Google Play Music: Saving to SD card

Having switched from Amazon MP3 to Google Play Music, the most annoying omission in Google’s offering is the inability to save music tracks to SD card instead of internal storage.

Since version 5.1 of Play Music the capability is actually there, although the feature has not yet been exposed via the user interface. Here’s a neat trick you can use to switch it on manually.

First you’ll need to make sure you have the latest version of Google Play Music, then download and install the free Apex Launcher app from Google Play.

After Apex Launcher has been installed, fire it up and you’ll see a new and hopefully fairly empty home screen (don’t worry, your existing home screen has not been lost!). Tap and hold on the home screen, select Shortcuts and then Activities.

Scroll down until you come to Google Play Music, then tap on it to expand to a list of activities. Scroll down until you come to .ui.SDCardSelectorActivity, tap on it and you should find a new Google Play icon appear on the Apex home screen.

Tap on this new Google Play icon and you’ll be presented with a ‘Download Storage Location’ dialogue box. Simply tap on ‘SD card’ and you’re done!

You can now uninstall Apex Launcher if you wish.

Although the switch has been made, it only applies to music that you ‘Keep on device’ from now on, so you’ll need to unpin and pin all your previously downloaded albums again to move them to SD card.

I’m guessing Google will expose this new capability in a future update, but for the time being this is a very welcome workaround.

In case you’re interested, the saved files are stored on your SD card in the Android/data/com.google.android.music/files/music folder.

Apps Publishing Security Policy

BSkyB has become the latest high-profile victim of a security blunder which has caused them to suspend all their Sky Android applications from the Google Play app store.

The hackers would appear to have used a combination of phishing and social engineering techniques to compromise a trusted computer and steal corporate login details for third-party sites such as Google and Twitter.

The storefront for Sky’s Android mobile apps was defaced, with the app descriptions changed and screenshots replaced.

Sky Go defaced

To make a bad situation even worse for Sky, one of their official Twitter accounts was also compromised and the hackers used it to draw more attention to their handiwork.

skyhelpteam

Fuelled by the ‘official’ Twitter misinformation, customers were led to believe that the apps had also been tampered with, although this has been subsequently denied by Sky on their Help Forum:

We have temporarily removed our Apps from the Google Play store following a security alert.

All Sky Apps were unaffected and any Sky Android apps previously downloaded by customers are safe to use. There is no need to remove them from your Android device.

As soon as we have restored the apps on Google Play we will post up an update.

In a related security breach, Twitter has locked access to @SkyHelpTeam, which is why we are currently unable to tweet from this account. However, help and info is available via @SkyHelpTeam1, Facebook and here on the Sky Help Forum.

The tweet that was made from the @SkyHelpTeam Twitter, in the early hours of Sunday morning, advising customers to uninstall their apps was NOT an official tweet from Sky. Twitter security immediately detected this rogue messaging and locked the account as part of agreed standard security process.

Sky have suffered this humiliation as a result of sloppy security practices. With a robust security policy the damage from this attack could have been limited or prevented entirely.

My recommendations for an apps publishing security policy:

  • Use a dedicated Google account for the Google Play Developer Console, not an account used for other Google services. Do not divulge the email address of this account.
  • Enable 2-Step Verification on your Google account and use Google Authenticator to log in. Make sure that you properly sign out of your Google account when you have finished each session.
  • Only use a bookmarked https link to access the Developer Console. Never click on links contained in emails or on other web sites.
  • Tightly limit access to the Developer account. Only permit access to those directly involved with apps publishing, usually just the Apps Manager and their deputy.
  • Wherever possible use discrete private keys to sign each application – see the Signing Strategies section of Android Developer Tools. This limits the damage should the private key for an individual app be compromised.
  • Store your signing keys securely, preferably using a hardware-encrypted USB flash drive (such as an IronKey). Physically store the keys in a locked safe.
  • Use a standalone computer for code signing and never connect it to a network. Treat all networks as untrusted, even your corporate LAN.
  • Have a well-rehearsed contingency plan to ensure business continuity if the worst does happen.
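
To check the per-app signing key recommendation against what you have actually published, the following added example (not part of the original post) groups APKs by signing certificate and reports any key that signs more than one app. It assumes you have saved the text printed by `apksigner verify --print-certs` for each APK; the APK names and digests below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed digests and APK names (not real apps or keys).
KEY_A, KEY_B = "a1" * 32, "b2" * 32

def fake_report(digest):
    """Build text shaped like `apksigner verify --print-certs` output."""
    return (
        "Signer #1 certificate DN: CN=Example Apps, O=Example Ltd\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
        f"Signer #1 certificate SHA-1 digest: {digest[:40]}\n"
    )

SAMPLE_REPORTS = {
    "example-tv.apk": fake_report(KEY_A),
    "example-news.apk": fake_report(KEY_A),      # reuses the TV app's key
    "example-sports.apk": fake_report(KEY_B),
    "example-beta.apk": "DOES NOT VERIFY\n",     # no certificate lines at all
}

DIGEST_RE = re.compile(
    r"^Signer .*certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.MULTILINE
)

def signer_digests(report):
    """Return the distinct SHA-256 certificate digests found in one report."""
    return sorted({d.lower() for d in DIGEST_RE.findall(report)})

def audit_key_reuse(reports):
    """Map each signing certificate to its APKs; flag reuse and unverified APKs."""
    apks_by_key = defaultdict(list)
    unverified = []
    for apk, text in reports.items():
        digests = signer_digests(text)
        if not digests:
            unverified.append(apk)
        for digest in digests:
            apks_by_key[digest].append(apk)
    shared = {k: sorted(v) for k, v in apks_by_key.items() if len(v) > 1}
    return shared, sorted(unverified)

if __name__ == "__main__":
    shared, unverified = audit_key_reuse(SAMPLE_REPORTS)
    for digest, apks in shared.items():
        print(f"key {digest[:16]}... signs {len(apks)} apps: {', '.join(apks)}")
    for apk in unverified:
        print(f"no signer certificate found: {apk}")
```

Each entry in the first result is the set of apps that would all be exposed if that one private key were compromised.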