Category: UNCATEGORIZED

Being able to pay for things like subways and buses with your phone just makes sense, but in much of the US, you’ll still need a paper ticket or an oh-so-losable reloadable card if you want a ride.

At its big press event this afternoon, Apple announced that transit systems in a few major US cities are picking up support for Apple Pay, allowing you to tap your phone or Apple Watch to pay for your ride.

Details were light, but Apple confirmed that transit systems in New York City, Chicago, and Portland would play friendly with Apple Pay starting later this year.

This isn’t the first time we’ve seen Apple Pay pick up compatibility with transit; support went live in Beijing and Shanghai, for example, nearly a year ago. Still, more cities is a great thing, if only because it makes it that much easier to figure out the transit system when you land somewhere new.

Today, Apple announced… a credit card. The Apple Card is designed for the iPhone and will work with the Wallet app. You sign up from your iPhone and you can use it with Apple Pay in just a few minutes.

Before introducing the card, Apple CEO Tim Cook shared a few numbers about Apple Pay. This year, Apple Pay will reach 10 billion transactions this year. By the end of this year, Apple Pay will be available in more than 40 countries.

Retail acceptance of Apple Pay is always growing. In the U.S., 70 percent of businesses accept Apple Pay. But it’s higher in some countries — Australia is at 99 percent acceptance for instance.

But let’s talk about the Apple Card. After signing up, you control the Apple Card from the Wallet app. When you tap on the card, you can see your last transactions, how much you owe, how much money you spent on each category.

You can tap on a transaction and see the location in a tiny Apple Maps view. Every time you make an Apple Pay transaction, you get 2 percent in cash back. You don’t have to wait until the end of the month as your cash is credited every day. For Apple purchases, you get 3 percent back.

As previously rumored, Apple has partnered with Goldman Sachs and Mastercard to issue that card. Apple doesn’t know what you bought, where you bought it and how much you paid for it. And Goldman Sachs promises that it won’t sell your data for advertising or marketing.

When it comes to the fine prints, there’s no late fees, no annual fees, no international fees and no over-limit fees. You can contact customer support through text messages in the Messages app.

The Apple Card isn’t limited to a virtual card. You get a physical titanium card with a laser-etched name. There’s no card number, no CVV code, no expiration date and no signature on the card. You have to use the Wallet app to get that information. Physical transactions are eligible to 1 percent in daily cash.

A large-scale independent study of pre-installed Android apps has cast a critical spotlight on the privacy and security risks that preloaded software poses to users of the Google developed mobile platform.

The researchers behind the paper, which has been published in preliminary form ahead of a future presentation at the IEEE Symposium on Security and Privacy, unearthed a complex ecosystem of players with a primary focus on advertising and “data-driven services” — which they argue the average Android user is unlikely to be unaware of (while also likely lacking the ability to uninstall/evade the baked in software’s privileged access to data and resources themselves).

The study, which was carried out by researchers at the Universidad Carlos III de Madrid (UC3M) and the IMDEA Networks Institute, in collaboration with the International Computer Science Institute (ICSI) at Berkeley (USA) and Stony Brook University of New York (US), encompassed more than 82,000 pre-installed Android apps across more than 1,700 devices manufactured by 214 brands, according to the IMDEA institute.

“The study shows, on the one hand, that the permission model on the Android operating system and its apps allow a large number of actors to track and obtain personal user information,” it writes. “At the same time, it reveals that the end user is not aware of these actors in the Android terminals or of the implications that this practice could have on their privacy.  Furthermore, the presence of this privileged software in the system makes it difficult to eliminate it if one is not an expert user.”

An example of a well-known app that can come pre-installed on certain Android devices is Facebook .

Earlier this year the social network giant was revealed to have inked an unknown number of agreements with device makers to preload its app. And while the company has claimed these pre-installs are just placeholders — unless or until a user chooses to actively engage with and download the Facebook app, Android users essentially have to take those claims on trust with no ability to verify the company’s claims (short of finding a friendly security researcher to conduct a traffic analysis) nor remove the app from their device themselves. Facebook pre-loads can only be disabled, not deleted entirely.

