Facebook collected device data on 187,000 users using banned snooping app

Facebook obtained personal and sensitive device data on about 187,000 users of its now-defunct Research app, which Apple banned earlier this year after the app violated its rules.

The social media giant said in a letter to Sen. Richard Blumenthal’s office — which TechCrunch obtained — that it collected data on 31,000 users in the U.S., including 4,300 teenagers. The rest of the collected data came from users in India.

Earlier this year, a TechCrunch investigation found both Facebook and Google were abusing their Apple-issued enterprise developer certificates, which are designed to allow only employees to run iPhone and iPad apps used inside the company. The investigation found the companies were building and providing apps for consumers outside Apple’s App Store, in violation of Apple’s rules. The apps paid users in return for collecting data on how participants used their devices, and gained access to all of the network data in and out of a device in order to understand app habits.

Apple banned the apps by revoking Facebook’s enterprise developer certificate — and later Google’s enterprise certificate. In doing so, the revocation knocked offline both companies’ fleet of internal iPhone or iPad apps that relied on the same certificates.

But in response to lawmakers’ questions, Apple said it didn’t know how many devices installed Facebook’s rule-violating app.

“We know that the provisioning profile for the Facebook Research app was created on April 19, 2017, but this does not necessarily correlate to the date that Facebook distributed the provisioning profile to end users,” said Timothy Powderly, Apple’s director of federal affairs, in his letter.

Facebook said the app dated back to 2016.

TechCrunch also obtained the letters sent by Apple and Google to lawmakers in early March, which were never made public.

These “research” apps relied on willing participants to download the app from outside the app store and use the Apple-issued developer certificates to install the apps. Then, the apps would install a root network certificate, allowing the app to collect all the data out of the device — like web browsing histories, encrypted messages and mobile app activity — potentially also including data from their friends — for competitive analysis.

A response by Facebook about the number of users involved in Project Atlas (Image: TechCrunch)

In Facebook’s case, the research app — dubbed Project Atlas — was a repackaged version of its Onavo VPN app, which Facebook was forced to remove from Apple’s App Store last year for gathering too much device data.

Just this week, Facebook relaunched its research app as Study, only available on Google Play and for users who have been approved through Facebook’s research partner, Applause. Facebook said it would be more transparent about how it collects user data.

Facebook’s vice president of public policy Kevin Martin defended the company’s use of enterprise certificates, saying it “was a relatively well-known industry practice.” When asked, a Facebook spokesperson didn’t quantify this further. Later, TechCrunch found dozens of apps that used enterprise certificates to evade the app store.

Facebook previously said it “specifically ignores information shared via financial or health apps.” In its letter to lawmakers, Facebook stuck to its guns, saying its data collection was focused on “analytics,” but confirmed “in some isolated circumstances the app received some limited non-targeted content.”

“We did not review all of the data to determine whether it contained health or financial data,” said a Facebook spokesperson. “We have deleted all user-level market insights data that was collected from the Facebook Research app, which would include any health or financial data that may have existed.”

But Facebook didn’t say what kind of data, only that the app didn’t decrypt “the vast majority” of data sent by a device.

Facebook describing the type of data it collected — including “limited, non-targeted content” (Image: TechCrunch)

Google’s letter, penned by public policy vice president Karan Bhatia, did not provide a number of devices or users, saying only that its app was a “small scale” program. When reached, a Google spokesperson did not comment by our deadline.

Google also said it found “no other apps that were distributed to consumer end users,” but confirmed several other apps used by the company’s partners and contractors, which no longer rely on enterprise certificates.

Google explaining which of its apps were improperly using Apple-issued enterprise certificates (Image: TechCrunch)

Apple told TechCrunch that both Facebook and Google “are in compliance” with its rules as of the time of publication. At its annual developer conference last week, the company said it now “reserves the right to review and approve or reject any internal use application.”

Facebook’s willingness to collect this data from teenagers — despite constant scrutiny from press and regulators — demonstrates how valuable the company sees market research on its competitors. With its restarted paid research program but with greater transparency, the company continues to leverage its data collection to keep ahead of its rivals.

Facebook and Google came off worse in the enterprise app abuse scandal, but critics said in revoking enterprise certificates Apple retains too much control over what content customers have on their devices.

The Justice Department and the Federal Trade Commission are said to be examining the big four tech giants — Apple, Amazon, Facebook and Google-owner Alphabet — for potentially falling afoul of U.S. antitrust laws.

With antitrust investigations looming, Apple reverses course on bans of parental control apps

With Congressional probes and greater scrutiny from Federal regulators on the horizon, Apple has abruptly reversed course on its bans of parental control apps available in its app store.

As reported by The New York Times, Apple quietly updated its App Store guidelines to reverse its decision to ban certain parental control apps.

The battle between Apple and certain app developers dates back to last year when the iPhone maker first put companies on notice that it would cut their access to the app store if they didn’t make changes to their monitoring technologies.

The heart of the issue is the use of mobile device management (MDM) technologies in the parental control apps that Apple has removed from the App Store, Apple said in a statement earlier this year.

These device management tools give control and access over a device’s user location, app use, email accounts, camera permissions and browsing history to a third party.

“We started exploring this use of MDM by non-enterprise developers back in early 2017 and updated our guidelines based on that work in mid-2017,” the company said.

Apple acknowledged that the technology has legitimate uses in the context of businesses looking to monitor and manage corporate devices to control proprietary data and hardware, but, the company said, it is “a clear violation of App Store policies — for a private, consumer-focused app business to install MDM control over a customer’s device.”

Last month, developers of these parental monitoring tools banded together to offer a solution. In a joint statement issued by app developers including OurPact, Screentime, Kidslox, Qustodio, Boomerang, Safe Lagoon, and FamilyOrbit, the companies said simply, “Apple should release a public API granting developers access to the same functionalities that Apple’s native “Screen Time” uses.”

By providing access to its screen time app, Apple would obviate the need for the kind of controls that developers had put in place to work around Apple’s restrictions.

“The API proposal presented here outlines the functionality required to develop effective screen time management tools. It was developed by a group of leading parental control providers,” the companies said. “It allows developers to create apps that go beyond iOS Screen Time functionality, to address parental concerns about social media use, child privacy, effective content filtering across all browsers and apps and more. This encourages developer innovation and helps Apple to back up their claim that ‘competition makes everything better and results in the best apps for our customers’.”

Now, Apple has changed its guidelines to indicate that apps using MDM “must request the mobile device management capability, and may only be offered by commercial enterprises, such as business organizations, educational institutions, or government agencies, and, in limited cases, companies utilizing MDM for parental controls. MDM apps may not sell, use, or disclose to third parties any data for any purpose, and must commit to this in their privacy policy.”

Essentially, it just reverses the company’s policy without granting access to Screen Time, as the consortium of companies has suggested.

“It’s been a hellish roller coaster,” Dustin Dailey, a senior product manager at OurPact, told The New York Times. OurPact had been the top parental control app in the App Store before it was pulled in February. The company estimated that Apple’s move cost it around $3 million, a spokeswoman told the Times.


Apple defends its takedown of some apps monitoring screen-time

Apple is defending its removal of certain parental control apps from the app store in a new statement.

The company has come under fire for its removal of certain apps that were pitched as tools giving parents more control over their children’s screen-time, but that Apple said relied on technology that was too invasive for private use.

“We recently removed several parental control apps from the App Store, and we did it for a simple reason: they put users’ privacy and security at risk. It’s important to understand why and how this happened,” the company said in a statement.

The heart of the issue is the use of mobile device management technologies in the parental control apps that Apple has removed from the app store, the company said.

These device management tools give control and access over a device’s user location, app use, email accounts, camera permissions and browsing history to a third party.

“We started exploring this use of MDM by non-enterprise developers back in early 2017 and updated our guidelines based on that work in mid-2017,” the company said.

Apple acknowledged that the technology has legitimate uses in the context of businesses looking to monitor and manage corporate devices to control proprietary data and hardware, but, the company said, it is “a clear violation of App Store policies — for a private, consumer-focused app business to install MDM control over a customer’s device.”

The company said it communicated to app developers that they were in violation of App Store guidelines and gave them 30 days to submit updates to avoid being booted from the App Store.

Indeed, we first reported that Apple was warning developers about screen-time apps in December.

“Several developers released updates to bring their apps in line with these policies,” Apple said in a statement. “Those that didn’t were removed from the App Store.”

HBO’s mobile apps to gain a million new downloads courtesy of ‘Game of Thrones’ premiere

In addition to exciting its loyal legion of fans, HBO’s “Game of Thrones” premiere was also once again great news for installs of the network’s app for cord cutters, HBO NOW, which shot to the top of the App Store this weekend. The app this weekend saw a combined 300,000-plus new mobile subscribers in the U.S. across both Apple’s App Store and Google Play, according to preliminary estimates from Sensor Tower.

This is the highest the app has ranked on the U.S. iPhone App Store in three years, Sensor Tower notes, with its previous highest ranking on April 24, 2016 for the Season 6 “Game of Thrones” premiere. At that time, the app had seen 160,000 downloads on just the one day.

Sensor Tower expects to have more precise estimates of the premiere’s impact in the near future, as it wants to incorporate numbers from the fans who are getting a late start and downloading the app today.

Currently, the app is holding its No. 1 position on Apple’s App Store. If that continues, it could easily add another couple hundred thousand over the course of today (Monday, April 15, 2019), Sensor Tower estimates. That could see the app surpassing 500,000 new downloads across the three-day period.

To be clear, these numbers refer to users who have never before installed the app on their phone – not re-downloads.

Of course, this isn’t necessarily a 1:1 correlation with new HBO NOW subscribers. Many fans watch the series on their TV’s big screen through an HBO app for devices like Roku, Apple TV, Fire TV, and others. Or they may tune in to watch on the web, via their laptop. Still, it’s a notable number – especially considering how late it is in the series for the show to be gaining new fans.

HBO’s app for cable and satellite TV customers, HBO Go, also did well this weekend. It’s on track to exceed 400,000 installs over the same three-day period (the weekend of the Season 8 premiere, plus Monday). This is the highest the app has ranked since the Season 7 premiere in July 2017, when it added 350,000 first-time users across both stores worldwide.

Combined, the two apps — HBO Go and HBO NOW — are poised to exceed 1 million new installs in this three-day period, Sensor Tower forecasts.

However, fans’ interest in the long-awaited new season may have caused HBO’s apps to struggle some.

There have been reports from Down Detector and Business Insider of users who had issues streaming from the HBO apps, as well as Hulu. But these were nowhere on the scale of crashes we’ve seen in years past — as with the Season 4 “Game of Thrones” premiere, which had HBO issuing a public apology due to the size of the outage. (HBO has not responded to our requests for comment about the unconfirmed reports detailing last night’s issues. So the issues could be chalked up to users’ broadband connections, or other factors.)

Other TV apps had a few glitches, too, thanks to the premiere. For example, the TV-tracking social app TV Time temporarily struggled to load, shortly after the premiere’s airing last night. On its app, “Game of Thrones” is one of the most-tracked shows, where it has 4.3 million followers who post comments, photos, memes and more to the show’s in-app community. Today, there are some 6,200 comments in the show’s forum, from fans discussing the show.

Skedulo raises $28M for its mobile workforce management service

Skedulo, a service that helps businesses manage their mobile employees, today announced that it has raised a $28 million Series B funding round led by M12, Microsoft’s venture fund. Existing investors Blackbird and Castanoa Ventures also participated in this round.

The company’s service offers businesses all the necessary tools to manage their mobile employees, including their schedules. A lot of small businesses still use basic spreadsheets and email to do this, but that’s obviously not the most efficient way to match the right employee to the right job, for example.

“Workforce management has traditionally been focused on employees that are sitting at a desk for the majority of their day,” Skedulo CEO and co-founder Matt Fairhurst told me. “The overwhelming majority — 80 percent — of workers will be deskless by 2020 and so far, there has been no one that has addressed the needs of this growing population at scale. We’re excited to help enterprises confront these challenges head-on so they can compete and lean into rapidly changing customer and employee expectations.”

At the core of Skedulo, which offers both a mobile app and web-based interface, is the company’s so-called “Mastermind” engine that helps businesses automatically match the right employee to a job based on the priorities the company has specified. The company plans to use the new funding to enhance this tool through new machine learning capabilities. Skedulo will also soon offer new analytics tools and integrations with third-party services like HR and financial management tools, as well as payroll systems.

The company also plans to use the new funding to double its headcount, which includes hiring at least 60 new employees in its Australian offices in Brisbane and Sydney.

As part of this round, Priya Saiprasad, principal of M12, will join Skedulo’s board of directors. “We found a strong sense of aligned purpose with Priya Saiprasad and the team at M12 — and their desire to invest in companies that help reduce cycles in a person’s working day,” Fairhurst said. “Fundamentally, Skedulo is a productivity company. We help companies, the back-office and mobile workforce, reduce the number of cycles it takes to get work done. This gives them time back to focus on the work that matters most.”

Apple tells app developers to disclose or remove screen recording code

Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm.

In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added.

It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity.

Even though sensitive data is supposed to be masked, some data — like passport numbers and credit card numbers — was leaking.

Glassbox is a cross-platform analytics tool that specializes in session replay technology. It allows companies to integrate its screen recording technology into their apps to replay how a user interacts with the apps. Glassbox says it provides the technology, among many reasons, to help reduce app error rates. But the company “doesn’t enforce its customers” to mention that they use Glassbox’s screen recording tools in their privacy policies.

But Apple expressly forbids apps that covertly collect data without a user’s permission.

TechCrunch began hearing on Thursday that app developers had already been notified that their apps had fallen afoul of Apple’s rules. One app developer was told by Apple to remove code that recorded app activities, citing the company’s app store guidelines.

“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” Apple said in the email.

Apple gave the developer less than a day to remove the code and resubmit their app or the app would be removed from the app store, the email said.

When asked if Glassbox was aware of the app store removals, a spokesperson for Glassbox said that “the communication with Apple is through our customers.”

Glassbox is also available to Android app developers. Google did not immediately comment on whether it would also ban the screen recording code. Google Play also expressly prohibits apps from secretly collecting device usage. “Apps must not hide or cloak tracking behavior or attempt to mislead users about such functionality,” the developer rules state. We’ll update if and when we hear back.

It’s the latest privacy debacle that has forced Apple to wade in to protect its customers after apps were caught misbehaving.

Last week, TechCrunch reported that Apple banned Facebook’s “research” app that the social media giant paid teenagers to collect all of their data.

It followed another investigation by TechCrunch that revealed Facebook misused its Apple-issued enterprise developer certificate to build and provide apps for consumers outside Apple’s App Store. Apple temporarily revoked Facebook’s enterprise developer certificate, knocking all of the company’s internal iOS apps offline for close to a day.

Equifax, Western Union, Priceline settle with New York attorney general over insecure mobile apps

New York’s attorney general has settled with five tech and financial giants, requiring each company to implement basic security on their mobile apps.

The settlements force Credit Sesame, Equifax (yes, that Equifax), Priceline, Spark Networks and Western Union to ensure data sent between the app and their servers are encrypted. Specifically, the attorney general said their apps “could have allowed sensitive information entered by users — such as passwords, social security numbers, credit card numbers, and bank account numbers — to be intercepted by eavesdroppers employing simple and well-publicized techniques.”

In other words, their mobile apps “all failed” to properly roll out and implement HTTPS, one of the barest minimum security measures in any modern app’s security.

HTTPS certificates (also known as SSL/TLS certificates) encrypt data between a device, like your phone or computer, and a website or app server, ensuring any sensitive data, like credit card numbers or passwords, can’t be intercepted as it travels over the internet — whether that’s someone on the same coffee shop Wi-Fi network or your nearest federal intelligence agency.

These certificates are more common than ever, not least because when they’re not incredibly cheap, they’re completely free — and most modern browsers these days will bluntly tell you when a website is “not secure.” Apps are no different, but without a green padlock in your browser window, there’s often very little to know for sure on the face of it that your data is traversing the internet securely.

At least, with financial, banking and dating apps — you’d just assume, right? Bzzt, wrong.
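What “properly implementing HTTPS” means inside an app’s own networking code is worth pinning down. The Python below is an added example, not code from the settlement or from any of the apps named: it builds the kind of TLS client configuration the attorney general describes (encryption on the wire, but any certificate accepted, so an eavesdropper who can present their own certificate reads the traffic) next to the hardened default, and a small audit function that flags the settings that matter. The names weak_client_context, hardened_client_context and audit_tls_context are this example’s own.

```python
import ssl
from typing import List

# Hypothetical helper names for this example; they are not from the
# settlement text or from any named app.


def weak_client_context() -> ssl.SSLContext:
    """A client configuration that 'fails to properly implement HTTPS'.

    TLS is negotiated, so the traffic looks encrypted, but the server's
    certificate is never checked against a trust store or the hostname.
    Anyone on the path who terminates the connection with their own
    certificate is accepted and sees the plaintext.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The configuration an app should ship with.

    create_default_context() loads the platform CA store, requires a
    valid chain (CERT_REQUIRED) and checks the hostname; the protocol
    floor is pinned to TLS 1.2 explicitly.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of weaknesses found in a client SSLContext.

    An empty list means the three properties that make HTTPS meaningful
    (chain verification, hostname binding, a modern protocol floor) are
    all in place.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append(
            "hostname not checked against certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, builder in (("weak", weak_client_context),
                          ("hardened", hardened_client_context)):
        print(f"{name}: {audit_tls_context(builder()) or 'no findings'}")
```

The audit deliberately reads the context rather than connecting anywhere, so it can run in a unit test or a pre-release check without network access; the same three checks are what a reviewer looks for in any HTTP client wrapper an app uses.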

“Although each company represented to users that it used reasonable security measures to protect their information, the companies failed to sufficiently test whether their mobile apps had this vulnerability,” the office of attorney general Barbara Underwood said in a statement. “Today’s settlements require each company to implement comprehensive security programs to protect user information.”

The apps were picked out after an extensive batch of app testing in an effort to find security issues before incidents happen. Underwood’s office follows in the footsteps of federal enforcement in recent years by the Federal Trade Commission, which brought action against several app makers — including Credit Karma and Fandango — for failing to properly implement HTTPS certificates.

In taking action, the attorney general gets to keep closer tabs on the companies going forward to make sure they’re not flouting their data security responsibilities.

Family networking app Life360 acqui-hires PathSense team to boost location-based services

Life360, the app for networking families together via mobile devices, has acquired the developer team behind PathSense, responsible for the creation of a location-based mobile application toolkit, to build out its location-based offerings.

The San Francisco-based Life360 will see all of PathSense’s employees joining its staff, while the tech that PathSense developed will be licensed by the family networking and security monitoring service.

PathSense uses location software and sensing technologies that use less battery power than other GPS apps, according to the company.

“For Life 360 it is very critical to have accurate geofencing to locate assets especially family members and if they leave specific geofenced areas,” wrote Neil Shahe, an analyst for Counterpoint Research.

Specifically, Life360 is applying the technology to crash detection services for families in the event of an accident.

“The PathSense technology, and the team’s expertise in utilizing all of the sensors available on smartphones in a unique way, provides our users with a world-class car crash detection and response system,” said Alex Haro, co-founder and CTO of Life360. “This ensures we fulfill our vision to make every family member a safer driver and be there for them when accidents happen.”

That service will detect when an accident occurs and initiate a call to the phone of whichever subscriber was in the accident. If the user needs assistance, Life360 says it will notify emergency contacts and dispatch emergency services to a location.

The feature is part of the company’s Driver Protect subscription service — which also includes monitoring of phone usage in cars.

PathSense’s team, now a part of Life360, was behind the development of Trapster — a Waze-like app using crowd-sourced data to provide traffic and accident alerts.

As part of the talent acquisition, Life360 gets a new technology development hub in San Diego — which the company intends to continue to staff up as it develops new location-based applications.

PathSense will also remain a going concern and will look to bring on new clients in its Southern California office.


RecordGram thinks your phone is the new recording studio

If RecordGram has its way, top record producers will all turn to their app, a kind of mobile recording studio, to find the next Justin Bieber or Nicki Minaj. And aspiring artists will all find beats, create songs and get signed to their first label through RecordGram. The company was a “wildcard” contender at TechCrunch’s Startup Battlefield in New York today.

Facebook on course to be the WeChat of the West, says Gartner

It’s the beginning of the end for smartphone apps as we have known and tapped on them, reckons Gartner. The analyst is calling the start of a “post-apps” era, based on changes in consumer interactions that appear driven, in large part, by the rise of dominant messaging platforms designed to consume more and more of mobile users’ time and attention.