

Developers may acknowledge the upcoming enforcement and suppress the warning message by passing a specific query parameter to the authorization request URI. The following steps explain how to adjust your authorization requests to include the acknowledgement parameter:

  1. Go to where you send requests to Google’s OAuth 2.0 Authorization Endpoint. Example URI: https://accounts.google.com/o/oauth2/v2/auth
  2. Add an ack_webview_shutdown parameter with a value of the enforcement date: 2021-09-30. Example: ack_webview_shutdown=2021-09-30

A successful request to Google’s OAuth 2.0 Authorization Endpoint including the acknowledgement query parameter and enforcement date will suppress the warning message in non-compliant authorization requests. All non-compliant authorization requests will display a disallowed_useragent error when loading Google’s OAuth 2.0 Authorization Endpoint after the enforcement date.
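Both procedures above (the disallow_webview test switch and the ack_webview_shutdown acknowledgement) amount to adding one query parameter to the same authorization request. The following Python is an added example, not Google’s code, that composes that request for a native app with both switches, and parses the redirect back. Adding a PKCE code_challenge (RFC 7636) goes beyond what the post shows; RFC 8252 expects it for native apps. The client_id, loopback redirect URI and scopes are placeholders, and the redirect URLs fed to `parse_redirect()` are constructed.

```python
"""Google OAuth 2.0 authorization requests for a native app, with the two
query parameters described in this post.

Added example, not Google's code. The endpoint, disallow_webview=true and
ack_webview_shutdown=2021-09-30 come from the post. Adding a PKCE
code_challenge (RFC 7636) goes beyond the post; RFC 8252 expects it for
native apps. The client_id, redirect URI and scopes in the demo are
placeholders, and the redirect URLs fed to parse_redirect() are constructed.
"""
import base64
import hashlib
import secrets
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
ENFORCEMENT_DATE = "2021-09-30"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the token endpoint does: recompute S256(verifier) and compare."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorization_url(
    client_id: str,
    redirect_uri: str,
    scopes: List[str],
    state: str,
    code_challenge: str,
    *,
    test_webview_block: bool = False,
    acknowledge_shutdown: bool = False,
) -> str:
    """Compose the request the app hands to the system browser or Custom Tab."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if test_webview_block:
        # Pre-enforcement switch from the post: loaded in an embedded webview,
        # the endpoint shows disallowed_useragent instead of the consent page.
        params["disallow_webview"] = "true"
    if acknowledge_shutdown:
        # Suppresses the interim user-facing warning until the enforcement date.
        params["ack_webview_shutdown"] = ENFORCEMENT_DATE
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> Dict[str, str]:
    """Interpret the URL the browser was redirected back to.

    Returns {"code": ...} or {"error": ...}. A response whose state does not
    match ours is rejected outright: on a loopback or custom-scheme redirect
    any app on the device can deliver a URL, so state is what binds the
    response to the request we actually sent.
    """
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not bound to our request")
    if "error" in qs:
        return {"error": qs["error"][0]}
    if "code" in qs:
        return {"code": qs["code"][0]}
    raise ValueError("redirect carried neither code nor error")


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(
        client_id="YOUR_CLIENT_ID.apps.googleusercontent.com",  # placeholder
        redirect_uri="http://127.0.0.1:8080/",                  # RFC 8252 loopback redirect
        scopes=["openid", "email"],
        state=state,
        code_challenge=challenge,
        test_webview_block=True,
        acknowledge_shutdown=True,
    )
    print(url)
    # A real app opens `url` in the system browser or a Custom Tab, receives the
    # redirect on 127.0.0.1:8080, then exchanges the code together with `verifier`.
```

Drop `test_webview_block=True` once testing is done; it is only there to surface the disallowed_useragent error before the enforcement date, and leaving it on in production adds nothing once the block is universal.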

Related content

Amazon Connect Chat now supports Apple Business Chat (general availability)

With the Apple Business Chat integration in Amazon Connect, your customers can interact with you through the Messages app on their iPhone, iPad or Mac. Your customers now get an experience as familiar and convenient as chatting with a friend, while using full customer-service features such as interactive messages, for example to schedule appointments. Apple Business Chat makes it easy for your customers to talk to you whenever they tap your registered phone number on an Apple device. The Apple Business Chat integration lets you use the same configuration, analytics, routing and agent user interface you already use for Amazon Connect voice and chat.

AWS WAF adds 15 new text transformations

AWS WAF now supports 15 additional text transformations, which let you reformat web requests to remove unusual formatting or sanitize input before rule evaluation. They can also be used to uncover threats that attackers have obfuscated in an attempt to evade detection. The new text transformations can be used with WAF rule statements such as SQLi detection, string matching and regex pattern sets. You can chain up to 10 text transformations together in a single rule statement. Once configured, AWS WAF applies the transformations first, before evaluating the rule statement.
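To show why the order of transformations matters and what “applied before the rule statement” buys you, the following Python is an added example (not AWS code) that re-implements the documented behaviour of a few WAF transformations, chains them as a rule statement would, and runs a constructed UNION-based SQLi payload through them. The transformation names are WAF’s; the implementations are local stand-ins that may differ from WAF in edge cases, and the payload and rule pattern are constructed for the demo.

```python
"""Local model of a chain of AWS WAF text transformations applied before a
rule statement is evaluated.

Added example, not AWS code. It re-implements the documented behaviour of
URL_DECODE, HTML_ENTITY_DECODE, LOWERCASE, COMPRESS_WHITE_SPACE,
REPLACE_COMMENTS, REMOVE_NULLS and NONE closely enough to show why an
obfuscated payload only matches after the chain; WAF's own implementation
may differ in edge cases. The payload and rule pattern are constructed.
"""
import html
import re
from typing import Callable, Dict, List
from urllib.parse import unquote_plus

MAX_CHAIN = 10  # WAF accepts up to 10 transformations per rule statement

TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "NONE": lambda s: s,
    "URL_DECODE": unquote_plus,                     # %27 -> ', + -> space
    "HTML_ENTITY_DECODE": html.unescape,            # &#39; -> ', &lt; -> <
    "LOWERCASE": str.lower,
    # tabs, newlines, form feeds, NBSP and runs of spaces -> one space
    "COMPRESS_WHITE_SPACE": lambda s: re.sub(r"\s+", " ", s),
    # /* ... */ -> one space, so "UNION/**/SELECT" becomes "UNION SELECT"
    "REPLACE_COMMENTS": lambda s: re.sub(r"/\*.*?\*/", " ", s, flags=re.S),
    "REMOVE_NULLS": lambda s: s.replace("\x00", ""),
}


def apply_transformations(text: str, chain: List[str]) -> str:
    """Apply the named transformations in order (WAF applies them by priority)."""
    if len(chain) > MAX_CHAIN:
        raise ValueError(f"at most {MAX_CHAIN} transformations per rule statement")
    for name in chain:
        try:
            text = TRANSFORMS[name](text)
        except KeyError:
            raise ValueError(f"unknown transformation {name!r}") from None
    return text


# Stand-in for a regex-pattern-set statement looking for UNION-based SQLi.
SQLI_UNION = re.compile(r"\bunion\s+select\b")


def matches_after(text: str, chain: List[str], pattern: re.Pattern = SQLI_UNION) -> bool:
    """True if the pattern matches the *transformed* text, which is how WAF evaluates."""
    return pattern.search(apply_transformations(text, chain)) is not None


# Constructed query-string value: URL-encoded, mixed case, and an inline
# comment in place of the space between UNION and SELECT.
OBFUSCATED = "1%27%20UNION%2F%2A%2A%2FSeLeCt%20%2A%20FROM%20users"
EVASION_RESISTANT_CHAIN = ["URL_DECODE", "REPLACE_COMMENTS", "LOWERCASE", "COMPRESS_WHITE_SPACE"]

if __name__ == "__main__":
    print("raw match:    ", matches_after(OBFUSCATED, ["NONE"]))                   # False
    print("decoded only: ", matches_after(OBFUSCATED, ["URL_DECODE"]))             # False
    print("full chain:   ", matches_after(OBFUSCATED, EVASION_RESISTANT_CHAIN))    # True
    print("normalized:   ", apply_transformations(OBFUSCATED, EVASION_RESISTANT_CHAIN))
```

Order is not cosmetic: REPLACE_COMMENTS before URL_DECODE would see `%2F%2A%2A%2F` rather than `/**/` and leave the comment in place, so the decoded text would still evade the pattern.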

Support for additional MXF mezzanine output formats now available with AWS Elemental MediaConvert

AWS Elemental MediaConvert now supports creating AVC-Intra, VC3, and XAVC mezzanine formats carried in the MXF container. Often referred to as “intermediate” or “editing” file formats, these lightly compressed video codecs balance quality and performance by providing visually lossless compression, lightweight decoding requirements, and native editing and playback support in non-linear editing tools.

With 1,600 students by his side, Jack Lee grew the largest Google Developer Student Club in the world

Posted by Noa Havazelet, Program Manager, Google Developer Student Clubs, UK & Ireland

With 1,600 students by his side, Jack Lee grew the largest Google Developer Student Club in the world in just 6 months at the London School of Economics (LSE). A life-long athlete, who loves leading teams, Jack saw that reigniting his university’s GDSC would be a great opportunity to have a large impact on the local tech scene. With a heavy focus on partnerships, Jack connected members of his club with leaders at top companies and other student groups across Scotland, France, Norway, Canada, and Nigeria. These collaborations enabled students to practice networking, while gaining access to key internships.

Learn more about Jack and his club below.

Image of Jack Lee

Image of Jack Lee speaking at a GDSC event

Student-to-student mentorship with impact

Leaders like Jack Lee make Google Developer Student Clubs around the world special by providing a trusted and fun space for student-to-student mentorship. When students step up to help their peers, a strong camaraderie and support system forms beyond the classroom.

One of the secrets to Jack’s success was to appeal to both computer science students as well as those with a non-technical background, like business majors. To inspire more students with different backgrounds to join the club, Jack put together a team of additional student leaders. Under his leadership, this team had the freedom to independently build tech-focused events that would interest students across the university.

Image of GDSC LSE team

After the first semester, Jack’s approach was working. They hosted over 80 events, covering a wide range of topics including front end web development and career talks with financial firms.

The intersection of students with different backgrounds inspired club members to work together on community projects, utilizing their different skills. In fact, a few club members formed teams to tackle one of the United Nations’ 17 Sustainable Development Goals. As part of the Google Developer Student Clubs 2021 Solution Challenge, students from the London School of Economics developed prototype solutions for NGOs on 1) wildfire analysis using TensorFlow, 2) raising donations and grant access, and 3) increasing voter registrations.

As more students continued to join their GDSC, Jack decided to up the tempo to keep the momentum going.

Connecting students to companies

Since the London School of Economics is not primarily a tech-focused university, Jack requested support from a team at Google for Startups. Together they reached out to some of the world’s largest firms and startups to collaborate on events and specialized programs for the student club. Jack’s GDSC established relationships with 6 partners and 3 local sponsors from startups, NGOs, and financial firms. All these partners contributed to nearly 30 events throughout the academic year, which included:

  • Introductory Python courses
  • Mentorship sessions
  • Networking events
  • Talks with CEOs
  • Panel talks across industries

These events started catching the attention of students across Europe and Asia, with some students who could not afford to attend university reaching out for technical learning resources and opportunities.

Connecting 150 students to mentors from different startups is one of the achievements that makes Jack and the club leaders most proud.

This is yet another example of how Jack’s determination to grow a stronger community led him to build a global Google Developer Student Club that left a profound impact on his fellow students.

If you’re also a student and want to join a Google Developer Student Club community like this, find one near you here.

Pride Week with Google Developer Group Floripa

Posted by Rodrigo Akira Hirooka, Program Manager, Google Developer Groups Latin America

Lorena Locks is on a mission to grow the LGBTQIA+ tech community in Brazil. Her inspiration came from hosting Google Developer Group (GDG) Floripa meetups with her friend Catarina, where they were able to identify a need in their community.

“We felt there wasn’t a forum to meet people in the tech industry that reflected ourselves. So we decided to think bigger.”

Image from GDG Floripa event

Image from GDG Floripa event

Pride Week at GDG Floripa, Brazil

As a Women Techmakers Ambassador and Google Developer Group lead in Floripa, Brazil, Lorena worked with the local community to create a week of special events, including over 12 talks and sessions centered on empowering the LGBTQIA+ experience in tech.

The events took place every night at 7pm from June 21st – 25th and focused on creating inclusive representation and building trust among developer communities.

Lorena’s commitment to this underrepresented group gained the attention of many local leaders in tech who identify as LGBTQIA+ and volunteered as speakers during Pride Week.

By creating spaces to talk about important LGBTQIA+ topics in tech, Pride Week with Google Developer Groups Floripa included sessions on:

  • Spotting binary designs in products
  • How to build inclusive tech teams
  • Being an LGBTQIA+ manager
  • Developing ‘Nohs Somos’, an app for the LGBTQIA+ community
  • The best practices for D&I
  • General Personal Data Protection Law and inclusive gender questions on forms

Image from event

Speakers in photo: Lorena Locks and Catarina Schein

With one hundred percent of the speakers at these events coming from the LGBTQIA+ community, Pride Week at GDG Floripa was a high-impact program that has gone on to inspire GDGs around the world.

If you want to learn more about how to get involved in Google Developer Group communities like this one, visit the site here.

Amazon Connect launches an API to configure quick connects programmatically

Amazon Connect now provides an API to create and manage quick connects programmatically. Quick connects are a way to create preconfigured destinations for common transfers and make them available to agents. Using this API, you can programmatically configure thousands of quick connects to agents, queues and phone numbers. You can also now delete quick connects that are no longer needed using the delete API. For more information, see the API documentation. The quick connects API is also supported by AWS CloudFormation. For more information, see the Amazon Connect resource type reference in the AWS CloudFormation User Guide.

CloudWatch adds 14 new metric math functions

Amazon CloudWatch Metric Math now supports 14 new functions, including RUNNING_SUM, TIME_SERIES and DATAPOINT_COUNT. Also supported are two new fill variants, two logarithmic functions, two functions for computing the difference between consecutive data points, and five time functions. With CloudWatch Metric Math, you can aggregate and transform metrics to create custom visualizations of health and performance metrics. The new functions announced today let you view the logarithmic values of a metric, better visualize how latency changes over time, and compute the cumulative sales of a product.