Everything Apple

Thursday, 31 January 2019

Pandora-powered channels will come to SiriusXM’s app this year

SiriusXM this week offered a few more details on how it plans to leverage its newest asset, Pandora, following its $3.5 billion acquisition of the streaming music service last year, which officially closes on Friday. At the time of the deal, the company spoke about the potential for cross-promotion opportunities between the services and new subscription packages. Now, those efforts are getting off the ground — starting with a promotion within the Pandora app for SiriusXM subscriptions, followed by the launch of Pandora channels within the SiriusXM app.

Currently, SiriusXM offers a variety of programming packages, ranging from a cheaper ($11/mo) “Mostly Music” sampling of channels all the way up to a premium “All Access” ($21/mo) subscription. It also runs various time-limited promotions that offer its service for as little as $5 per month for a set period, like six months.

According to Sirius XM CEO James Meyer — speaking to investors on the Q4 earnings call on Wednesday — the company will now start promoting special SiriusXM packages to Pandora listeners.

The company, he said, intends “to capitalize on cross-promotion opportunities between SiriusXM’s more than 36 million subscribers across North America and Pandora’s approximately 70 million monthly active users. In early February, we will begin a targeted promotion to SiriusXM subscribers and Pandora listeners,” he noted. “Select Pandora listeners will receive an offer to obtain a unique $5 a month ‘Mostly News,’ ‘Mostly Music’ or ‘News Talk’ [SiriusXM subscription] package in their satellite-equipped vehicle.”

In other words, SiriusXM will be pushing low-cost $5 per month streaming plans within the Pandora app itself.

The company believes the cross-promotions will be successful because of the overlap in the two services’ customer bases. It found that approximately half of the owners of the SiriusXM-enabled vehicle fleet of 100 million cars have used Pandora in the past two years, for example. SiriusXM aims to leverage those Pandora listeners’ data in order to convert, retain or bring them back to SiriusXM.

In addition, the exec said that existing SiriusXM subscribers would receive extended 14-day trials to Pandora’s Premium service.

By mid-2019, the company plans to launch a new Pandora-powered channel within its own SiriusXM app, based on the listener’s favorite artist. It will also add a new radio channel to the SiriusXM app that’s driven by the latest trends from Pandora’s “billions of thumbs” — meaning the “thumbs up” (likes) songs receive within the streaming app.

Meyer spoke briefly about the challenges facing Pandora — specifically a decline in listening hours, which SiriusXM believes can be fixed by improving Pandora’s in-car listening statistics, making the Pandora app more compelling, and adding more content.

“This is just the beginning. We expect, over time, to create new, unique audio packages that will bring together the best of both services, creating a powerful platform for artists to reach their fans and to create new audiences,” said Meyer.

The merger of the two companies has not been without upheaval, though.

This week, the company announced that Pandora CEO Roger Lynch and other executives would be stepping down, including general counsel Steve Bene, CFO Naveen Chopra and chief human resources officer Kristen Robinson. Meyer will instead lead the combined company, he said, in order to streamline decision-making and increase the speed of the integrations.

SiriusXM reported record revenues for the fourth quarter and year, at $1.5 billion and $5.8 billion, respectively. Net income was $251 million for the quarter, up from a loss of $37 million in the year-ago period. Full-year 2018 net income grew 81 percent to a record $1.2 billion.

The newly combined company will have more than 100 million listeners in North America, with nearly 40 million self-paying subscribers and more than 75 million on trials or using ad-based products.

Nintendo’s Mario Kart mobile game won’t launch until the summer

It’s been a long year for Nintendo fans waiting on Mario Kart Tour to come to mobile and, unfortunately, more patience is required after the game’s launch was moved back to this summer.

Nintendo announced plans to bring the much-loved franchise to smartphones one year ago. It was originally slated to launch by the end of March 2019, but the Japanese games giant said today it is pushing that date back to summer 2019.

The key passage sits within Nintendo’s latest earnings report, released today, which explains that additional time is needed “to improve [the] quality of the application and expand the content offerings after launch.”

It’s frustrating but, as The Verge points out, you can refer to a famous Nintendo phrase if you are seeking comfort.

Shigeru Miyamoto, who created the Mario and Zelda franchises, once remarked that “a delayed game is eventually good, but a rushed game is forever bad.”

There’s plenty riding on the title — excuse the pun. Super Mario Run, the company’s first major game for the iPhone, showed its most popular IP has the potential to be a success on mobile, even though Mario required a $9.99 payment to go beyond the limited demo version. Mario Kart is the most successful Switch title to date, so it figures that it can be a huge smash on mobile if delivered in the right way.

