Apple patches an NSO zero-day flaw affecting all devices

Apple has released security updates for a newly discovered zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to immediately update their devices.

The technology giant said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said “may have been actively exploited.”

Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability, which it first revealed in August as part of an investigation into a zero-day that was used to silently hack into iPhones belonging to at least one Bahraini activist.

Last month, Citizen Lab said the zero-day flaw — named as such since it gives companies zero days to roll out a fix — took advantage of a flaw in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist’s phone. The breach was significant because the flaws exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. The vulnerabilities also broke through new iPhone defenses that Apple had baked into iOS 14, dubbed BlastDoor, which were supposed to prevent silent attacks by filtering potentially malicious code. Citizen Lab calls this particular exploit ForcedEntry for its ability to skirt Apple’s BlastDoor protections.

In its latest findings, Citizen Lab said it found evidence of the ForcedEntry exploit on the iPhone of a Saudi activist, which was running the latest version of iOS at the time. Citizen Lab now says that the same ForcedEntry exploit works on all Apple devices running the latest software.

Citizen Lab said it reported its findings to Apple on September 7. Apple pushed out the updates for the vulnerability, known officially as CVE-2021-30860. Citizen Lab said it attributes the ForcedEntry exploit to NSO Group with high confidence, citing evidence it has seen that it has not previously published.

When reached, Apple declined to comment. NSO Group did not immediately comment.

Developing… More soon…

Report: India may be next in line to mandate changes to Apple’s in-app payment rules

Summer is still technically in session, but a snowball is slowly developing in the world of apps, and specifically the world of in-app payments. A report in Reuters today says that the Competition Commission of India, the country’s monopoly regulator, will soon be looking at an antitrust suit filed against Apple over how it mandates that app developers use Apple’s own in-app payment system — thereby giving Apple a cut of those payments — when publishers charge users for subscriptions and other items in their apps.

The suit was filed by an Indian non-profit called “Together We Fight Society”, which said in a statement to Reuters that it was representing consumer and startup interests in its complaint.

The move would be the latest in what has become a string of challenges from national regulators against app store operators — specifically Apple but also others like Google and WeChat — over how they wield their positions to enforce market practices that critics have argued are anti-competitive. Other countries that have in recent weeks reached settlements, passed laws, or are about to introduce laws include Japan, South Korea, Australia, the U.S. and the European Union.

And in India specifically, the regulator is currently working through a similar investigation as it relates to in-app payments in Android apps, which Google mandates use its proprietary payment system. Google and Android dominate the Indian smartphone market, with the operating system active on 98% of the 520 million devices in use in the country as of the end of 2020.

It will be interesting to watch whether more countries wade in as a result of these developments. Ultimately, it could force app store operators to adopt new and more flexible universal policies in order to avoid further and deeper regulatory scrutiny.

In the meantime, we are seeing changes happen on a country-by-country basis.

Just yesterday, Apple reached a settlement in Japan that will let publishers of “reader” apps (those for using or consuming media like books and news, music, files in the cloud and more) redirect users to external sites to provide alternatives to Apple’s proprietary in-app payment provision. Although it’s not as seamless as paying within the app, redirecting previously was typically not allowed, and in doing so the publishers can avoid Apple’s cut.

South Korean legislators earlier this week approved a measure that will make it illegal for Apple and Google to make a commission by forcing developers to use their proprietary payment systems.

And last week, Apple also made some movements in the U.S. around allowing alternative forms of payments, but relatively speaking the concessions were somewhat indirect: app publishers can refer to alternative, direct payment options in apps now, but not actually offer them. (Not yet at least.)

Some developers and consumers have been arguing for years that Apple’s strict policies should open up more. Apple however has long said in its defense that it mandates certain developer policies to build better overall user experiences, and for reasons of security. But, as app technology has evolved, and consumer habits have changed, critics believe that this position needs to be reconsidered.

One factor in Apple’s defense in India specifically might be the company’s position in the market. Android absolutely dominates India when it comes to smartphones and mobile services, with Apple actually a very small part of the ecosystem.

As of the end of 2020, it accounted for just 2% of the 520 million smartphones in use in the country, according to figures from Counterpoint Research quoted by Reuters. That figure had doubled in the last five years, but it’s a long way from a majority, or even a significant minority.

The antitrust complaint in India has yet to be filed formally, but Reuters notes that the wording leans on the fact that anti-competitive practices in payment systems make it less viable for many publishers to exist at all, since the economics simply do not add up:

“The existence of the 30% commission means that some app developers will never make it to the market,” Reuters noted from the filing. “This could also result in consumer harm.”

Reuters notes that the CCI will be reviewing the case in the coming weeks before deciding whether it should run a deeper investigation or dismiss it. It typically does not publish filings during this period.

Jolla hits profitability ahead of turning ten, eyes growth beyond mobile

A milestone for Jolla, the Finnish startup behind the Sailfish OS — which formed, almost a decade ago, when a band of Nokia staffers left to keep the torch burning for a mobile Linux-based alternative to Google’s Android — today it’s announcing that it has hit profitability.

The mobile OS licensing startup describes 2020 as a “turning point” for the business — reporting revenues that grew 53% YoY, and EBITDA (which provides a snapshot of operational efficiency) standing at 34%.

It now has a new iron in the fire too, having recently started offering a new licensing product (called AppSupport for Linux Platforms) which, as the name suggests, can give Linux platforms standalone compatibility with general Android applications — without a customer needing to licence the full Sailfish OS (the latter has of course had Android app compatibility baked in since 2013).

Jolla says AppSupport has had some “strong” early interest from automotive companies looking for solutions to develop their in-car infotainment systems — as it offers embedded Linux-compatible platforms the capability to run Android apps without needing to opt for Google’s automotive offerings. And while plenty of car makers have opted for Android, there are still players Jolla could net for its ‘Google-free’ alternative.

Embedded Linux systems also run in plenty of other places, so it’s hopeful of wider demand. The software could be used to enable an IoT device to run a particularly popular app, for example, as a value add for customers.

“Jolla is doing fine,” says CEO and co-founder Sami Pienimäki. “I’m happy to see the company turning profitable last year officially.

“In general it’s the overall maturity of the asset and the company that we start to have customers here and there — and it’s been honestly a while that we’ve been pushing this,” he goes on, fleshing out the reasons behind the positive numbers with trademark understatement. “The company is turning ten years in October so it’s been a long journey. And because of that we’ve been steadily improving our efficiency and our revenue.

“Our revenue grew over 50% since 2019 to 2020 and we made €5.4M revenue. At the same time the cost base of the operation has stabilized quite well so the sum of those resulted in nice profitability.”

While the consumer mobile OS market has — for years — been almost entirely sewn up by Google’s Android and Apple’s iOS, Jolla licenses its open source Sailfish OS to governments and business as an alternative platform they can shape to their needs — without requiring any involvement of Google.

Perhaps unsurprisingly, Russia was one of the early markets that tapped in.

The case for digital sovereignty in general — and an independent (non-US-based) mobile OS platform provider, specifically — has been strengthened in recent years as geopolitical tensions have played out via the medium of tech platforms; leading to, in some cases, infamous bans on foreign companies being able to access US-based technologies.

In a related development this summer, China’s Huawei launched its own Android alternative for smartphones, which it’s called HarmonyOS.

Pienimäki is welcoming of that specific development — couching it as a validation of the market in which Sailfish plays.

“I wouldn’t necessarily see Huawei coming out with the HarmonyOS value proposition and the technology as a competitor to us — I think it’s more proving the point that there is appetite in the market for something else than Android itself,” he says when we ask whether HarmonyOS risks eating Sailfish’s lunch.

“They are tapping into that market and we are tapping into that market. And I think both of our strategies and messages support each other very firmly.”

Jolla has been working on selling Sailfish into the Chinese market for several years — and that sought-after business remains a work in progress at this stage. But, again, Pienimäki says Jolla doesn’t see Huawei’s move as any kind of blocker to its ambitions of licensing its Android alternative in the Far East.

“The way we see the Chinese market in general is that it’s been always open to healthy competition and there is always competing solutions — actually heavily competing solutions — in the Chinese market. And Huawei’s offering one and we are happy to offer Sailfish OS for this very big, challenging market as well.”

“We do have good relationships there and we are building a case together with our local partners also to access the China market,” he adds. “I think in general it’s also very good that big corporations like Huawei really recognize this opportunity in general — and this shapes the overall industry so that you don’t need to, by default, opt into Android always. There are other alternatives around.”

On AppSupport, Jolla says the automotive sector is “actively looking for such solutions”, noting that the “digital cockpit is a key differentiator for car makers” — and arguing that makes it a strategically important piece for them to own and control.

“There’s been a lot of, let’s say, positive vibes in that sector in the past few years — new comers on the block like Tesla have really shaken the industry so that the traditional vendors need to think differently about how and what kind of user experience they provide in the cockpit,” he suggests.

“That’s been heavily invested and rapidly developing in the past years but I’m going to emphasize that at the same time, with our limited resources, we’re just learning where the opportunities for this technology are. Automotive seems to have a lot of appetite but then [we also see potential in] other sectors — IoT… heavy industry as well… we are openly exploring opportunities… but as we know automotive is very hot at the moment.”

“There is plenty of general linux OS base in the world for which we are offering a good additional piece of technology so that those operating solutions can actually also tap into — for example — selected applications. You can think of like running the likes of Spotify or Netflix or some communications solutions specific for a certain sector,” he goes on.

“Most of those applications are naturally available both for iOS and Android platforms. And those applications as they simply exist the capability to run those applications independently on top of a linux platform — that creates a lot of interest.”

In another development, Jolla is in the process of raising a new growth financing round — it’s targeting €20M — to support its push to market AppSupport and also to put towards further growing its Sailfish licensing business.

It sees growth potential for Sailfish in Europe, which remains the biggest market for licensing the mobile OS. Pienimäki also says it’s seeing “good development” in certain parts of Africa. Nor has it given up on its ambitions to crack into China.

The growth round was opened to investors in the summer and hasn’t yet closed — but Jolla is confident of nailing the raise.

“We are really turning a next chapter in the Jolla story so exploring new emerging opportunities — that requires capital and that’s what we are looking for. There’s plenty of money available these days, on the investor front, and we are seeing good traction there together with the investment bank with whom we are working,” says Pienimäki.

“There’s definitely an appetite for this and that will definitely put us in a better position to invest further — both to Sailfish OS and the AppSupport technology. And in particular to the go-to market operation — to make this technology available for more people out there in the market.”

This Week in Apps: OnlyFans bans sexual content, SharePlay delayed, TikTok questioned over biometric data collection

Welcome back to This Week in Apps, the weekly TechCrunch series that recaps the latest in mobile OS news, mobile applications and the overall app economy.

The app industry continues to grow, with a record 218 billion downloads and $143 billion in global consumer spend in 2020. Consumers last year also spent 3.5 trillion minutes using apps on Android devices alone. And in the U.S., app usage surged ahead of the time spent watching live TV. Currently, the average American watches 3.7 hours of live TV per day, but now spends four hours per day on their mobile devices.

Apps aren’t just a way to pass idle hours — they’re also a big business. In 2019, mobile-first companies had a combined $544 billion valuation, 6.5x higher than those without a mobile focus. In 2020, investors poured $73 billion in capital into mobile companies — a figure that’s up 27% year-over-year.

This Week in Apps offers a way to keep up with this fast-moving industry in one place with the latest from the world of apps, including news, updates, startup fundings, mergers and acquisitions, and suggestions about new apps and games to try, too.

Top Stories

OnlyFans to ban sexually explicit content

Creator platform OnlyFans is getting out of the porn business. The company announced this week it will begin to prohibit any “sexually explicit” content starting on October 1, 2021 — a decision it claimed would ensure the long-term sustainability of the platform. The news angered a number of impacted creators who weren’t notified ahead of time and who’ve come to rely on OnlyFans as their main source of income.

However, word is that OnlyFans was struggling to find outside investors, despite its sizable user base, due to the adult content it hosts. Some VC firms are prohibited from investing in adult content businesses, while others may be concerned over other matters — like how NSFW content could have limited interest from advertisers and brand partners. They may have also worried about OnlyFans’ ability to successfully restrict minors from using the app, in light of what appears to be soon-to-come increased regulation for online businesses. Plus, porn companies face a number of other issues, too. They have to continually ensure they’re not hosting illegal content like child sex abuse material, revenge porn or content from sex trafficking victims — the latter of which has led to lawsuits at other large porn companies.

The news followed a big marketing push for OnlyFans’ porn-free (SFW) app, OFTV, which circulated alongside reports that the company was looking to raise funds at a $1 billion+ valuation. OnlyFans may not have technically needed the funding to operate its current business — it handled more than $2 billion in sales in 2020 and keeps 20%. Rather, the company may have seen there’s more opportunity to cater to the “SFW” creator community, now that it has big names like Bella Thorne, Cardi B, Tyga, Tyler Posey, Blac Chyna, Bhad Bhabie and others on board.

U.S. lawmakers demand info on TikTok’s plans for biometric data collection

U.S. lawmakers are challenging TikTok on its plans to collect biometric data from its users. TechCrunch first reported on TikTok’s updated privacy policy in June, where the company gave itself permission to collect biometric data in the U.S., including users’ “faceprints and voiceprints.” When reached for comment, TikTok could not confirm what product developments necessitated the addition of biometric data to its list of disclosures about the information it automatically collects from users, but said it would ask for consent in the case such data collection practices began.

Earlier this month, Senators Amy Klobuchar (D-MN) and John Thune (R-SD) sent a letter to TikTok CEO Shou Zi Chew, which said they were “alarmed” by the change, and demanded to know what information TikTok will be collecting and what it plans to do with the data. This wouldn’t be the first time TikTok got in trouble for excessive data collection. Earlier this year, the company paid out $92 million to settle a class-action lawsuit that claimed TikTok had unlawfully collected users’ biometric data and shared it with third parties.

Weekly News

Platforms: Apple

  • ⭐ Apple told developers that some of the features it announced as coming in iOS 15 won’t be available at launch. This includes one of the highlights of the new OS, SharePlay, a feature that lets people share music, videos and their screen over FaceTime calls. Other features that will come in later releases include Wallet’s support for ID cards, the App Privacy report and others that have yet to make it to beta releases.
  • Apple walked back its controversial Safari changes with the iOS 15 beta 6 update. Apple’s original redesign had shown the address bar at the bottom of the screen, floating atop the page’s content. Now the tab bar will appear below the page’s content, offering access to its usual set of buttons as when it was at the top. Users can also turn off the bottom tab bar now and revert to the old, Single Tab option that puts the address bar back at the top as before.
  • In response to criticism over its new CSAM detection technology, Apple said the version of NeuralHash that was reverse-engineered by a developer, Asuhariet Ygvar, was a generic version, and not the complete version that will roll out later this year.
  • The Verge dug through over 800 documents from the Apple-Epic trial to find the best emails, which included dirt on a number of other companies like Netflix, Hulu, Sony, Google, Nintendo, Valve, Microsoft, Amazon and more. These offered details on things like Netflix’s secret arrangement to pay only 15% of revenue, how Microsoft also quietly offers a way for some companies to bypass its full cut, how Apple initially saw the Amazon Appstore as a threat and more.

Platforms: Google

  • A beta version of the Android Accessibility Suite app (12.0.0) which rolled out with the fourth Android beta release added something called “Camera Switches” to Switch Access, a toolset that lets you interact with your device without using the touchscreen. Camera Switches allows users to navigate their phone and use its features by making face gestures, like a smile, open mouth, raised eyebrows and more.
  • Google announced its Pixel 5a with 5G, the latest A-series Pixel phone, will arrive on August 27, offering IP67 water resistance, long-lasting Adaptive Battery, Pixel’s dual-camera system and more, for $449. The phone makes Google’s default Android experience available at a lower price point than the soon-to-arrive Pixel 6.
  • An unredacted complaint from the Apple-Epic trial revealed that Google had quietly paid developers hundreds of millions of dollars via a program known as “Project Hug,” (later “Apps and Games Velocity Program”) to keep their games on the Play Store. Epic alleges Google launched the program to keep developers from following its lead by moving their games outside the store.

Augmented Reality

  • Snap on Thursday announced it hired its first VP of Platform Partnerships to lead AR, Konstantinos Papamiltiadis (“KP”). The new exec will lead Snap’s efforts to onboard partners, including individual AR creators building via Lens Studio as well as large companies that incorporate Snapchat’s camera and AR technology (Camera Kit) into their apps. KP will join in September, and report to Ben Schwerin, SVP of Content and Partnerships.

Fintech

  • Crypto exchange Coinbase will enter the Japanese market through a new partnership with Japanese financial giant Mitsubishi UFJ Financial Group (MUFG). The company said it plans to launch other localized versions of its existing global services in the future.

Social

  • Facebook launched a “test” of Facebook Reels in the U.S. on iOS and Android. The new feature brings the Reels experience to Facebook, allowing users to create and share short-form video content directly within the News Feed or within Facebook Groups. Instagram Reels creators can also now opt in to have their Reels featured on users’ News Feed. The company is heavily investing in its battle with TikTok, even pledging that some portion of its $1 billion creator fund will go toward Facebook Reels.
  • Twitter’s redesign of its website and app was met with a lot of backlash from users and accessibility experts alike. The company’s choices add more visual contrast between various elements and may have helped those with low vision. But for others, the contrast is causing strain and headaches. Experts believe accessibility isn’t a one-size-fits-all situation, and Twitter should have introduced tools that allowed people to adjust their settings to their own needs.
  • The pro-Trump Twitter alternative Gettr’s lack of moderation has allowed users to share child exploitation images, according to research from the Stanford Internet Observatory’s Cyber Policy Center.
  • Pinterest rolled out a new set of more inclusive search filters that allow people to find styles for different types of hair textures — like coily, curly, wavy, straight, as well as shaved or bald and protective styles.

Photos

  • Photoshop for iPad gained new image correction tools, including the Healing Brush and Magic Wand, and added support for connecting an iPad to external monitors via HDMI or USB-C. The company also launched a Photoshop Beta program on the desktop.

Messaging

  • WhatsApp is being adopted by the Taliban to spread its message across Afghanistan, despite being on Facebook’s list of banned organizations. The company says it’s proactively removing Taliban content — but that may be difficult to do since WhatsApp’s E2E encryption means it can’t read people’s texts. This week, Facebook shut down a Taliban helpline in Kabul, which allowed civilians to report violence and looting, but some critics said this wasn’t actually helping local Afghans, as the group was now in effect governing the region.
  • WhatsApp is also testing a new feature that will show a large preview when sharing links, which some suspect may launch around the time when the app adds the ability to have the same account running on multiple devices.

Streaming & Entertainment

  • Netflix announced it’s adding spatial audio support on iPhone and iPad on iOS 14, joining other streamers like HBO Max, Disney+ and Peacock that have already pledged to support the new technology. The feature will be available to toggle on and off in the Control Center, when it arrives.
  • Blockchain-powered streaming music service Audius partnered with TikTok to allow artists to upload their songs using TikTok’s new SoundKit in just one click.
  • YouTube’s mobile app added new functionality that allows users to browse a video’s chapters, and jump into the chapter they want directly from the search page.
  • Spotify’s Anchor app now allows users in global markets to record “Music + Talk” podcasts, where users can combine spoken word recordings with any track from Spotify’s library of 70 million songs for a radio DJ-like experience.
  • Podcasters are complaining that Apple’s revamped Podcasts platform is not working well, reports The Verge. Podcasts Connect has been buggy, and sports a confusing interface that has led to serious user errors (like entire shows being archived). And listeners have complained about syncing problems and podcasts they already heard flooding their libraries.

Dating

  • Tinder announced a new feature that will allow users to voluntarily verify their identity on the platform, which will allow the company to cross-reference sex offender registry data. Previously, Tinder would only check this database when a user signed up for a paid subscription with a credit card.

Gaming

  • Pokémon Unite will come to iOS and Android on September 22, The Pokémon Company announced during a livestream this week. The strategic battle game first launched on Nintendo Switch in late July.
  • Developer Konami announced a new game, Castlevania: Grimoire of Souls, which will come exclusively to Apple Arcade. The game is described as a “full-fledged side-scrolling action game,” featuring a roster of iconic characters from the classic game series. The company last year released another version of Castlevania on the App Store and Google Play.
  • Dragon Ball Z: Dokkan Battle has now surpassed $3 billion in player spending since its 2015 debut, reported Sensor Tower. The game from Bandai Namco took 20 months to reach the figure after hitting the $2 billion milestone in 2019. The new landmark sees the game joining other top-grossers, including Clash Royale, Lineage M and others.
  • Sensor Tower’s mobile gaming advertising report revealed data on top ad networks in the mobile gaming market, and their market share. It also found puzzle games were among the top advertisers on gaming-focused networks like Chartboost, Unity, IronSource and Vungle. On less game-focused networks, mid-core games were top titles, like Call of Duty: Mobile and Top War.

Health & Fitness

  • Apple is reportedly scaling back HealthHabit, an internal app for Apple employees that allowed them to track fitness goals, talk to clinicians and coaches at AC Wellness (a doctors’ group Apple works with) and manage hypertension. According to Insider, 50 employees had been tasked to work on the project.
  • Samsung launched a new product for Galaxy smartphones in partnership with healthcare nonprofit The Commons Project, that allows U.S. users to save a verifiable copy of their vaccination card in the Samsung Pay digital wallet.

Government & Policy

  • China cited 43 apps, including Tencent’s WeChat and an e-reader from Alibaba, for illegally transferring user data. The regulator said the apps had transferred users’ location data and contact lists and harassed them with pop-up windows. The apps have until August 25 to make changes before being punished.

Security & Privacy

  • A VICE report reveals a fascinating story about a jailbreaking community member who had served as a double agent by spying for Apple’s security team. Andrey Shumeyko, whose online handles included JVHResearch and YRH04E, would advertise leaked apps, manuals and stolen devices on Twitter and Discord. He would then tell Apple things like which Apple employees were leaking confidential info, which reporters would talk to leakers, who sold stolen iPhone prototypes and more. Shumeyko decided to share his story because he felt Apple took advantage of him and didn’t compensate him for the work.

Funding and M&A

💰 South Korea’s GS Retail Co. Ltd will buy Delivery Hero’s food delivery app Yogiyo in a deal valued at 800 billion won ($685 million USD). Yogiyo is the second-largest food delivery app in South Korea, with a 25% market share.

💰 Gaming platform Roblox acquired a Discord rival, Guilded, which allows users to have text and voice conversations, organize communities around events and calendars and more. Deal terms were not disclosed. Guilded raised $10.2 million in venture funding. Roblox’s stock fell by 7% after the company reported earnings this week that failed to meet Wall Street expectations.

💰 Travel app Hopper raised $175 million in a Series G round of funding led by GPI Capital, valuing the business at over $3.5 billion. The company raised a similar amount just last year, but is now benefiting from renewed growth in travel following COVID-19 vaccinations and lifting restrictions.

💰 Indian quiz app maker Zupee raised $30 million in a Series B round of funding led by Silicon Valley-based WestCap Group and Tomales Bay Capital. The round values the company at $500 million, up 5x from last year.

💰 Danggeun Market, the publisher of South Korea’s hyperlocal community app Karrot, raised $162 million in a Series D round of funding led by DST Global. The round values the business at $2.7 billion and will be used to help the company launch its own payments platform, Karrot Pay.

💰 Bangalore-based fintech app Smallcase raised $40 million in a Series C funding round led by Faering Capital and Premji Invest, with participation from existing investors, as well as Amazon. The Robinhood-like app has over 3 million users who are transacting about $2.5 billion per year.

💰 Social listening app Earbuds raised $3 million in Series A funding led by Ecliptic Capital. Founded by NFL star Jason Fox, the app lets anyone share their favorite playlists, livestream music like a DJ or comment on others’ music picks.

💰 U.S. neobank app One raised $40 million in Series B funding led by Progressive Investment Company (the insurance giant’s investment arm), bringing its total raise to date to $66 million. The app offers all-in-one banking services and budgeting tools aimed at middle-income households who manage their finances on a weekly basis.

Public Markets

📈 Indian travel booking app ixigo is looking to raise Rs 1,600 crore in its initial public offering, The Economic Times reported this week.

📉 Trading app Robinhood disappointed in its first quarterly earnings as a publicly traded company, when it posted a net loss of $502 million, or $2.16 per share, larger than Wall Street forecasts. This overshadowed its beat on revenue ($565 million versus $521.8 million expected) and its more than doubling of MAUs to 21.3 million in Q2. Also of note, the company said dogecoin made up 62% of its crypto revenue in Q2.

Downloads

Polycam (update)

Image Credits: Polycam

3D scanning software maker Polycam launched a new 3D capture tool, Photo Mode, that allows iPhone and iPad users to capture professional-quality 3D models with just an iPhone. While the app’s scanner had previously required the lidar sensor built into newer devices like the iPhone 12 Pro and iPad Pro models, the new Photo Mode feature uses only an iPhone’s camera. The resulting 3D assets are ready to use in a variety of applications, including 3D art, gaming, AR/VR and e-commerce. Data export is available in over a dozen file formats, including .obj, .gltf, .usdz and others. The app is a free download on the App Store, with in-app purchases available.

Jiobit (update)

Jiobit, the tracking dongle acquired by family safety and communication app Life360, this week partnered with emergency response service Noonlight to offer Jiobit Protect, a premium add-on that offers Jiobit users access to an SOS Mode and Alert Button that work with the Jiobit mobile app. SOS Mode can be triggered by a child’s caregiver when they detect — through notifications from the Jiobit app — that a loved one may be in danger. They can then reach Noonlight’s dispatcher who can facilitate a call to 911 and provide the exact location of the person wearing the Jiobit device, as well as share other details, like allergies or special needs, for example.

Tweets

When your app redesign goes wrong…

Image Credits: Twitter.com

Prominent App Store critic Kosta Eleftheriou shut down his FlickType iOS app this week after too many frustrations with App Review. He cited rejections that incorrectly argued that his app required more access than it did — something he had successfully appealed and overturned years ago. Attempted follow-ups with Apple were ignored, he said.

Image Credits: Twitter.com

Anyone have app ideas?

Taking consumer subscription software to the great outdoors

The pandemic has been extremely painful for many. But as lockdowns lifted and people began resuming their outdoor hobbies, mobile-first businesses have seen growth accelerate as consumers turned to digital tools to improve their time outdoors.

The Dyrt, for example, is the top camping app on the Apple and Google Play App Stores. The app sits at the confluence of two trends: An increased interest in outdoor recreation and travel, and an explosion in consumer subscription software (CSS).

The Dyrt launched its premium offering in 2019, The Dyrt PRO, in time to take advantage of the rising number of Americans making the great outdoors part of their lifestyle. A year later, it had a new subscriber every two minutes paying for features like offline maps and detailed camping information.

CSS businesses at the forefront of outdoor activities have closed major deals in recent years such as hunting app OnX (Summit Partners), hiking app Alltrails (Spectrum Equity), Surfline (The Chernin Group) and mountain bike leader Pinkbike (Outside Media). Companies like Netflix and Spotify have trained consumers to pay monthly or annual fees for software that enhances their lives, creating a business model investors view as reliable and poised for growth.

I think of different outdoor activities almost like individual genres on Netflix. Dominating camping or surfing might be like capturing the streaming market for comedy or horror.

Fitness and the outdoor passion space is one of the most exciting CSS categories in a growing landscape that includes everything from family planning/management services to entertainment and education. I believe CSS is still in the early stages of its growth — perhaps where B2B SaaS was a decade ago.

So what sets apart the great CSS businesses from the good ones?

Passion equals profits on the CSS flywheel

The beauty of the CSS model is the complete alignment between the business and its customers. CSS companies don’t have to please advertisers, and they can design purely for their users.

This dynamic is particularly powerful for CSS companies in the outdoors space, which make your favorite outdoor activity better with performance analytics and enhanced information such as maps, reviews, air quality reports and fire warnings. Consumers are happy to spend money on the activities and hobbies they enjoy, and CSS companies are able to make pleasing those consumers their top priority.

The result is what I call the CSS flywheel, in which a quality CSS product attracts and retains loyal users. Those users contribute their data through posts, photos and reviews, which creates a better product that further attracts new users, and so on.


The CSS flywheel shows the cycle that results when a quality CSS product attracts and retains loyal users. Image Credits: GP Bullhound

When companies get this flywheel right, it’s incredibly appealing to investors, because of the advantages of scale in CSS. Each niche will probably be dominated by one or two players, and a given niche can have tens of millions of consumers.

A new Senate bill would totally upend Apple and Google’s app store dominance

With two giants calling the shots and collecting whatever tolls they see fit, mobile software makers have long complained that app stores take an unfair cut of the cash that should be flowing directly to developers. Hearing those concerns, a group of senators introduced a new bill this week that, if passed, would greatly diminish Apple and Google’s ability to control app purchases in their operating systems and completely shake up the way that mobile software gets distributed.

The new bill, called the Open App Markets Act, would enshrine quite a few rights that could benefit app developers tired of handing 30 percent of their earnings to Apple and Google. The bill, embedded in full below, would require companies that control operating systems to allow third party apps and app stores.

It would also prevent those companies from blocking developers from telling users about lower prices for their software that they might find outside of official app stores. Apple and Google would also be barred from leveraging “non-public” information collected through their platforms to create competing apps.

“This legislation will tear down coercive anticompetitive walls in the app economy, giving consumers more choices and smaller startup tech companies a fighting chance,” said Senator Richard Blumenthal (D-CT), who introduced the bipartisan bill with Sen. Marsha Blackburn (R-TN), and Sen. Amy Klobuchar (D-MN). Klobuchar chairs the Senate’s antitrust subcommittee and Blackburn and Blumenthal are both subcommittee members.

Senator Blackburn called Apple and Google’s app store practices a “direct affront to a free and fair marketplace” and Sen. Klobuchar noted that their behavior raises “serious competition concerns.”

The bill draws on information collected earlier this year from that subcommittee’s hearing on app stores and competition. In the hearing, lawmakers heard from Apple and Google as well as Spotify, Tile and Match Group, three companies that argued their businesses have been negatively impacted by anti-competitive app store policies.

“… We urge Congress to swiftly pass the Open App Markets Act,” Spotify Chief Legal Officer Horacio Gutierrez said of the new bill. “Absent action, we can expect Apple and others to continue changing the rules in favor of their own services, and causing further harm to consumers, developers, and the digital economy.”

The Coalition for App Fairness, a developer advocacy group, praised the bill for its potential to spur innovation in digital markets. “The bipartisan Open App Markets Act is a step towards holding big tech companies accountable for practices that stifle competition for developers in the U.S. and around the world,” CAF executive director Meghan DiMuzio said.

Hoping to head off future regulatory headaches, Apple dropped its own fees for companies that generate less than $1 million in App Store revenue from 30 to 15 percent last year. Google followed suit with its own gesture, dropping fees to 15 percent for the first $1 million in revenue a developer earns through the Play Store in a year. Some developers critical of the companies’ practices saw those changes as little more than a publicity stunt.

Developers have long complained about the high tolls they pay to distribute their software through the world’s two major mobile operating systems. That fight escalated over the last year when Epic Games circumvented Apple’s payments rules by allowing Fortnite players to pay Epic directly, setting off a legal fight that has huge implications for the mobile software world. Following a May trial, the verdict is expected later this year.

Unlike Apple, Google does allow apps to be “sideloaded,” installed onto devices outside of the Google Play Store. But documents unsealed in Epic’s parallel case against Google revealed that the Play Store’s creator knows the sideloading process is a terrible experience for users — something the company brings up when pressuring developers to stick with its official app marketplace.

The counterargument here is that official app stores make apps safer and smoother for consumers. While Apple and Google extract heavy fees for selling mobile software through the App Store and the Google Play Store, the companies both argue that streamlining apps through those official channels protects people from malware and allows for prompt software updates to patch security concerns that could jeopardize user privacy.

Adam Kovacevich, a former Google policy executive who leads the new tech-backed industry group Chamber of Progress, called the new bill “a finger in the eye” for Android and iPhone owners.

“I don’t see any consumers marching in Washington demanding that Congress make their smartphones dumber,” Kovacevich said. “And Congress has better things to do than intervene in a multi-million dollar dispute between businesses.”

At least in Google’s case, the counterargument has its own counterargument. Android has long been notorious for malware, but apparently most of that malicious software isn’t making its way onto devices through sideloading — it’s walking through the Google Play Store’s front door.


FEMA just tested the US national emergency alert system


FEMA will test its national emergency alert system later this week. Image Credits: Getty Images

Did you hear it? FEMA just ran its first nationwide test of the U.S. emergency alert system since the pandemic.

The Federal Emergency Management Agency, or FEMA, tested both the Emergency Alert System (EAS), which broadcasts an emergency tone and message on televisions and radios, and the Wireless Emergency Alerts (WEA), a newer system that sends emergency notifications to smartphones. This was the second nationwide test of the WEA after its debut in 2018, and the first test for all U.S. cell phones whose users chose to opt in to receive test alerts.

The test began around 2:20 p.m. ET. If you opted in to the test, you likely got a message on your phone that said: “THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed.” (The FCC explains how to opt in to test alerts.)

For the first time, the WEA test sent the same test message in Spanish to phones that have Spanish set as the default language.

This is what the test WEA emergency alert looks like. Image Credits: WA Emergency Management

Since the last nationwide test in 2019, FEMA said it has improved WEA to send longer, detailed messages to the majority of phones that support it. The update also allows authorities to include tappable links, like web addresses.

FEMA runs these tests every year or two to ensure the system is working properly. It’s no small task: A national emergency alert system designed to broadcast the same message to potentially hundreds of millions of people at any given time is fraught with technological hurdles that require close co-operation from the cell carriers and broadcast networks.

The EAS system has been around since the late 1990s, but WEA was developed more recently as more Americans rely on their phones. WEA alerts, like EAS alerts, are designed to be sent by local and state authorities for public safety alerts, missing children and imminent threats, such as severe weather. More recently, FEMA rolled out “presidential alerts,” which are supposed to be sent to every phone in the U.S. in the event of a national emergency. Presidential alerts, unlike other alerts, can be issued by the sitting president for any reason, and Americans cannot opt out.

WEA broadcasts emergency notifications through the cell towers of an affected area — such as an area about to be hit by a storm — rather than sending tens of millions of text messages, which would grind the cell networks to a halt. The alerts are created by local, state or federal authorities and are authenticated by FEMA through the Integrated Public Alert & Warning System, or IPAWS, and then passed to cell carriers to deliver the emergency alert.

The emergency alert system, though, is far from perfect. In 2018, an erroneous alert sent to Hawaii residents warned of an “imminent ballistic missile threat,” adding that “this is not a drill.” Minutes later, the alert was canceled. The false warning came as tensions between the U.S. and North Korea were at an all-time high, during which Pyongyang was regularly test-firing rockets used for its nuclear weapons program.

Security experts have also long warned that the EAS systems pose security risks. Last year, researchers found dozens of internet-connected, special-purpose servers used by television and radio stations to interrupt their broadcasts to relay an emergency alert, which they said could allow a hacker to break in and compromise the servers.

Privacy-oriented search app Xayn raises $12M from Japanese backers to go into devices

Back in December 2020 we covered the launch of a new kind of smartphone app-based search engine, Xayn.

“A search engine?!” I hear you say. Well, yes, because despite the convenience of modern search engines’ ability to tailor their search results to the individual, this user tracking comes at the expense of privacy. This mass surveillance might be what improves Google’s search engine and Facebook’s ad targeting, to name just two examples, but it’s not very good for our privacy.

Internet users are admittedly able to switch to the U.S.-based DuckDuckGo, or perhaps France’s Qwant, but what they gain in privacy, they often lose in user experience and the relevance of search results, through this lack of tailoring.

What Berlin-based Xayn has come up with is personalized but privacy-safe web search on smartphones, which replaces the cloud-based AI employed by Google et al. with the AI built into modern smartphones. The result is that no data about you is uploaded to Xayn’s servers.

And this approach is not just for “privacy freaks”. Businesses that need search but don’t need Google’s dominant market position are increasingly attracted by this model.

And the evidence comes today with the news that Xayn has now raised almost $12 million in Series A funding led by the Japanese investors Global Brain and KDDI (a Japanese telecommunications operator), with participation from previous backers, including the Earlybird VC in Berlin. Xayn’s total financing now comes to more than $23 million.

It would appear that Xayn’s fusion of a search engine, a discovery feed and a mobile browser has appealed to these Asian market players, particularly because Xayn can be built into OEM devices.

The result of the investment is that Xayn will now also focus on the Asian market, starting with Japan, as well as Europe.

Leif-Nissen Lundbæk, co-founder and CEO of Xayn said: “We proved with Xayn that you can have it all: great results through personalization, privacy by design through advanced technology and a convenient user experience through clean design.”

He added: “In an industry in which selling data and delivering ads en masse are the norm, we choose to lead with privacy instead and put user satisfaction front and center.”

The funding comes as legislation such as the EU’s GDPR or California’s CCPA have both raised public awareness about personal data online.

Since its launch, Xayn says its app has been downloaded around 215,000 times worldwide, and a web version of its app is expected soon.

Over a call, Lundbæk expanded on the KDDI aspect of the fund-raising: “The partnership with KDDI means we will give users access to Xayn for free, while the corporate — such as KDDI — is the actual customer but gives our search engine away for free.”

The core features of Xayn include personalized search results; a personalized feed of the entire internet, which learns from the user’s Tinder-like swipes without collecting or sharing personal data; and an ad-free experience.

Naoki Kamimeada, partner at Global Brain Corporation said: “The market for private online search is growing, but Xayn is head and shoulders above everyone else because of the way they’re re-thinking how finding information online should be.”

Kazuhiko Chuman, head of KDDI Open Innovation Fund, said: “This European discovery engine uniquely combines efficient AI with a privacy-protecting focus and a smooth user experience. At KDDI, we’re constantly on the lookout for companies that can shape the future with their expertise and technology. That’s why it was a perfect match for us.”

In addition to the three co-founders (Leif-Nissen Lundbæk, chief executive officer, Professor Michael Huth, chief research officer, and Felix Hahmann, chief operations officer), Dr Daniel von Heyl will come on board as chief financial officer. Frank Pepermans will take on the role of chief technology officer and Michael Briggs will join as chief growth officer.

China Roundup: Kai-Fu Lee’s first Europe bet, WeRide buys a truck startup

Hello and welcome back to TechCrunch’s China Roundup, a digest of recent events shaping the Chinese tech landscape and what they mean to people in the rest of the world.

Despite the geopolitical headwinds for foreign tech firms to enter China, many companies, especially those that find a dependable partner, are still forging ahead. For this week’s roundup, I’m including a conversation I had with Prophesee, a French vision technology startup, which recently got funding from Kai-Fu Lee and Xiaomi, along with the usual news digest.

Spotting opportunities in China

Like many companies working on futuristic, cutting-edge tech in Europe, Prophesee was a spinout from university research labs. Previously, I covered two such companies from Sweden: Imint, which improves smartphone video production through deep learning, and Dirac, an expert in sound optimization.

The three companies have two things in common: They are all in niche fields, and they have all found eager customers in China.

For Prophesee, they are production lines, automakers and smartphone companies in China looking for breakthroughs in perception technology, which will in turn improve how their robots respond to the environment. So it’s unsurprising that Xiaomi and Chinese chip-focused investment firm Inno-Chip backed Prophesee in its latest funding round, which was led by Sinovation Venture.

The funding size was undisclosed but TechCrunch learned it was in the range of “tens of million USD.” It was also the first investment that Kai-Fu Lee has made through Sinovation in Europe. As Prophesee CEO Luca Verre recalled:

I met Dr. Kai-Fu Lee three years ago during the World Economic Forum … and when I pitched to him about Prophesee, he got very intrigued. And then over the past three years, actually, we kept in touch and last year, given the growing traction we were having in China, particularly in the mobile and IoT industry, he decided to jump in. He said okay, it is now the right timing Prophesee becomes big.

The Paris-based company wasn’t actively seeking funding, but it believed having Chinese strategic investors could help it gain greater access to the complex market.

Rather than sending information collected by sensors and cameras to computing platforms, Prophesee fits that process inside a chip (fabricated by Sony) that mimics the human eyes, a technology that is built upon neuromorphic engineering.

The old method snaps a collection of fixed images so when information grows in volume, a tremendous amount of computing power is needed. In contrast, Prophesee’s sensors, which it describes as “event-based,” only pick up changes in the environment just as the photoreceptors in our eyes and can process information continuously and quickly.

Europe has been pioneering neuromorphic computing, but in recent years, Verre saw a surge in research coming from Chinese universities and tech firms, which reaffirmed his confidence in the market’s appetite.

We see Chinese OEMs (original equipment manufacturers), particularly Xiaomi, Oppo and Vivo pushing the standard of quality of image quality to very, very high … They are very eager to adopt new technology to further differentiate in a way which is faster and more aggressive than Apple. Apple is a company with an attitude which to me looks more similar to Huawei. So maybe for some technology, it takes more time to see the technology mature and adopt, which is right very often but later. So I’m sure that Apple will come at certain point with some products integrating event-based technology. In fact, we see them moving. We see them filing patents in the space. I’m sure that will come, but maybe not the first.

Though China is striving for technological independence, Verre believed Prophesee’s addressable market is large enough — $20 billion by his estimate. Nonetheless, he admitted he’d be “naive to believe Prophesee will be the only one to capture” this opportunity.

WeRide bought a truck company

One of China’s most valuable robotaxi startups has just acquired an autonomous trucking company called MoonX. The size of the deal is undisclosed, but we know that MoonX raised “tens of millions RMB” 15 months ago in a Series A round.

While WeRide is focused on Level 4 self-driving technology, it is also finding new monetization avenues before its robotaxis can chauffeur people at scale. It’s done so by developing minibuses, and the MoonX acqui-hire, which brings the company’s founder and over 50 engineers to WeRide, will likely help diversify its revenue pool.

WeRide and MoonX have deep-rooted relationships. Their respective founders, Tony Han and Yang Qingxiong, worked side by side at Jingchi, which was later rebranded to WeRide. Han co-founded Jingchi and took the helm as CEO in March 2018 while Yang was assigned vice president of engineering. But Yang soon quit and started MoonX.

Han, a Baidu veteran, gave Yang a warm homecoming and put him in charge of the firm’s research institute and its new office in Shenzhen, home to MoonX. WeRide’s sprawling headquarters is just about an hour’s drive away in the adjacent city of Guangzhou.

AI surveillance giant Cloudwalk nears IPO

Cloudwalk belongs to a cohort of Chinese unicorns that flourished through the second half of the 2010s by selling computer vision technology to government agencies across China. Together, Cloudwalk and its rivals SenseTime, Megvii and Yitu were dubbed the “four AI dragons” for their fast ascending valuations and handsome funding rounds.

Of course, the term “AI dragon” is now a misnomer as AI application becomes so pervasive across industries. Investors soon realized these upstarts need to diversify revenue streams beyond smart city contracts, and they’ve been waiting anxiously for exits. Finally, here comes Cloudwalk, which will likely be the first in its cohort to go public.

Cloudwalk’s application to raise 3.75 billion yuan ($580 million) from an IPO on the Shanghai STAR board was approved this week, though it can still be months before it starts trading. The firm’s financials don’t look particularly rosy for investors, with net loss amounting to 720 million yuan in 2020.

Also in the news

  • Speaking of the torrent of news in autonomous driving, vehicle vision provider CalmCar said this week that it has raised $150 million in a Series C round. Founded by several overseas Chinese returnees in 2016, CalmCar uses deep learning to develop ADAS (Advanced Driver Assistance System) used in automotive, industrial and surveillance scenarios. German auto parts maker ZF led the round.
  • Baby clothes direct-to-consumer brand PatPat said it has raised $510 million from Series C and D rounds. The D2C ecosystem leveraging China’s robust supply chains is increasingly gaining interest from venture capitalists. Brands like Shein, PatPat, Cider and Outer have all secured funding from established VCs. Founded by three Carnegie Mellon grads, PatPat counts IDG Capital, General Atlantic, DST Global, GGV Capital, SIG China and Sequoia China among its investors.

This tool tells you if NSO’s Pegasus spyware targeted your phone

Over the weekend, an international consortium of news outlets reported that several authoritarian governments — including Mexico, Morocco, and the United Arab Emirates — used spyware developed by NSO Group to hack into the phones of thousands of their most vocal critics, including journalists, activists, politicians and business executives.

A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by Paris-based journalism non-profit Forbidden Stories and Amnesty International, and shared with the reporting consortium, including the Washington Post and The Guardian. Researchers analyzed the phones of dozens of victims to confirm they were targeted by NSO’s Pegasus spyware, which can access all of the data on a person’s phone. The reports also confirm new details of the government customers themselves, which NSO Group closely guards. Hungary, a member of the European Union where privacy from surveillance is supposed to be a fundamental right for its 500 million residents, is named as an NSO customer.

The reporting shows for the first time how many individuals are likely targets of NSO’s intrusive device-level surveillance. Previous reporting had put the number of known victims in the hundreds or over a thousand.

NSO Group sharply rejected the claims. NSO has long said that it doesn’t know who its customers target, which it reiterated in a statement to TechCrunch on Monday.

Researchers at Amnesty, whose work was reviewed by the Citizen Lab at the University of Toronto, found that NSO can deliver Pegasus by sending a victim a link which when opened infects the phone, or silently and without any interaction at all through a “zero-click” exploit, which takes advantage of vulnerabilities in the iPhone’s software. Citizen Lab researcher Bill Marczak said in a tweet that NSO’s zero-clicks worked on iOS 14.6, which until today was the most up-to-date version.

Amnesty’s researchers showed their working by publishing meticulously detailed technical notes and a toolkit that they said may help others identify if their phones have been targeted by Pegasus.

The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than on Android devices, which makes an infection easier to detect on iPhones. MVT lets you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and feed it in to scan for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO’s infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.

The Terminal output from the MVT toolkit, which scans iPhone and Android backup files for indicators of compromise. (Image: TechCrunch)

The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about ten minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.

Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spat out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the output files. In our case, we got one “detection,” which turned out to be a false positive and has been removed from the IOCs after we checked with the Amnesty researchers. A new scan using the updated IOCs returned no signs of compromise.

Given it’s more difficult to detect an Android infection, MVT takes a similar but simpler approach by scanning your Android device backup for text messages with links to domains known to be used by NSO. The toolkit also lets you scan for potentially malicious applications installed on your device.

The toolkit is — as command line tools go — relatively simple to use, and since the project is open source, before long someone will surely build a user interface for it. The project’s detailed documentation will help you — as it did us.
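To make the IOC-matching step described above concrete (the iPhone and the Android scans both boil down to the same domain check), here is an added example of how such a scan works on message records, including the false-positive case above. This is illustrative code written for this page, not MVT’s own implementation; the STIX-style IOC bundle, the `.example` domains and the message records are all constructed placeholders.

```python
"""Minimal IOC domain scan over message records (added example, not MVT's code).

Amnesty publishes its Pegasus IOCs as a STIX2 bundle of indicator objects; the
bundle below copies only that shape, with placeholder domains."""
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed IOC bundle. The third entry stands in for a benign domain that
# slipped into the list, which is what produces a false positive until the
# IOC file is corrected.
SAMPLE_IOC_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "indicator", "name": "placeholder-c2-1",
         "pattern": "[domain-name:value = 'placeholder-c2.example']"},
        {"type": "indicator", "name": "placeholder-c2-2",
         "pattern": "[domain-name:value = 'redirect-bad.example']"},
        {"type": "indicator", "name": "mistaken-entry",
         "pattern": "[domain-name:value = 'cdn-news.example']"},
    ],
})

# Constructed message records, in place of rows read from a backup's SMS store.
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "+1555000100",
     "text": "Your package: http://track.placeholder-c2.example/x9"},
    {"id": 2, "sender": "friend", "text": "see you at 8"},
    {"id": 3, "sender": "news",
     "text": "Breaking: https://cdn-news.example/story/123"},
    {"id": 4, "sender": "+1555000199", "text": "redirect-bad.example/login"},
]

STIX_DOMAIN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
# http(s) URLs as well as bare host/path strings, as they appear in SMS bodies.
URL_RE = re.compile(
    r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s<>\"']*)?", re.I)


@dataclass(frozen=True)
class Detection:
    message_id: int
    sender: str
    host: str      # hostname found in the message
    ioc: str       # IOC domain it matched


def load_domain_iocs(bundle_json):
    """Collect the domain-name indicators from a STIX2 bundle, normalized."""
    domains = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for m in STIX_DOMAIN_RE.finditer(obj.get("pattern", "")):
            domains.add(m.group(1).lower().rstrip("."))
    return domains


def extract_hosts(text):
    """Return the hostnames of every URL-like token in a message body."""
    hosts = []
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        if "://" not in raw:          # bare host/path: add a scheme so urlsplit parses it
            raw = "http://" + raw
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def match_ioc(host, iocs):
    """Exact match or a subdomain of a listed IOC domain; None if clean."""
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_messages(messages, iocs):
    """Flag every message that links to an IOC domain, in message order."""
    found = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            ioc = match_ioc(host, iocs)
            if ioc:
                found.append(Detection(msg["id"], msg["sender"], host, ioc))
    return found


if __name__ == "__main__":
    iocs = load_domain_iocs(SAMPLE_IOC_BUNDLE)
    for d in scan_messages(SAMPLE_MESSAGES, iocs):
        print(f"message {d.message_id} from {d.sender}: {d.host} matches IOC {d.ioc}")
    # After the mistaken entry is dropped from the IOC file, the false positive disappears.
    for d in scan_messages(SAMPLE_MESSAGES, iocs - {"cdn-news.example"}):
        print(f"[corrected IOCs] message {d.message_id}: {d.host} matches {d.ioc}")
```

A real scan reads the message rows out of the backup rather than a list, and the IOC file should be re-downloaded before every run, as the article notes.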
