Monday, 4 February 2019

WhatsApp adds support for Face ID/Touch ID biometric lock on iOS

WhatsApp users updating to the latest version of the messaging app on iOS will find a new setting lurking at the bottom of the ‘Privacy’ menu that adds support for Apple’s biometric authentication technologies.

WhatsApp users on iOS can now tap into Apple’s biometrics for an extra layer of security

Under the new setting, called ‘Screen Lock’, users of WhatsApp on iOS can tap through to another menu to add an additional layer of security by requiring either their facial biometric or a fingerprint to unlock the messaging app.

iPhone users are either offered the ability to ‘require Face ID’ or ‘require Touch ID’ depending on their handset hardware.

The change, in version 2.19.20 of the WhatsApp iOS app, is listed as: 

• You can now require Face ID or Touch ID to unlock WhatsApp. Tap “Settings” > “Account” > “Privacy” and enable Screen Lock.

While WhatsApp makes use of the respected Signal Protocol to protect users’ comms via end-to-end encryption, the best encryption in the world can’t offer any protection if a person gains possession of your unlocked device as they can just open the app and read everything in plain text.

So the lack of a native lock option in WhatsApp has been a rather big security oversight. But one the messaging giant has at least now rectified on iOS.

Albeit the setting is not enabled by default — and is a bit buried in the menus — so less security savvy users are unlikely to realize it’s there.

There’s also still no native option in WhatsApp to add any kind of passcode to the app. Which would offer a universal ‘extra security’ option that could work across Android and iOS. (Presumably WhatsApp’s parent Facebook isn’t a fan of the added ‘friction’ such a setting could bring.)

Although various third party apps can be downloaded and used to require a passcode before other apps can be opened, a native passcode option would increase accessibility and shrink potential security concerns about using third party downloads for what should really be a core function.



from iPhone – TechCrunch https://tcrn.ch/2GamBHz

Healthcare wearables level up with new moves from Apple and Alphabet

Announcements that Apple has partnered with Aetna health insurance on a new app leveraging data from its Apple Watch, and reports that Verily (one of the health-focused subsidiaries of Google’s parent company, Alphabet) is developing a shoe that can detect weight and movement, indicate increasing momentum around using data from wearables for clinical health applications and treatments.

For venture capital investors, the moves from Apple and Alphabet to show new applications for wearable devices are a step in the right direction, and something that’s been long overdue.

“As a healthcare provider, we talk a lot about the importance of preventative medicine, but the US healthcare system doesn’t have the right incentives in place to pay for it,” writes Cameron Sepah, an entrepreneur in residence at Trinity Ventures. “Since large employers largely pay for health care (outside of Medicaid and Medicare), they usually aren’t incentivized to pay for prevention, since employees don’t stay long enough for them to incur the long-term costs of health behaviors. So most startups in this space end up becoming an expendable wellness perk for companies. However, if an insurer like Aetna keeps its members long enough, there’s better alignment for disseminating this app.”

Sepah sees broader implications for the tie ups between health insurers and the tech companies making all sorts of devices to detect and diagnose conditions.

“Most patients’ relationship with their insurer is just getting paper bills/notifications in the mail, with terrible customer satisfaction (NPS) across the board,” Sepah wrote in an email. “But when there’s a way to build a closer relationship through a device that sits on your wrist, it opens possibilities to partner with other health tech startups that can notify patients when they are having mental health issues before they even recognize it (e.g. Mindstrong); or when they should get treatment for hypertension or sleep apnea (e.g. Cardiogram); or leverage their data into a digital chronic disease treatment program (e.g. Omada Health).”

Aetna isn’t the first insurer to tie Apple Watch data to their policies. In September 2018, John Hancock launched the Vitality program, which also gave users discounts on the latest Apple Watch if they linked it with John Hancock’s app. The company also gave out rewards if users changed their behavior around diet and exercise.

In a study conducted by Rand Europe of 400,000 people in the U.S., the U.K., and South Africa, research showed that users who wore an Apple Watch and participated in the Vitality benefits program averaged a 34 percent increase in physical activity compared to patients without the Apple Watch. It equated to roughly 5 extra days of working out per month.

“[It will] be interesting to see how CVS/Apple deal unfolds. Personalized health guidance based on a combination of individual medical records and real time wearable data is a huge and worthy goal,” wrote Greg Yap, a partner at the venture capital firm, Menlo Ventures. But, Yap wrote, “I’m skeptical their first generation app will have enough data or training to deliver value to a broad population, but we’re likely to see some anecdotal benefits, and I find that worthwhile.”

Meanwhile the types of devices that record consumer health information are proliferating — thanks in no small part to Verily.

With the company reportedly working to co-develop shoes with sensors that monitor users’ movement and weight, according to CNBC, Verily is expanding its portfolio of connected devices for health monitoring and management. The company already has a watch that monitors certain patient data — including an FDA approved electrocardiogram — and is developing technologies to track diabetes-related eye disease in patients alongside smart lenses for cataract recovery.

It’s part of a broader push from technology companies to tie themselves closer to consumer health as they look to seize a part of the nearly $3 trillion healthcare industry.

If more data can be collected from wearable devices (or consumer behavior) and then monitored in a consistent fashion, tech companies ideally could suggest interventions faster and provide lower cost treatments to help avoid the need for urgent or emergency care.

These “top of the funnel” communications and monitoring services from tech companies could conceivably divert users and future healthcare patients into an alternative system that is potentially lower-cost with more of a focus on outcomes than on the volume of care and number of treatments prescribed.

Not all physicians are convinced that the use of persistent monitoring will result in better care. Dr. John Ioannidis, a celebrated professor from Stanford University, is skeptical about the utility of monitoring without a better understanding of what the data actually reveals.

“Information is good for you provided you know what it means. For much of that information we have no clue what it means. We have absolutely no idea what to do with it other than creating more anxiety,” Dr. Ioannidis said.

The goal is to provide personalized guidance where machine learning can be used to identify problems and come up in concert with established therapeutic practices, according to investors who back life sciences startups.

“I think startups like Omada, Livongo, Lark, Vida, Virta, and others, can work and are already working on this overall vision of combining real time and personal historical data to deliver personalized guidance. But to be successful, startups need to be more narrowly focused and deliver improved outcomes and financial benefits right away,” according to Yap.

 



from Apple – TechCrunch https://tcrn.ch/2S9d0Yd

Sunday, 3 February 2019

Spotify, eBay set standard for fertility benefits, study finds

The technology sector awards women and same-sex couples the most comprehensive fertility benefit packages, according to a survey by FertilityIQ, an online platform for fertility patients to review doctors and research treatments.

The company asked 30,000 in vitro fertilisation (IVF) patients across industries about their employer’s, or their spouse’s employer’s, 2019 fertility treatment policy, and allocated points based on their support for IVF procedures and egg freezing, among other services.

Silicon Valley semiconductor business Analog Devices and eBay led the ranking. The two companies offer employees unlimited IVF cycles with no pre-authorization requirement, meaning employees do not need permission from insurance providers before seeking certain medical services. Pre-authorization has historically hindered lesbian, gay or unpartnered employees from accessing care quickly or at all, FertilityIQ co-founder Jake Anderson explained.

Spotify, Adobe, Lyft, Facebook and Pinterest were amongst the highest-ranked technology businesses, too.

“I think a lot of people see the tech sector as being unenlightened when it comes to family values but it’s still the sector that makes the fertility benefits the most widely acceptable,” Anderson, a former consumer internet investor at Sequoia Capital, told TechCrunch.

FertilityIQ’s fertility benefits survey results.

Despite an initial outpouring of skepticism, Facebook and Apple became leaders in the fertility benefit category when they began paying for their female employees to freeze their eggs in 2014. Since then, smaller firms have opted to beef up those benefits to stay competitive with their much larger and richer counterparts.

“The Lyfts, the Airbnbs and the Ubers of the world, who clearly need to compete for those companies for talent, have effectively matched those companies dollar-for-dollar despite a much smaller war-chest,” Anderson said. “These companies that are worth 1/1000th of these bigger companies are effectively going toe-to-toe to offer whatever women need.”

Anderson and his wife, FertilityIQ co-founder Deborah Anderson, noticed improved benefits in 2018 from companies implicated by the #MeToo movement, such as Vice Media, Under Armour and Uber.

“Silicon Valley is notorious for talent moving around on you but it’s probably not coincidental that some of the companies that were in the spotlight in the #MeToo movement have added really generous benefits,” Deborah Anderson told TechCrunch.

Uber, for example, now pays for its employees to complete two IVF cycles but still requires pre-authorization.

One in 7 Americans struggle with infertility and the rate of IVF procedures only continues to increase, with the latest data indicating a 15 percent year-over-year growth rate. IVF costs roughly $22,000 per cycle, per FertilityIQ’s survey, a cost which has similarly increased 15 percent since 2015.

That’s a whole lot of cash for a fertility patient to dole out. If companies foot the bill, they’ll have a better shot at retaining talent.

“Best we can tell, there is no question that employees that get this benefit and use it are more loyal and more likely to stick around,” Jake Anderson said. “The company that helps you build your family is the company that you remain committed to.”



from Apple – TechCrunch https://tcrn.ch/2BgYdQs

Friday, 1 February 2019

Apple’s long-time Siri leader reportedly no longer in charge

The man who has headed up Siri at Apple since 2012 is no longer at the helm, according to The Information. Bill Stasior remains at the company in a different role, the report states.

We’ve reached out to Apple for comment.

Stasior joined Apple to take over Siri in 2012 after being poached from Amazon’s A9 retail search team. At this point in time, most of the original Siri co-founders had already left Apple and Stasior was tasked with taking on the mantle of deciding where the digital assistant should move next.

Siri has had a troubled history at Apple. Though the voice assistant arrived with a big splash, the company’s inability to iterate the product quickly left its competitors ample opportunity to leapfrog its capabilities, something that both Amazon and Google clearly have done with their Alexa and Google Assistant platforms.

This past April, Apple hired Google’s John Giannandrea to lead AI and machine learning efforts at the company, a division that includes Siri and CoreML. Giannandrea is expected to be leading the search for a new leader for the Siri team, the report says.



from Apple – TechCrunch https://tcrn.ch/2MJ7F3T

Everything you need to know about Facebook, Google’s app scandal

Facebook and Google landed in hot water with Apple this week after two investigations by TechCrunch revealed the misuse of internal-only certificates — leading to their revocation, which led to a day of downtime at the two tech giants.

Confused about what happened? Here’s everything you need to know.

How did all this start, and what happened?

On Monday, we revealed that Facebook was misusing an Apple-issued certificate that is only meant for companies to use to distribute internal, employee-only apps without having to go through the Apple App Store. But the social media giant used that certificate to sign an app that Facebook distributed outside the company, violating Apple’s rules.

The app, known simply as “Research,” allowed Facebook access to all the data flowing out of the device it was installed on. Facebook paid users — including teenagers — $20 per month to install the app. But it wasn’t clear exactly what kind of data was being vacuumed up, or for what reason.

It turns out that the app was a repackaged app that was effectively banned from Apple’s App Store last year for collecting too much data on users.

Apple was angry that Facebook was misusing its special-issue certificates to push an app it already banned, and revoked the certificate, rendering the app useless. But Facebook was using that same certificate to sign its other employee-only apps, effectively knocking them offline until Apple re-issued the certificate.

Then, it turned out Google was doing almost exactly the same thing with its Screenwise app, and Apple’s ban-hammer fell again.

What’s the controversy over these certificates and what can they do?

If you want to develop Apple apps, you have to abide by its rules.

A key rule is that Apple doesn’t allow app developers to bypass the App Store, where every app is vetted to ensure it’s as secure as it can be. It does, however, grant exceptions for enterprise developers, such as to companies that want to build apps that are only used internally by employees. Facebook and Google in this case signed up to be enterprise developers and agreed to Apple’s developer terms.

Apple granted each a certificate that grants permission to distribute apps they develop internally — including pre-release versions of the apps they make, for testing purposes. But these certificates aren’t allowed to be used for ordinary consumers, as they have to download apps through the App Store.

Why is “root” certificate access a big deal?

Because Facebook’s Research and Google’s Screenwise apps were distributed outside of Apple’s App Store, users had to manually install the app, a process known as sideloading. That requires users to go through a convoluted few steps of downloading the app itself, and opening and installing either Facebook’s or Google’s certificate.

Both apps then required users to open another certificate — known as a VPN configuration profile — allowing all of the data flowing out of that user’s phone to funnel down a special tunnel that directs it all to either Facebook or Google, depending on the app you installed.

This is where Facebook and Google’s cases differ.

Google’s app collected data and sent it off to Google for research purposes, but couldn’t access encrypted data — such as iMessages, or other end-to-end encrypted content.

Facebook, however, went far further. Its users were asked to go through an additional step to trust the certificate at the “root” level of the phone. Trusting this “root certificate” allowed Facebook to look at all of the encrypted traffic flowing out of the device, essentially what we call a “man-in-the-middle” attack. That allowed Facebook to sift through your messages, your emails, and any other bit of data that leaves your phone. Only apps that use certificate pinning, which rejects any certificate that isn’t the app’s own, were protected.

Facebook’s Research app requires Root Certificate access, which lets Facebook gather almost any piece of data transmitted by your phone. (Image: supplied)

Google’s app might not have been able to look at encrypted traffic, but the company still flouted the rules and got its certificate revoked anyway.
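A defender-side check for the two artefacts described above, as an added example that is not from the original article: it parses an iOS configuration profile (.mobileconfig) and reports any VPN and certificate payloads before the profile is installed. The payload-type strings are Apple's documented ones; the sample profiles, their names and the risk labels are constructed for illustration.

```python
import plistlib

# Payload types defined by Apple's configuration-profile format.
CERT_TYPES = {
    "com.apple.security.root": "root CA certificate",
    "com.apple.security.pkcs1": "certificate (DER)",
    "com.apple.security.pem": "certificate (PEM)",
}
VPN_TYPES = {
    "com.apple.vpn.managed": "device-wide VPN",
    "com.apple.vpn.managed.applayer": "per-app VPN",
}


def load_profile(raw: bytes) -> dict:
    """Parse an XML profile. Signed profiles wrap the same XML in a CMS
    envelope, so the plist is located inside the blob rather than assumed
    to start at byte 0. The signature itself is NOT verified here."""
    start = raw.find(b"<?xml")
    end = raw.rfind(b"</plist>")
    if start == -1 or end < start:
        raise ValueError("no XML property list found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def audit_profile(raw: bytes) -> dict:
    """Return the VPN and certificate payloads in a profile plus a risk label."""
    profile = load_profile(raw)
    payloads = profile.get("PayloadContent", [])
    if not isinstance(payloads, list):
        payloads = []
    findings = {"vpn": [], "certs": []}
    for payload in payloads:
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName") or payload.get("PayloadIdentifier", "?")
        if ptype in VPN_TYPES:
            findings["vpn"].append((VPN_TYPES[ptype], name))
        elif ptype in CERT_TYPES:
            findings["certs"].append((CERT_TYPES[ptype], name))
    has_root = any(kind == "root CA certificate" for kind, _ in findings["certs"])
    # VPN alone: the operator sees traffic metadata and unencrypted content.
    # VPN plus a root CA: TLS can also be intercepted once the user enables
    # full trust for that root, except for apps that pin their certificates.
    if findings["vpn"] and has_root:
        findings["risk"] = "high"
    elif findings["vpn"] or findings["certs"]:
        findings["risk"] = "medium"
    else:
        findings["risk"] = "low"
    return findings


def build_sample(payloads: list) -> bytes:
    """Build a constructed, unsigned sample profile (not a real-world profile)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.research.profile",  # hypothetical
        "PayloadDisplayName": "Constructed sample",
        "PayloadContent": payloads,
    })


SAMPLE_VPN = {
    "PayloadType": "com.apple.vpn.managed",
    "PayloadDisplayName": "Research VPN",  # hypothetical name
    "VPNType": "IKEv2",
}
SAMPLE_ROOT = {
    "PayloadType": "com.apple.security.root",
    "PayloadDisplayName": "Research Root CA",  # hypothetical name
    "PayloadContent": b"constructed placeholder, not a real certificate",
}
VPN_ONLY = build_sample([SAMPLE_VPN])
VPN_AND_ROOT = build_sample([SAMPLE_VPN, SAMPLE_ROOT])

if __name__ == "__main__":
    for label, raw in (("VPN only", VPN_ONLY), ("VPN + root CA", VPN_AND_ROOT)):
        print(label, audit_profile(raw))
```

A "high" result describes capability, not proof of interception: a manually installed root still has to be given full trust by the user, the extra step the article describes.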

What data did Facebook have access to on iOS?

It’s hard to know for sure, but it definitely had access to more data than Google.

Facebook said its app was to help it “understand how people use their mobile devices.” In reality, at root traffic level, Facebook could have accessed any kind of data that left your phone.

Will Strafach, a security expert who we spoke to for our story, said: “If Facebook makes full use of the level of access they are given by asking users to install the certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.”

Remember: this isn’t “root” access to your phone, like jailbreaking, but root access to the network traffic.

How does this compare to the technical ways other market research programs work?

In fairness, these aren’t market research apps unique to Facebook or Google. Several other companies, like Nielsen and comScore, run similar programs, but neither asks users to install a VPN or provide root access to the network.

In any case, Facebook already has a lot of your data, as does Google. Even if the companies only wanted to look at your data in aggregate with other people, they can still home in on who you talk to, when, for how long, and in some cases what about. It might not have been such an explosive scandal had Facebook not spent the last year cleaning up after several security and privacy breaches.

Can they capture the data of people the phone owner interacts with?

In both cases, yes. In Google’s case, any unencrypted data that involves another person’s data could have been collected. In Facebook’s case, it goes far further — any data of yours that interacts with another person, such as an email or a message, could have been collected by Facebook’s app.

How many people did this affect?

It’s hard to know for sure. Neither Google nor Facebook has said how many users they have. Between them, it’s believed to be in the thousands. As for the employees affected by the app outages, Facebook has more than 35,000 employees and Google has more than 94,000 employees.

Why did internal apps at Facebook and Google break after Apple revoked the certificates?

You might own your Apple device, but Apple still gets to control what goes on it.

After Facebook was caught out, Apple said: “Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” That meant any app that relied on the certificate — including inside the company — would fail to load. That’s not just pre-release builds of Facebook, Instagram and WhatsApp that staff were working on, but reportedly the company’s travel and collaboration apps were down. In Google’s case, even its catering and lunch menu apps were down.

Facebook’s internal apps were down for about a day, while Google’s internal apps were down for a few hours. None of Facebook or Google’s consumer services were affected, however.

How are people viewing Apple in all this?

Nobody seems thrilled with Facebook or Google at the moment, but not many are happy with Apple, either. Even though Apple sells hardware and doesn’t use your data to profile you or serve you ads — like Facebook and Google do — some are uncomfortable with how much power Apple has over the customers — and enterprises — that use its devices.

Revoking Facebook and Google’s enterprise certificates, and causing downtime, has a knock-on effect inside those companies.

Is this legal in the U.S.? What about in Europe with GDPR?

Well, it’s not illegal — at least in the U.S. Facebook says it gained consent from its users. The company even said its teenage users must obtain parental consent, even though it was easily skippable and no verification checks were made. It wasn’t even explicitly clear that the children who “consented” really understood how much privacy they were really handing over.

That could lead to major regulatory headaches down the line. “If it turns out that European teens have been participating in the research effort Facebook could face another barrage of complaints under the bloc’s General Data Protection Regulation (GDPR) — and the prospect of substantial fines if any local agencies determine it failed to live up to consent and ‘privacy by design’ requirements baked into the bloc’s privacy regime,” wrote TechCrunch’s Natasha Lomas.

Who else has been misusing certificates?

Don’t think that Facebook and Google are alone in this. It turns out that a lot of companies might be flouting the rules, too.

According to many people finding such companies on social media, Sonos uses enterprise certificates for its beta program, as does finance app Binance, as well as DoorDash for its fleet of contractors. It’s not known if Apple will also revoke their certificates.

What next?

It’s anybody’s guess, but don’t expect this situation to die down any time soon.

Facebook may face repercussions with Europe, as well as at home. Two U.S. senators, Mark Warner and Richard Blumenthal, have already called for action, accusing Facebook of “wiretapping teens.” The Federal Trade Commission may also investigate, if Blumenthal gets his way.



from Apple – TechCrunch https://tcrn.ch/2HLKWoY

Apple fixes FaceTime eavesdrop bug, with software update incoming

Three days after Apple pulled its new Group FaceTime feature offline after users found they could eavesdrop on people before accepting a call, the company says it’s fixed the bug on its end.

“We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week,” said Apple in a statement. “We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.”

The bug allowed anyone to swipe up and add themselves to a Group FaceTime call, a new group video feature that Apple introduced last year. TechCrunch verified the bug after it began making the rounds on social media.

To prevent misuse, Apple pulled the plug on Group FaceTime on its servers.

Apple continued: “We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix.”

But the privacy issue came after reports that a 14-year-old from Arizona and his mother tried to report the bug to Apple days before to no avail, citing difficulties in contacting the company.

In Friday’s statement, Apple thanked the Thompson family for reporting the bug.

“We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us,” the statement added.

New York’s attorney general Letitia James and governor Andrew Cuomo said they would investigate the incident.



from Apple – TechCrunch https://tcrn.ch/2RZ0v1b

First China, now Starbucks gets an ambitious VC-funded rival in Indonesia

Asia’s venture capital-backed startups are gunning for Starbucks.

In China, the U.S. coffee giant is being pushed by Luckin Coffee, a $2.2 billion challenger surfing China’s on-demand wave, and on the real estate side, where WeWork China has just unveiled an on-demand product that could tempt people who go to Starbucks to kill time or work.

That trend is picking up in Indonesia, the world’s fourth largest country and Southeast Asia’s largest economy, where an on-demand challenger named Fore Coffee has fuelled up for a fight after it raised $8.5 million.

Fore was started in August 2018 when associates at East Ventures, a prolific early-stage investor in Indonesia, decided to test how robust the country’s new digital infrastructure can be. That means it taps into unicorn companies like Grab, Go-Jek and Tokopedia and their army of scooter-based delivery people to get a hot brew out to customers. Incidentally, the name ‘Fore’ comes from ‘forest’ — “we aim to grow fast, strong, tall and bring life to our surrounding” — rather than in front of… or a shout heard on the golf course.

The company has adopted a similar hybrid approach to Luckin, and Starbucks thanks to its alliance with Alibaba. Fore operates 15 outlets in Jakarta, which range from ‘grab and go’ kiosks for workers in a hurry, to shops with space to sit and delivery-only locations, Fore co-founder Elisa Suteja told TechCrunch. On the digital side, it offers its own app (delivery is handled via Tokopedia’s Go-Send service) and is available via Go-Jek and Grab’s apps.

So far, Fore has jumped to 100,000 deliveries per month and its app is top of the F&B category for iOS and Android in Indonesia — ahead of Starbucks, McDonald’s and Pizza Hut.

It’s early times for the venture (which is not a touch on Starbucks’ $85 billion business; it does break out figures for Indonesia), but it is a sign of where consumption is moving in Indonesia, which has become a coveted beachhead for global companies, and especially Chinese ones, moving into Southeast Asia. Chinese trio Tencent, Alibaba and JD.com and Singapore’s Grab are among the outsiders who have each spent hundreds of millions to build or invest in services that tap growing internet access among Indonesia’s population of over 260 million.

There’s a lot at stake. A recent Google-Temasek report forecast that Indonesia alone will account for over 40 percent of Southeast Asia’s digital economy by 2025, which is predicted to triple to reach $240 billion.

As one founder recently told TechCrunch anonymously: “There is no such thing as winning Southeast Asia but losing Indonesia. The number one priority for any Southeast Asian business must be to win Indonesia.”

Forecasts from a recent Google-Temasek report suggest that Indonesia is the key market in Southeast Asia

This new money comes from East Ventures — which incubated the project — SMDV, Pavilion Capital, Agaeti Venture Capital and Insignia Ventures Partners with participation from undisclosed angel backers. The plan is to continue to invest in growing the business.

“Fore is our model for ‘super-SME’ — SME done right in leveraging technology and digital ecosystem,” Willson Cuaca, a managing partner at East Ventures, said in a statement.

There’s clearly a long way to go before Fore reaches the size of Luckin, which has said it lost 850 million yuan, or $124 million, inside the first nine months in 2018.

The Chinese coffee challenger recently declared that money is no object for its strategy to dethrone Starbucks. The U.S. firm is currently the largest player in China’s coffee market, with 3,300 stores as of last May and a goal of topping 6,000 outlets by 2022, but Luckin said it will more than double its locations to more than 4,500 by the end of this year.

By comparison, Indonesia’s coffee battle is only just getting started.



from Android – TechCrunch https://tcrn.ch/2Gff9dA