The company’s preloads also sometimes include a handful of other Facebook-branded system apps which are even less visible on the device and whose function is even more opaque.

Facebook previously confirmed to TechCrunch there’s no ability for Android users to delete any of its preloaded Facebook system apps either.

“Facebook uses Android system apps to ensure people have the best possible user experience including reliably receiving notifications and having the latest version of our apps. These system apps only support the Facebook family of apps and products, are designed to be off by default until a person starts using a Facebook app, and can always be disabled,” a Facebook spokesperson told us earlier this month.

But the social network is just one of scores of companies involved in a sprawling, opaque and seemingly interlinked data gathering and trading ecosystem that Android supports and which the researchers set out to shine a light into.

In all 1,200 developers were identified behind the pre-installed software they found in the data-set they examined, as well as more than 11,000 third party libraries (SDKs). Many of the preloaded apps were found to display what the researchers dub potentially dangerous or undesired behavior.

The data-set underpinning their analysis was collected via crowd-sourcing methods — using a purpose-built app (called Firmware Scanner), and pulling data from the Lumen Privacy Monitor app. The latter provided the researchers with visibility on mobile traffic flow — via anonymized network flow metadata obtained from its users. 

They also crawled the Google Play Store to compare their findings on pre-installed apps with publicly available apps — and found that just 9% of the package names in their dataset were publicly indexed on Play. 

Another concerning finding relates to permissions. In addition to standard permissions defined in Android (i.e. which can be controlled by the user) the researchers say they identified more than 4,845 owner or “personalized” permissions by different actors in the manufacture and distribution of devices.

So that means they found systematic user permissions workarounds being enabled by scores of commercial deals cut in a non-transparency data-driven background Android software ecosystem.

“This type of permission allows the apps advertised on Google Play to evade Android’s permission model to access user data without requiring their consent upon installation of a new app,” writes the IMDEA.

The top-line conclusion of the study is that the supply chain around Android’s open source model is characterized by a lack of transparency — which in turn has enabled an ecosystem to grow unchecked and get established that’s rife with potentially harmful behaviors and even backdoored access to sensitive data, all without most Android users’ consent or awareness. (On the latter front the researchers carried out a small-scale survey of consent forms of some Android phones to examine user awareness.)

tl;dr the phrase ‘if it’s free you’re the product’ is a too trite cherry atop a staggeringly large yet entirely submerged data-gobbling iceberg. (Not least because Android smartphones don’t tend to be entirely free.)

“Potential partnerships and deals — made behind closed doors between stakeholders — may have made user data a commodity before users purchase their devices or decide to install software of their own,” the researchers warn. “Unfortunately, due to a lack of central authority or trust system to allow verification and attribution of the self-signed certificates that are used to sign apps, and due to a lack of any mechanism to identify the purpose and legitimacy of many of these apps and custom permissions, it is difficult to attribute unwanted and harmful app behaviors to the party or parties responsible. This has broader negative implications for accountability and liability in this ecosystem as a whole.”

The researchers go on to make a series of recommendations intended to address the lack of transparency and accountability in the Android ecosystem — including suggesting the introduction and use of certificates signed by globally-trusted certificate authorities, or a certificate transparency repository “dedicated to providing details and attribution for certificates used to sign various Android apps, including pre-installed apps, even if self-signed”.

They also suggest Android devices should be required to document all pre-installed apps, plus their purpose, and name the entity responsible for each piece of software — and do so in a manner that is “accessible and understandable to users”.

“[Android] users are not clearly informed about third-party software that is installed on their devices, including third-party tracking and advertising services embedded in many pre-installed apps, the types of data they collect from them, the capabilities and the amount of control they have on their devices, and the partnerships that allow information to be shared and control to be given to various other companies through custom permissions, backdoors, and side-channels. This necessitates a new form of privacy policy suitable for preinstalled apps to be defined and enforced to ensure that private information is at least communicated to the user in a clear and accessible way, accompanied by mechanisms to enable users to make informed decisions about how or whether to use such devices without having to root their devices,” they argue, calling for overhaul of what’s long been a moribund T&Cs system, from a consumer rights point of view.

