Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.
You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.
Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.
Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play the recording back to see how their users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.
Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”
The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.
We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.
Not every app was leaking masked data; none of the apps we examined said they were recording a user’s screen — let alone sending them back to each company or directly to Glassbox’s cloud.
That could be a problem if any one of Glassbox’s customers isn’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.
The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.
Without analyzing the traffic of each app, it’s impossible to know if an app is recording a user’s screen to see how they use the app. We didn’t even find it in the small print of their privacy policies.
We asked all of the companies to point us to exactly where in their privacy policies it permits each app to capture what a user does on their phone.
“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.
“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.
Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.
It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.
But the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.
Samsung will announce new foldables on August 11 – TechCrunch
Samsung just sent out invites for its next Unpacked event. There are those companies that like to sneak hints into their invites — and then there’s Samsung. The note leads with the big, bold words “Get ready to unfold” and features a pair of flat-colored objects that can reasonably be said to resemble the form factors of the Galaxy Z Fold and Flip, respectively.
In keeping with…the general state of the world over the past year-and-a-half, the event will be held virtually on Wednesday, August 11. Interestingly, the company is also opening up preorders on its “next flagship,” sights and specs unseen. Perks for early preorders include “12 free months of Samsung Care+, up to an extra $200 trade-in credit and a special pre-order offer.”
But honestly, it’s generally best to wait until you actually see the thing and maybe even read a review or two.
There’s a lot to unpack (so to speak) ahead of the event. First, I’m probably not alone in expecting that the company would focus its next big event on the upcoming Galaxy Watch. The big event at MWC was a bit of a dud (not unlike MWC itself), offering up more information on the upcoming wearable partnership with Google, in lieu of announcing any hardware.
As the company noted at the time, “The upcoming One UI Watch will debut at an upcoming Unpacked event later this summer, sporting the new UI, as well as the forthcoming joint Samsung/Google platform.”
It seems reasonably likely that this will be the event where that will occur, even if the new watch doesn’t get top billing. For one thing we’re running out of summer. For another, rumors have the new Galaxy Watch set for a late-August (the 27th) release.
All told, this could well be a pretty huge summer event for the company, bucking last year’s trend of meting out devices one by one at virtual events. Word on the street is we could be seeing a Galaxy Watch 4, Galaxy Z Fold 3, Galaxy Z Flip 3, Galaxy S21 FE (“Fan Edition” — basically the latest version of the company’s budget flagship) and even the Galaxy Buds Pro, which will more directly take on the AirPods Pro (which are getting a bit long in the tooth).
What’s missing in all of this? No points if you said the Note. Samsung’s well-loved phablet is reportedly not coming this year, as chip shortages continue to plague the industry. That would be a big hit to Samsung’s six-month cycle, though we’ll see how that all plays out soon enough.
The August 11th event kicks off at 10AM ET / 7AM PT.
Kdan Mobile gets $16M Series B for its cloud-based content and productivity tools – TechCrunch
Kdan Mobile, a company that provides a wide range of cloud-based software, including AI-based tech for organizing documents, has raised a $16 million Series B. The round was led by South Korea-based Dattoz Partners, which will also take a seat on Kdan Mobile’s board, and included participation from WI Harper Group, Taiwania Capital and Golden Asia Fund Mitsubishi UFJ Capital.
Launched in 2009, Kdan Mobile has focused on developing content creation and productivity software for mobile devices from the start, founder and chief executive officer Kenny Su told TechCrunch. “We’ve observed more and more industries embracing remote or hybrid work for years now, even before 2020,” he said. “We always sensed that trend would continue.”
Kdan Mobile has now raised $21 million in total. Since announcing its Series A in April 2018, Kdan Mobile has grown from 70 employees to 200 in Taiwan, China, Japan and the United States. It also passed 200 million downloads and now has more than 100 million members on its platform. More than half of Kdan Mobile’s users are in the U.S. and Europe, 30% from Asia and 15% from Africa and Australia.
Part of the funding will be used to develop Kdan Mobile’s enterprise products, including Document AI, its data processing and filtering technology, and SaaS products like e-signature service DottedSign, PDF software Document 365 and Creativity 365 for multimedia content creation, including animations and video editing.
