The blog of DataDiggers

Foxconn halts some production lines for Huawei phones, according to reports

Posted on Jun 1, 2019 in android, Apple, Companies, Donald Trump, Foxconn, Google, Huawei, mobile phones, operating system, president, shenzhen, smart phone, smartphone, Smartphones, TC, telecommunications, United States, Xiaomi

Huawei, the Chinese technology giant whose devices are at the center of a far-reaching trade dispute between the U.S. and Chinese governments, is reducing orders for new phones, according to a report in The South China Morning Post.

According to unnamed sources, the Taiwanese technology manufacturer Foxconn has halted production lines for several Huawei phones after the Shenzhen-based company reduced orders. Foxconn also makes devices for most of the major smart phone vendors including Apple and Xiaomi (in addition to Huawei).

In the aftermath of President Donald Trump’s declaration of a “national emergency” to protect U.S. networks from foreign technologies, Huawei and several of its affiliates were barred from acquiring technologies from U.S. companies.

The blacklist has impacted multiple lines of Huawei’s business including its handset manufacturing capabilities given the company’s reliance on Google’s Android operating system for its smartphones.

In May, Google reportedly suspended business with Huawei, according to a Reuters report. Last year, Huawei shipped over 200 million handsets and the company had a stated goal to become the world’s largest vendor of smartphones by 2020.

These reports from The South China Morning Post are the clearest indication that the ramifications of the U.S. blacklisting are beginning to be felt across Huawei’s phone business outside of China.

Huawei was already under fire for security concerns, and will be forced to contend with more if it can no longer provide Android updates to global customers.

Contingency planning is already underway at Huawei. The company has built its own Android-based operating system, and can use the stripped down, open source version of Android that ships without Google Mobile Services. For now, its customers also still have access to Google’s app store. But if the company is forced to make developers sell their apps on a siloed Huawei-only store, it could face problems from users outside of China.

Huawei and the Chinese government are also retaliating against the U.S. efforts. The company has filed a legal motion to challenge the U.S. ban on its equipment, calling it “unconstitutional.” And Huawei has sent home its American employees deployed at R&D functions at its Shenzhen headquarters.

It has also asked its Chinese employees to limit conversations with overseas visitors, and cease any technical meetings with their U.S. contacts.

Still, any reduction in orders would seem to indicate that the U.S. efforts to stymie Huawei’s expansion (at least in its smartphone business) are having an impact.

A spokesperson for Huawei U.S. did not respond to a request for comment.


Source: The Tech Crunch


Notes from the Samsung Galaxy Fold: day two

Posted on Apr 17, 2019 in galaxy fold, Hardware, Samsung, samsung galaxy fold, Smartphones

I would be remiss if I didn’t mention the technical difficulties multiple reviewers have been experiencing with their units. This sort of thing can happen with pre-production models. I’ve certainly had issues with review units in the past, but these reports are worth mentioning as a note of caution with a product, which we were concerned might not be ready for prime time only a couple of weeks ago.

At the very least, it’s as good a reason as any to wait a couple of weeks before more of these are out in the world before dropping $2,000 to determine how widespread these issues are.

All of that said, I’ve not had any technical issues with my Samsung Galaxy Fold. So far, so good. A day or so in does, however, tend to be the time when the harsh light of day starts to seep in on these things, after that initial novelty of the company’s admittedly impressive feat begins to wane.

Using the device in the lead up to our big robotics event tomorrow, a number of TechCrunch co-workers have demanded a few minutes with the device. The reviews so far have been mixed, with most calling out the thick form factor when closed, as well as the crease. The latter, at least, is really dependent on environmental lighting. In the case of the backstage area at this event, it’s harsh overhead office lighting, which tends to bring the crease out when the phone is facing the ceiling.

On the other hand, I used the phone to watch videos while using the elliptical at the gym this morning. Tilted toward me, the crease wasn’t noticeable. It’s also one of the ideal use cases for the product.

Some more notes:

  • The company’s stated “day long” life is pretty on the money. I got just over 24 hours of standard use (subtracting my five hours on a plane).
  • The screen has a built-in protector that looks a lot like the kind of adhesive guard Samsung’s phones ship with. Don’t peel it off. You will damage the phone.
  • I accidentally (I swear) dropped it off a table. It survived unscathed.
  • So many fingerprints.
  • The green finish looks like gold under certain lights. I definitely would have gone in for blue.
  • We used the handset for a Google Hangout. It was kind of perfect. Kept open at an angle, it can prop itself up.
  • The snap to close is still satisfying.


Source: The Tech Crunch


African e-commerce startup Jumia files for IPO on NYSE

Posted on Mar 12, 2019 in africa, eCommerce, Egypt, Fundings & Exits, Ghana, Goldman Sachs, IPO, jumia, kenya, Lagos, morgan stanley, morocco, Naspers, Nigeria, online retail, Rocket Internet, Smartphones, Startup company, Startups, TC, tech startup, travel bookings, U.S. Securities and Exchange Commission, unicorn

Pan-African e-commerce company Jumia filed for an IPO on the New York Stock Exchange today, per SEC documents and confirmation from CEO Sacha Poignonnec to TechCrunch.

The valuation, share price and timeline for public stock sales will be determined over the coming weeks for the Nigeria-headquartered company.

With a smooth filing process, Jumia will become the first African tech startup to list on a major global exchange.

Poignonnec would not pinpoint a date for the actual IPO, but noted the minimum SEC timeline for beginning sales activities (such as road shows) is 15 days after submitting first documents. Lead adviser on the listing is Morgan Stanley.

There have been numerous press reports on an anticipated Jumia IPO, but none of them were confirmed by Jumia execs or an actual SEC S-1 filing until today.

Jumia’s move to go public comes as several notable consumer digital sales startups have faltered in Nigeria — Africa’s most populous nation, largest economy and unofficial bellwether for e-commerce startup development on the continent. Konga.com, an early Jumia competitor in the race to wire African online retail, was sold in a distressed acquisition in 2018.

With the imminent IPO capital, Jumia will double down on its current strategy and regional focus.

“You’ll see in the prospectus that last year Jumia had 4 million consumers in countries that cover the vast majority of Africa. We’re really focused on growing our existing business, leadership position, number of sellers and consumer adoption in those markets,” Poignonnec said.

The pending IPO creates another milestone for Jumia. The venture became the first African startup unicorn in 2016, achieving a $1 billion valuation after a $326 funding round that included Goldman Sachs, AXA and MTN.

Founded in Lagos in 2012 with Rocket Internet backing, Jumia now operates multiple online verticals in 14 African countries, spanning Ghana, Kenya, Ivory Coast, Morocco and Egypt. Goods and services lines include Jumia Food (an online takeout service), Jumia Flights (for travel bookings) and Jumia Deals (for classifieds). Jumia processed more than 13 million packages in 2018, according to company data.

Starting in Nigeria, the company created many of the components for its digital sales operations. This includes its JumiaPay payment platform and a delivery service of trucks and motorbikes that have become ubiquitous with the Lagos landscape.

Jumia has also opened itself up to traders and SMEs by allowing local merchants to harness Jumia to sell online. “There are over 81,000 active sellers on our platform. There’s a dedicated sellers page where they can sign-up and have access to our payment and delivery network, data, and analytic services,” Jumia Nigeria CEO Juliet Anammah told TechCrunch.

The most popular goods on Jumia’s shopping mall site include smartphones (priced in the $80 to $100 range), washing machines, fashion items, women’s hair care products and 32-inch TVs, according to Anammah.

E-commerce ventures, particularly in Nigeria, have captured the attention of VC investors looking to tap into Africa’s growing consumer markets. McKinsey & Company projects consumer spending on the continent to reach $2.1 trillion by 2025, with African e-commerce accounting for up to 10 percent of retail sales.

Jumia has not yet turned a profit, but a snapshot of the company’s performance from shareholder Rocket Internet’s latest annual report shows an improving revenue profile. The company generated €93.8 million in revenues in 2017, up 11 percent from 2016, though its losses widened (with a negative EBITDA of €120 million). Rocket Internet is set to release full 2018 results (with updated Jumia figures) April 4, 2019.

Jumia’s move to list on the NYSE comes during an up and down period for B2C digital commerce in Nigeria. The distressed acquisition of Konga.com, backed by roughly $100 million in VC, created losses for investors, such as South African media, internet and investment company Naspers.

In late 2018, Nigerian online sales platform DealDey shut down. And TechCrunch reported this week that consumer-focused venture Gloo.ng has dropped B2C e-commerce altogether to pivot to e-procurement. The CEO cited better unit economics from B2B sales.

As demonstrated in other global startup markets, consumer-focused online retail can be a game of capital attrition to outpace competitors and reach critical mass before turning a profit. With its unicorn status and pending windfall from an NYSE listing, Jumia could be better positioned than any venture to win on e-commerce at scale in Africa.


Source: The Tech Crunch


If Stalin Had a Smartphone

Posted on Mar 12, 2019 in computer security, Computers and the Internet, Privacy, Propaganda, Smartphones, Stalin, Joseph, The Age of Surveillance Capitalism: The Fight for the Future at the New Frontier of Power (Book), Zuboff, Shoshana

Suddenly technology has a centralizing effect.
Source: New York Times


Smart Lights Are the One Smart Home Gadget for Everyone

Posted on Mar 8, 2019 in Electric Light Bulbs, Home Appliances, Home Automation and Smart Homes, lighting, Smartphones, your-feed-wirecutter

Expensive smart home gadgets are still niche and of limited use. Smart lights, on the other hand, are useful to just about everyone.
Source: New York Times


Xiaomi-backed electric toothbrush Soocas raises $30 million Series C

Posted on Feb 11, 2019 in alibaba, alibaba group, Asia, China, Companies, electric toothbrush, funding, Hardware, procter & gamble, shenzhen, Smartphones, toothbrush, Xiaomi

China’s Soocas continues to jostle with global toothbrush giants as it raises 200 million yuan ($30 million) in a series C funding round. The Shenzhen-based oral care manufacturer has secured the new capital from lead investor Vision Knight Capital, with Kinzon Capital, Greenwoods Investment, Yunmu Capital and Cathay Capital also participating in the round.

The new proceeds arrived less than a year after Soocas, one of Xiaomi’s home appliance portfolio startups, snapped up close to 100 million yuan in a Series B round last March. Best known for its budget smartphones, Xiaomi has a grand plan to construct an Internet of Things empire that encompasses smart TVs to electric toothbrushes, and it has been gearing up by shelling out strategic investments for consumer goods makers such as Soocas.

Founded in 2015, Soocas’s rise reflects a growing demand for personal care accessories as people’s disposable income increases. Electric toothbrushes are a relatively new concept to most Chinese consumers but the category is picking up steam fast. According to data compiled by Alibaba’s advertising service Alimama, gross merchandise volume sales of electric toothbrushes grew 97 percent between 2015 and 2017. Multinational brands still dominate the oral care space in China, with Procter & Gamble, Colgate and Hawley & Hazel Chemical occupying the top three spots as of 2017, a report from Euromonitor International shows, but local players are rapidly catching up.

Soocas faces some serious competition from its Chinese peers Usmile and Roaman. Like Soocas, the two rivals have also placed their offices in southern China for proximity to the region’s robust supply chain resources. Part of Soocas’s strength comes from its tie-up with Xiaomi, which gives its portfolio companies access to a massive online and offline distribution network worldwide. That comes at a cost, however, as Xiaomi is known to impose razor-thin margins on the companies it backs and controls.

According to a statement from Soocas’s founder Meng Fandi, the company has achieved profitability since its launch and has seen its margin increase over the years. It plans to spend its fresh proceeds on marketing in a race to lure China’s increasingly sophisticated young consumers with toothbrushes and its new lines of hair dryers, nasal trimmers and other tools that make you squeaky-clean.


Source: The Tech Crunch


Apple tells app developers to disclose or remove screen recording code

Posted on Feb 7, 2019 in app developer, app developers, app-store, apple inc, Apps, E-Commerce, Google Play, iOS, iPhone, iTunes, mobile app, online marketplaces, operating systems, Privacy, Security, Smartphones, Software

Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm.

In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added.

It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity.

Even though sensitive data is supposed to be masked, some data — like passport numbers and credit card numbers — was leaking.

Glassbox is a cross-platform analytics tool that specializes in session replay technology. It allows companies to integrate its screen recording technology into their apps to replay how a user interacts with the apps. Glassbox says it provides the technology, among many reasons, to help reduce app error rates. But the company “doesn’t enforce its customers” to mention that they use Glassbox’s screen recording tools in their privacy policies.

But Apple expressly forbids apps that covertly collect data without a user’s permission.

TechCrunch began hearing on Thursday that app developers had already been notified that their apps had fallen afoul of Apple’s rules. One app developer was told by Apple to remove code that recorded app activities, citing the company’s app store guidelines.

“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” Apple said in the email.

Apple gave the developer less than a day to remove the code and resubmit their app or the app would be removed from the app store, the email said.

When asked if Glassbox was aware of the app store removals, a spokesperson for Glassbox said that “the communication with Apple is through our customers.”

Glassbox is also available to Android app developers. Google did not immediately comment if it would also ban the screen recording code. Google Play also expressly prohibits apps from secretly collecting device usage. “Apps must not hide or cloak tracking behavior or attempt to mislead users about such functionality,” the developer rules state. We’ll update if and when we hear back.

It’s the latest privacy debacle that has forced Apple to wade in to protect its customers after apps were caught misbehaving.

Last week, TechCrunch reported that Apple banned Facebook’s “research” app that the social media giant paid teenagers to collect all of their data.

It followed another investigation by TechCrunch that revealed Facebook misused its Apple-issued enterprise developer certificate to build and provide apps for consumers outside Apple’s App Store. Apple temporarily revoked Facebook’s enterprise developer certificate, knocking all of the company’s internal iOS apps offline for close to a day.


Source: The Tech Crunch


LG’s next flagship is getting a 3D front-facing camera

Posted on Feb 7, 2019 in 3D camera, cell phone cameras, Hardware, LG, Mobile, mwc 2019, Smartphones

LG’s never been much on waiting for a big show to announce its latest offering. Mobile World Congress is still weeks away, and the company just dropped what’s likely to be the biggest new feature of its upcoming flagship, the G8 ThinQ.

Clunky naming conventions aside, the handset once again finds LG focusing its efforts on imaging, with a time-of-flight sensor built-in to the front-facing camera array (sensor pictured above, incidentally). Here’s LG on what that means:

While other 3D technologies utilize complex algorithms to calculate an object’s distance from the camera lens, the ToF image sensor chip delivers more accurate measurements by capturing infrared light as it is reflected off the subject. As a result, ToF is faster and more effective in ambient light, reducing the workload on the application processor thereby also reducing power consumption.

For the end-user, that means the camera will be more capable of advanced face recognition than what most Android handsets currently offer. The addition of depth sensing brings more advanced biometric authentication, closer to what you get with the iPhone. The feature also goes a way toward validating earlier leaks of the phone, which bring a larger top notch.

As for the rest of the details — LG’s got to save something for MWC, I guess. 


Source: The Tech Crunch


Many popular iPhone apps secretly record your screen without asking

Posted on Feb 6, 2019 in analyst, app-store, apple inc, Banking, iOS, iPhone, iTunes, Mobile, mobile app, mobile software, operating systems, Privacy, Security, Smartphones, terms of service, travel sites

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data; none of the apps we examined said they were recording a user’s screen — let alone sending them back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers aren’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.
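The manual check described above, inspecting what a session-replay SDK actually sends, can be automated by an app team against traffic captured from its own test builds. The following is an added example, not code from TechCrunch, The App Analyst or Glassbox; the payload layout, field names and sample values are constructed for illustration.

```python
import json
import re

# Candidate payment card numbers: 13 to 19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Email addresses; group 1 captures the domain so reports need not echo the local part.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed sample of one replay upload as it might appear in a proxy capture.
# The structure is hypothetical; real SDK payloads will differ.
SAMPLE_PAYLOAD = json.dumps({
    "session": "constructed-0001",
    "events": [
        {"screen": "payment", "field": "card_number", "text": "****************"},
        {"screen": "payment", "field": "card_confirm", "text": "4111 1111 1111 1111"},
        {"screen": "profile", "field": "email", "text": "traveller@example.com"},
        {"screen": "booking", "field": "reference", "text": "1234567890123"},
    ],
})


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def walk(node, path=""):
    """Yield (json_path, value) for every string leaf in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_leaks(payload_text):
    """Return (json_path, kind, redacted_value) for each unmasked value found.

    Findings are redacted so the report itself does not become a second copy
    of the sensitive data.
    """
    findings = []
    for path, value in walk(json.loads(payload_text)):
        for match in CARD_RE.finditer(value):
            digits = re.sub(r"\D", "", match.group())
            # The Luhn check filters out long numeric IDs that are not card numbers.
            if luhn_valid(digits):
                redacted = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((path, "card_number", redacted))
        for match in EMAIL_RE.finditer(value):
            findings.append((path, "email", "***@" + match.group(1)))
    return findings


if __name__ == "__main__":
    for path, kind, redacted in find_leaks(SAMPLE_PAYLOAD):
        print(f"UNMASKED {kind} at {path}: {redacted}")
```

Run as a release gate over captures from test builds, a non-empty result means a field escaped masking before the data left the device.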

Without analyzing the data for each app, it’s impossible to know if an app is recording a user’s screen as they use the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either.

We asked all of the companies to point us to exactly where in its privacy policies it permits each app to capture what a user does on their phone.

Only Abercrombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The privacy policy the spokesperson pointed to makes no mention of session replays, and neither does its sister-brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


Source: The Tech Crunch


Everything you need to know about Facebook, Google’s app scandal

Posted on Feb 1, 2019 in app-store, Apple, Apple App Store, Apps, Europe, Facebook, Federal Trade Commission, Finance, General Data Protection Regulation, Google, messaging apps, mobile devices, operating systems, Privacy, Security, Smartphones, Social Media, Sonos, United States

Facebook and Google landed in hot water with Apple this week after two investigations by TechCrunch revealed the misuse of internal-only certificates — leading to their revocation, which led to a day of downtime at the two tech giants.

Confused about what happened? Here’s everything you need to know.

How did all this start, and what happened?

On Monday, we revealed that Facebook was misusing an Apple-issued enterprise certificate that is only meant for companies to use to distribute internal, employee-only apps without having to go through the Apple App Store. But the social media giant used that certificate to sign an app that Facebook distributed outside the company, violating Apple’s rules.

The app, known simply as “Research,” allowed Facebook unparalleled access to all of the data flowing out of a device. This included access to some of the users’ most sensitive network data. Facebook paid users — including teenagers — $20 per month to install the app. But it wasn’t clear exactly what kind of data was being vacuumed up, or for what reason.

It turns out that the app was a repackaged app that was effectively banned from Apple’s App Store last year for collecting too much data on users.

Apple was angry that Facebook was misusing its special-issue enterprise certificates to push an app it already banned, and revoked it — rendering the app unable to open. But Facebook was using that same certificate to sign its other employee-only apps, effectively knocking them offline until Apple re-issued the certificate.

Then, it turned out Google was doing almost exactly the same thing with its Screenwise app, and Apple’s ban-hammer fell again.

What’s the controversy over these enterprise certificates and what can they do?

If you want to develop Apple apps, you have to abide by its rules — and Apple expressly makes companies agree to its terms.

A key rule is that Apple doesn’t allow app developers to bypass the App Store, where every app is vetted to ensure it’s as secure as it can be. It does, however, grant exceptions for enterprise developers, such as to companies that want to build apps that are only used internally by employees. Facebook and Google in this case signed up to be enterprise developers and agreed to Apple’s developer terms.

Each Apple-issued certificate grants companies permission to distribute apps they develop internally — including pre-release versions of the apps they make, for testing purposes. But these certificates aren’t allowed to be used for ordinary consumers, as they have to download apps through the App Store.

What’s a “root” certificate, and why is its access a big deal?

Because Facebook’s Research and Google’s Screenwise apps were distributed outside of Apple’s App Store, users had to install the app manually, a process known as sideloading. That requires users to go through a convoluted few steps of downloading the app itself, and opening and trusting either Facebook or Google’s enterprise developer code-signing certificate, which is what allows the app to run.

Both companies required users after the app installed to agree to an additional configuration step — known as a VPN configuration profile — allowing all of the data flowing out of that user’s phone to funnel down a special tunnel that directs it all to either Facebook or Google, depending on which app you installed.

This is where the Facebook and Google cases differ.

Google’s app collected data and sent it off to Google for research purposes, but couldn’t access encrypted data — such as the content of any network traffic protected by HTTPS, as most apps in the App Store and internet websites are.

Facebook, however, went far further. Its users were asked to go through an additional step to trust an additional type of certificate at the “root” level of the phone. Trusting this Facebook Research root certificate authority allowed the social media giant to look at all of the encrypted traffic flowing out of the device — essentially what we call a “man-in-the-middle” attack. That allowed Facebook to sift through your messages, your emails and any other bit of data that leaves your phone. Only apps that use certificate pinning — which rejects any certificate that isn’t the app’s own — were protected, such as iMessage, Signal and any other end-to-end encrypted solutions.

Facebook’s Research app requires Root Certificate access, which lets Facebook gather almost any piece of data transmitted by your phone (Image: supplied)

Google’s app might not have been able to look at encrypted traffic, but the company still flouted the rules — and had its separate enterprise developer code-signing certificate revoked anyway.

What data did Facebook have access to on iOS?

It’s hard to know for sure, but it definitely had access to more data than Google.

Facebook said its app was to help it “understand how people use their mobile devices.” In reality, at root traffic level, Facebook could have accessed any kind of data that left your phone.

Will Strafach, a security expert with whom we spoke for our story, said: “If Facebook makes full use of the level of access they are given by asking users to install the certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.”

Remember: this isn’t “root” access to your phone, like jailbreaking, but root access to the network traffic.

How does this compare to the technical ways other market research programs work?

In fairness, these aren’t market research apps unique to Facebook or Google. Several other companies, like Nielsen and comScore, run similar programs, but neither asks users to install a VPN or provide root access to the network.

In any case, Facebook already has a lot of your data — as does Google. Even if the companies only wanted to look at your data in aggregate with other people, they can still home in on who you talk to, when, for how long and, in some cases, what about. It might not have been such an explosive scandal had Facebook not spent the last year cleaning up after several security and privacy breaches.

Can they capture the data of people the phone owner interacts with?

In both cases, yes. In Google’s case, any unencrypted data that involves another person’s data could have been collected. In Facebook’s case, it goes far further — any data of yours that interacts with another person, such as an email or a message, could have been collected by Facebook’s app.

How many people did this affect?

It’s hard to know for sure. Neither Google nor Facebook has said how many users they have. Between them, it’s believed to be in the thousands. As for the employees affected by the app outages, Facebook has more than 35,000 employees and Google has more than 94,000 employees.

Why did internal apps at Facebook and Google break after Apple revoked the certificates?

You might own your Apple device, but Apple still gets to control what goes on it.

Apple can’t control Facebook’s root certificates, but it can control the enterprise certificates it issues. After Facebook was caught out, Apple said: “Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” That meant any app that relied on Facebook’s enterprise certificate — including inside the company — would fail to load. That’s not just pre-release builds of Facebook, Instagram and WhatsApp that staff were working on, but reportedly the company’s travel and collaboration apps were down. In Google’s case, even its catering and lunch menu apps were down.

Facebook’s internal apps were down for about a day, while Google’s internal apps were down for a few hours. None of Facebook or Google’s consumer services were affected, however.

How are people viewing Apple in all this?

Nobody seems thrilled with Facebook or Google at the moment, but not many are happy with Apple, either. Even though Apple sells hardware and doesn’t use your data to profile you or serve you ads — like Facebook and Google do — some are uncomfortable with how much power Apple has over the customers — and enterprises — that use its devices.

By revoking Facebook and Google’s enterprise certificates and causing downtime, Apple caused a knock-on effect inside both companies.

Is this legal in the U.S.? What about in Europe with GDPR?

Well, it’s not illegal — at least in the U.S. Facebook says it gained consent from its users. The company even said its teenage users must obtain parental consent, even though that step was easily skippable and no verification checks were made. It wasn’t even explicitly clear that the children who “consented” understood how much privacy they were really handing over.

That could lead to major regulatory headaches down the line. “If it turns out that European teens have been participating in the research effort Facebook could face another barrage of complaints under the bloc’s General Data Protection Regulation (GDPR) — and the prospect of substantial fines if any local agencies determine it failed to live up to consent and ‘privacy by design’ requirements baked into the bloc’s privacy regime,” wrote TechCrunch’s Natasha Lomas.

Who else has been misusing certificates?

Don’t think that Facebook and Google are alone in this. It turns out that a lot of companies might be flouting the rules, too.

According to many people finding such companies on social media, Sonos uses enterprise certificates for its beta program, as does finance app Binance, as well as DoorDash for its fleet of contractors. It’s not known if Apple will also revoke their enterprise certificates.

What next?

It’s anybody’s guess, but don’t expect this situation to die down any time soon.

Facebook may face repercussions with Europe, as well as at home. Two U.S. senators, Mark Warner and Richard Blumenthal, have already called for action, accusing Facebook of “wiretapping teens.” The Federal Trade Commission may also investigate, if Blumenthal gets his way.


Source: The Tech Crunch