Step targets teens and parents with a no-fees mobile bank account and Visa card

A new mobile banking startup called Step wants to help bring teenagers and other young adults into the cashless era. Today, cash is used less often, as more consumers shop online and send money to one another through payment apps like Venmo. But teenagers in particular are still heavily burdened with cash — even though they, too, want to spend their money on things that require a payment card, like Amazon.com purchases or mobile gaming, for example.

That’s where Step comes in.

The company aims to address the needs of what it believes is an underserved market in mobile banking — the 75 million children and young adults under the age of 21 in the U.S., who are still being forced to use cash.

This market isn’t the “unbanked,” it’s the “pre-banked,” explains Step CEO CJ MacDonald, whose previous startup, mobile gift card platform Gyft, sold to First Data several years ago.

Above: Step CEO, CJ MacDonald

“We’re building an all-in-one banking solution that primarily focuses on teens and parents,” he says. “We want it to be a teen’s first bank account. We want to be a teen’s first spending card. And we want to teach financial literacy and responsibility firsthand.”

MacDonald, along with CTO Alexey Kalinichenko, previously of Square and financial services startup Token, founded Step in May 2018. The 10-person team also includes several prior Gyft employees.

Last summer, Step closed on $3.8 million in seed funding from Sesame Ventures, Crosslink Capital and Collaborative Fund. Crosslink general partner Eric Chin sits on the board.

While there are a number of mobile banking apps out there today — like Chime, Monzo, Simple, Revolut and others — Step will specifically target teens, 13 and up, and other young adults with its marketing. Teens under 18 still need parents’ approval to sign up, of course. But the goal is to encourage the teens to bring the idea to their parents — not the other way around.

Step’s focus on this younger demographic puts it in a different space, where there are fewer competitors. Its more direct rivals are not the bigger mobile banks, but rather startups like teen debit card and bank app Current, or the parent-managed debit card for kids from Greenlight.

The mobile banking service Step provides will also aim to be more comprehensive than just a debit card. It will offer a combination of checking, savings and a Visa card that works as both credit and debit.

The card includes Visa’s Zero Liability Protection on all purchases from unauthorized use, and allows parents to set spending limits.

Parents will also be able to connect their own bank accounts to Step to instantly transfer in funds, which can then be distributed to kids’ accounts for things like allowances and chores, or other everyday spending needs. Step’s bank account itself is backed by Evolve Bank, so it’s FDIC-insured up to $250,000.

Unlike Current, which charges a subscription to use its service, Step aims to be a fee-free bank for consumers. Users don’t have to pay for their account, and there are no fees for things like overdrafts. Instead, Step’s plan is to generate revenue through traditional means — like interchange fees and by way of lending practices, once it has established a deposit base.

The company pays a 2.5 percent interest rate on deposits, offers a round-up savings feature and a range of budgeting tools and supports free instant transfers between Step accounts. It also provides access to a network of 35,000 ATMs with no fees.

Beyond simply facilitating mobile banking, Step’s bigger goal is to teach teens to become financially responsible.

“Schools do not teach kids about money. A lot of families don’t talk about money. And it’s a crucial life skill that’s not really addressed properly when people are growing up,” says MacDonald, who says he was lacking in life skills in this area, even as a young college grad.

“There were ‘Money 101’ skills that I had not learned — that no one had talked to me about. Things like building credit, how many credit cards you should have, debt-to-income ratio,” he continues. “A lot of people get released into the real world without experience [in those areas],” he says.

Long-term, after solving the needs associated with everyday banking transactions, Step wants to layer on other products and services — like tools that allow a family to save together for college, for example.

The company is launching the banking service under an invite-only system to scale up.

Today, it’s opening a waitlist and referral program. When you invite a friend, you each receive one dollar. Access will then be rolled out on a first-come, first-serve basis this spring. Users can join Step through the website, iOS or Android application.

Poor smartphone sales drag LG to first quarterly loss in 2 years

We’ve written extensively about LG’s struggling mobile business, which has suffered at the hands of aggressive Chinese Android makers, and now that unit has dragged its parent company into posting its first quarterly loss for two years.

The Korean electronics giant is generally in good health — it posted a $2.4 billion profit for 2018 — but its smartphone business’s failings saw it post a loss in Q4 2018, its first quarterly negative since Q4 2016.

Overall, the company posted a KRW 75.7 billion ($67.1 million) operating loss as revenue slid seven percent year-on-year to KRW 15.77 trillion ($13.99 billion). LG said the change was “primarily due to lower sales of mobile products.”

We’ve known for some time that LG’s mobile business is struggling (the division got another new head last November), but things went from bad to worse in Q4. LG Mobile saw revenue fall by 42 percent to reach KRW 1.71 trillion ($1.51 billion). The operating loss for the period grew to KRW 322.3 billion ($289.8 million), from KRW 216.3 billion ($194 million) a year earlier.