In conclusion they couch the study as merely scratching the surface of “a much larger problem”, saying their hope for the work is to bring more attention to the pre-installed Android software ecosystem and encourage more critical examination of its impact on users’ privacy and security.

They also write that they intend to continue to work on improving the tools used to gather the data-set, as well as saying their plan is to “gradually” make the data-set itself available to the research community and regulators to encourage others to dive in.  

Apple today unveiled a revamped Apple News app which now includes a premium tier called Apple News+,  offering access to over 300 magazines and newspapers for $9.99 per month. At launch, the subscription includes magazine titles like Bon Appétit, People and Glamour, along with top publishers like The Wall Street Journal and Los Angeles Times, among others.

TechCrunch’s premium product, Extra Crunch, is among the new participants.

“When we created Apple news over three years ago, we wanted to provide the best way to read the news on your iPhone and iPad,” said Apple CEO Tim Cook, in introducing the company’s plans for Apple News+. “And we felt we can make a difference in the way that news is experienced and understood – a place where the news would come from trusted sources and be curated by experts,” he added.

The subscription introduces a new design feature called “Live Covers,” which shows animated images instead of static photos for the magazine’s cover. Inside the digital magazine’s pages, readers can view a table of contents, swipe through beautifully designed pages filled with text, photos and infographic content, and more. The experience looks very much like the popular digital magazine app, Flipboard.

The magazine publishers can also express their own unique look and feel through their design and photography, noted Apple designer Wyatt Mitchell, in presenting the new feature.

The News+ tab is where you can begin to explore the available magazines, while the Today tab features more recommendations of articles and issues. The service will also customize itself to your interests, but won’t do so by tracking what you read.

Instead, Apple says the service will download groups of articles from its servers. And then it uses on device intelligence to make recommendations. That means Apple won’t know what you read and won’t allow advertisers to track you either.

When you subscribe, your whole family can access the magazines through Apple Family Sharing, for the same price.

Apple had signaled its intention to enter the premium news subscription businesses when it acquired digital newsstand startup Texture in spring 2018. Shortly thereafter, reports surfaced that Apple was planning to relaunch Texture’s product as part of the existing Apple News application. The company had been courting high-profile publishers, but industry reaction was mixed.

That appears to remain the case as the service goes to launch. While it does offer The Wall Street Journal – announced ahead of today’s event – other top publishers like The New York Times and The Washington Post have chosen not to participate.

Apple News+ is available today in the U.S. and Canada, starting today. In Canada, The Star is participating. Later this year, Apple News+ will arrive in Europe, starting with the UK, and Australia.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

1. What to expect from Apple’s ‘Show Time’ event

Apple is holding a big press event today, where it’s expected to finally unveil its streaming strategy, combining original content with the ability to sign up for subscriptions from HBO, Showtime and others. Also likely: A bundled news subscription.

The event kicks off at 10am Pacific today. Follow along with our live coverage.

2. Hackers dropped a secret backdoor in Asus’ update software

The bombshell claims, first reported by Motherboard, say the malicious updates were pushed to Asus computers, which has the software installed by default.

3. Telegram adds ‘delete everywhere’ nuclear option — killing chat history

The new “nuclear option” delete feature allows a user to selectively delete their own messages and/or messages sent by any others in the chat. They don’t even have to have composed the original message or begun the thread to do so.

4. Hackers conquer Tesla’s in-car web browser and win a Model 3

A pair of security researchers dominated Pwn2Own, the annual high-profile hacking contest, taking home $375,000 in prizes, including a Tesla Model 3 — their reward for successfully exposing a vulnerability in the electric vehicle’s infotainment system.

5. Alibaba acquires Israeli startup Infinity Augmented Reality

Alibaba and InfinityAR have had a strategic partnership since 2016, when Alibaba Group led InfinityAR’s Series C. Since then, the two have collaborated on augmented reality, computer vision and artificial intelligence projects.

6. MoviePass parent’s CEO discusses the service’s rocky year

“We’ve changed the whole model forever.” Here’s a transcript of our conversation with Helios and Matheson CEO Ted Farnsworth.

