Biz & IT

Fleksy’s AI keyboard is getting a store to put mini apps at chatters’ fingertips

Remember Fleksy? The customizable Android keyboard app has a new trick up its sleeve: It’s adding a store where users can find and add lightweight third party apps to enhance their typing experience.

Right now it’s launched a taster, preloading a selection of ‘mini apps’ into the keyboard — some from very familiar brand names, some a little less so — so users can start to see how it works.

The first in-keyboard apps are Yelp (local services search); Skyscanner (flight search); Giphy (animated Gif search); GifNote (music Gifs; launching for U.S. users only for rights reasons); Vlipsy (reaction video clips); and Emogi (stickers) — with “many more” branded apps slated as coming in the next few months.

They’re not saying exactly what other brands are coming but there are plenty of familiar logos to be spotted in their press materials — from Spotify to Uber to JustEat to Tripadvisor to PayPal and more…

The full keyboard store itself — which will let users find and add and/or delete apps — will be launching at the end of this month.

The latest version of the Fleksy app can be downloaded for free via the Play Store.

Mini apps made for messaging

The core idea for these mini apps (aka Fleksyapps) is to offer lightweight additions designed to serve the messaging use case.

Say, for example, you’re chatting about where to eat and a friend suggests sushi. The Yelp Fleksyapp might pop up a contextual suggestion for a nearby Japanese restaurant that can be shared directly into the conversation — thereby saving time by doing away with the need for someone to cut out of the chat, switch apps, find some relevant info and cut and paste it back into the chat.

Fleksyapps are intended to be helpful shortcuts that keep the conversation flowing. They also of course put brands back into the conversation.

“We couldn’t be more excited to bring the power of the world’s popular songs with GIFs, videos and photos to the new Fleksyapps platform,” says Gifnote co-founder, John vanSuchtelen, in a supporting statement.

Fleksy’s mini apps appear above the Qwerty keyboard — in much the same space as a next-word prediction. The user can scroll through the app stack (each a tiny branded circle until tapped on to expand) and choose one to interact with. It’s similar to the micro apps lodged in Apple’s iMessage but on Android where iMessage isn’t… The team also plans for Fleksy to support a much wider range of branded apps — hence the Fleksyapps store.

In-keyboard apps is not a new concept for the dev team behind Fleksy; an earlier keyboard app of theirs (called ThingThing) offered micro apps they built themselves as a tool to extend its utility.

But now they’re hoping to garner backing and buy in from third party brands excited about the exposure and reach they could gain by being where users spend the most device time: The keyboard.

“Think of it a bit like the iMessage equivalent but on Android across any app. Or the WeChat mini program but inside the keyboard, available everywhere — not only in one app,” CEO Olivier Plante tells TechCrunch. “That’s a problem of messaging apps these days. All of them are verticals but the keyboard is horizontal. So that’s the benefit for those brands. And the user will have the ability to move them around, add some, to remove some, to explore, to discover.”

“The brands that want to join our platform they have the option of being preloaded by default. The analogy is that by default on the home screen of a phone you are by default in our keyboard. And moving forward you’ll be able to have a membership — you’re becoming a ‘brand member’ of the Fleksyapps platform, and you can have your brand inside the keyboard,” he adds.

The first clutch of Fleksyapps were developed jointly, with the team working with the brands in question. But Plante says they’re planning to launch a tool in future so brands will be able to put together their own apps — in as little as just a few hours.

“We’re opening this array of functionalities and there’s a lot of verticals possible,” he continues. “In the future months we will embed new capabilities for the platform — new type of apps. You can think about professional apps, or cloud apps. Accessing your files from different types of clouds. You have the weather vertical. You have ecommerce vertical. You have so many verticals.

“What you have on the app store today will be reflected into the Fleksyappstore. But really with the focus of messaging and being useful in messaging. So it’s not the full app that we want to bring in — it’s really the core functionality of this app.”

The Yelp Fleksyapp, for example, only includes the ability to see nearby places and search for and share places. So it’s intentionally stripped down. “The core benefit for the brand is it gives them the ability to extend their reach,” says Plante. “We don’t want to compete with the app, per se, we just want to bring these types of app providers inside the messenger on Android across any app.”

On the user side, the main advantage he touts is “it’s really, really fast” — fleshing that out to: “It’s very lightweight, it’s very, very fast and we want to become the fastest access to content across any app.”

Users of Fleksyapps don’t need to have the full app installed because the keyboard plugs directly into the API of each branded service. So they get core functionality in bite-sized form without a requirement to download the full app. (Of course they can if they wish.)

So Plante also notes the approach has benefits vis-a-vis data consumption — which could be an advantage in emerging markets where smartphone users’ choices may be hard-ruled by the costs of data and/or connectivity limits.

“For those types of users it gives them an ability to access content but in a very light way — where the app itself, loading the app, loading all the content inside the app can be megabits. In Fleksy you’re talking about kilobits,” he says.

Privacy-sensitive next app suggestions

While baking a bunch of third party apps into a keyboard might sound like a privacy nightmare, the dev team behind Fleksy have been careful to make sure users remain in control.

To wit: Also on board is an AI keyboard assistant (called Fleksynext) — aka “a neural deep learning engine” — which Plante says can detect the context, intention and sentiment of conversations in order to offer “very useful” app suggestions as the chat flows.

The idea is the AI supports the substance of the chat by offering useful functionality from whatever pick and mix of apps are available. Plante refers to these AI-powered ‘next app’ suggestions as “pops”.

And — crucially, from a privacy point of view — the Fleksynext suggestion engine operates locally, on device.

That means no conversation data is sent out of the keyboard. Indeed, Plante says nothing the user types in the keyboard itself is shared with brands (including suggestions that pop up but get ignored). So there’s no risk — as with some other keyboard apps — of users being continually strip-mined for personal data to profile them as they type.

That said, if the user chooses to interact with a Fleksyapp (or its suggestive pop) they are then interacting with a third party’s API. So the usual tracking caveats apply.

“We interact with the web so there’s tracking everywhere,” admits Plante. “But, per se, there’s not specific sensitive data that is shared suddenly with someone. It is not related with the service itself — with the Fleksy app.”

The key point is that the keyboard user gets to choose which apps they want to use and which they don’t. So they can choose which third parties they want to share their plans and intentions with and which they don’t.

“We’re not interesting in making this an advertising platform where the advertiser decides everything,” emphasizes Plante. “We want this to be really close to the user. So the user decides. My intentions. My sentiment. What I type decides. And that is really our goal. The user is able to power it. He can tap on the suggestion or ignore it. And then if he taps on it it’s a very good quality conversion because the user really wants to access restaurants nearby or explore flights for escaping his daily routine… or transfer money. That could be another use-case for instance.”

They won’t be selling brands a guaranteed number of conversions, either.

That’s clearly very important because — to win over users — Fleksynext suggestions will need to feel telepathically useful, rather than an irritating, misfired nag. Though the risk of that seems low given how Fleksy users can customize the keyboard apps to only see stuff that’s useful to them.

“In a sense we’re starting reshape a bit how advertising is seen by putting the user in the center,” suggests Plante. “And giving them a useful means of accessing content. This is the original vision and we’ve been very loyal to that — and we think it can reshape the landscape.”

“When you look into five years from now, the smartphone we have will be really, really powerful — so why process things in the cloud? When you can process things on the phone. That’s what we are betting on: Processing everything on the phone,” he adds.

When the full store launches users will be able to add and delete (any) apps — including preloads. So they will be in the driving seat. (We asked Plante to confirm the user will be able to delete all apps, including any preloads, and he said yes. So if you take him at his word Fleksy will not be cutting any deals with OEMs or carriers to indelibly preload certain Fleksyapps. Or, to put it another way, crapware baked into the keyboard is most definitely not the plan.)

Depending on what other Fleksyapps launch in future a Fleksy keyboard user could choose to add, for example, a search service like DuckDuckGo or France’s Qwant to power a pro-privacy alternative to using Google search in the keyboard. Or they could choose Google.

Again the point is the choice is theirs.

Scaling a keyboard into a platform

The idea of keyboard-as-platform offers at least the possibility of reintroducing the choice and variety of smartphone app stores back before the cynical tricks of attention-harvesting tech giants used their network effects and platform power to throttle the app economy.

The Android keyboard space was also a fertile experiment ground in years past. But it’s now dominated by Google’s Gboard and Microsoft-acquired Swiftkey. Which makes Fleksy the plucky upstart gunning to scale an independent alternative that’s not owned by big tech and is open to any third party that wants to join its mini apps party.

“It will be Bing search for Swiftkey, it will be Google search for Gboard, it will be Google Music, it will be YouTube. But on our side we can have YouTube, we can also have… other services that exist for video. The same way with pictures and the same way for file-sharing and drive. So you have Google Drive but you have Dropbox, you have OneDrive, there’s a lot of services in the cloud. And we want to be the platform that has them all, basically,” says Plante.

The original founding team of the Fleksy keyboard was acqui-hired by Pinterest back in 2016, leaving the keyboard app itself to languish with minimal updates. Then two years ago Barcelona-based keyboard app maker, ThingThing, stepped in to take over development.

Plante confirms it’s since fully acquired the Fleksy keyboard technology itself — providing a solid foundation for the keyboard-as-platform business it’s now hoping to scale with the launch of Fleksyapps.

Talking of scale, he tells us the startup is in the process of raising a multi-million Series A — aiming to close this summer. (ThingThing last took in $800,000 via equity crowdfunding last fall.)

The team’s investor pitch is the keyboard offers perhaps the only viable conduit left on mobile to reset the playing field for brands by offering a route to cut through tech giant walled gardens and get where users are spending most of their time and attention: i.e. typing and sharing stuff with their friends in private one-to-one and group chats.

That means the keyboard-as-platform has the potential to get brands of all stripes back in front of users — by embedding innovative, entertaining and helpful bite-sized utility where it can prove its worth and amass social currency on the dominant messaging platforms people use.

The next step for the rebooted Fleksy team is of course building scale by acquiring users for a keyboard which, as of half a year ago, only had around 1M active users from pure downloads.

Its strategy on this front is to target Android device makers to preload Fleksy as the default keyboard.

ThingThing’s business model is a revenue share on any suggestions the keyboard converts, which it argues represent valuable leads for brands — given the level of contextual intention. It is also intending to charge brands that want to be preloaded on the Fleksy keyboard by default.

Again, though, a revenue share model requires substantial scale to work. Not least because brands will need to see evidence of scale to buy into the Fleksyapps’ vision.

Plante isn’t disclosing active users of the Fleksy keyboard right now. But says he’s confident they’re on track to hit 30M-35M active users this year — on account of around ten deals he says are in the pipeline with device makers to preload Fleksy’s keyboard. (Palm was an early example, as we reported last year.)

The carrot for OEMs to join the Fleksyapps party is they’re cutting them in on the revenue share from user interactions with branded keyboard apps — playing to device makers’ needs to find ways to boost famously tight hardware margins.

“The fact that the keyboard can monetize and provide value to the phone brands — this is really massive for them,” argues Plante. “The phone brands can expect revenue flowing in their bank account because we give the brands distribution and the handset manufacturer will make money and we will make money.”

It’s a smart approach, and one that’s essentially only possible because Google’s own Gboard keyboard doesn’t come preloaded on the majority of Android devices. (Exceptions include its own Pixel brand devices.) So — unusually for a core phone app on Android — there’s a bit of an open door where the keyboard sits, instead of the usual preloaded Google wares. And that’s an opportunity.

Markets wise, ThingThing is targeting OEMs in all global regions with its Fleksy pitch — barring China (which Plante readily admits is too complex for a small startup to sensibly try jumping at).

Apps vs tech giants

In its stamping ground of Europe there are warm regulatory winds blowing too: A European Commission antitrust intervention last year saw Google hit with a $5BN fine over anti-competitive practices attached to its Android platform — forcing the company to change local licensing terms.

That antitrust decision means mobile makers finally have the chance to unbundle Google apps from devices they sell in the region.

Which translates into growing opportunities for OEMs to rethink their Android strategies. Even as Google remains under pressure not to get in the way by force feeding any more of its wares.

Really, a key component of this shift is that device makers are being told to think, to look around and see what else is out there. For the first time there looks to be a viable chance to profit off of Android without having to preload everything Google wants.

“For us it’s a super good sign,” says Plante of the Commission decision. “Every monopolistic situation is a problem. And the market needs to be fragmented. Because if not we’re just going to lose innovation. And right now Europe — and I see good progress for the US as well — are trying to dismantle the imposed power of those big guys. For the simple evolution of human being and technology and the future of us.”

“I think good things can happen,” he adds. “We’re in talks with handset manufacturers who are coming into Europe and they want to be the most respectful of the market. And with us they have this reassurance that you have a good partner that ensures there’s a revenue stream, there’s a business model behind it, there’s really a strong use-case for users.

“We can finally be where we always wanted to be: A choice, an alternative. But having Google imposing its way since start — and making sure that all the direct competition of Google is just a side, I think governments have now seen the problem. And we’re a winner of course because we’re a keyboard.”

But what about iOS? Plante says the team has plans to bring what they’re building with Fleksy to Apple’s mobile platform too, in time. But for now they’re fully focusing efforts on Android — to push for scale and execute on their vision of staking their claim to be the independent keyboard platform.

Apple has supported third party keyboards on iOS for years. Unfortunately, though, the experience isn’t great — with a flaky toggle to switch away from the default Apple keyboard, combined with heavy system warnings about the risks of using third party keyboards.

Meanwhile the default iOS keyboard ‘just works’ — and users have loads of extra features baked by default into Apple’s native messaging app, iMessage.

Clearly alternative keyboards have found it all but impossible to build any kind of scale in that iOS pincer.

“iOS is coming later because we need to focus on these distribution deals and we need to focus on the brands coming into the platform. And that’s why iOS right now we’re really focusing for later. What we can say is it will come later,” says Plante, adding: “Apple limits a lot keyboards. You can see it with other keyboard companies. It’s the same. The update cycle for iOS keyboard is really, really, really slow.”

Plus, of course, Fleksy being preloaded as a default keyboard on — the team hopes — millions of Android devices is a much more scalable proposition vs just being another downloadable app languishing invisibly on the side lines of another tech giant’s platform.


Safari and iOS bug reveals your browsing activity and ID in real time

For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the Internet’s most sacrosanct security policies. The violation results from a bug that leaks user identities and browsing activity in real time.

The same-origin policy is a foundational security mechanism that forbids documents, scripts, or other content loaded from one origin—meaning the protocol, domain name, and port of a given webpage or app—from interacting with resources from other origins. Without this policy, malicious sites—say, badguy.example.com—could access login credentials for Google or another trusted site when it’s open in a different browser window or tab.

Obvious privacy violation

Since September’s release of Safari 15 and iOS and iPadOS 15, this policy has been broken wide open, research published late last week found. As a demo site graphically reveals, it’s trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other identifying information associated with the other sites.

“The fact that database names leak across different origins is an obvious privacy violation,” Martin Bajanik, a researcher at security firm FingerprintJS, wrote. He continued:

It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.

Attacks work on Macs running Safari 15 and on any browser running on iOS or iPadOS 15. As the demo shows, safarileaks.com is able to detect the presence of more than 20 websites—Google Calendar, YouTube, Twitter, and Bloomberg among them—open in other tabs or windows. With more work, a real-world attacker could likely find hundreds or thousands of sites or webpages that can be detected.

When users are logged in to one of these sites, the vulnerability can be abused to reveal the visit and, in many cases, identifying information in real time. When logged in to a Google account open elsewhere, for instance, the demo site can obtain the internal identifier Google uses to identify each account. Those identifiers can usually be used to recognize the account holder.

Raising awareness

The leak is the result of the way the Webkit browser engine implements IndexedDB, a programming interface supported by all major browsers. It holds large amounts of data and works by creating databases when a new site is visited. Tabs or windows that run in the background can continually query the IndexedDB API for available databases. This allows one site to learn in real time what other websites a user is visiting.

Websites can also open any website in an iframe or pop-up window in order to trigger an IndexedDB-based leak for that specific site. By embedding the iframe or popup into its HTML code, a site can open another site in order to cause an IndexedDB-based leak for the site.

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” Bajanik wrote. “Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window.”
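For site owners, the point above about user-specific identifiers in database names can be checked directly. The following is an added example, not code from the article or from FingerprintJS: it audits the IndexedDB database names an origin creates and flags those built from per-user values. The sample names, the account id and the pattern list are constructed assumptions; `indexedDB.databases()` is the standard browser call that lists an origin's own databases.

```javascript
// Added example: audit the IndexedDB database names created by your own origin.
// SAMPLE_NAMES and SAMPLE_ACCOUNT_ID are constructed values, not real data.

const SAMPLE_ACCOUNT_ID = "118204417653209981122";
const SAMPLE_NAMES = [
  "app-cache",
  "settings-v2",
  "offline-mail:user-118204417653209981122",
  "drafts:jane.doe@example.com",
  "sync-3f2a9c1e-7b4d-4e8a-9c6f-1a2b3c4d5e6f",
  "sync-0d9e8f7a-6b5c-4d3e-8f2a-1b0c9d8e7f6a",
];

// Shapes that usually mean "this name was built from a per-user value".
const PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i },
  { kind: "long-number", re: /\d{9,}/ },
  { kind: "hex-token", re: /[0-9a-f]{24,}/i },
];

// Returns the findings for one name plus a template with identifiers masked.
// sessionIds: identifiers of the signed-in user that must never appear in a name.
function analyzeName(name, sessionIds = []) {
  const findings = [];
  let template = name;
  for (const id of sessionIds.map(String).filter((s) => s.length > 0)) {
    if (template.includes(id)) {
      if (!findings.includes("session-id")) findings.push("session-id");
      template = template.split(id).join("<session-id>");
    }
  }
  for (const { kind, re } of PATTERNS) {
    if (re.test(template)) {
      findings.push(kind);
      // Fresh global regex so every occurrence is masked.
      template = template.replace(new RegExp(re.source, re.flags + "g"), `<${kind}>`);
    }
  }
  return { name, template, findings };
}

// Keeps only the names that carry at least one identifier-like value.
function auditDatabaseNames(names, sessionIds = []) {
  return names
    .map((n) => analyzeName(n, sessionIds))
    .filter((r) => r.findings.length > 0);
}

// Names that collapse to the same template belong to one per-user naming scheme.
function templateCounts(results) {
  const counts = {};
  for (const r of results) counts[r.template] = (counts[r.template] || 0) + 1;
  return counts;
}

// In a browser this lists the current origin's databases; elsewhere (for
// example Node) it falls back to the constructed sample list.
async function listOwnDatabaseNames() {
  if (typeof indexedDB !== "undefined" && typeof indexedDB.databases === "function") {
    const dbs = await indexedDB.databases();
    return dbs.map((d) => d.name).filter((n) => typeof n === "string");
  }
  return SAMPLE_NAMES;
}

listOwnDatabaseNames().then((names) => {
  // Replace SAMPLE_ACCOUNT_ID with the signed-in user's real identifiers.
  const flagged = auditDatabaseNames(names, [SAMPLE_ACCOUNT_ID]);
  for (const r of flagged) {
    console.log(`${r.name} -> ${r.template} [${r.findings.join(", ")}]`);
  }
  console.log(templateCounts(flagged));
});
```

A flagged template such as `sync-<uuid>` points at code that names a database per user; a fixed database name with the user id stored as a key inside the database removes the identifier from the name.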

How IndexedDB in Safari 15 leaks your browsing activity (in real time).

Bajanik said he notified Apple of the vulnerability in late November, and as of publication time, it still had not been fixed in either Safari or the company’s mobile OSes. Apple representatives didn’t respond to an email asking if or when it would release a patch. As of Monday, Apple engineers had merged potential fixes and marked Bajanik’s report as resolved. End users, however, won’t be protected until the Webkit fix is incorporated into Safari 15 and iOS and iPadOS 15.

For now, people should be wary when using Safari for desktop or any browser running on iOS or iPadOS. This isn’t especially helpful for iPhone or iPad users, and in many cases, there’s little or no consequence of browsing activities being leaked. In other situations, however, the specific sites visited and the order in which they were accessed can say a lot.

“The only real protection is to update your browser or OS once the issue is resolved by Apple,” Bajanik wrote. “In the meantime, we hope this article will raise awareness of this issue.”

Microsoft warns of destructive disk wiper targeting Ukraine

Over the past few months, geopolitical tensions have escalated as Russia amassed tens of thousands of troops along Ukraine’s border and made subtle but far-reaching threats if Ukraine and NATO don’t agree to Kremlin demands.

Now, a similar dispute is playing out in cyber arenas, as unknown hackers late last week defaced scores of Ukrainian government websites and left a cryptic warning to Ukrainian citizens who attempted to receive services.

Be afraid and expect the worst

“All data on the computer is being destroyed, it is impossible to recover it,” said a message, written in Ukrainian, Russian, and Polish, that appeared late last week on at least some of the infected systems. “All information about you has become public, be afraid and expect the worst.”

Around the same time, Microsoft said in a post over the weekend, “destructive” malware with the ability to permanently destroy computers and all data stored on them began appearing on the networks of dozens of government, nonprofit, and information technology organizations, all based in Ukraine. The malware—which Microsoft is calling Whispergate—masquerades as ransomware and demands $10,000 in bitcoin for data to be restored.

But Whispergate lacks the means to distribute decryption keys and provide technical support to victims, traits that are found in virtually all working ransomware deployed in the wild. It also overwrites the master boot record—a part of the hard drive that starts the operating system during bootup.

“Overwriting the MBR is atypical for cybercriminal ransomware,” members of the Microsoft Threat Intelligence Center wrote in Saturday’s post. “In reality, the ransomware note is a ruse and that the malware destructs MBR and the contents of the files it targets. There are several reasons why this activity is inconsistent with cybercriminal ransomware activity observed by MSTIC.”

Over the weekend, Serhiy Demedyuk, deputy head of Ukraine’s National Security and Defense Council, told news outlets that preliminary findings from a joint investigation of several Ukrainian state agencies show that a threat actor group known as UNC1151 was likely behind the defacement hack. The group, which researchers at security firm Mandiant have linked to the government of Russian ally Belarus, was behind an influence campaign named Ghostwriter.

Ghostwriter worked by using phishing emails and theft domains that spoof legitimate websites such as Facebook to steal victim credentials. With control of content management systems belonging to news sites and other heavily trafficked properties, UNC1151 “primarily promoted anti-NATO narratives that appeared intended to undercut regional security cooperation in operations targeting Lithuania, Latvia, and Poland,” authors of the Mandiant report wrote.

All evidence points to Russia

Ukrainian officials said UNC1151 was likely working on behalf of Russia when it used its skill in harvesting credentials and infiltrating websites to deface Ukraine’s government sites. In a statement, they wrote:

As of now, we can say that all the evidence points to the fact that Russia is behind the cyber attack. Moscow continues to wage a hybrid war and is actively building forces in the information and cyberspace.

Russia’s cyber-troops are often working against the United States and Ukraine, trying to use technology to shake up the political situation. The latest cyber attack is one of the manifestations of Russia’s hybrid war against Ukraine, which has been going on since 2014.

Its goal is not only to intimidate society. And to destabilize the situation in Ukraine by stopping the work of the public sector and undermining the confidence in the government on the part of Ukrainians. They can achieve this by throwing fakes into the infospace about the vulnerability of critical information infrastructure and the “drain” of personal data of Ukrainians.

Damage assessment

There were no immediate reports of the defacements having a destructive effect on government networks, although Reuters on Monday reported Ukraine’s cyber police found that last week’s defacement appeared to have destroyed “external information resources.”

“A number of external information resources were manually destroyed by the attackers,” the police said, without elaborating. The police added: “It can already be argued that the attack is more complex than modifying the homepage of websites.”

Microsoft, meanwhile, didn’t say if the destructive data wiper it found on Ukrainian networks had merely been installed for potential use later on or if it had actually been executed to wreak havoc.

There’s no proof that the Russian government had any involvement in the wiper malware or the website defacement, and Russian officials have flatly denied it. But given past events, Russian involvement wouldn’t be a surprise.

In 2017, a massive outbreak of malware initially believed to be ransomware shut down computers around the world and resulted in $10 billion in total damages, making it the most costly cyberattack ever.

NotPetya initially spread through a legitimate update module of M.E.Doc, a tax-accounting application that’s widely used in Ukraine. Both Ukrainian and US government officials have said Russia was behind the attacks. In 2020, federal prosecutors charged four Russian nationals for alleged hacking crimes involving NotPetya.

Backdoor for Windows, macOS, and Linux went undetected until now

Researchers have uncovered a never-before-seen backdoor written from scratch for systems running Windows, macOS, or Linux that remained undetected by virtually all malware scanning engines.

Researchers from security firm Intezer said they discovered SysJoker—the name they gave the backdoor—on the Linux-based Webserver of a “leading educational institution.” As the researchers dug in, they found SysJoker versions for both Windows and macOS as well. They suspect the cross-platform malware was unleashed in the second half of last year.

The discovery is significant for several reasons. First, fully cross-platform malware is something of a rarity, with most malicious software being written for a specific operating system. The backdoor was also written from scratch and made use of four separate command-and-control servers, an indication that the people who developed and used it were part of an advanced threat actor that invested significant resources. It’s also unusual for previously unseen Linux malware to be found in a real-world attack.

Analyses of the Windows version (by Intezer) and the version for Macs (by researcher Patrick Wardle) found that SysJoker provides advanced backdoor capabilities. Executable files for both the Windows and macOS versions had the suffix .ts. Intezer said that may be an indication the file masqueraded as a TypeScript app spread after being sneaked into the npm JavaScript repository. Intezer went on to say that SysJoker masquerades as a system update.

Wardle, meanwhile, said the .ts extension may indicate the file masqueraded as video transport stream content. He also found that the macOS file was digitally signed, though with an ad-hoc signature.

SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were fully undetected on the VirusTotal malware search engine. The backdoor generates its control-server domain by decoding a string retrieved from a text file hosted on Google Drive. During the time the researchers were analyzing it, the server changed three times, indicating the attacker was active and monitoring for infected machines.

Based on organizations targeted and the malware’s behavior, Intezer’s assessment is that SysJoker is after specific targets, most likely with the goal of “espionage together with lateral movement which might also lead to a ransomware attack as one of the next stages.”