Over the full year, LG Mobile posted a $700 million loss (KRW 790.1 billion) but the company claimed things are improving thanks to “better material cost controls and overhead efficiencies based on the company’s platform modularization strategy.”

LG used CES to showcase a range of home entertainment products — that division is doing far better than mobile, with a record annual profit of $1.35 billion in 2018 — so we’ll have to wait until Mobile World Congress in February to see exactly what LG has in mind for mobile. Already, though, we have a hint, and it isn’t exactly set-the-world-on-fire stuff.

“LG’s mobile division will push 5G products and smartphones featuring different form factors while focusing on key markets where the LG brand remains strong,” the company said in a statement.

It will certainly take something very special to turn things around. It seems more likely that LG Mobile head Brian Kwon — who also heads up that hugely-profitable home entertainment business — will focus on cutting costs and squeezing out the few sweet spots left. Continued losses, particularly against success from other units, might eventually see LG shutter its mobile business.

Still, things could be worse for LG: it could be HTC.

Samsung posts fourth-quarter profit drop, warns of weak demand until the second half of 2019

Samsung Electronics reported its largest quarterly profit decline in two years during its earnings report today. As the Galaxy maker warned in its earnings guidance earlier this month, its results were hurt by slower-than-expected demand for semiconductors, which had bolstered its earnings in previous quarters even when smartphone sales were slow.

Samsung’s forecast was also dour, at least for the first half of the year. It said annual earnings will decline thanks to continuing weak demand for chips, but expects demand for memory products and OLED panels to improve during the second half.

The company’s fourth-quarter operating profit was 10.8 trillion won (about $9.7 billion), a 28.7 percent decrease from the 15.15 trillion won it recorded in the same period one year ago. Revenue was 59.27 trillion won, a 10.2 percent drop year over year.

Broken out by business, Samsung’s semiconductor unit recorded quarterly operating profit of 7.8 trillion won, down from 10.8 trillion won a year ago. Its mobile unit’s operating profit was 1.5 trillion won, compared to 2.4 trillion won a year ago.

Smartphone makers, including Samsung rival Apple, have been hit hard by slowing smartphone sales around the world, especially in China. Upgrade cycles are also becoming longer as customers wait to buy newer models.

This hurt both Samsung’s smartphone and chip sales, as “overall market demand for NAND and DRAM drop[ped] due to macroeconomic uncertainties and adjustments in inventory levels by customers including datacenter companies and smartphone makers,” said the company’s earnings report.

Samsung expects chip sales to be sluggish during the first quarter because of weak seasonality and inventory adjustments by its biggest customers. The company was optimistic about the last two quarters of 2019, when it expects demand for chips and OLED panels to pick up thanks to seasonal demand and customers finishing their inventory adjustments.

Wednesday, 30 January 2019

Facebook shares shoot up after strong Q4 earnings despite data breach

Facebook managed to beat Wall Street’s estimates in its Q4 earnings amidst a constant beat down in the press. Facebook hit 2.32 billion monthly users, up 2.2 percent from 2.27 billion last quarter, speeding up its growth rate. Facebook climbed to 1.52 billion daily active users from 1.49 billion last quarter for a 2 percent growth rate that dwarfed last quarter’s 1.36 percent.

Facebook earned $16.91 billion off all those users with a $2.38 GAAP earnings per share. Those numbers handily beat Wall Street’s expectations of $16.39 billion in revenue and $2.18 GAAP earnings per share, plus 2.32 billion monthly and 1.51 billion daily active users. Facebook’s daily to monthly user ratio, or stickiness, held firm at 66 percent where it’s stayed for years, showing those still on Facebook aren’t using it much less.

Facebook shares had closed today at $150.42 but shot up over 9 percent following the record revenue and profit announcements to hover around $162. A big 30 percent year-over-year boost in average revenue per user in North America fueled those gains. Yet that’s still way down from $186 where it was a year ago and a peak of $217 in July.

CEO Mark Zuckerberg went beyond his usual intro to the earnings report where he assures investors things are going well and highlights new opportunities. This quarter he noted “We’ve fundamentally changed how we run our company to focus on the biggest social issues, and we’re investing more to build new and inspiring ways for people to connect.”

Squeezing Money From The Olds

Facebook managed to grow its DAU in both the critical US & Canada and Europe markets, where it earns the most money, after stagnation or shrinkage in previous quarters. The fact that Facebook is no longer dwindling in its most lucrative markets is surely contributing to its share price climb. Facebook’s monthly active users plateaued in North America but roared up in Europe. That was shored up by a reversal of last quarter’s decline in Rest of World average revenue per user, which fell 4.7 percent in Q3 but bounced back with 16.5 percent growth in Q4.

