Many popular iPhone apps secretly record your screen without asking – TechCrunch

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that neither ask for permission nor make it clear, if they disclose it at all, that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — the ability to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data, but none of the apps we examined said they were recording a user’s screen, let alone sending the recordings back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers isn’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.
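As an added example, not code from the article, from The App Analyst, or from Glassbox, the script below shows the kind of check a developer or privacy reviewer could run over the decoded session-replay events that a proxy such as Charles shows leaving the device: it verifies that fields the app intends to mask actually arrive masked, and flags card numbers (confirmed with a Luhn check) and email addresses that appear in cleartext. The event shape, the field names and the sample values are constructed assumptions, not a real SDK’s wire format.

```python
"""Audit decoded session-replay events for unmasked sensitive data.

Added example; not the article's, The App Analyst's or Glassbox's code.
The events below are constructed, and the field names are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample of decoded event bodies, as a proxy export might show
# them. Only the second, third and fifth should be reported.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"screen": "Checkout", "field": "card_number", "value": "**** **** **** 1111"},
    {"screen": "Checkout", "field": "card_number", "value": "4111 1111 1111 1111"},
    {"screen": "Profile",  "field": "passport",    "value": "N1234567"},
    {"screen": "Login",    "field": "password",    "value": "********"},
    {"screen": "Signup",   "field": "email",       "value": "alice@example.com"},
    {"screen": "Home",     "field": "search",      "value": "flights to SIN"},
]

# Fields the app is supposed to mask before any replay frame is uploaded
# (assumed names for this example).
SENSITIVE_FIELDS = {"card_number", "cvv", "password", "passport"}

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MASK_CHARS = set("*•#")


def luhn_ok(number: str) -> bool:
    """Luhn checksum on the digits in `number`; filters out random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_masked(value: str) -> bool:
    """True when the value is entirely mask characters, or mask characters
    followed by at most four visible characters (the usual last-4 display)."""
    body = value.replace(" ", "")
    if not body:
        return True
    if all(c in MASK_CHARS for c in body):
        return True
    hidden = body[:-4]
    return bool(hidden) and all(c in MASK_CHARS for c in hidden)


def audit_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that carries data the app should not
    have let out: an unmasked sensitive field, a Luhn-valid card number,
    or an email address."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        value = ev["value"]
        reasons: List[str] = []
        if ev["field"] in SENSITIVE_FIELDS and not is_masked(value):
            reasons.append("sensitive field not masked")
        if any(luhn_ok(m.group()) for m in PAN_RE.finditer(value)):
            reasons.append("card number passes Luhn")
        if EMAIL_RE.search(value):
            reasons.append("email address in replay")
        if reasons:
            findings.append({"screen": ev["screen"], "field": ev["field"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS):
        print(f"{f['screen']}/{f['field']}: {', '.join(f['reasons'])}")
```

The Luhn check keeps the card-number rule from firing on every long digit run (booking references, timestamps), while the masking rule is deliberately strict: a value counts as masked only if everything but a trailing last-4 suffix is mask characters, so a masking routine that “didn’t always stick” shows up as a finding rather than being averaged away.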

Without analyzing the data for each app, it’s impossible to know whether an app is recording a user’s screen to see how they are using the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either.

We asked all of the companies to point us to exactly where in their privacy policies they permit each app to capture what a user does on their phone.

Only Abercrombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointed to Abercrombie’s privacy policy, which makes no mention of session replays; neither does its sister brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics. Glassbox SDK can interact with our customers’ native app only and technically cannot break the boundary of the app,” the spokesperson said. When the system keyboard covers part of the native app, for example, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

The fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


BigBrain aims to bring live mobile trivia back to glory – TechCrunch

If you ask Nik Bonaddio why he wanted to build a new mobile trivia app, his answer is simple.

“In my life, I’ve got very few true passions: I love trivia and I love sports,” Bonaddio told me. “I’ve already started a sports company, so I’ve got to start a trivia company.”

He isn’t kidding about either part of the equation. Bonaddio actually won $100,000 on “Who Wants To Be A Millionaire?”, which he used to start the sports analytics company numberFire (acquired by FanDuel in 2014).

And today, after a period of beta testing, Bonaddio is launching BigBrain. He’s also announcing that the startup has raised $4.5 million in seed funding from FirstRound Capital, Box Group, Ludlow Ventures, Golden Ventures and others.

Of course, you can’t mention mobile trivia without thinking of HQ Trivia, the trivia app that shut down last year after some high-profile drama and a spectacular final episode.

Image Credits: BigBrain

But Bonaddio said BigBrain is approaching things differently than HQ in a few key ways. For starters, although there will be a handful of free games, the majority will require users to pay to enter, with the cash rewards coming from the entry fees. (From a legal perspective, Bonaddio said this is distinct from gambling because trivia is recognized as a game of skill.)

“The free-to-play model doesn’t really work for trivia,” he argued.

In addition, there will be no live video with a live host — Bonaddio said this would be “very, very difficult from a technical perspective and very cost ineffective.” Instead, he claimed the company has found a middle ground: “We have photos, we have different interactive elements, it’s not just a straight multiple choice quiz. We do try to keep it interactive.”

Plus, the simpler production means that where HQ was only hosting two quizzes a day, BigBrain will be hosting 20, with quizzes every 15 minutes at peak times.

Topics will range from old school hip hop to college football to ’90s movies, and Bonaddio said different quizzes will have different prize structures — some might be winner take all, while others might award prizes to the top 50% of participants. The average quiz will cost $2 to $3 to enter, but prices will range from free to “$20 or even $50.”

What kind of quiz might cost that much money to enter? As an example, Bonaddio said that in a survey of potential users, he found, “There are no casual ‘Rick and Morty’ fans … They’re almost completely price sensitive, and since they’ve seen every episode, they can’t fathom a world where someone knows more about ‘Rick and Morty’ than they do.”

TikTok’s new developer tools allow apps to offer ‘Login with TikTok,’ sound sharing, and more – TechCrunch

TikTok is expanding its integrations with third-party apps. The company today announced the launch of two new tool sets for app developers, the TikTok Login Kit and Sound Kit, that will allow apps on mobile, web and consoles to authenticate users via their TikTok credentials, build experiences that leverage users’ TikTok videos and share music and sounds back to TikTok from their own apps.

The company already offers tools that allow app developers to share content, including both pictures and videos, back to TikTok. But the new kits — or, SDKs (software development kits) — expand upon that functionality to make TikTok not just a destination for sharing, but a more deeply integrated part of the third-party app experience.

For starters, the new Login Kit allows an app’s users to sign in quickly using their TikTok log-in credentials, similar to other social log-ins offered by Facebook or Snap. Once signed in, users can then access their TikTok videos in the third-party app, potentially fueling entire new app ecosystems with TikTok content.

Image Credits: TikTok

For example, a video dating app called Snack is using the Login Kit to allow users to share their TikTok videos on their dating profiles to help them find new matches. The game recording app Medal will allow users to share their TikTok videos with their fellow gamers. And Singapore-based Burpple lets users share their food and dining reviews with a community.

Other early adopters of the Login Kit include gaming clips app Allstar, anti-anxiety app Breathwrk, social app IRL, as well as dating and friend-making apps Lolly, MeetMe, Monet, Swipehouse and EME Hive. Creator tool provider Streamlabs is also using Login Kit, as is video game PUBG, which is only using the login functionality. A forthcoming NFT platform Neon will use Login Kit, too.

When users log in to these apps via their TikTok credentials, they are then presented with an additional permissions box asking whether the app in question may read their profile information and access their public videos. They have to agree to that as well in order to use the additional video sharing options inside the app itself.

For the time being, these are the only permissions that Login Kit asks for — and it doesn’t give the app access to further information, like who the TikTok user’s friends are, for example. If TikTok expands beyond these permissions in the future, it says it will be transparent with users about any changes or new additions. For the time being, however, the focus is more on allowing apps to better integrate TikTok content into their own experiences.

Image Credits: TikTok/Rapchat

The other new SDK launching today is the Sound Kit, which allows artists and creators to bring their original sounds and music from a third-party app into TikTok. This kit, which also requires Login Kit to work, will help TikTok seed its sounds database with more original content it doesn’t have to license from major labels. Instead, whatever licensing rights to the music and other sounds that exist within the original app will still apply to whatever is shared out to TikTok. But by sharing the music more broadly, creators can gain interest from potential fans and even see their sounds used as the backing for new TikTok videos.

Early adopters on this front include mobile multi-track recording studio Audiobridge, music creation and collaboration suite LANDR, hip hop music creation app Rapchat and upcoming audio recording and remix app Yourdio.

TikTok says some of the apps selected as early partners for the SDKs were those that already adopted its Share to TikTok SDK, which launched in 2019. Others, however, were chosen based on a specific set of criteria, including the ability to move quickly to integrate the new features and the strength of their specific use cases. TikTok was looking for a diversity of use cases and those that were particularly novel — like building out a dating network based on videos, for instance.

More information on the new tools and developer documentation will be added to TikTok’s developer website, but TikTok says it will be vetting and reviewing developers who request access. And as most of the current developer partners are U.S.-based, with just a few exceptions, the company says it is looking to diversify the list of companies going forward, as this is a global initiative.

“As TikTok becomes increasingly ingrained in culture, more third-party apps across a variety of categories and use cases are looking to tap into our community on their own platforms,” said Isaac Bess, TikTok’s Global Head of Distribution Partnerships, in a statement about the launch. “Through the Sound Kit and Login Kit for TikTok, we’re providing seamless integration solutions that help developers expand their reach, increase exposure for creators, and empower our community to showcase their content on other platforms,” he added.

Turkey’s Ace Games raises $7M to develop casual and ‘hyper casual’ games – TechCrunch

Ace Games, a Turkish mobile gaming company founded by a former Peak Games co-founder, has raised a $7 million Seed funding round led by Actera Group. Co-investment has come from San Francisco’s NFX. Former gaming entrepreneurs Kristian Segerstrale, Alexis Bonte, and Kaan Gunay also participated. Firat Ileri was a previous investor in the pre-seed round.

The company runs two studios, one focused on casual and one on ‘hyper-casual’ games.

Co-founded by CEO Hakan Bas, formerly co-founder and COO at Peak Games, Ace Games has had some success on the US iOS App Store with its hyper-casual title, ‘Mix and Drink.’

In a statement, Bas said: “Ace’s main focus is actually the casual ‘hybrid puzzle’ game that we have been working on for a while now. However, our hyper-casual studio assists the main studio in many aspects like training talent, coming up with creative game mechanics and marketing ideas, generating cash, and creating user base.” Ace’s casual title is to be released late-summer this year and the global launch is expected in early 2022.

Peak Games, Gram Games and Rollic Games were all acquired by Zynga, showing that Turkey is capable of producing decent exits for gaming startups.

VCs such as Index, Balderton, Makers and Griffin have all made M&A deals with Dream Games, Bigger Games and Spyke Games.