After focusing primarily on individual users, Kdan Mobile decided to start working with more enterprise clients in 2018, and its software is now used by more than 40,000 businesses and educational organizations. Su said the company’s focus on enterprise was validated with the 2019 launch of DottedSign, which now has more than 300,000 users. During the past year and a half, the number of signatures processed by DottedSign increased by 30 times as companies switched to remote work because of the pandemic. Kdan Mobile also began offering a set of APIs and SDKs so internal developers at large enterprises can integrate and customize its technology.
“We use a lot of what’s called B2C2B approach, or business to consumer to business, meaning that we still try to connect with users at the individual level, but do so in a way that we hope they’ll adopt our solutions at the company level,” said Su.
Document AI was launched in 2021 after Kdan Mobile found that many of its users wanted to reduce the amount of time they spend managing documents. Its features include optical character recognition, smart tagging and search, and protection for sensitive data. Some examples of how Document AI can be used include automating data-entry tasks and creating summaries of research documents.
When asked how its products differentiate from those offered by Google, Microsoft and Adobe, Su said one way is that Kdan Mobile has always created products for mobile first, before designing the user experience for other devices, with the idea of serving professionals who are on the move a lot.
On the other hand, Kdan Mobile doesn’t necessarily see itself as a competitor with those companies. Instead, its solutions are complementary. For example, it creates files that are compatible with Adobe products and is integrated with Google Workspace, Zapier and, in the near future, Microsoft Teams.
“In that regard, it’s about helping users where they are, rather than trying to sway them away from existing products or services,” Su said.
In a statement, Dattoz Partners CEO Yeon Su Kim said, “We see tremendous growth in the market for software and solutions that empower the post-pandemic hybrid workforce. Kdan’s powerful product suite and the leadership team’s ability to execute have led to its strong momentum in several key markets, including the U.S. and Asia markets.”
Yummy raises $4M, aims to be ‘super app of Venezuela’ – TechCrunch
Yummy, a Venezuela-based delivery app on a mission to create the super app for the country, announced Friday it raised $4 million in funding to expand its dark store delivery operations across Latin America.
Funding backers included Y Combinator, Tinder co-founder Justin Mateen, Canary, Hustle Fund, Necessary Ventures and the co-founders of TaskUs. The total investment includes pre-seed capital raised in 2020.
“This appears to be a contrarian bet, but Yummy has quickly become the No. 1 super app in Venezuela and proven that the team can scale the business in a difficult territory,” Mateen said in a statement. “Now Vicente and the rest of the Yummy team will expand into more traditional markets with the necessary experience and support to overcome inevitable challenges that they will face.”
Vicente Zavarce, Yummy’s founder and CEO, launched the company in 2020 and is currently part of Y Combinator’s summer 2021 cohort. Born in Venezuela, Zavarce came to the U.S. for school and stayed to work in growth marketing at Postmates, Wayfair and Getaround before starting Yummy. Zavarce was a remote CEO over the past year, stuck in the U.S. due to travel restrictions, but said he is making the most of it.
Yummy’s app can be downloaded for free, and the company charges a delivery fee or merchant fee. In contrast to some of his food delivery competitors, Zavarce told TechCrunch Yummy’s fees are “the lowest in the market” so they do not affect the merchant’s ability to use the app.
The company is pulling together additional key components for its super app strategy, which includes launching a ridesharing vertical this year. Yummy has already connected more than 1,200 merchants with hundreds of thousands of customers.
And, over the past year the company completed more than 600,000 deliveries of food, groceries, alcohol and shopping. It reached $1 million in monthly gross merchandise volume while also growing 38% in revenue month over month.
Over the past eight years, the political and economic challenges faced by the country have led to its recent adoption of the U.S. dollar, Zavarce said. In some cases up to 70% of transactions are happening in dollars on the ground. He said this has protected the business against hyperinflation and ultimately created the opportunity for startups to begin operating in Venezuela.
Because of that, combined with more consumer technology innovation over the past decade, Zavarce said there is no reason why Venezuela should not have the best last-mile logistics. It’s there that Yummy has an opportunity to connect multiple verticals into a super app with little to no competition.
“Eventually, other players will enter, but because we have a super app, we already have an amazing frequency of usage,” he added. “We also already have exclusivity with 60% of the food delivery marketplace, which has enabled us to build a moat around the market. We believe we are the right people to execute on this and feel it is our responsibility to do it.”
Plans for the new funding include user acquisition — the company has close to 200,000 registered users already — and to expand in Peru and Chile by August. At the same time, Zavarce will spend some of that capital to attract more users across Venezuela. He also expects to be in Ecuador and Bolivia by the end of the year.