Facebook raked in $6.8 billion in profit this quarter as it slowed down hiring and only grew headcount 5 percent, from 33,606 to 35,587. It seems Facebook has gotten to a comfortable place with its security staff-up in the wake of election interference, fake news and content moderation troubles. Its revenue is up 30 percent year-over-year while profits grew 61 percent, which is pretty remarkable for a 15-year-old technology company.

But morale isn’t quite as rosy. It’s been a brutal quarter for Facebook. At least its swifter user growth rates show Facebook survived its biggest ever data breach without scaring off too many people. Meanwhile, it’s continuously struggled with scandals like hiring opposition research firm Definers, and it saw its new teen app Lasso largely flop. Facebook will have to convince investors it knows how to win back the next generation, or at least keep squeezing a lot more money out of the last one like it did in Q4.

Senator Warner calls on Zuckerberg to support market research consent rules

In response to TechCrunch’s investigation of Facebook paying teens and adults to install a VPN that lets it analyze all their phone’s traffic, Senator Mark Warner (D-VA) has sent a letter to Mark Zuckerberg. It admonishes Facebook for not spelling out exactly what data the Facebook Research app was collecting or giving users adequate information necessary to determine if they should accept payment in exchange for selling their privacy. Following our report, Apple banned Facebook’s Research app from iOS and shut down its internal employee-only workplace apps too as punishment, causing mayhem in Facebook’s office.

Warner wrote to Zuckerberg, “In both the case of Onavo and the Facebook Research project, I have concerns that users were not appropriately informed about the extent of Facebook’s data-gathering and the commercial purposes of this data collection. Facebook’s apparent lack of full transparency with users – particularly in the context of ‘research’ efforts – has been a source of frustration for me.”

Warner is working on writing new laws to govern data collection initiatives like Facebook Research. He asks Zuckerberg, “Will you commit to supporting legislation requiring individualized, informed consent in all instances of behavioral and market research conducted by large platforms on users?”

Meanwhile, Senator Richard Blumenthal (D-CT) provided TechCrunch with a fiery statement regarding our investigation. He calls Facebook anti-competitive, which could fuel calls to regulate or break up Facebook, says the FTC must address the issue, and says that he’s planning to work with Congress to safeguard teens’ privacy:

“Wiretapping teens is not research, and it should never be permissible. This is yet another astonishing example of Facebook’s complete disregard for data privacy and eagerness to engage in anti-competitive behavior. Instead of learning its lesson when it was caught spying on consumers using the supposedly ‘private’ Onavo VPN app, Facebook rebranded the intrusive app and circumvented Apple’s attempts to protect iPhone users. Facebook continues to demonstrate its eagerness to look over everyone’s shoulder and watch everything they do in order to make money. 

Mark Zuckerberg’s empty promises are not enough. The FTC needs to step up to the plate, and the Onavo app should be part of its investigation. I will also be writing to Apple and Google on Facebook’s egregious behavior, and working in Congress to make sure that teens are protected from Big Tech’s privacy intrusions.”

The Senators’ statements do go a bit overboard. Though Facebook Research was aggressively competitive and potentially misleading, Blumenthal calling it “anti-competitive” is a stretch. And Warner’s questioning of whether “any user reasonably understood that they were giving Facebook root device access through the enterprise certificate” or that it uses the data to track competitors goes a bit too far. Surely some savvy technologists did, but the question is whether all the teens and everyone else understood.

Facebook isn’t the only one paying users to analyze all their phone data. TechCrunch found that Google had a similar program called Screenwise Meter. Though it was more upfront about it, Google also appears to have violated Apple’s employee-only Enterprise Certificate rules. We may be seeing the start of an industry-wide crackdown on market research surveillance apps that dangle gift cards in front of users to get them to give up a massive amount of privacy.

Warner’s full letter to Zuckerberg can be found below:

Dear Mr. Zuckerberg: 

I write to express concerns about allegations of Facebook’s latest efforts to monitor user activity. On January 29th, TechCrunch revealed that under the auspices of partnerships with beta testing firms, Facebook had begun paying users aged 13 to 35 to install an enterprise certificate, allowing Facebook to intercept all internet traffic to and from user devices. According to subsequent reporting by TechCrunch, Facebook relied on intermediaries that often “did not disclose Facebook’s involvement until users had begun the signup process.” Moreover, the advertisements used to recruit participants and the “Project Disclosure” make no mention of Facebook or the commercial purposes to which this data was allegedly put.

This arrangement comes in the wake of revelations that Facebook had previously engaged in similar efforts through a virtual private network (VPN) app, Onavo, that it owned and operated. According to a series of articles by the Wall Street Journal, Facebook used Onavo to scout emerging competitors by monitoring user activity – acquiring competitors in order to neutralize them as competitive threats, and in cases when that did not work, monitor usage patterns to inform Facebook’s own efforts to copy the features and innovations driving adoption of competitors’ apps. In 2017, my staff contacted Facebook with questions about how Facebook was promoting Onavo through its Facebook app – in particular, framing the app as a VPN that would “protect” users while omitting any reference to the main purpose of the app: allowing Facebook to gather market data on competitors.

