Snapchat testing TikTok-style music feature to release later this year, report says – CNET

Snapchat's new feature will make the app more musical. 

Snapchat

Snapchat app users will soon be able to add songs to their videos. Snap, parent company of Snapchat, has reportedly inked music rights deals with several major music companies, including Warner Music Group, Universal Music Publishing Group and Merlin.

Snap will test the new feature in New Zealand and Australia starting Monday, according to an earlier report from Bloomberg, with a wider release scheduled for later this year. 

The feature will let your friends send you Snaps with music. You'll be able to view the album art, song title and name of the artist. In addition, a link to play the song will open a web view to Linkfire so you can listen to the full song on your favorite music streaming platform like Spotify, Apple Music and SoundCloud, according to a release from Snapchat. 

When your friend sends you a Snap with music, swipe up to view the album art, song title and name of the artist. A "Play This Song" link will open a web view to Linkfire so you can listen to the full song on your favorite streaming platform (like Spotify, Apple Music and SoundCloud). Snapchat is designed to be a communication tool for close friends, and there is tremendous value in friend-to-friend music recommendations. Snapchatters will be able to form an even deeper connection to the artists and songs they love, both on and off platform.  

"We're always looking for new ways to give Snapchatters creative tools to express themselves. Music is a new dimension they can add to their Snaps, that helps capture feelings and moments they want to share with their real friends," a Snapchat spokesperson said in an emailed statement on Monday.

Snapchat's new feature might be the company's attempt to take on the quirky video app TikTok, which has been making headlines as the Trump administration eyes a ban.

Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites

On July 13, 2020, our Threat Intelligence team was alerted to a recently patched vulnerability in Newsletter, a WordPress plugin with over 300,000 installations. While investigating this vulnerability, we discovered two additional, more serious vulnerabilities, including a reflected Cross-Site Scripting (XSS) vulnerability and a PHP Object Injection vulnerability.

We reached out to the plugin’s author on July 15, 2020, and received a response the next day. After we provided full disclosure on July 16, 2020, the plugin’s author released a patch the next day, on July 17, 2020.

A firewall rule to protect against the Reflected Cross-Site Scripting vulnerability was released to Wordfence Premium customers on July 15, 2020 and will become available to free Wordfence users 30 days later, on August 14, 2020.

Although the PHP Object Injection vulnerability would require additional vulnerable software to be installed, and our built-in PHP Object Injection protection would have protected against the most common exploits, we determined that a bypass was possible. Out of an abundance of caution, we created an additional firewall rule and released it to Wordfence Premium users on July 28, 2020. The PHP Object Injection firewall rule will become available to free Wordfence users on the same date as the XSS rule for this plugin, on August 14, 2020.


Description: Authenticated Reflected Cross-Site Scripting (XSS)
Affected Plugin: Newsletter
Plugin Slug: newsletter
Affected Versions: < 6.8.2
CVE ID: Pending
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Fully Patched Version: 6.8.2

The Newsletter plugin includes a full-featured visual editor that can be used to create visually appealing newsletters and email campaigns. It uses an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. Unfortunately, the vulnerable versions did not filter these options, but passed them on to a second function, restore_options_from_request, which used multiple methods to decode the options that were passed in before displaying them using the render_block function.

    function tnpc_render_callback() {
        $block_id = $_POST['b'];
        $wrapper = isset($_POST['full']);
        $options = $this->restore_options_from_request();

        $this->render_block($block_id, $wrapper, $options);
        wp_die();
    }

As such, it was possible for an attacker to get malicious JavaScript to display in multiple ways. The simplest method would involve sending a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render, the b parameter set to html, and the options parameter set to arbitrary JavaScript. Alternatively, a similar request with the options parameter set to an empty array options[]= and the encoded_options parameter set to a base64-encoded JSON string containing arbitrary JavaScript would also result in JavaScript being rendered in a logged-in user’s browser.

            if (isset($_POST['encoded_options'])) {
                $decoded_options = $this->options_decode($_POST['encoded_options']);
                // ...

    function options_decode($options) {

        // Start compatibility
        if (is_string($options) && strpos($options, 'options[') !== false) {
            $opts = array();
            parse_str($options, $opts);
            $options = $opts['options'];
        }
        // End compatibility

        if (is_array($options)) {
            return $options;
        }

        $tmp = json_decode($options, true);
        if (is_null($tmp)) {
            return json_decode(base64_decode($options), true);
        } else {
            return $tmp;
        }
    }

We discussed Reflected XSS vulnerabilities in a previous post. Despite the fact that they require an attacker to trick a victim into performing a specific action (such as clicking a specially crafted link), they can still be used to inject backdoors or add malicious administrative users. If an attacker tricked a victim into sending a request containing a malicious JavaScript using either of these methods, the malicious JavaScript would be decoded and executed in the victim’s browser.
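The decoding paths above all produce the same array, so escaping has to happen after options_decode() has run, not on the raw request value. The following is an added example, not the plugin's code or its patch: options_decode() follows the excerpt above, while escape_options() and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. options_decode() follows the excerpt
// above; escape_options() and the sample inputs are constructed.

function options_decode($options) {
    // Legacy form: a query string such as "options[html]=..."
    if (is_string($options) && strpos($options, 'options[') !== false) {
        $opts = array();
        parse_str($options, $opts);
        $options = $opts['options'];
    }
    if (is_array($options)) {
        return $options;
    }
    // Plain JSON first, then base64-encoded JSON.
    $tmp = json_decode($options, true);
    if (is_null($tmp)) {
        return json_decode(base64_decode($options), true);
    }
    return $tmp;
}

// Escape every string leaf (and every key) for an HTML context.
// Anything that is neither an array nor a scalar is dropped.
function escape_options($value) {
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $safeKey = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
            $clean[$safeKey] = escape_options($item);
        }
        return $clean;
    }
    if (is_string($value)) {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return is_scalar($value) ? $value : null;
}

// Constructed sample: one harmless marker value sent three different ways.
$marker = '<script>alert(1)</script>';
$json   = json_encode(array('html' => $marker));
$inputs = array(
    'json'         => $json,
    'base64(json)' => base64_encode($json),
    'query string' => 'options[html]=' . rawurlencode($marker),
);

$expected = '&lt;script&gt;alert(1)&lt;/script&gt;';
foreach ($inputs as $label => $raw) {
    // What a check on the undecoded value would see.
    $rawShowsMarkup = strpos($raw, '<') !== false;

    $decoded = options_decode($raw);
    $escaped = escape_options($decoded);

    // Every transport must decode to the same value and escape to inert text.
    if ($decoded['html'] !== $marker || $escaped['html'] !== $expected) {
        throw new RuntimeException("unexpected result for $label");
    }
    printf(
        "%-13s raw contains '<': %-3s  escaped: %s\n",
        $label,
        $rawShowsMarkup ? 'yes' : 'no',
        $escaped['html']
    );
}
```

In a real block renderer the escaping function depends on where each option is output (HTML body, attribute, URL), so a single htmlspecialchars() pass is a floor, not a complete policy.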


Description: PHP Object Injection
Affected Plugin: Newsletter
Plugin Slug: newsletter
Affected Versions: < 6.8.2
CVE ID: Pending
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 6.8.2

Although the Newsletter editor did not allow lower-level users to save changes to a given newsletter, the same tnpc_render_callback AJAX function was still accessible to all logged-in users, including subscribers. This introduced a PHP Object Injection vulnerability via the restore_options_from_request function. This function unserialized data passed in via the options[inline_edits] parameter. As such, an attacker logged in as a subscriber could send a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render and the options[inline_edits] parameter set to a serialized PHP object.

        if (isset($_POST['options']) && is_array($_POST['options'])) {
            // Get all block options
            $options = stripslashes_deep($_POST['options']);

            // Deserialize inline edits when
            // render is performed on saving block options
            if (isset($options['inline_edits']) && is_serialized($options['inline_edits'])) {
                $options['inline_edits'] = unserialize($options['inline_edits']);
            }
            // ...
        }

Although the Newsletter plugin itself did not use any code that would allow additional exploitation, this vulnerability could be used to inject a PHP object that might be processed by code from another plugin or theme and used to execute arbitrary code, upload files, or any number of other tactics that could lead to site takeover.

How does PHP Object Injection Work?

PHP can make use of a method called “serialization” to store complex data. In most cases serialized data consists of key => value arrays, for example:

    a:2:{s:11:"productName";s:5:"apple";s:5:"price";i:10;}

This serialized data sample includes a productName property which is set to apple and a price property which is set to 10.

Serialized data is useful for storing settings in bulk, and many WordPress settings are stored as serialized data. Unfortunately, serialized data can also cause a security issue because it can be used to store PHP objects.

What are PHP objects?

Most modern PHP code is object oriented, meaning that code is organized into “classes.” These classes act like a basic template containing both variables (referred to as “properties”) and functions (referred to as “methods”). A running program can then create “objects” based on these templates, or classes. This not only creates a clear, concise structure for handling data, making code easier to maintain, it also allows the same code to be reused for multiple similar tasks.

For instance, an online store could use a single class for products with properties (variables) including $price and $productName, and create a different object for each product. Each object would use the same function (method) to calculate tax, but could use a different price and product name.

If a plugin unserializes data provided by users without sanitizing that user’s input, then an attacker can send a specially crafted payload that would be unserialized into a PHP object.

On its own, an injected PHP object is not particularly dangerous. This changes, however, if the class it is based on uses so-called “magic methods”.

What are magic methods?

Magic methods are special functions that can be added to a class that describe what it should do when certain events happen.

For instance, the __destruct function is used in many classes to “clean up” once an object is done being used, and in many cases it does this by deleting files.

Here’s a very basic example of a vulnerable class that calculates product prices, stores a log, and deletes the log when it’s done:

class Product{

    public $price;
    public $productName;
    public $savedPriceFile;

    function __construct($price, $productName){
        $this->price=$price;
        $this->productName=$productName;
        $this->savedPriceFile=$productName."pricefile.log";
    }

    function calculateTotal($quantity) {
        $total=$this->price * $quantity;
        echo ($total);
        file_put_contents($this->savedPriceFile, $total);
    }

    function __destruct(){
        unlink($this->savedPriceFile);
    }

}

If this code was running on a site that also had a PHP Object Injection vulnerability, an attacker could delete the wp-config.php file containing the WordPress site’s core configuration settings by sending a payload similar to the following:

O:7:"Product":3:{s:5:"price";i:2;s:11:"productName";s:6:"apples";s:14:"savedPriceFile";s:13:"wp-config.php";}

This would inject a Product object, with the $productName set to apples, the $price set to 2, and a $savedPriceFile property set to wp-config.php. Even though the object might not be used by anything else, eventually the __destruct function would run, deleting whatever $savedPriceFile was set to. In this case, the deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site’s new configuration to a remote database under their control.

Successfully exploiting this chain of events, also known as a “POP chain”, does require some degree of effort, since it requires:

  • Code that unserializes user input (an Object Injection vulnerability).
  • Code that uses a magic method in an insecure way.
  • Both of these need to be loaded at the same time.

Due to the fact that many plugins and themes load some, or all, of their classes on each request to the site, this is not as great of a restriction as it might appear. Additionally, although insecure usage of these “magic methods” is less common than it was in the past, such usage is not considered a vulnerability on its own since it requires the presence of a PHP Object Injection vulnerability to exploit.

Finally, although an attacker might need to know which plugins are installed in order to tailor their attack to a given POP chain, it is often fairly simple to determine this with scanning tools. The good news is that such vulnerabilities are difficult to automatically exploit in bulk, except in cases where a PHP Object Injection vulnerability and an insecure magic method are both used in the same plugin.
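The contrast between unserializing into live objects and refusing class instantiation can be seen with the article's Product class. This is an added example, not code from the plugin or from the article's authors: Product is reduced to its destructor, and the canary temp file, the helper names and both decode functions are constructed for illustration (the allowed_classes option requires PHP 7.0 or later).

```php
<?php
// Added example, not code from the plugin or the article's authors.
// Product is the article's class reduced to its destructor; the canary file
// and all helper functions below are constructed for illustration.

class Product {
    public $price;
    public $productName;
    public $savedPriceFile;

    function __destruct() {
        if (is_string($this->savedPriceFile) && is_file($this->savedPriceFile)) {
            unlink($this->savedPriceFile);
        }
    }
}

// Serialize a Product that points at $file, then disarm the local instance
// so that its own destructor leaves the file alone.
function serialized_product($file) {
    $p = new Product();
    $p->price = 2;
    $p->productName = 'apples';
    $p->savedPriceFile = $file;
    $data = serialize($p);
    $p->savedPriceFile = null;
    return $data;
}

// True if $value is, or contains, any object, including the
// __PHP_Incomplete_Class placeholders PHP creates for refused classes.
function contains_object($value) {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// The pattern from the excerpt: any class loaded in the process can be built.
function decode_unsafe($data) {
    return unserialize($data);
}

// Hardened: no class is ever instantiated, and only plain arrays are accepted.
function decode_arrays_only($data) {
    $value = @unserialize($data, array('allowed_classes' => false));
    return (is_array($value) && !contains_object($value)) ? $value : null;
}

// Harmless stand-in for a file the destructor would remove.
$canary  = tempnam(sys_get_temp_dir(), 'poi');
$payload = serialized_product($canary);

// Unsafe path: the object is never used, yet its destructor still runs.
$obj = decode_unsafe($payload);
unset($obj);
clearstatcache();
$unsafeDeleted = !file_exists($canary);

// Hardened path: same input, no Product object, no destructor call.
touch($canary);
$rejected = decode_arrays_only($payload);
clearstatcache();
$hardenedKept = ($rejected === null) && file_exists($canary);

// Ordinary settings arrays still decode normally.
$settings = decode_arrays_only(serialize(array('productName' => 'apple', 'price' => 10)));
unlink($canary);

if (!$unsafeDeleted || !$hardenedKept || $settings['price'] !== 10) {
    throw new RuntimeException('unexpected result');
}
printf("unsafe unserialize removed canary: %s\n", $unsafeDeleted ? 'yes' : 'no');
printf("arrays-only decode kept canary:    %s\n", $hardenedKept ? 'yes' : 'no');
```

Where the stored format is under the developer's control, json_encode() and json_decode() avoid the problem entirely, because JSON decoding never instantiates application classes.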

Timeline

July 13, 2020 – Our Threat Intelligence Team begins investigating a recently patched vulnerability in the Newsletter plugin.
July 14, 2020 – During our investigation, we discover 2 unpatched vulnerabilities.
July 15, 2020 – We release a firewall rule for the reflected XSS vulnerability to Wordfence Premium users and reach out to the plugin’s author.
July 16, 2020 – We receive a response from the plugin’s author and provide full disclosure.
July 17, 2020 – Plugin author releases a patch for both vulnerabilities.
July 28, 2020 – We determine that an additional firewall rule is necessary to ensure full coverage for the PHP Object Injection vulnerability and release it to Wordfence Premium users.
August 14, 2020 – Both firewall rules become available to free Wordfence users.

Conclusion

In this blog post, we discussed 2 vulnerabilities in the Newsletter plugin, including a reflected XSS vulnerability and a PHP Object Injection vulnerability. We also explained what PHP Object Injection vulnerabilities are and how they can be exploited.

We strongly recommend updating to the latest version of the Newsletter plugin as soon as possible. As of this writing, that is version 6.8.3.

Wordfence Premium users have been protected against the majority of potential attacks since July 15, 2020, and have been fully protected since July 28, 2020. Sites still running the free version of Wordfence will receive firewall rules protecting against both vulnerabilities on August 14, 2020.

Special thanks to Stefano Lissa & The Newsletter Team for their rapid response in patching these vulnerabilities.

The post Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites appeared first on Wordfence.

An American Pickle Might Have Been Fresher in the 2010s

In April, the actress Julie Nolke uploaded a video called “Explaining the Pandemic to My Past Self” to YouTube. The premise: A cheerful, optimistic Nolke from January of this year receives a visit from Nolke from April Covid-19 quarantine, and she grows increasingly horrified as her future self recounts the first few months of annus horribilis. It went viral. Two months later, she uploaded a sequel, with her June 2020 self explaining to her April 2020 self how rapidly the world had shifted once again with the rising movements to protest systemic racism and police brutality. The sketches capture the whiplash of living through a time of accelerated change, and they serve as snapshots of very particular moments in time. But both come off as dated now, just four months and two months after they were written. Life, as they say, comes at you fast.

The new comedy An American Pickle is also about the challenge of explaining the new world to someone from the past. Adapted from a serialized novella by Simon Rich called Sell Out, An American Pickle is first and foremost a goofy Rip Van Winkle update (or Encino Man update) with Seth Rogen as a cranky old-time Jewish man named Herschel Greenbaum, who comes to the United States around 1919, takes a job at a pickle factory in Williamsburg killing rats, and subsequently gets stuck in a pickle vat for a century. Rogen also plays Ben Greenbaum, Herschel’s gentle yuppie great-grandson, who is surprised and pleased when Herschel is discovered alive in the vat a hundred years after falling in, perfectly preserved by the brine.

Herschel and Ben move in together, and quickly shift from long-lost family tentatively forging a bond to bitter nemeses intent on destroying one another. (Herschel, accustomed to the dismal tribulations of peasant life in the fictional Eastern Europe country of Schlupsk, scoffs at Ben’s fixation on creating a mobile app named Boop Bop and his reluctance to outwardly mourn his dead family; Ben resents Herschel for ruining a business opportunity.) They feud. They reconcile. We laugh. (Mostly at Herschel, who gets all the best lines. He marvels over seltzer and extra pairs of socks with an infectious, unfettered glee. His rationale for being a shoo-in for running a pickle business is “I was pickle.”)

Occasionally, An American Pickle suffers from a sensation that pivotal scenes have been cut from the narrative; the way the men jump into a fairly vicious rivalry feels abrupt, as though a few moments of emotional connective tissue got excised. But the thread of leaning on family to process grief is touching, and Rogen manages to make Herschel and Ben’s longing to connect feel real. The movie is frequently funny, sometimes sweet, and never particularly deep, but it does have a uniquely odd relationship to time that gives it a peculiar extra layer. Call it the proprietary brine.

Simon Rich adapted the screenplay from Sell Out, and he made some substantial changes—in the original, the Ben character is named “Simon Rich,” and he’s a sniveling screenwriter rather than a good-hearted freelance mobile app developer—but what he didn’t change gives the movie an off-kilter feel. The Brooklyn stereotypes An American Pickle is trying to skewer might’ve been fresh when Sell Out was written, but they are now long past their expiration date, to the point where they’re distracting.

There are jokes about too many types of non-dairy milks (“They’re milking everything these days!”), kombucha, and silly app names that could’ve been culled from Portlandia’s first-season reject pile. “Let’s go to Smorgasburg!” Ben chirps, babbling about jackfruit nachos. There’s an extended gag about keener college kids eagerly serving as unpaid interns, which comes off like a misguided attempt at ragging on millennials rather than anything resembling a spoof on Gen Z, who are the people in college today. And the north Williamsburg that Herschel conquers in 2019 is somehow still filled with bloggers and devoid of the finance bros and Australians who actually sunbathe in Domino Park nowadays. To make matters stranger, none of this is really necessary to the plot. Why doesn’t Herschel simply fall into the vat in 1913 and get awakened in 2013? The adjustments would’ve been simple enough to make. But oh well. An American Pickle is all the more interesting for its screwy universe where copies of A Field Guide to the Urban Hipster never stopped flying off shelves.

Verizon strikes roaming deal to allow for 5G use in South Korea – CNET

Verizon users traveling to South Korea will be able to take advantage of 5G if they have the right device. 

Angela Lang/CNET

Verizon is expanding its 5G service, at least for those who are traveling internationally. On Monday the wireless giant announced that it has reached a deal with South Korean wireless provider LG U Plus that lets those visiting South Korea take advantage of 5G abroad. 

Verizon says that those traveling will be able to use South Korea's 3.5 GHz midband 5G network, on which the US carrier says its tests saw average download speeds of 252 Mbps and upload speeds of 119 Mbps. 

Verizon says a "compatible device" is required, though it is unclear if the carrier's current 5G portfolio will be able to take advantage of international roaming or if users will need a newer 5G device. 

CNET has reached out to Verizon for more details and will update if they respond. 

Users will also need to have a compatible Verizon 5G unlimited plan at home to be able to take advantage of 5G abroad. Verizon currently charges $10 per day for a TravelPass to use your phone internationally, though that slows high-speed data after half a gigabyte is used.  

The home country for Samsung and LG, South Korea is seen as one of the leading countries when it comes to deploying 5G. According to a June report from research firm OpenSignal, the country's three major wireless carriers -- KT, LG U Plus and SK Telecom -- had 7 million customers on 5G, up from 6.3 million users at the end of April.

While most people are currently staying home, the announcement marks the first time a US carrier has reached a roaming agreement to allow for 5G to be used abroad. 

Verizon, which plans to launch a nationwide low-band network in the US later this year to go along with its higher-frequency millimeter-wave 5G offering, says preparations for 5G roaming trials with other countries are "underway." 

How to Watch: State of Play will showcase upcoming PS4 games on Thursday – CNET

The livestream will focus on upcoming PS4 and PS VR games, rather than PS5 ones.

Sony

Sony will showcase some upcoming third-party games for PS4 and PS VR in a 40-minute State of Play stream this Thursday. It'll also give us updates on some third-party PS5 games it revealed previously, and is happening at 1 p.m. PT (4 p.m. ET/9 p.m. BST/6:00 a.m. Friday AEST).

The livestream will be available on PlayStation's YouTube and Twitch channels, but we'll embed it in this article when the time comes. The company warned us not to expect any major PS5 announcements.

"And just to be super clear — there will be no PlayStation Studios updates in Thursday's episode," Sid Shuman, a senior director on its marketing team, wrote in a blog post. "There won't be any updates around hardware, business, preorders, or dates either." 

So we won't be getting any fresh Spider-Man: Miles Morales, Ratchet and Clank: Rift Apart or Horizon Forbidden West footage this week.

We’re giving away a 75-inch Hisense H8G 4K TV* – CNET

This 75-inch Hisense H8G 4K TV could be yours*

We've teamed up with CBS Sports and Fantasy Football Today to give away not one, but two 4K Smart TVs courtesy of Hisense. Our grand prize winner will take home a 75-inch Hisense H8G Quantum Dot 4K ULED Android Smart TV, priced at $1,300. The first prize winner will receive a 55-inch Hisense H8G, priced at $500. The H8G Hisense Quantum Smart TV features Google Assistant connectivity, a voice-controlled remote, Dolby Vision HDR, and Dolby Atmos for enhanced image quality and audio. 

Looking to be one of our lucky winners? You just have to read the official rules, accept the terms and conditions, and fill out the form below. If you're having trouble viewing the form from your mobile device, follow this link. Otherwise, make sure your ad blocker is disabled and refresh the page.

You can unlock extra entries and increase your chances of winning by checking out our podcast and following us on YouTube, Instagram, Facebook and more. Good luck everyone!

Frozen Mars? Ancient valleys show planet may have been covered in ice – CNET

Scientists think Mars may have been more icy than previously believed.

Getty Images

Mars, 2020: Cold, dusty and, except for a growing cadre of robotic explorers, not particularly lively. Today, the planet's southern highlands are crisscrossed by deep valleys, surface features believed to have formed by ancient rivers and oceans. But new research suggests the valleys may have formed underneath glaciers, strengthening the idea our planetary neighbor was partly frozen in its formative years. 

The study, published in the journal Nature Geoscience on Monday, suggests that ancient Mars may not have been warm and wet as planetary scientists have previously suggested. Instead, the Mars of old was partly frozen over, with large ice sheets occurring in the south. The new hypothesis is based on an analysis of over 10,000 different valleys from 66 different valley networks. 

"Since Mars's valleys were first discovered, the assumption was that rivers once flowed on Mars, eroding and originating all of these valleys," said Anna Grau Galofre, a planetary scientist at Arizona State University and first author on the study, in a press release.  

The valleys had been previously imaged using instruments aboard NASA's Mars Global Surveyor spacecraft and the European Space Agency's Mars Express, and their characteristics such as length, width and angles were measured by the research team. Valleys are generally carved into a planet by water -- the constant force of H2O grinds away at the soil and sediment, eventually creating huge rifts -- but this can happen in a number of ways. Rivers and streams, yes, but also underneath glaciers, where the water melts away into channels. 

Analyzing a valley's features provides geologists with a fingerprint. The research team looked at these geological fingerprints in Mars' valleys and compared them to similar valleys on Earth. They found that some were most certainly formed by rivers and streams, as previous research had shown.

However, they found evidence that many of the valleys likely formed underneath glaciers -- ice sheets -- where water would run off and carve out channels in the planet's surface. 

The Devon ice cap in northern Canada.

Anna Grau Galofre

"These results are the first evidence for extensive subglacial erosion driven by channelized meltwater drainage beneath an ancient ice sheet on Mars," said Mark Jellinek, a geoscientist at the University of British Columbia and co-author on the study.

Grau Galofre's work shows some of the valleys and channels found on Mars resemble those seen in Earth's polar regions, such as the Devon ice cap in northern Canada. The idea that Mars may have been, at least partially, frozen some 4 billion years ago has been predicted by climate modeling, but the existence of valleys and channels carved by rivers was at odds with the theory.

Now the new modelling performed by Grau Galofre and team has upended those old beliefs and helped solidify the idea the red planet was likely a little white, in its earlier years.

"Using the geomorphology of Mars' surface to rigorously reconstruct the character and evolution of the planet in a statistically meaningful way is, frankly, revolutionary," said Jellinek.

With Earth in various states of ruin, stargazers might feel a little jealous about the robotic explorers that have fled en masse to Mars. In the last month, three missions launched to the red planet: the UAE's Hope probe, China's Tianwen-1 mission and NASA's Perseverance rover. The latter two missions will search for signs of ancient life, probing the sediment in ancient lake beds for the telltale signs of alien existence. If glacial sheets did cover the planet, as Grau Galofre's team believes, life may have found a way to pull itself together in the earliest days of the planet.

Frog Eats Beetle. Beetle Crawls Through Guts to Escape

The nice thing about being a frog is that you don’t have to chew your food—just gulp, and down the hatch. The problematic thing about being a frog is that you don’t have to chew your food, which means that if you’ve happened to nab the aquatic beetle Regimbartia attenuata, your food might come out the other end in an undesirable fashion: alive and literally kicking.

Writing today in the journal Current Biology, Kobe University ecologist Shinji Sugiura describes how the beetle, locked behind the frog’s jaws, turns around and scrambles through its digestive tract. In carefully designed lab experiments, Sugiura found that 93 percent of the beetles he fed to the frog Pelophylax nigromaculatus escaped the predator’s “vent”—aka anus—within four hours, “frequently entangled in fecal pellets,” he writes. The quickest run from mouth to anus was just six minutes. The beetles then went about their day as if they hadn’t just spelunked through a digestive system, and even swam effectively.

Apparently understanding their unique predicament, the R. attenuata beetles seem to have clambered through the intestines of the frogs. Sugiura showed as much by immobilizing some of the beetles’ legs with wax—this time, none of them emerged from the anus alive, but as feces, over 24 hours later. This all came as some surprise to Sugiura himself. Given that the predator and prey share habitat in Japan’s rice paddy fields, he hypothesized that the beetle could have evolved some sort of anti-frog defense. “However, I did not predict that R. attenuata can escape from the frog vent,” Sugiura writes in an email to WIRED. “I simply provided the beetle to the frogs, expecting that the frogs spat them out in response to the beetles’ behavior or something.”

Serendipitously, it may be that the adaptations the beetle had already evolved for the life aquatic prepared it for the great journey through a frog’s digestive system. For one, these insects swim quite effectively by kicking their legs, so perhaps they’re in effect swimming through the waste in the frog’s intestines. Also, insects breathe through holes in their hard shells, or exoskeletons. So to breathe underwater, this particular species of beetle traps a small pocket of air under its wing covers, which are known as elytra. (Think of the polka-dotted flaps that a ladybug opens to take off.)

Video: S. Sugiura/Current Biology

Perhaps it does the same while finding its way through a frog’s innards. “I would imagine that an air bubble would help the beetle breathe, and may provide a little jacket to keep stomach acid at bay while an escape is made,” says Christopher Grinter, collections manager of entomology at the California Academy of Sciences, who wasn’t involved in the research.

Google Pixel 4A Review: Nearly Perfect and Only $350

There’s something about Google’s new Pixel 4A that has me reaching for it far more than most smartphones I’ve tested this year.

Maybe it’s the wonderfully compact size, allowing me to completely wrap my fingers around the phone. Or the matte, chalkboard-like polycarbonate back that’s grippy and attracts no fingerprints, unlike its glass counterparts. Perhaps it’s the camera that impresses all day, every day, or the various software smarts like Call Screen, which puts pesky spam and robocalls out of sight, out of mind.

I think a large part of it is the value of this phone that keeps swirling in my head—you get all of this and more for $349. That’s a $50 price drop from last year’s excellent Pixel 3A, yet the components in the newer model have improved in every way; it’s rare to see a product get better and cheaper than its predecessor. There’s no such thing as the perfect phone, but the Pixel 4A comes very, very close this year.

Pixel Perfect

Two things that might worry you when buying a cheap phone are lackluster performance and a poor camera. Well, you can put those concerns to bed.

Inside the Pixel 4A is Qualcomm’s Snapdragon 730G chip with 6 gigabytes of RAM, a sizable step up from the Snapdragon 670 in the Pixel 3A. Performance has been very smooth. I didn’t experience any noticeable stutters or lag even after playing games like Dead Cells and Alto’s Odyssey for a good deal of time. It feels worlds apart compared to phones like the Moto G Stylus ($300) and the Samsung Galaxy A51 ($400), where some sluggishness is an everyday occurrence. Instead, performance is much closer to the more powerful OnePlus Nord.

The 5.8-inch screen makes it all look great, too. It’s sharp (2,340 x 1,080 pixels) and colorful, with slim bezels and a floating selfie camera for modern flair. I can stare at this OLED screen all day—in fact, I have. I’ve been watching my favorite shows more often than usual—at the dog park and on the couch—because the 4A is so lightweight and compact I can easily wrap my palm around it.


Everything about holding this phone and pressing its clicky buttons feels uniquely relaxing. It’s never unwieldy, which means I don’t need to worry about shattering any glass as much as on other phones. (If you want a case as a precaution, I like this one from Moment.)

Did I mention you get a headphone jack, NFC, and a rear fingerprint sensor? Lately, I’ve had to quickly plug in headphones for meetings after forgetting to charge my Bluetooth buds. The 4A reminds me how helpful the 3.5-mm port is to have as an option. The same goes for NFC, which lets you make contactless payments with services like Google Pay. It’s not always present on affordably priced phones (looking at you, Motorola), so it’s great to see here. And everyone may have their opinion on the various kinds of fingerprint unlocking. I much prefer capacitive fingerprint sensors on the back of phones over sensors under the display; they’re often faster and far more natural to access. This one works great.

More good news: The battery has been bumped up a bit. The 3,140-mAh cell hit five hours of screen-on time on a day when I took a short trip starting at 7:30 am. With plenty of social media and web browsing, gaming, and snapping photos and videos, I only had to plug in around 11 pm. Power users, this phone isn’t going to last more than a day, but with light to average use, it can run until the morning of a second day before it needs a recharge.

Class-Leading Camera

Pixel phones are known for their excellent cameras. Last year’s Pixel 3A made waves largely because the cameras on most $200–$400 phones aren’t very good, especially when it comes to night scenes. The Pixel 4A shows off Google’s camera leadership even more. There’s only one camera on the rear—the same main 12.2-megapixel sensor you’ll find on the 2019 flagship Pixel 4—and honestly, it’s all you need. I much prefer to have one really good camera instead of several average ones. On the front, you’re treated to an 8-megapixel selfie camera nearly identical to the one on the flagship.

Google also brought many of the new Pixel 4 camera features down to the Pixel 4A, like Astrophotography mode and Live HDR+. You can put this phone on a tripod, point it at the sky, and get a surprisingly great photo of the stars above. This will naturally depend on where you live, but I managed to capture some stars in heavily light-polluted New York City. (I didn’t see any UFOs, though.)

Live HDR+, on the other hand, shows what your photo will look like in real time before you snap it, so you don’t have to wait for the image processing to finish. The dual-exposure controls from the Pixel 4 are also here, allowing you to dial in the precise level of exposure and shadows to your liking.

What does all this mean? I can’t stop taking photos with this phone. Daylight shots don’t look over-sharpened or over-saturated, and the camera manages high-contrast scenes incredibly well. Portrait mode still isn’t perfect, but it manages to snap some great photos of my dog. And at night, the camera maintains good detail and saturation, and the improved white balance keeps the color temperature in check.

Heck, photos captured with Night Sight, a mode that takes several photos at different exposures and stitches the best together, even beat out results from the Samsung Galaxy S20 Plus ($1,200) sometimes, adding much more accurate colors and greater detail. This is one of the best camera phones available today, and it costs half the price of the iPhone 11.

Room to Grow

My two weeks with the Pixel 4A have been overwhelmingly positive. Google’s Android experience adds another rung to its excellence—the ever-accessible Google Assistant is still the best voice assistant, and there are so many small smart features like Now Playing, which automatically tells me what song is playing in my surroundings on the lock screen (even offline!). Still, there are some areas where the phone could improve.

First, it’s missing any kind of IP-rated water resistance, so you should be wary of using it near pools. There’s also no MicroSD slot so you’ll have to pay more for Google cloud storage if you run out of space. That said, 128 gigabytes is what you’ll find on most phones in this price bracket.

The dual speakers are sufficient if you’re in a quiet room, but introduce some ambient noise and you’ll quickly be reaching for your headphones. Watching a video in the noisy outdoors of New York, I had to crank the volume up to the max, and it still wasn’t too easy to discern dialog. Similarly, the screen is just bright enough to see in sunny conditions, but I sometimes had to squint, and video performance of the camera isn’t great.

My last two gripes are small. Wireless charging is missing, and considering it’s available in the iPhone SE ($400) it would’ve been nice to see it here. (I say this selfishly, with wireless chargers littered around my apartment.)

The phone also comes in just one color: black. Google cites “complexity in the supply chain” as the reason for this (also why there’s no larger Pixel 4A XL this year), which is understandable but still disappointing. (There’s a hole in my heart for the rumored “Barely Blue” model.) At least the power button is accented white, which is always a nice touch and makes this phone a little more distinguishable from the spate of gray and black phones. A case can add some color.

All the Phone You Need

The best part about all Pixel phones is that you get security updates and Android version upgrades straight from Google (the company that makes Android) for three years. That length of support can’t compete with Apple, which supports its iPhones for five years or more, but it’s much longer than most other Android phones (especially cheap ones).

You should also know that a 5G version of the Pixel 4A is set to arrive alongside the Pixel 5 later this year (likely around October). Considering 5G is still a nascent network technology that’s only available in select areas of several US cities, don’t feel like you need to wait for the Pixel 4A 5G. It’ll probably cost a bit more and the extra speed doesn’t add much, yet.

The Pixel 4A comes unlocked, so you can use it on any major US wireless carrier. It’s available for preorders now and goes on sale August 20. It’s the best phone Google has made, and it’s the phone I’d recommend to anyone right now. It’s $349!

At a time when millions of people are out of a job, this phone is a third the price of many high-end models, yet it will do everything you need. If you need a new phone, save some money and get on with more important things in your life.


Pixel 5: Coming this fall with 5G – CNET


Google's promo image of the Pixel 5 and 4A 5G. (Image: Google)

It's a busy day for Google. On top of a new Pixel 4A budget phone Monday, the tech giant announced the Pixel 4A 5G, and an upcoming flagship phone, the Pixel 5. Though you can already preorder the Pixel 4A, which ships Aug. 20, the Pixel 4A 5G and Pixel 5 will be available sometime in the fall. They will be Google's first 5G phones.

Except for the fact that it exists and that Google confirmed it will have 5G, not much else is known about the Pixel 5. Google did reveal a promo image of the Pixel 5 and 4A 5G (above). Given the position of the text, it's likely that the Pixel 5 is on the left while the 4A 5G is on the right, and it looks like the Pixel 5 will come in a black, glittery design with a big camera array.


While it's not confirmed, the Pixel 5 may launch with Android 11 out of the box too, since the beta version of the OS update is already public. And because last year's Pixel 4 had a 90Hz display, wireless charging and a water-resistant design, it'd be surprising if the Pixel 5 didn't offer similar features as well.

Details on the Pixel 5 may be scant, but we do know a lot more about the Pixel 4A. Priced at $349 (£349, AU$599), the phone is equipped with a 5.81-inch screen, a single 12.2-megapixel camera and a headphone jack. For more information, read CNET's full Pixel 4A review.