7. This week’s TechCrunch podcasts

The team at Equity has some thoughts on Lyft’s IPO plans, while over at Original Content, we review the Hulu series “Shrill.”

Video sharing app TikTok passed 1 billion downloads last month, and its parent company ByteDance is ramping up its efforts to monetize those users with ads, while also continuing to add more features to the app to keep people engaged. In a move that could help both of those efforts, ByteDance has made a small acquisition, picking up the assets of a defunct startup called GeoGif, which developed location-specific, animated stickers and overlays for videos, suggested to users when they capture video or images in specific places.

It seems that the location-based, animated element of what GeoGif built is the key part of what might be coming soon to TikTok, since the app already had a range of visual and audio filters and stickers to alter appearances and your voice, or just to embellish and further personalize your video.

Here’s the general gist of what GeoGif can do for a video if you are, for example, in Miami for Spring Break. (Note: This is not the greatest example given the naff and objectifying subject matter, but it’s the only example the startup has provided.)

The terms of the acquisition have not been disclosed, although we are asking both Dean Glas, one of GeoGif’s co-founders, as well as ByteDance and we will update if we learn more. In any case, the deal appears to include only the assets of the startup, which ceased operating more than two years ago, judging by activity on its social media accounts and LinkedIn profiles. CEO Dean Glas and his co-founder Mendy Raskin are now both working on new startups.

“We are excited for GeoGif to have a new home at TikTok,” said GeoGif’s CEO Dean Glas, “and we believe our features will be enjoyed by millions of users. We will work closely to make sure it’s a smooth transition that provides a long-term positive impact for the TikTok community.”

A TikTok spokesperson also confirmed that the features that were built for GeoGif will get rolled into the main TikTok app: “GeoGif and TikTok share a common goal which is enabling people to connect, consume, and create great content. We’re impressed with what the team at GeoGif has built and with TikTok’s resources, we believe that we will deliver an even better user experience for our millions of users who love using TikTok to express their creativity through short videos.”

With TikTok, China’s ByteDance has created one of the world’s biggest video apps — and subsequently become one of the world’s most valuable startups — and it has used acquisition as a key lever for adding both users and features.

To help break into the US, the main app itself merged with Musical.ly last year after being acquired for between $800 million and $1 billion by Toutiao (a ByteDance sub-brand) in 2017. Other acquisitions have included Flipagram — another music-video app and startup — in 2017 for an undisclosed sum; the AR selfie camera FaceU in 2018, reportedly for $300 million; payments startup UIPay also in 2018; and — just last week — it appears ByteDance acquired a gaming startup, Mokun Technology, from previous owner 37 Interactive, also for an undisclosed sum.

It’s likely that the GeoGif acquisition was for a small sum: the company did not have anything close to mass-market traction, and it had raised only seed round of an undisclosed amount. It was originally spun out of parent company Bivid — which is also now defunct but had been a hyperlocal social network akin to YikYak, Highlight and Zenly, suggesting friends and others who were near to you for chit-chat and simply to know their whereabouts.

TikTok already runs ads and has other paid features in China, but in Western markets like the US, the company has largely only been doing limited runs and tests of different formats, such as this native video ad test we spotted in February.

In January, a leaked ad deck from the company in Europe also mentioned several advertising and marketing units it was running and planning to run including brand takeovers; in-feed native video; hashtag challenges; Snapchat-style 2D lens filters for photos; and 3D and AR lenses. It’s the latter of these where GeoGif’s efforts could be rolled in.

Also in January, Bloomberg reported that in 2018, ByteDance, for the first time, had failed to beat its own revenue forecasts: It had told investors when it was fundraising a monster $3 billion round that it expected to make between $7.4 billion and $8.1 billion in revenues for the year, and sources said it would be coming in at the lower end of that range.

These are, relatively speaking, huge numbers when you consider that ByteDance’s currency is social media apps, which often spend years making no money at all. But in the context of missing growth expectations, this slower expansion could be a lever for the company launching more ad formats in more places and launching more products, such as the Slack competitor it is also reportedly building.

It’s been just over a year since Google announced its $300 million News Initiative, which included funding for independent journalism efforts along with products developed by Google.