Revelations in 2017 and 2018 prompted Apple to remove Onavo from its App Store in 2018 after concluding that the app violated its terms of service prohibitions on monitoring activity of other apps on a user’s device, as well as a requirement to make clear what user data will be collected and how it will be used. In both the case of Onavo and the Facebook Research project, I have concerns that users were not appropriately informed about the extent of Facebook’s data-gathering and the commercial purposes of this data collection.

Facebook’s apparent lack of full transparency with users – particularly in the context of ‘research’ efforts – has been a source of frustration for me. As you recall, I wrote the Federal Trade Commission in 2014 in the wake of revelations that Facebook had undertaken a behavioral experiment on hundreds of thousands of users, without obtaining their informed consent. In submitted questions to your Chief Operating Officer, Sheryl Sandberg, I once again raised these concerns, asking if Facebook provided for “individualized, informed consent” in all research projects with human subjects – and whether users had the ability to opt out of such research. In response, we learned that Facebook does not rely on individualized, informed consent (noting that users consent under the terms of the general Data Policy) and that users have no opportunity to opt out of being enrolled in research studies of their activity. In large part for this reason, I am working on legislation to require individualized, informed consent in all instances of behavioral and market research conducted by large platforms on users.

Fair, robust competition serves as an impetus for innovation, product differentiation, and wider consumer choice. For these reasons, I request that you respond to the following questions:

1. Do you think any user reasonably understood that they were giving Facebook root device access through the enterprise certificate? What specific steps did you take to ensure that users were properly informed of this access?

2. Do you think any user reasonably understood that Facebook was using this data for commercial purposes, including to track competitors?

3. Will you release all participants from the confidentiality agreements Facebook made them sign?

4. As you know, I have begun working on legislation that would require large platforms such as Facebook to provide users, on a continual basis, with an estimate of the overall value of their data to the service provider. In this instance, Facebook seems to have developed valuations for at least some uses of the data that was collected (such as market research). This further emphasizes the need for users to understand fully what data is collected by Facebook, the full range of ways in which it is used, and how much it is worth to the company. Will you commit to supporting this legislation and exploring methods for valuing user data holistically?

5. Will you commit to supporting legislation requiring individualized, informed consent in all instances of behavioral and market research conducted by large platforms on users?

I look forward to receiving your responses within the next two weeks. If you should have any questions or concerns, please contact my office at 202-224-2023.

You can pre-order Meizu’s crazy phone with no port for $1,299

If you’re interested in Meizu’s insane smartphone that doesn’t have any port or button, you can now pre-order it on Indiegogo for $1,299. Supply is limited as the company is only selling 100 units for now.

The Meizu Zero looks like any modern phone at first sight. But if you look beyond the display, you’ll notice that there’s absolutely zero port or button.

The volume button has been replaced with a touch-sensitive surface. The fingerprint sensor is integrated in the display. Wireless charging is the only way to charge the device. And if you’re thinking about putting your SIM card in the phone, there’s no SIM slot either — I hope your carrier supports eSIM cards.

There’s no speaker grille either. Meizu is using the screen as a speaker by sending vibrations through the display. It also works as a microphone, apparently.

It’s unclear if this is just a giant joke or an actual product. But it’s an interesting experiment. For $1,299, you get a phone with a 5.99-inch AMOLED display and a Snapdragon 845 system-on-a-chip. The company expects to ship the device in April 2019.

Apple bans Facebook’s Research app that paid users for data

In the wake of TechCrunch’s investigation yesterday, Apple blocked Facebook’s Research VPN app before the social network could voluntarily shut it down. The Research app asked users for root network access to all data passing through their phone in exchange for $20 per month. Apple tells TechCrunch that yesterday evening it pulled the certificate that allows Facebook to distribute the Research app through Apple’s Enterprise Certificate system.

TechCrunch had reported that Facebook was breaking Apple’s policy that the Enterprise system is only for distributing internal corporate apps to employees, not paid external testers. That was actually before Facebook released a statement last night saying that it had shut down the iOS version of the Research program without mentioning that it was forced by Apple to do so.

TechCrunch’s investigation discovered that Facebook has been quietly operating the Research program on iOS and Android since 2016, recently under the name Project Atlas. It recruited 13- to 35-year-olds, 5 percent of whom were teenagers, with ads on Instagram and Snapchat and paid them a monthly fee plus referral bonuses to install Facebook’s Research app and the VPN app it includes, which routes traffic to Facebook, and to ‘Trust’ the company with root network access to their phone. That lets Facebook pull in a user’s web browsing activity, what apps are on their phone and how they use them, and even decrypt their encrypted traffic. Facebook went so far as to ask users to screenshot and submit their Amazon order history. Facebook uses all this data to track competitors, assess trends and plan its product roadmap.

