The new app is signed by "CN=Spotify, OU=Android, O=Spotify, L=Stockholm, ST=Stockholm, C=SE", the old one was signed by "CN=Anders Bond, OU=Mobile, O=Spotify, L=Stockholm, ST=Sweden, C=SE". The new key was generated on 2014/05/24.
I think if the signing keys had been compromised they could have released an update to the existing app, instead of having to list a new one. Wouldn't it be more likely that just the google play credentials (or api keys) have been compromised?
You can't update an app signed with key X to an app (.apk) signed with key Y. The package names must be different, otherwise you get a nasty error and you cannot update. Their users would be forced to uninstall the old app and reinstall the new one.
And also scroll down and note that the size is 14MB - i.e. com.spotify.music is the new one.
Anyway, whilst you had that wrong, I had misunderstood. I think Shank was saying that the signing keys for com.spotify.mobile.android.ui were stolen which is why they then changed it to com.spotify.music - which is a reasonable explanation. I had thought that he meant the attacker uploaded com.spotify.music or something.
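An added example (not code from the thread, Spotify or Android) that models the two points above: which attributes differ between the two signing-certificate subjects quoted earlier, and the package manager rule that an update must carry the same signing certificate as the installed package (same package name + different signer is rejected; a different package name simply installs alongside). Certificate bytes and fingerprints below are constructed placeholders.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Subject strings as quoted in the thread.
OLD_DN = "CN=Anders Bond, OU=Mobile, O=Spotify, L=Stockholm, ST=Sweden, C=SE"
NEW_DN = "CN=Spotify, OU=Android, O=Spotify, L=Stockholm, ST=Stockholm, C=SE"


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a comma-separated X.500 subject string into attribute -> value."""
    parts: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts[key.strip()] = value.strip()
    return parts


def dn_diff(a: str, b: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return only the attributes whose values differ between two subjects."""
    pa, pb = parse_dn(a), parse_dn(b)
    return {k: (pa.get(k), pb.get(k))
            for k in sorted(pa.keys() | pb.keys()) if pa.get(k) != pb.get(k)}


def cert_fingerprint(cert_der: bytes) -> str:
    """Android compares the signer certificate itself; a SHA-256 over the
    DER bytes is a convenient stand-in for that identity here."""
    return hashlib.sha256(cert_der).hexdigest()


def install_decision(installed: Optional[Dict[str, str]],
                     candidate: Dict[str, str]) -> str:
    """Model of the package manager's three outcomes for an incoming APK.

    installed/candidate are {'package': name, 'cert_fp': fingerprint}.
    """
    if installed is None or installed["package"] != candidate["package"]:
        return "NEW_INSTALL"  # different (or no) package: installs side by side
    if installed["cert_fp"] != candidate["cert_fp"]:
        return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"  # same name, new signer
    return "UPDATE"


# Constructed stand-ins for the old and new signing certificates.
OLD_FP = cert_fingerprint(b"constructed-old-cert-der")
NEW_FP = cert_fingerprint(b"constructed-new-cert-der")
OLD_APP = {"package": "com.spotify.mobile.android.ui", "cert_fp": OLD_FP}
```

Running `install_decision(OLD_APP, {"package": "com.spotify.mobile.android.ui", "cert_fp": NEW_FP})` shows why a re-signed build of the old package could not have shipped as an update.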
The reviews are a disaster though. I know those people are just the minority of morons who don't understand what's going on, but holy shit they shout loud. As a Spotify Premium customer I hope it doesn't cause them any major issues.
Not necessarily, the app could be installed outside of Google Play. A user could click on a malicious web link that would download the application and prompt them to install, much like https://m.spotify.com/us/ allows the user to do.
The complete lack of concrete information and the fact that the "incident" applies to only one user suggests something was discovered that triggered the company lawyers to engage cover-your-ass mode.
The alternative explanation would be that Spotify has adopted a total transparency policy that includes even the smallest of incidents, but the total lack of information about what the Android update actually changes doesn't support that.
Given that they are only urging Android users to update, it looks like this isn't a new version, but rather a hotfix for some issue that only existed in the Android app.
Anecdotal I know, but interestingly I also received one last week. I've had the account since Spotify was in private beta and this has happened only once before that I recall.
Interesting note at the end about offline playlists having to be re-downloaded. That, and the phrase 'internal company data', has me curious if the breach was some kind of theft of media, as opposed to user credentials and info.
I don't think the playlist thing is related to the breach at all.
This is likely just a side effect of the new version being an entirely new Android app instead of an upgrade to the existing one. If the local playlist data and/or offline settings were sandboxed to the old app, a new app wouldn't be able to access it.
Offline playlists are encrypted by Spotify. Presumably this change means that the encryption keys used by Spotify to store offline data were compromised.
Actually, it looks like the "upgrade" is actually a new app entirely, so it's probably just that since it's a new app, the offline data has to be regenerated.
That makes sense to me as it's unusual to make such a public announcement when just one user's data has been compromised and it didn't include any personal or payment information. It sounds like something Spotify are worried about that likely won't harm actual users, and media theft seems like a decent conclusion.
If that was the case I don't think they would bother writing that blog post. Why on earth would a user 'care' about another user 'stealing his digital media', when it's just 'songs' that are not even owned, but basically 'rented' on a monthly fee.
I think the point here is if your data has been breached you should be reassuring people that password and payment details even if accessed aren't easily readable.
This phrase seems to appear often in press releases and I feel that it usually indicates the opposite. If you feel the need to SAY that, it's probably because you've done something that implies you don't.
Attention: Not everyone is tech-savvy, tech-anything, or security-anything. Saying "Security breach, no biggie" is not a proper way to communicate with the general public about a service for which they pay.
- Scope of breach? Check
- Actions taken? Kind of (investigating, patching apps)
- Actions required by users? Check
- Reassurance that everything will be alright, stop cancelling your credit cards? Check
The most interesting part to me is that the comments rant about the new app instead of discussing the security issue. Their users really want to be heard. Those are dedicated users whose hatred for the app is fueled by love for the product or company. Spotify should at least let them know that they're listening.
So that eBay users can continue to enjoy a reliable and secure experience on our site, we are asking all our members to change their password.
Here is why: we recently discovered that our computer network had been the target of a cyberattack. This attack resulted in the compromise of a database containing eBay users' passwords.
It is important to stress that there is no indication that your financial data was accessed or compromised. Moreover, your password was encrypted. "
It has the package name 'com.spotify.mobile.android.ui'.
The new one is 'Spotify Music,' which appears to be brand new. https://play.google.com/store/apps/details?id=com.spotify.mu...
It has the package name 'com.spotify.music.'
To me, this indicates that the signing keys for the Android app were also stolen during the breach.