app-store

A cryptocurrency stealing app found on Google Play was downloaded over a thousand times


Researchers have found two apps masquerading as cryptocurrency apps on Android’s app store, Google Play.

One of them was largely a dud. The second was designed to steal cryptocurrency, the researchers said.

Security firm ESET said one of the two fake Android apps impersonated Trezor, a maker of hardware cryptocurrency wallets. The good news is that the app could not be used to steal cryptocurrency held in a Trezor wallet, which keeps its keys on the hardware device. But the researchers found the app was connected to a second Android app that could have been used to scam funds out of unsuspecting victims.

Lukas Stefanko, a security researcher at ESET — who has a long history of finding dodgy Android apps — said the fake Trezor app “appeared trustworthy at first glance” but was using a fake developer name to impersonate the company.

The fake app was designed to trick users into handing over their login credentials. Uploaded to Google Play on May 1, it quickly ranked as the second result for the search term “Trezor,” behind only the legitimate app, said Stefanko. Users on Reddit also spotted the fake app and reported it as recently as two weeks ago.

According to Stefanko, the server that the stolen credentials were sent to was tied to the website of a second fake wallet app, which purported to store cryptocurrency and had also been listed on Google Play, since February 25.

“The app claims it lets its users create wallets for various cryptocurrencies,” said Stefanko. “However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we’ve named wallet address scams in our previous research into cryptocurrency-targeting malware.”

Both apps were collectively downloaded more than a thousand times. After ESET contacted Google, the apps were pulled offline the next day.


Powered by WPeMatico

OpenFin raises $17 million for its OS for finance


OpenFin, the company looking to provide the operating system for the financial services industry, has raised $17 million in funding through a Series C round led by Wells Fargo, with participation from Barclays and existing investors including Bain Capital Ventures, J.P. Morgan and Pivot Investment Partners. Previous investors in OpenFin also include DRW Venture Capital, Euclid Opportunities and NYCA Partners.

Likening itself to “the OS of finance,” OpenFin seeks to be the operating layer on which applications used by financial services companies are built and launched, akin to iOS or Android for your smartphone.

OpenFin’s operating system provides three key capabilities which, while present on your mobile phone, have previously been absent in the financial services industry: easier deployment of apps to end users, fast security assurances for applications and interoperability.

Traders, analysts and other financial service employees often find themselves using several separate platforms simultaneously, as they try to source information and quickly execute multiple transactions. Yet historically, the desktop applications used by financial services firms — like trading platforms, data solutions or risk analytics — haven’t communicated with one another, with functions performed in one application not recognized or reflected in external applications.

“On my phone, I can be in my calendar app and tap an address, which opens up Google Maps. From Google Maps, maybe I book an Uber. From Uber, I’ll share my real-time location on messages with my friends. That’s four different apps working together on my phone,” OpenFin CEO and co-founder Mazy Dar explained to TechCrunch. That cross-functionality has long been missing in financial services.

As a result, employees can find themselves losing precious time — which in the world of financial services can often mean losing money — as they juggle multiple screens and perform repetitive processes across different applications.

Additionally, major banks, institutional investors and other financial firms have traditionally deployed natively installed applications in lengthy processes that can often take months, going through long vendor packaging and security reviews that ultimately don’t prevent the software from actually accessing the local system.

OpenFin CEO and co-founder Mazy Dar (Image via OpenFin)

As former analysts and traders at major financial institutions, Dar and his co-founder Chuck Doerr (now president & COO of OpenFin) recognized these major pain points and decided to build a common platform that would enable cross-functionality and instant deployment. And since apps on OpenFin are unable to access local file systems, banks can better ensure security and avoid prolonged yet ineffective security review processes.

And the value proposition offered by OpenFin seems to be quite compelling. OpenFin boasts an impressive roster of customers using its platform, including more than 1,500 major financial firms, almost 40 leading vendors and 15 of the world’s 20 largest banks.

More than 1,000 applications have been built on the OS, with OpenFin now deployed on more than 200,000 desktops — a noteworthy milestone given that the ever-popular Bloomberg Terminal, which is ubiquitously used across financial institutions and investment firms, is deployed on roughly 300,000 desktops.

Since raising its Series B in February 2017, OpenFin’s deployments have more than doubled. The company’s headcount has also doubled and its European presence has tripled. Earlier this year, OpenFin also launched its OpenFin Cloud Services platform, which allows financial firms to launch their own private local app stores for employees and customers without writing a single line of code.

To date, OpenFin has raised a total of $40 million in venture funding and plans to use the capital from its latest round for additional hiring and to expand its footprint onto more desktops around the world. In the long run, OpenFin hopes to become the vital operating infrastructure upon which all developers of financial applications are innovating.

“Apple and Google’s mobile operating systems and app stores have enabled more than a million apps that have fundamentally changed how we live,” said Dar. “OpenFin OS and our new app store services enable the next generation of desktop apps that are transforming how we work in financial services.”


The EU will reportedly investigate Apple following anti-competition complaint from Spotify


The spat between Spotify and Apple is going to be the focus of a new investigation by the EU, according to a report from the FT.

The paper reported today that the European Commission (EC), the EU’s regulatory body, plans to launch a competition inquiry around Spotify’s claim that the iPhone-maker uses its position as the gatekeeper of the App Store to “deliberately disadvantage other app developers.”

In a complaint filed to the EC in March, Spotify said Apple has “tilted the playing field” by operating iOS, the platform, and the App Store for distribution, as well as its own Spotify rival, Apple Music.

In particular, Spotify CEO Daniel Ek has said that Apple “locks” developers and their platform, which includes a 30 percent cut of in-app spending. Ek also claimed Apple Music has unfair advantages over rivals like Spotify, while he expressed concern that Apple controls communication between users and app publishers, “including placing unfair restrictions on marketing and promotions that benefit consumers.”

Spotify’s announcement was unprecedented — Ek claimed many other developers feel the same way, but do not want to upset Apple by speaking up. The EU is sure to tap into that silent base if the investigation does indeed go ahead as the FT claims.

Apple bit back at Spotify’s claims, but its response was more a rebuttal — or alternative angle — on those complaints. Apple did not directly address any of the demands that Spotify put forward, and those include alternative payment options (as offered in the Google Play store) and equal treatment for Apple apps and those from third-parties like Spotify.

The EU is gaining a reputation as a tough opponent that’s reining in U.S. tech giants.

Aside from its GDPR initiative, it has a history of taking action on apparent monopolies in tech.

Google was fined €1.49 billion ($1.67 billion) in March of this year over antitrust violations in search ad brokering, for example, and a record $5 billion last year over Android abuses, and there have been calls to look into breaking the search company up. Inevitably, Facebook has also come under the spotlight for a series of privacy concerns, particularly around elections.

Pressure from the EU has already led the social network to introduce clear terms and conditions around its use of data for advertising, and it may also change its rules limiting overseas ad spending around EU elections following concern from Brussels.

Despite what some in the U.S. may think, the EU’s competition commissioner, Margrethe Vestager, has said publicly that she is against breaking companies up. Instead, Vestager has pledged to regulate data access.

“To break up a company, to break up private property would be very far-reaching and you would need to have a very strong case that it would produce better results for consumers in the marketplace than what you could do with more mainstream tools. We’re dealing with private property. Businesses that are built and invested in and become successful because of their innovation,” she said in an interview at SXSW earlier this year.


A powerful spyware app now targets iPhone owners


Security researchers have discovered a powerful surveillance app first designed for Android devices can now target victims with iPhones.

Researchers at mobile security firm Lookout, who found the spy app, said its developer abused an Apple-issued enterprise certificate to bypass the tech giant’s App Store and infect unsuspecting victims.

The app, disguised as a carrier assistance app, can once installed silently grab a victim’s contacts, audio recordings, photos, videos and other device information, including their real-time location. It can also be remotely triggered to listen in on people’s conversations, the researchers found. Although there was no data to show who might have been targeted, the researchers noted that the malicious app was served from fake sites purporting to belong to cell carriers in Italy and Turkmenistan.

Researchers linked the app to the makers of a previously discovered Android app, developed by the same Italian surveillance app maker Connexxa, known to be in use by the Italian authorities.

The Android app, dubbed Exodus, ensnared hundreds of victims, who either installed it themselves or had it installed for them. Exodus had a larger feature set and expanded its spying capabilities by downloading an additional exploit designed to gain root access to the device, giving the app near-complete access to the device’s data, including emails, cellular data, Wi-Fi passwords and more, according to Security Without Borders.

Screenshots of the ordinary-looking iPhone app, which was silently uploading a victim’s private data and real-time location to the spyware company’s servers (Image: supplied)

Both of the apps use the same backend infrastructure, while the iOS app used several techniques — like certificate pinning — to make it difficult to analyze the network traffic, Adam Bauer, Lookout’s senior staff security intelligence engineer, told TechCrunch.

“This is one of the indicators that a professional group was responsible for the software,” he said.

Although the Android version could be downloaded directly from Google’s app store, the iOS version was not widely distributed. Instead, Connexxa signed the app with an enterprise certificate that Apple had issued to it as a developer, said Bauer, which let the surveillance app maker bypass Apple’s strict App Store review.

Apple says that’s a violation of its rules: enterprise certificates are meant strictly for signing internal apps distributed to a company’s own employees, not for apps pushed to consumers.

It follows the pattern of several app makers, uncovered by TechCrunch earlier this year, that abused their enterprise certificates to distribute mobile apps that evaded the scrutiny of Apple’s App Store. Every app that runs on an iPhone has to be signed with a certificate issued by Apple or it won’t run, and the enterprise program hands companies a certificate that lets them sign apps for internal use without going through App Store review. But several companies, including Facebook and Google, used those enterprise-only certificates to sign apps given to consumers. Apple said this violated its rules and cut the apps off by revoking the enterprise certificates Facebook and Google had used, knocking both of their illicit apps offline, but also every other internal app signed with the same certificate.
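The signing distinction above is visible inside the app bundle itself: an iOS app carries an embedded.mobileprovision file, a CMS-signed XML plist that records whether Apple issued the profile for App Store, ad hoc, development or in-house (enterprise) distribution. The following is an added example, not code from the article, from Lookout or from Apple, that carves the plist out of that blob and flags an enterprise profile found in an app that was handed to the public. It assumes the file has already been extracted from the IPA (Payload/<App>.app/embedded.mobileprovision) and that the enterprise, ad hoc and App Store sample blobs are constructed stand-ins; it deliberately skips CMS signature verification, which a real check would add.

```python
import plistlib
from datetime import datetime, timezone
from typing import Optional


def carve_plist(raw: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision blob.

    The CMS (PKCS#7) envelope signs the plist but does not encrypt it, so the
    plist text sits in the clear between the DER framing bytes. Signature
    verification is intentionally skipped here; a production check should also
    verify the CMS signature (e.g. `security cms -D -i embedded.mobileprovision`).
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile blob")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Map the profile's keys to the distribution type Apple issued it for."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        # In-house (enterprise) distribution: installs on any device, no App Store review.
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        # Device-limited profile: a debuggable build is development, otherwise ad hoc.
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"


def triage(raw: bytes, now: Optional[datetime] = None) -> dict:
    """Summarise a profile blob for an analyst: who signed it, for what, still valid?"""
    profile = carve_plist(raw)
    kind = classify_profile(profile)
    expires = profile.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expired": bool(expires and expires < now),
        # An enterprise profile inside an app given to the public is the abuse described above.
        "suspicious": kind == "enterprise",
    }


def _fake_cms(plist: dict) -> bytes:
    """Constructed stand-in for the DER/CMS envelope that wraps a real profile."""
    return (b"\x30\x82\x1a\x2b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
            + plistlib.dumps(plist)
            + b"\xa0\x82\x0d\x00")


# Constructed sample profiles (hypothetical team/app identifiers, not real Apple data).
ENTERPRISE_BLOB = _fake_cms({
    "Name": "In-House Distribution",
    "TeamName": "Example Surveillance Vendor (constructed)",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2020, 1, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.carrierhelper",
                     "get-task-allow": False},
})
ADHOC_BLOB = _fake_cms({
    "Name": "Ad Hoc Testing",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["FGHIJ67890"],
    "ProvisionedDevices": ["00008020-000000000000002E"],
    "ExpirationDate": datetime(2020, 1, 1),
    "Entitlements": {"application-identifier": "FGHIJ67890.com.example.app",
                     "get-task-allow": False},
})
STORE_BLOB = _fake_cms({
    "Name": "App Store Distribution",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["FGHIJ67890"],
    "ExpirationDate": datetime(2020, 1, 1),
    "Entitlements": {"application-identifier": "FGHIJ67890.com.example.app",
                     "get-task-allow": False},
})

# Fixed reference times so the expiry check is deterministic.
BEFORE_EXPIRY = datetime(2019, 4, 1)
AFTER_EXPIRY = datetime(2021, 1, 1)

if __name__ == "__main__":
    for name, blob in [("enterprise", ENTERPRISE_BLOB), ("adhoc", ADHOC_BLOB), ("store", STORE_BLOB)]:
        print(name, triage(blob, now=BEFORE_EXPIRY))
```

Revocation, which is how Apple knocked the Connexxa app offline, is not visible in the profile itself: the device checks the signing certificate's status with Apple, so an analyst who sees a still-unexpired enterprise profile should treat `suspicious` as a reason to pull the signing certificate and check whether it is still valid, not as proof that the app still runs.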

Facebook was unable to operate at full capacity for an entire working day until Apple issued a new certificate.

The certificate Apple issued to Connexxa (Image: supplied)

But Facebook and Google weren’t the only companies abusing their enterprise certificates. TechCrunch found dozens of porn and gambling apps — not permitted on Apple’s app store — signed with an enterprise certificate, circumventing the tech giant’s rules.

After researchers disclosed their findings, Apple revoked the app maker’s enterprise certificate, knocking every installed app offline and unable to run.

The researchers said they did not know how many Apple users were affected.

Connexxa did not respond to a request for comment. Apple did not comment.


New Android adware found in 200 apps on Google Play


Security researchers have found a new kind of mobile adware hidden in hundreds of Android apps, and downloaded more than 150 million times from Google Play.

The malware, which masquerades as an ad-serving platform and which researchers at security firm Check Point dubbed SimBad, was found in more than 200 apps. Likely unbeknownst to the developers who bundled it, it opens a backdoor that can install additional malware, a way to get past Google’s app store scanning because the malicious payload is fetched only after installation. Once installed, the downloaded malware also removes the app’s icon and persists in the background, loading each time the device boots up.

Once the malware retrieves its instructions from the command and control server, the malware runs through lists of web addresses in the background, serving ads to generate fraudulent revenue.
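An app that has hidden its own icon is still installed, so the quickest device-side hunt for the behaviour described above is to compare the list of third-party packages with the list of packages that still resolve a launcher activity. The following is an added example, not Check Point’s tooling or code from the article: it parses the output of two adb commands (`adb shell pm list packages -3` and `adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`) and returns the packages with no launcher entry. The `--brief` output format (a count line followed by one indented `package/Activity` line per match) is an assumption about that command, and the two sample outputs below are constructed.

```python
import re
from typing import Iterable, Set

# `pm list packages -3` prints one "package:<name>" line per third-party package.
PM_LIST_RE = re.compile(r"^package:(\S+)$")
# Assumed `query-activities --brief` row: leading whitespace, then "<package>/<activity>".
COMPONENT_RE = re.compile(r"^\s+([A-Za-z0-9_.]+)/(\S+)$")


def parse_pm_list(text: str) -> Set[str]:
    """Package names from `pm list packages -3` output."""
    pkgs = set()
    for line in text.splitlines():
        m = PM_LIST_RE.match(line.strip())
        if m:
            pkgs.add(m.group(1))
    return pkgs


def parse_launcher_query(text: str) -> Set[str]:
    """Package names that currently resolve a MAIN/LAUNCHER activity."""
    pkgs = set()
    for line in text.splitlines():
        m = COMPONENT_RE.match(line.rstrip())
        if m:
            pkgs.add(m.group(1))
    return pkgs


def hidden_third_party(pm_text: str, launcher_text: str,
                       allowlist: Iterable[str] = ()) -> Set[str]:
    """Third-party packages that are installed but have no resolvable launcher entry.

    A package that shipped with a launcher activity and later disabled it at
    runtime (PackageManager.setComponentEnabledSetting, the icon-hiding trick)
    lands here, because the static manifest still declares the activity but
    the resolver no longer returns it. Keyboards, wallpaper packs and other
    legitimately icon-less apps land here too, hence the allowlist: treat the
    result as a hunt list to inspect, not a verdict.
    """
    return parse_pm_list(pm_text) - parse_launcher_query(launcher_text) - set(allowlist)


# Constructed sample outputs (hypothetical package names).
PM_LIST_SAMPLE = """\
package:com.example.tractorsim
package:com.example.hiddenads
package:com.example.keyboard
package:com.example.bank
"""

LAUNCHER_SAMPLE = """\
3 activities found:
  com.example.tractorsim/.MainActivity
  com.example.bank/com.example.bank.ui.LaunchActivity
  com.android.settings/.Settings
"""

KNOWN_ICONLESS = frozenset({"com.example.keyboard"})

if __name__ == "__main__":
    # On a live device, feed this the captured output of:
    #   adb shell pm list packages -3
    #   adb shell cmd package query-activities --brief \
    #       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
    print(sorted(hidden_third_party(PM_LIST_SAMPLE, LAUNCHER_SAMPLE, KNOWN_ICONLESS)))
```

For each package the hunt surfaces, `adb shell dumpsys package <name>` shows whether it registers a BOOT_COMPLETED receiver, which together with the missing icon matches the persistence the researchers describe; uninstalling with `adb uninstall <name>` is the fix, since removal from Google Play does not touch devices that already have the app.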

Check Point provided a list of the affected apps, which Google pulled from Google Play following the researchers’ disclosure. Removal from the store does not delete an app from users’ devices; anyone who installed one of them has to uninstall it themselves.

The top 10 downloaded games amount to 55 million downloads alone:

  • Snow Heavy Excavator Simulator (10,000,000 downloads)
  • Hoverboard Racing (5,000,000 downloads)
  • Real Tractor Farming Simulator (5,000,000 downloads)
  • Ambulance Rescue Driving (5,000,000 downloads)
  • Heavy Mountain Bus Simulator 2018 (5,000,000 downloads)
  • Fire Truck Emergency Driver (5,000,000 downloads)
  • Farming Tractor Real Harvest Simulator (5,000,000 downloads)
  • Car Parking Challenge (5,000,000 downloads)
  • Speed Boat Jet Ski Racing (5,000,000 downloads)
  • Water Surfing Car Stunt (5,000,000 downloads)

Some of the games, mostly simulation titles, hence the malware’s name, have been on Google Play since March 2017, said Aviran Hazum, mobile threat intelligence team leader at Check Point, in an email to TechCrunch.

Hazum said the malware might be adware for now, but has the potential to evolve into a larger threat.

A Google spokesperson, when reached, did not provide comment. The search giant typically doesn’t discuss app removals, not least because they keep happening. It’s far from the first time Google has had to remove apps from its supposedly vetted app store; time and again, the company has had to react to dozens of bad apps that slipped through its scanning efforts.

Google’s official figures put the number of apps it removed last year at about 700,000.


Apple removes VoIP app clones from the App Store


Following my report from yesterday, Apple has removed many of the apps I pointed out. When you try to find them on the App Store, they are no longer available.

The App Store Review Guidelines are very clear when it comes to app duplicates. According to rule 4.3, you can’t release the same app multiple times on the App Store, as that is considered spam.

But that rule has been poorly enforced, and some companies have taken advantage of that. In my original report, I focused on one category in particular — VoIP apps that let you get a second phone number and send and receive calls and texts from that new number.

Developers release multiple versions of the same app so they can use different names, different keywords and different categories. This way, they can cover a wide range of keywords when you’re searching for an app in the App Store.

So let’s look at the developers I called out yesterday. It’s still unclear if some of these apps will reappear after some changes.

TextMe, Inc.

BinaryPattern and Flexible Numbers LLC

Appverse Inc.

Dingtone Inc.

This case illustrates once again that Apple holds the keys to the App Store kingdom. The company acts as a judge and can make or break some companies.

Some of those companies have released clones of their apps and benefited from that strategy for many years. The main issue here is that App Store rules aren’t enforced consistently.

Plenty of clones in other categories

The clone plague is far from over. Many categories also use this App Store optimization strategy.

JPEG Labs has released four different apps that let you print photos in Walgreens or CVS stores around you. They all do the same thing but have different names and keywords. (They also tell you to leave a review right after opening the app.)

Photo Prints: 1 Hour Photos

Print Photos: 1 Hour Prints

Printmatic 1 Hour Photo Print

Same Day Canvas Photo Prints

When you can’t beat them, acquire them

Another good example is MailPix, Inc. You can find multiple copies of the same app. The company is also slowly expanding its App Store footprint by acquiring competitors and changing those apps into duplicated versions of the main app.

MailPix acquired Photobucket’s printing app to turn it into a clone.


Virtual phone number apps are gaming the App Store with duplicates


If you’ve searched the App Store for an app to get a second phone number, chances are you found dozens of apps with very few differences between them. A handful of companies are spamming the App Store with duplicated apps. This strategy is against Apple’s rules.

The App Store Review Guidelines are detailed rules that define what you can and cannot do on the App Store. As soon as you sign up for a developer account and submit an app to the App Store review team, you agree to comply with those rules. It’s a long document, but rule 4.3 titled “Spam” is straightforward:

Don’t create multiple Bundle IDs of the same app. If your app has different versions for specific locations, sports teams, universities, etc., consider submitting a single app and provide the variations using in-app purchase. Also avoid piling on to a category that is already saturated; the App Store has enough fart, burp, flashlight, and Kama Sutra apps already. Spamming the store may lead to your removal from the Developer Program.

A tipster looked at a specific category in the App Store — VoIP apps that let you get a second phone number and send and receive calls and texts from that new number. I looked at that category myself, and here are the results of my investigation.

Companies don’t even try to hide the fact that they have submitted multiple versions of the same app with different names and icons. But the core features remain the same. Apple hasn’t enforced its own guideline properly, and developers have taken advantage of that grey area.

Example 1: TextMe

As you can see on the company’s website, TextMe currently operates three apps and is open about it — TextMe Up, TextMe and FreeTone. These three apps all have an average of 4.7 stars in the App Store with hundreds of thousands of reviews in total.

The wording is slightly different for each app. TextMe Up lets you “call & text anyone in the world from your mobile, tablet, and computer,” while TextMe lets you “get a new phone number and start texting and making calls for free” and FreeTone is all about “[enjoying] free calls & texts to the phone numbers in the US and Canada.”

But if you look at the App Store screenshots, the company doesn’t even bother changing the screenshots or marketing copy.

“Our apps have a different marketing target,” TextMe, Inc. co-founder and co-CEO Patrice Giami told me in a phone interview. “They share the same code base, but we can activate or deactivate some features in order to differentiate the apps. We manage that depending on the competitive environment and if we need to optimize distribution.”

Giami also believes that his company complies with the App Store guidelines. “Apple is doing a very systematic review — we’re constantly scrutinized because we release a lot of app updates. We’ve never been flagged or contacted by Apple — they’ve never said that we’re releasing complete clones of the same app,” he said.

TextMe uses the same developer account for its three apps, Text Me, Inc. Apple could easily compare those apps if it wanted to.

Example 2: BinaryPattern and Flexible Numbers LLC

This case is a bit more sophisticated. The company behind these apps has two different developer accounts and tried to differentiate its App Store listings a bit. Buttons and colors vary slightly from one app to another, but it’s the same feature set.

Here are a few screenshots I took:

Texting/Calling Phone Burner

Smiley Private Texting SMS

Texting Shield – Phone Number

Burner Phone Numbers SMS/Calls

Business Line Phone Number

I’ve reached out to BinaryPattern/Flexible Numbers and haven’t heard back.

Example 3: Appsverse Inc.

This time, Phoner, Second Line and Text Burner all share the same developer account. Even though these apps let you do the same thing, Appsverse has released its app in three different App Store categories — utilities, productivity and social networking.

By doing that, the company’s apps appear in multiple categories. Text Burner is No. 88 in social networking, Second Line is No. 74 in productivity and Phoner is No. 106 in utilities.

It seems a bit counterintuitive as Appsverse splits their downloads between multiple apps. But I believe the main reason the company is releasing multiple apps is for keyword optimization and App Store search results. It then picks a different category for each app, but it’s a side effect.

Appsverse sent me the following statement:

The guideline promotes a healthy App Store ecosystem that is good for both developers and users. It prevents proliferation of similar apps that does not have a differentiation in business model, features, use cases and demographic appeal.

Example 4: Telos Mobile and Dingtone Inc.

On paper, Dingtone and Telos look like two different apps from two different companies. I downloaded the Dingtone app and signed up with my email address. I then downloaded the Telos app and signed up with the same email address. Here’s the message I got:

I’ve reached out to Telos/Dingtone and haven’t heard back.

A level playing field

These companies haven’t done anything illegal. They took advantage of Apple’s lack of oversight on an App Store rule. Releasing multiple versions of the same app is a great App Store optimization strategy. This way, you can pick a different name, different keywords and different categories. Chances are potential customers are going to see your app in their App Store search results.

While Apple is usually quite strict when it comes to App Store guidelines, it hasn’t enforced some of them. And this is unfair for app developers who play by the rules. They can’t compete as effectively with companies that know that they can ignore some rules.


Apple’s iOS update makes it easier to get to your subscriptions


Apple has made a small but important change to iOS that gives users an easier way to manage their app subscriptions. In the latest release of the mobile operating system (iOS 12.1.4 and the 12.2 beta), the company has relocated the “Manage Subscriptions” setting so it’s only one tap away when you open your profile in the App Store, instead of being buried deep within Settings.

This may seem like a minor change, but it was a much-needed one.

As more mobile apps have adopted subscriptions as a means of generating revenue, it’s become critical to ensure consumers know how to turn off their subscriptions. And, based on a reading of many angry App Store app reviews, many people don’t know how to do this. Most assume they should reach out to the developer to have their subscription disabled — after all, it’s the developer who’s charging them.

It’s not really the customer’s fault for being unaware of how the process works, as Apple had made getting to the subscription management screen far more difficult than it should be.

In iOS Settings, for example, you had to tap iTunes & App Store, then your Apple ID, then View Apple ID, and then scroll all the way to the bottom of the screen to find the hidden setting.

In the iOS App Store app, it was a bit simpler.

You would first have to tap your profile icon on the top right of the Home page, then your Apple ID, then scroll down to the bottom of the page again.

By comparison, Google Play put subscriptions in its top-level navigation with no scrolling or extra clicks required.

With the iOS update, when you now tap your profile icon in the App Store, “Manage Subscriptions” is right there — and it’s accessible without scrolling. That’s a huge help in making this critical feature more accessible.

Unfortunately, Apple hasn’t made a similar change to simplify the path to subscription management in iOS’s main Settings.

The change was first spotted by MacStories Editor-in-Chief Federico Viticci, who shared a screenshot on Twitter.

Apple recently made a change (seems iOS 12.1.4 and 12.2 beta) to make it easier to manage subscriptions for iOS apps.

Now you just need to open the App Store, tap your profile, and choose ‘Manage Subscriptions’. pic.twitter.com/4PtxvAQjTm

— Federico Viticci (@viticci) February 13, 2019

Subscriptions are now one of the main driving forces behind the increase in consumer spending on iPhone.

A recent Sensor Tower report said that iPhone users in the U.S. on average spent $79 on apps in 2018, up 36 percent from 2017. Much of that is due to mobile gaming, as always, but subscription-based apps are now playing a large role.

Unfortunately, not all developers have been playing by the rules. Many app makers were using misleading tactics to force users to subscribe — like hiding the true costs, using confusing buttons and user interfaces or suggesting they join a free trial that ends up only lasting three days.

Apple later updated its App Store guidelines to further spell out what is and is not allowed.

But making the rules and enforcing them are two different matters. In the meantime, being able to figure out which subscriptions you have and turning off those you don’t want needed to be simpler.

Also related to this is the fact that Apple is preparing to launch some new subscriptions of its own — presumably, its long-awaited streaming video service and perhaps the news subscription service as well — at a press event in March.

The update to subscriptions appears to be rolled out worldwide for those on the latest version of iOS.


US iPhone users spent, on average, $79 on apps last year, up 36% from 2017


Apple’s push to get developers to build subscription-based apps is now having a notable impact on App Store revenues. According to a new report from Sensor Tower due out later this week, revenue generated per U.S. iPhone grew 36 percent, from $58 in 2017 to $79 last year. As is typical, much of that increase can be attributed to mobile gaming, which accounted for more than half of this per-device average. However, more substantial growth took place in the categories outside of gaming — including those categories where subscription-based apps tend to rule the top charts, the firm found.

According to the report’s findings, per-device app spending in the U.S. grew more over the past year than it did in 2017.

From 2017 to 2018, average per-device spending on in-app purchases and paid app downloads grew by $21, a 36 percent increase, compared with the 23 percent increase from 2016 to 2017, when revenue per device grew from $47 to $58.

However, 2018’s figure was slightly lower than the 42 percent increase in average per-device spending seen between 2015 and 2016, when revenue grew from $33 to $47, noted Sensor Tower.

As usual, mobile gaming continued to play a large role in iPhone spending. In 2018, gaming accounted for nearly 56 percent of the average consumer spend — or $44 out of the total $79 spent per iPhone.

But what’s more interesting is how the non-gaming categories fared this past year.

Some categories — including those where subscription-based apps dominate the top charts — saw even higher year-over-year growth in 2018, the firm found.

For example, Entertainment apps grew their per-device spend by 82 percent, to $8 of the 2018 total. Lifestyle apps increased by 86 percent, to $3.90 from $2.10.

And though it didn’t make the top five, Health & Fitness apps also grew 75 percent year-over-year to account for an average of $2.70, up from $1.60 in 2017.

Other categories in the top five included Music and Social Networking apps, which both grew by 22 percent.

This data indicates that subscription apps are playing a significant role in helping drive iPhone consumer spending higher.

The news comes at a time when Apple has reported slowing iPhone sales, which is pushing the company to lean more on services to continue to boost its revenue. This includes not just App Store subscriptions, but also things like Apple Music, Apple Pay, iCloud, App Store Search ads, AppleCare and more.

As subscriptions become more popular, Apple will need to remain vigilant against those who would abuse the system.

For example, a number of sneaky subscription apps were found plaguing the App Store in recent weeks. They were duping users into paid memberships with tricky buttons, hidden text, instant trials that converted in days and the use of other misleading tactics.

Apple later cracked down by removing some of the apps, and updated its developer guidelines with stricter rules about how subscriptions should both look and operate.

A failure to properly police the App Store or set boundaries to prevent the overuse of subscriptions could end up turning users off from downloading new apps altogether — especially if users begin to think that every app is after a long-term financial commitment.

Developers will need to be clever to convert users and retain subscribers amid this shift away from paid apps to those that come with a monthly bill. App makers will need to properly market their subscription’s benefits, and even consider offering bundles to increase the value.

But in the near-term, the big takeaway for developers is that there is still good money to be made on the App Store, even if iPhone sales are slowing.


Many popular iPhone apps secretly record your screen without asking


Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allow developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play the recordings back to see how their users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data, but none of the apps we examined said they were recording a user’s screen — let alone sending the recordings back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers isn’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.
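The masking failure described above (fields meant to be hidden still reaching the replay server) is what a pre-upload check should catch. This is an added example, not code from Glassbox or any of the apps named here: it masks the fields an integration knows by name, then audits the outgoing payload by content, since name-based masking misses sensitive values typed into fields it never anticipated. The event format, field names and sample values are constructed assumptions.

```python
import re
from copy import deepcopy

# Constructed sample of keyboard-entry events in the shape a session replay
# SDK might capture. The event format is hypothetical, not any vendor's.
SAMPLE_EVENTS = [
    {"field": "email", "value": "jane@example.com"},
    {"field": "card_number", "value": "4111111111111111"},
    {"field": "passport", "value": "X1234567"},
    # A free-text field the masking rules never anticipated.
    {"field": "notes", "value": "use card 4111 1111 1111 1111 for this booking"},
]

# Fields the app's integration masks by name (the usual SDK configuration).
MASKED_FIELDS = {"card_number", "passport"}

# Content patterns checked on every value, whatever the field is called.
CARD_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")
PASSPORT_CANDIDATE = re.compile(r"\b[A-Z]{1,2}\d{6,8}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_by_field_name(events):
    """Field-name based masking: replace known sensitive fields with stars."""
    masked = deepcopy(events)
    for ev in masked:
        if ev["field"] in MASKED_FIELDS:
            ev["value"] = "*" * len(ev["value"])
    return masked


def audit_outgoing(events):
    """Content-based check run right before upload.
    Returns (field, reason) pairs for values that still look sensitive."""
    findings = []
    for ev in events:
        value = ev["value"]
        for m in CARD_CANDIDATE.finditer(value):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((ev["field"], "luhn-valid card number"))
                break
        if PASSPORT_CANDIDATE.search(value):
            findings.append((ev["field"], "passport-like identifier"))
    return findings
```

Run on the sample, name-based masking hides the two declared fields but the audit still flags the card number in the free-text field, which is the kind of leak a proxy capture of the upload would reveal.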

Without analyzing the data for each app, it’s impossible to know if an app is recording a user’s screen to see how they’re using the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either.

We asked all of the companies to point us to exactly where in their privacy policies it permits each app to capture what a user does on their phone.

Only Abercrombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointed to Abercrombie’s privacy policy, which makes no mention of session replays; neither does its sister brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics. Glassbox SDK can interact with our customers’ native app only and technically cannot break the boundary of the app,” the spokesperson said. When, for example, the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson added.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But the fact that app developers don’t publicize it just goes to show how creepy even they know it is.