Facebook was forced to remove its similar Onavo Protect app in August last year after Apple changed its policies to prohibit the VPN app’s data collection practices. But Facebook never shut down the Research app with the same functionality it was running in parallel. In fact, TechCrunch commissioned security expert Will Strafach to dig into the Facebook Research app, and we found that it featured tons of similar code and references to Onavo Protect. That means Facebook was purposefully disobeying the spirit of Apple’s 2018 privacy policy change while also abusing the Enterprise Certificate program.

Facebook’s legitimate internal-use only apps like pre-launch versions of Facebook and Instagram as well as its employee logistics apps are still functioning, a source says. That would indicate that Apple didn’t go so far as to completely shut down Facebook’s access to the Enterprise developer program.

This morning, Apple informed us it had banned Facebook’s Research app yesterday before the social network seemingly pulled it voluntarily. Apple provided us with this strongly worded statement condemning the social network’s behavior:

“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

That comes in direct contradiction to Facebook’s initial response to our investigation. Facebook claimed it was in alignment with Apple’s Enterprise Certificate policy and that the program was no different than a focus group.

Seven hours later, a Facebook spokesperson said it was pulling its Research program from iOS without mentioning that Apple forced it to do so, and issued this statement disputing the characterization of our story:

“Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”

We refute those accusations by Facebook. As we wrote yesterday night, Facebook did not publicly promote the Research VPN itself and used intermediaries that often didn’t disclose Facebook’s involvement until users had begun the signup process. While users were given clear instructions and warnings, the program never stresses nor mentions the full extent of the data Facebook can collect through the VPN. A small fraction of the users paid may have been teens, but we stand by the newsworthiness of Facebook’s choice not to exclude minors from this data collection initiative.

The situation will surely worsen the relationship between Facebook and Apple after years of mounting animosity between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices, and Facebook’s Mark Zuckerberg has countered that it offers products for free for everyone rather than making products few can afford like Apple. Flared tensions could see Facebook receive less promotion in the App Store, fewer integrations into iOS, and more jabs from Cook. Meanwhile, the world sees Facebook as having been caught red-handed threatening user privacy and breaking Apple policy.

India’s largest bank SBI leaked account data on millions of customers

India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.

The server, hosted in a regional Mumbai-based datacenter, stored two months of data from SBI Quick, a text message and call-based system that customers of the government-owned State Bank of India (SBI) use to request basic information about their bank accounts. SBI is the largest bank in the country and a highly ranked company in the Fortune 500.

But the bank had not protected the server with a password, allowing anyone who knew where to look to access information on millions of customers.

It’s not known for how long the server was open, but long enough for it to be discovered by a security researcher, who told TechCrunch of the leak, but did not want to be named for the story.

SBI Quick allows SBI’s banking customers to text the bank, or make a missed call, to retrieve information about their finances and accounts by return text message. It’s ideal for millions of the banking giant’s customers who don’t use smartphones or have limited data service. By using predefined keywords, like “BAL” for a customer’s current balance, the service recognizes the customer’s registered phone number and sends back the current amount in that customer’s bank account. The system can also be used to send back the last five transactions, block an ATM card, and make inquiries about home or car loans.

It was the back-end text message system that was exposed, TechCrunch can confirm, storing millions of text messages each day.

A redacted example of some of the banking and credit information found in the database. (Image: TechCrunch)

The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances, and recent transactions. The database also contained the customer’s partial bank account number. Some messages said when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking.

The bank sent out close to three million text messages on Monday alone.

The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.

We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message that he received back.

“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ride-sharing app.

Saini said that knowing a phone number “could be used to aid social engineering attacks — which is one of the most common attack vectors here with regard to financial fraud.”

SBI claims more than 500 million customers across the globe with 740 million accounts.

Just days earlier, SBI accused Aadhaar’s authority, UIDAI, of mishandling citizen data that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was “no security breach” of its system. (UIDAI often uses the term “fake news” to describe coverage it doesn’t like.)

TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector. The database was secured overnight.

Despite several emails, SBI did not comment prior to publication.

Tuesday, 29 January 2019

Apple’s global active install base of iPhones surpassed 900 million this quarter

It’s not surprising that Apple has a massive active install base of iPhones across the globe, but we now finally have an exact number to put behind it. During its Q1 earnings call, CFO Luca Maestri shared the install base for the first time.

“Our global active install base of iPhone continues to grow and has reached an all-time high at the end of December,” Maestri said. “We are disclosing that number now for the first time; it has surpassed 900 million devices.”

