mobile app

A cryptocurrency stealing app found on Google Play was downloaded over a thousand times


Researchers have found two apps masquerading as cryptocurrency apps on Android’s app store, Google Play.

One of them was largely a dud. The second was designed to steal cryptocurrency, the researchers said.

Security firm ESET said one of the two fake Android apps impersonated Trezor, a hardware cryptocurrency wallet. The good news is that the app couldn’t be used to steal cryptocurrency stored by Trezor. But the researchers found the app was connected to a second Android app that could have been used to scam funds out of unsuspecting victims.

Lukas Stefanko, a security researcher at ESET — who has a long history of finding dodgy Android apps — said the fake Trezor app “appeared trustworthy at first glance” but was using a fake developer name to impersonate the company.

The fake app was designed to trick users into turning over their login credentials. Uploaded to Google Play on May 1, the app quickly ranked as the second-most popular search result when searching for “Trezor” behind the legitimate app, said Stefanko. Users on Reddit also found the fake app and reported it as recently as two weeks ago.

According to Stefanko, the server where user credentials were sent was linked to a website for another fake wallet app, which purported to store cryptocurrency and had also been listed on Google Play since February 25.

“The app claims it lets its users create wallets for various cryptocurrencies,” said Stefanko. “However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we’ve named wallet address scams in our previous research into cryptocurrency-targeting malware.”

Both apps were collectively downloaded more than a thousand times. After ESET contacted Google, the apps were pulled offline the next day.


Powered by WPeMatico

A powerful spyware app now targets iPhone owners


Security researchers have discovered a powerful surveillance app first designed for Android devices can now target victims with iPhones.

Researchers at mobile security firm Lookout, who found the spy app, said its developer abused its Apple-issued enterprise certificates to bypass the tech giant’s app store and infect unsuspecting victims.

The disguised carrier assistance app once installed can silently grab a victim’s contacts, audio recordings, photos, videos and other device information — including their real-time location data. It can be remotely triggered to listen in on people’s conversations, the researchers found. Although there was no data to show who might have been targeted, the researchers noted that the malicious app was served from fake sites purporting to be cell carriers in Italy and Turkmenistan.

Researchers linked the app to the makers of a previously discovered Android app, developed by the same Italian surveillance app maker Connexxa, known to be in use by the Italian authorities.

The Android app, dubbed Exodus, ensnared hundreds of victims — either by installing it or having it installed. Exodus had a larger feature set and expanded spying capabilities by downloading an additional exploit designed to gain root access to the device, giving the app near complete access to a device’s data, including emails, cellular data, Wi-Fi passwords and more, according to Security Without Borders.

Screenshots of the ordinary-looking iPhone app, which was silently uploading a victim’s private data and real-time location to the spyware company’s servers (Image: supplied)

Both of the apps use the same backend infrastructure, while the iOS app used several techniques — like certificate pinning — to make it difficult to analyze the network traffic, Adam Bauer, Lookout’s senior staff security intelligence engineer, told TechCrunch.

“This is one of the indicators that a professional group was responsible for the software,” he said.

Although the Android version was downloadable directly from Google’s app store, the iOS version was not widely distributed. Instead, Connexxa signed the app with an enterprise certificate issued to the developer by Apple, said Bauer, allowing the surveillance app maker to bypass Apple’s strict app store checks.

Apple says that’s a violation of its rules, which prohibit using these certificates, designed strictly for internal apps, to push apps to consumers.

It follows a similar pattern to several app makers, as discovered by TechCrunch earlier this year, which abused their enterprise certificates to develop mobile apps that evaded the scrutiny of Apple’s app store. Every app served through an app store has to be certified by Apple or it won’t run. But several companies, like Facebook and Google, used their enterprise-only certificates to sign apps given to consumers. Apple said this violated its rules and banned the apps by revoking enterprise certificates used by Facebook and Google, knocking offline not only both of their illicit apps but also every other internal app signed with the same certificate.

Facebook was unable to operate at full capacity for an entire working day until Apple issued a new certificate.