One of those products was News Consumer Insights, which has been used by publishers like BuzzFeed, Business Insider and Conde Nast. It takes data already collected through Google Analytics and makes it more useful for publishers, particularly when it comes to understanding different audience segments and whether they’re likely to become paying subscribers.

“It’s turning raw data into business intelligence and actionable insights,” said Amy Adams Harding, Google’s head of analytics and revenue optimization and head of publisher development.

Now Google is building on the NCI product with a new tool called Real-time Content Insights.

As the name implies, RCI is focused on telling publishers what’s happening on their site at this moment, and on helping them identify trending news stories that could attract more readers. The initial NCI data is more useful for the publisher’s business or audience development teams, Harding said RCI is designed “to help the editorial side of our partners understand the dynamics of content on their site — what’s trending, what’s falling off, what’s getting traction.”

Google is hardly the first company to offer real-time data to news publishers, but Harding said this “off-the-shelf, click-to-play” product could be particularly useful for smaller newsrooms that don’t have a lot of resources and aren’t particularly data-savvy.

“Local is a huge pillar of the Google News Initiative,” Harding said. “What can we do to help develop tools where we can be support mechanisms for our partners as they try to stay sustainable during this transition … not only to digital, but one more transition over to this diversified revenue stream? That’s something that many of our publishers are not resourced well enough to take on on their own.”

RCI presents the data in the form of an image-heavy dashboard showing how many readers are looking at a story currently, and how many views the story’s gotten in the past 30 minutes. You can also see how well the site is doing today, compared to a normal day’s traffic, and break down your traffic by geography and referral sources.

The dashboard also shows the topics that are currently trending on Google and Twitter. Of course, not all of those topics will be right for your publication, but Harding said it can help editors and writers identify the gaps in their coverage, based on, “What are people curious about?” (on Google) and “What are people talking about?” (on Twitter).

At first glance, RCI doesn’t seem to tie directly into the bigger goals of helping publishers building sustainable, diversified business models. However, Harding that it can be used in conjunction with the existing NCI product, which helps them identify their most valuable audiences.

“Where the publisher would see value is, ‘Okay, we know that users coming from direct referral traffic are more valuable, [and] this article is driving is driving viewership from those types of readers,'” she said.

Harding added that Google is making the RCI source code available on GitHub, so that more sophisticated publishers can customize it to create their own data visualizations.

China’s Pinduoduo was all the rage in 2018 as the ecommerce upstart quickly rose to challenge Alibaba and raised $1.63 billion through a Nasdaq listing. Much of its success was attributable to its link to WeChat, China’s messaging leader. Now, another emerging ecommerce player that has leveraged WeChat is gearing up for a listing in the United States.

Yunji, which was founded in 2015, the same year Pinduoduo launched, is raising up to $200 million according to its prospectus filed with the Securities and Exchange Commission last week. Reuters reported citing sources in September that Yunji planned to raise around $1 billion in the IPO at a valuation of between $7 billion and $10 billion.

Like Pinduoduo, Yunji bills itself as a “social ecommerce” service, which means it takes advantage of social relationships on apps like WeChat to acquire, engage and sell to users. The pair differ, however, in how exactly they make money. Pinduoduo generates the bulk of its revenues — nearly 90 percent in the fourth quarter — from advertising fees collected from merchants. This is akin to Alibaba’s marketplace play of connecting buyers and third-party sellers. Yunji, which was started by ecommerce veteran Xiao Shanglue, focuses on direct sales like Alibaba’s arch-foe JD.com and derived 88 percent of its fourth-quarter revenues from selling to users.

In terms of size, Yunji was about $15 million behind Pinduoduo in revenue last year. It was, however, much closer to achieving profitability than Pinduoduo, which spent most of its money on sales and marketing. Most of Yunji’s expenses went to fulfillment and logistics.

From inception, Yunji has boasted of its “innovative” membership-based ecommerce model. To join, people typically pay a fee, upon which they gain access to a variety of benefits and discounts as well as the permission to open their own micro-stores. Members then get compensated for successfully selling to others and recruiting new members.