Apple has previously detailed the total active install base of its products. It updated that number today to 1.4 billion devices worldwide at the end of December 2018, up from 1.3 billion at the end of January 2018. It’s interesting that Apple has decided to break out iPhone device numbers even as it shies away from releasing unit sales in its earnings calls from this point forward.

Maestri detailed that Apple would continue to offer updates on the iPhone install base and total install base on a “periodic basis.”

Apple seems to be seeking bright spots wherever they can find them; the Q1 2019 earnings didn’t deliver great news for the company despite beating already reduced market expectations. iPhone revenues were down 15 percent.

Facebook pays teens to install VPN that spies on them

Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and pays teenagers and adults to download the Research app and give it root access, in what may be a violation of Apple policy, so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms. Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits.

Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.

We asked Guardian Mobile Firewall’s security expert Will Strafach to dig into the Facebook Research app, and he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.

The strategy shows how far Facebook is willing to go and how much it’s willing to pay to protect its dominance — even at the risk of breaking the rules of Apple’s iOS platform on which it depends. Apple could seek to block Facebook from continuing to distribute its Research app, or even revoke its permission to offer employee-only apps, and the situation could further chill relations between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point. TechCrunch has spoken to Apple and it’s aware of the issue, but the company did not provide a statement before press time.

“The fairly technical sounding ‘install our Root Certificate’ step is appalling,” Strafach tells us. “This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.”

Facebook’s surveillance app

Facebook first got into the data-sniffing business when it acquired Onavo for around $120 million in 2014. The VPN app helped users track and minimize their mobile data plan usage, but also gave Facebook deep analytics about what other apps they were using. Internal documents acquired by Charlie Warzel and Ryan Mac of BuzzFeed News reveal that Facebook was able to leverage Onavo to learn that WhatsApp was sending more than twice as many messages per day as Facebook Messenger. Onavo allowed Facebook to spot WhatsApp’s meteoric rise and justify paying $19 billion to buy the chat startup in 2014. WhatsApp has since tripled its user base, demonstrating the power of Onavo’s foresight.

Over the years since, Onavo clued Facebook in to what apps to copy, features to build and flops to avoid. By 2018, Facebook was promoting the Onavo app in a Protect bookmark of the main Facebook app in hopes of scoring more users to snoop on. Facebook also launched the Onavo Bolt app that let you lock apps behind a passcode or fingerprint while it surveils you, but Facebook shut down the app the day it was discovered following privacy criticism. Onavo’s main app remains available on Google Play and has been installed more than 10 million times.

The backlash heated up after security expert Strafach detailed in March how Onavo Protect was reporting to Facebook when a user’s screen was on or off, and its Wi-Fi and cellular data usage in bytes even when the VPN was turned off. In June, Apple updated its developer policies to ban collecting data about usage of other apps or data that’s not necessary for an app to function. Apple proceeded to inform Facebook in August that Onavo Protect violated those data collection policies and that the social network needed to remove it from the App Store, which it did, Deepa Seetharaman of the WSJ reported.

But that didn’t stop Facebook’s data collection.

Project Atlas

TechCrunch recently received a tip that despite Onavo Protect being banished by Apple, Facebook was paying users to sideload a similar VPN app under the Facebook Research moniker from outside of the App Store. We investigated, and learned Facebook was working with three app beta testing services to distribute the Facebook Research app: BetaBound, uTest and Applause. Facebook began distributing the Research VPN app in 2016. It has been referred to as Project Atlas since at least mid-2018, around when backlash to Onavo Protect magnified and Apple instituted its new rules that prohibited Onavo. Facebook didn’t want to stop collecting data on people’s phone usage, and so the Research program continued in disregard of Apple’s ban on Onavo Protect.

Ads (shown below) for the program run by uTest on Instagram and Snapchat sought teens 13-17 years old for a “paid social media research study.” The sign-up page for the Facebook Research program administered by Applause doesn’t mention Facebook, but seeks users “Age: 13-35 (parental consent required for ages 13-17).” If minors try to sign up, they’re asked to get their parents’ permission with a form that reveals Facebook’s involvement and says “There are no known risks associated with the project, however you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of apps. You will be compensated by Applause for your child’s participation.” For kids short on cash, the payments could coerce them to sell their privacy to Facebook.

The Applause site explains what data could be collected by the Facebook Research app (emphasis mine):

“By installing the software, you’re giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you’ve installed . . . This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.”

Meanwhile, the BetaBound sign-up page with a URL ending in “Atlas” explains that “For $20 per month (via e-gift cards), you will install an app on your phone and let it run in the background.” It also offers $20 per friend you refer. That site also doesn’t initially mention Facebook, but the instruction manual for installing Facebook Research reveals the company’s involvement.