The certificate Apple issued to Connexxa (Image: supplied)

But Facebook and Google weren’t the only companies abusing their enterprise certificates. TechCrunch found dozens of porn and gambling apps — not permitted on Apple’s app store — signed with an enterprise certificate, circumventing the tech giant’s rules.

After researchers disclosed their findings, Apple revoked the app maker’s enterprise certificate, knocking every installed app offline and leaving it unable to run.

The researchers said they did not know how many Apple users were affected.

Connexxa did not respond to a request for comment. Apple did not comment.


Sam’s Club to test new Scan & Go system that uses computer vision instead of barcodes


In October, Walmart-owned Sam’s Club opened a test store in Dallas where it planned to trial new technology, including mobile checkout, an Amazon Go-like camera system, in-store navigation, electronic shelf labels and more. This morning, the retailer announced it will now begin testing a revamped Scan & Go service as well, which leverages computer vision and machine learning to make mobile scanning easier and faster.

The current Scan & Go system, launched two years ago, requires Sam’s Club shoppers to locate the barcode on the item they’re buying and scan it using the Sam’s Club mobile app. The app allows shoppers to account for items they’re buying as they place them in their shopping cart, then pay in the app instead of standing in line at checkout.

However convenient, the system itself can still be frustrating at times because you’ll need to actually find the barcode on the item — often turning the item over from one side to the other to find the sticker or tag. This process can be difficult for heavier items, and frustrating when the barcoded label or tag has fallen off.

It also can end up taking several seconds to complete — which adds up when you’re filling a cart with groceries during a big stocking-up trip.

The new scanning technology will instead use computer vision and ML (machine learning) to recognize products without scanning the barcode, cutting the time it takes for the app to identify the product in question, the retailer explains.

In a video demo, Sam’s Club showed how it might take a typical shopper 9.3 seconds to scan a pack of water using the old system, versus 3.4 seconds using the newer technology.

Of course, the times will vary based on the shopper’s skill, the item being scanned and how well the technology performs, among other factors. A large package of water is a more extreme example, but one that demonstrates well the potential of the system… if it works.

The idea with the newly opened Dallas test store is to put new technology into practice quickly in a real-world environment, to see what performs well and what doesn’t, while also gathering customer feedback. Dallas was chosen as the location for the store because of the tech talent and recruiting potential in the area, and because it’s a short trip from Walmart’s Bentonville, Arkansas headquarters, the company said earlier.

Sam’s Club says it has filed a patent related to the new scanning technology, and will begin testing it this spring at the Dallas area “Sam’s Club Now” store. It will later expand the technology to the tools used by employees, too.


Many popular iPhone apps secretly record your screen without asking


Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allow developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play the recordings back to see how users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data; none of the apps we examined said they were recording a user’s screen — let alone sending the recordings back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers aren’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

Without analyzing the data for each app, it’s impossible to know if an app is recording your screen as you use it. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either.

We asked all of the companies to point us to exactly where in their privacy policies they permit each app to capture what a user does on their phone.

Only Abercrombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointed to Abercrombie’s privacy policy, which makes no mention of session replays; neither does its sister brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said. When the system keyboard covers part of the native app, for example, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


InVision mobile app updates include studio features and desktop to mobile mirroring


InVision, the software-as-a-service challenger to Adobe’s design dominance, has just released a new version of its mobile app for iOS and is beta-testing new features for Android users as it tries to bring additional functionality to designers on the go.

The new app tools feature “studio mirroring” for reviews of new designs directly on mobile devices, so that designers can see design changes to applications made on the desktop display on mobile in real time.

The mirroring feature works by scanning a QR code on a mobile device which lets users view design changes and test user experiences immediately.

The company is also bringing its Freehand support, which allows for collaborative commenting on design prototypes, to tablets so teams can comment on the fly, the company said.

The tools will give InVision another arrow in its quiver as it tries to take on other design platforms (notably the 100 pound gorilla known as Adobe) and are a useful addition to a service that’s trying to woo the notoriously fickle design community with an entire toolkit.