The marketing practice helped Yunji quickly build up a large network of users but the firm went too far in exploiting the social links it controlled that it started to look like a pyramid scheme, which is banned in China. In 2017, the local government slapped Yunji with a $1.4 million fine for pyramid selling. The firm subsequently apologized and promised to revamp its marketing strategy. For instance, to avoid crossing the red line of awarding salespeople with “material” or “financial” benefits, Yunji resorted to virtual Yun-coins, which are not redeemable for cash and can only be used as coupons for future purchase.

But Yunji is still on the edge. The company warns in its prospectus that China could redefine what constitutes pyramid selling anytime.

“[T]here is no assurance that the competent governmental authorities in China that we communicate with will not change their views, or the other relevant government authorities will share the same view as our PRC legal counsel, or they will find our business model, not in violation of any applicable regulations, given the uncertainties in the interpretation and application of existing PRC laws, regulations and policies relating to our current business model, including, but not limited to, regulations regulating pyramid selling.”

In 2018, Yunji accumulated 7.4 million members who contributed 11.9 percent of its total revenues and 66.4 percent of its transactions. Some of the firm’s more notable investors include China’s CDH Investments and Huaxing Growth Capital, China Renaissance’s subsidiary focusing on high-growth startups.

You know Apple’s got something big in the works when it went ahead and launched new iPads, iMacs and AirPods in one week with little fanfare. And while this week’s event was a bit of a surprise, Apple’s clearly been working to it for a long time.

The company sent out invites for “Show Time” a few weeks back, and since then we’ve been piecing together the clues of what we expect will be announced. A new video-streaming service will most likely be the centerpiece of the big event. The company has budgeted at least $1 billion on content for the Netflix competitor. A new news service and even a credit card also appear to be on tap for what looks to be a packed show.

Editors Matthew Panzarino and Brian Heater are on the ground in Cupertino today, set to bring you live updates from the Steve Jobs Theater. Bookmark this space. Things kick off at 10AM PT/1PM ET.

Hackers targeted and compromised “hundreds of thousands” of Asus computer owners by pushing a backdoored update software tool from the company’s own servers.

The bombshell claims, first reported by Motherboard, said the hackers digitally signed the Asus Live Update tool with one of the company’s own code-signing certificates before pushing it to Asus’ download servers, which hosted the backdoored tool for months last year. The malicious updates were pushed to Asus computers, which has the software installed by default.

TechCrunch can confirm much of Motherboard’s reporting after we learned of the attack some weeks ago from a source with direct knowledge of the incident.

Kaspersky, which first found the backdoored software, said the malicious update tool was installed on as many as half a million computers. The backdoor would scan a device for a target’s unique MAC address and pulls a malicious payload from a command and control server.

Motherboard’s reporting said the backdoor was scanning for some 600 MAC addresses, matching what TechCrunch has learned, that the backdoor was likely targeted to infect only a small number of victims rather than cause infections on a large scale.

Symantec confirmed Kaspersky’s findings, the company told TechCrunch, describing it as a software supply chain attack. “Our findings suggest the trojanized version of the software were sent to ASUS customers between June and October,” said spokesperson Jennifer Duffourg.

It’s believed the hackers had access to Asus’ own certificates to sign the malware. One of the backdoored files used a certificate created in mid-2018 but were different from Asus’ regularly used certificates. Motherboard reported the certificates were still active and had not been revoked, posing a continued risk to Asus customers.

It’s not known exactly what payload was delivered to victims, however.

The backdoor bears a resemblance to CCleaner, which similarly used a code-signing certificate to hide any malicious component. Some 2.3 million customers were affected by the backdoor, blamed on hackers who reportedly targeted tech giants.

Asus has not informed customers of the vulnerability after it was discovered earlier this year. Motherboard said Kaspersky reported the backdoored software on January 31. Taiwan-based Asus is said to have some 6 percent of the computer market share, according to Gartner, shipping tens of millions of computers each year.

When reached last week about the claims, Asus spokesperson Gary Key had no immediate answer to several questions we had and referred comment to its headquarters.

Kaspersky’s Sarah Kitsos did not comment on the findings.