Facebook seems to have purposefully avoided TestFlight, Apple’s official beta testing system, which requires apps to be reviewed by Apple and is limited to 10,000 participants. Instead, the instruction manual reveals that users download the app from r.facebook-program.com and are told to install an Enterprise Developer Certificate and VPN and “Trust” Facebook with root access to their phone plus much of the data it transmits. Apple requires that developers agree to only use this certificate system for distributing internal corporate apps to their own employees. Randomly recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.

Once installed, users just had to keep the VPN running and sending data to Facebook to get paid. The Applause-administered program requested that users screenshot their Amazon orders page. This data could potentially help Facebook tie browsing habits and usage of other apps with purchase preferences and behavior. That information could be harnessed to pinpoint ad targeting and understand which types of users buy what.

TechCrunch commissioned Strafach to analyze the Facebook Research app and find out where it was sending data. He confirmed that data is routed to “vpn-sjc1.v.facebook-program.com” that is associated with Onavo’s IP address, and that the facebook-program.com domain is registered to Facebook, according to MarkMonitor. The app can update itself without interacting with the App Store, and is linked to the email address PeopleJourney@fb.com. He also discovered that the Enterprise Certificate indicates Facebook renewed it on June 27th, 2018 — weeks after Apple announced its new rules that prohibited the similar Onavo Protect app.

“It is tricky to know what data Facebook is actually saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture,” Strafach explains. “They might respond and claim to only actually retain/save very specific limited data, and that could be true, it really boils down to how much you trust Facebook’s word on it. The most charitable narrative of this situation would be that Facebook did not think too hard about the level of access they were granting to themselves . . . which is a startling level of carelessness in itself if that is the case.”

“Flagrant defiance of Apple’s rules”

In response to TechCrunch’s inquiry, a Facebook spokesperson confirmed it’s running the program to learn how people use their phones and other services. The spokesperson told us “Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time.”

Facebook’s spokesperson claimed that the Facebook Research app was in line with Apple’s Enterprise Certificate program, but didn’t explain how in the face of evidence to the contrary. They said Facebook first launched its Research app program in 2016. They tried to liken the program to a focus group and said Nielsen and comScore run similar programs, yet neither of those asks people to install a VPN or provide root access. The spokesperson confirmed the Facebook Research program does recruit teens but also other age groups from around the world. They claimed that Onavo and Facebook Research are separate programs, but admitted the same team supports both as an explanation for why their code was so similar.

However, Facebook’s claim that it doesn’t violate Apple’s Enterprise Certificate policy is directly contradicted by the terms of that policy. Those include that developers “Distribute Provisioning Profiles only to Your Employees and only in conjunction with Your Internal Use Applications for the purpose of developing and testing”. The policy also states that “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers” unless under direct supervision of employees or on company premises. Given Facebook’s customers are using the Enterprise Certificate-powered app without supervision, it appears Facebook is in violation.

Facebook disobeying Apple so directly could hurt their relationship. “The code in this iOS app strongly indicates that it is simply a poorly re-branded build of the banned Onavo app, now using an Enterprise Certificate owned by Facebook in direct violation of Apple’s rules, allowing Facebook to distribute this app without Apple review to as many users as they want,” Strafach tells us. ONV prefixes and mentions of graph.onavo.com, “onavoApp://” and “onavoProtect://” custom URL schemes litter the app. “This is an egregious violation on many fronts, and I hope that Apple will act expeditiously in revoking the signing certificate to render the app inoperable.”

Facebook is particularly interested in what teens do on their phones as the demographic has increasingly abandoned the social network in favor of Snapchat, YouTube and Facebook’s acquisition Instagram. Insights into how popular the Chinese music video app TikTok and meme sharing are with teens led Facebook to launch a clone called Lasso and begin developing a meme-browsing feature called LOL, TechCrunch first reported. But Facebook’s desire for data about teens riles critics at a time when the company has been battered in the press. Analysts on tomorrow’s Facebook earnings call should inquire about what other ways the company has to collect competitive intelligence.

Last year when Tim Cook was asked what he’d do in Mark Zuckerberg’s position in the wake of the Cambridge Analytica scandal, he said “I wouldn’t be in this situation . . . The truth is we could make a ton of money if we monetized our customer, if our customer was our product. We’ve elected not to do that.” Zuckerberg told Ezra Klein that he felt Cook’s comment was “extremely glib.”

Now it’s clear that even after Apple’s warnings and the removal of Onavo Protect, Facebook is still aggressively collecting data on its competitors via Apple’s iOS platform. “I have never seen such open and flagrant defiance of Apple’s rules by an App Store developer,” Strafach concluded. If Apple shuts the Research program down, Facebook will either have to invent new ways to surveil our behavior amidst a climate of privacy scrutiny, or be left in the dark.

Additional reporting by Zack Whittaker.