As we wrote in May when the company launched its app store:

While collaboration is the bread and butter of InVision’s business, and the only revenue stream for the company, CEO and founder Clark Valberg feels that it isn’t enough to be complementary to the current design tool ecosystem. Which is why InVision launched Studio in late 2017, hoping to take on Adobe and Sketch head-on with its own design tool.

Studio differentiates itself by focusing on the designer’s real-life workflow, which often involves mocking up designs in one app, pulling assets from another, working on animations and transitions in another, and then stitching the whole thing together to share for collaboration across InVision Cloud. Studio aims to bring all those various services into a single product, and a critical piece of that mission is building out an app store and asset store with the services too sticky for InVision to rebuild from scratch, such as Slack or Atlassian.


Google brings offline neural machine translations for 59 languages to its Translate app


Currently, when the Google Translate apps for iOS and Android have access to the internet, their translations are far superior to those they produce when they’re offline. That’s because the offline translations are phrase-based, meaning they use an older machine translation technique than the machine learning-powered systems in the cloud that the apps have access to when they’re online. But that’s changing today. Google is now rolling out offline Neural Machine Translation (NMT) support for 59 languages in the Translate apps.

Today, only a small number of users will see the updated offline translations, but it will roll out to all users within the next few weeks.

The list of supported languages consists of a wide range of languages. Because I don’t want to play favorites, here is the full list: Afrikaans, Albanian, Arabic, Belarusian, Bengali, Bulgarian, Catalan, Chinese, Croatian, Czech, Danish, Dutch, English, Esperanto, Estonian, Filipino, Finnish, French, Galician, Georgian, German, Greek, Gujarati, Haitian Creole, Hebrew, Hindi, Hungarian, Icelandic, Indonesian, Irish, Italian, Japanese, Kannada, Korean, Latvian, Lithuanian, Macedonian, Malay, Maltese, Marathi, Norwegian, Persian, Polish, Portuguese, Romanian, Russian, Slovak, Slovenian, Spanish, Swahili, Swedish, Tamil, Telugu, Thai, Turkish, Ukrainian, Urdu, Vietnamese and Welsh.

In the past, running these deep learning models on a mobile device wasn’t really an option since mobile phones didn’t have the right hardware to efficiently run them. Now, thanks to both advances in hardware and software, that’s less of an issue and Google, Microsoft and others have also found ways to compress these models to a manageable size. In Google’s case, that’s about 30 to 40 megabytes per language.

It’s worth noting that Microsoft also announced a similar feature for its Translator app earlier this year. It uses a very similar technique, but for the time being, it only supports about a dozen languages.


Supernova promises to automatically convert Sketch mobile app designs into native UI code


Supernova, a startup operating out of Prague in the Czech Republic, is on a mission to accelerate the app development workflow of mobile designers and developers. More than three years in the making — and the brainchild of co-founder Jiří Třečák — the Supernova Studio macOS app promises to automatically convert mobile app designs created […]


Lyft is testing a new rider experience with a small percentage of users


Lyft is giving around 1 percent of its riders access to a different, beta user experience in its mobile app, starting today. The new look for passengers offers the same essential functionality, but is definitely a departure in terms of how the interface works for riders. Lyft says via a spokesperson that the new look and feel is “an exercise to learn more about our users” but…


App downloads up 15 percent in 2016, revenue up 40 percent thanks to China


The app industry is continuing to grow, according to a new year-end analysis from app intelligence firm App Annie, out today, which found that app downloads, time spent in apps and revenue grew across the board over the course of 2016. Worldwide downloads were up 15 percent year-over-year, time spent in apps was up 25 percent, and the revenue paid to developers increased by 40…


The mobile app gold rush may be over


Ten years ago, Apple announced the iPhone, which soon gave birth to the App Store and the resulting broader app ecosystem. That industry has now matured, having reached critical mass, according to a new report from Flurry out this morning. While there’s still some growth to be seen — app usage is up 11 percent over last year, for example — that growth is slowing. And many…
