Friday, 8 February 2019

Opera adds a free VPN to its Android browser app

Opera became the first browser-maker to bundle a VPN with its service, and now that effort is expanding to mobile.

The company announced today that its Android browser app will begin offering a free VPN. The feature will be rolled out to beta users on a gradual basis. The VPN is free and unlimited, and it can be set to locations in America, Europe and Asia as well as an ‘optimal’ setting which hooks up the fastest available connection. Switching on the VPN means that user traffic data isn’t collected by Opera, while it makes it harder for websites to track location and user data.

There are granular settings too, which include limiting VPN usage to private tabs and switching it off for search engines to get more local results.

Opera previously offered a free VPN app for Android and iOS but that project was closed last year. The new strategy, it seems, was to bake that technology directly into the browser to give it a more competitive advantage and use the tech to bring more users into the Opera ecosystem. There’s no word on an iOS launch.

“The reason why we are including this built-in VPN in our Android browser is because it gives you that extra layer of protection that you are searching for in your daily mobile browsing,” the company — which listed on the Nasdaq last year — said in a blog post.

The VPN — which is powered by a 2015 acquisition — is one of a number of privacy features that Opera offers. Others include blocking of cookie dialogue boxes, cryptojacking and ads. The company has also offered support for crypto with the addition of a crypto wallet, support for Web 3 apps and — as of this week — a feature that lets users buy crypto from inside their browser.

Besides its core apps, Opera also offers a ‘Touch’ browser that is optimized for devices that don’t have a home button. It launched on Android and expanded to iOS late last year.



from Android – TechCrunch https://tcrn.ch/2I1vvJo

Thursday, 7 February 2019

Apple tells app developers to disclose or remove screen recording code

Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm.

In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added.

It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister, and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity.

Even though sensitive data is supposed to be masked, some data — like passport numbers and credit card numbers — was leaking.

Glassbox is a cross-platform analytics tool that specializes in session replay technology. It allows companies to integrate its screen recording technology into their apps to replay how a user interacts with the apps. Glassbox says it provides the technology, among many reasons, to help reduce app error rates. But the company “doesn’t enforce its customers” to mention that they use Glassbox’s screen recording tools in their privacy policies.

But Apple expressly forbids apps that covertly collect data without a user’s permissions.

TechCrunch began hearing on Thursday that app developers had already been notified that their apps had fallen foul of Apple’s rules. One app developer was told by Apple to remove code that recorded app activities, citing the company’s app store guidelines.

“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” Apple said in the email.

Apple gave the developer less than a day to remove the code and resubmit their app or the app would be removed from the app store, the email said.

When asked if Glassbox was aware of the app store removals a spokesperson for Glassbox said that “the communication with Apple is through our customers.”

Glassbox is also available to Android app developers. Google did not immediately comment if it would also ban the screen recording code. Google Play also expressly prohibits apps from secretly collecting device usage. “Apps must not hide or cloak tracking behavior or attempt to mislead users about such functionality,” the developer rules state. We’ll update if and when we hear back.

It’s the latest privacy debacle that has forced Apple to wade in to protect its customers after apps were caught misbehaving.

Last week, TechCrunch reported that Apple banned Facebook’s “research” app, which the social media giant paid teenagers to use so that it could collect all of their data.

It followed another investigation by TechCrunch that revealed Facebook misused its Apple-issued enterprise developer certificate to build and provide apps for consumers outside Apple’s App Store. Apple temporarily revoked Facebook’s enterprise developer certificate, knocking all of the company’s internal iOS apps offline for close to a day.



from iPhone – TechCrunch https://tcrn.ch/2td1JHc

Apple to compensate teenager who found Group FaceTime eavesdrop bug

Apple has said it will compensate the teenager who first found a security bug in Group FaceTime that allowed users to eavesdrop before a call was picked up.

The bug was initially reported to Apple by 14-year-old Grant Thompson and his mother, but the family struggled to get in contact with the company before the bug was discovered elsewhere.

The payout will fall under Apple’s bug bounty, which incentivizes security researchers to claim a reward for privately submitting security bugs and vulnerabilities to the company.

The company said it will also offer an additional gift to Thompson’s education.

“In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security,” an Apple spokesperson told TechCrunch. “This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime.”

“To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS,” said Apple.

On Thursday, Apple rolled out iOS 12.4.1, which Apple says “provides important security updates and is recommended for all users.” Apple’s separate security advisory also credited Thompson with finding the bug.



from iPhone – TechCrunch https://tcrn.ch/2TCZEQy

Update to iOS 12.1.4 to re-enable Group FaceTime

That nasty FaceTime bug is now a thing of the past. You can now download and update your iPhone and iPad to re-enable Group FaceTime again. iOS 12.1.4 is a bug fix release and doesn’t contain any new feature other than this one.

Shortly after people found out that you could eavesdrop on somebody’s microphone or camera by starting a fake Group FaceTime call, Apple disabled Group FaceTime altogether. If you’re running iOS 12.1.3 or earlier, you simply can’t start or join a FaceTime call with more than two persons.

The company has been working on a fix to re-enable Group FaceTime without the nasty bug. And that update is now available.

“We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week,” Apple said in a statement last week. “We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.”

Back up your iPhone or iPad to iCloud or your computer first using iTunes. You can then head over to the Settings app. Tap on ‘General’ then ‘Software Update’ to download and install the patch. The update is still propagating on Apple’s servers so it could take a few minutes before you see it.



from Apple – TechCrunch https://tcrn.ch/2GtnlHf

Wednesday, 6 February 2019

Many popular iPhone apps secretly record your screen without asking

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it, and the apps don’t ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play it back to see how their users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking out the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick. (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data, but none of the apps we examined said they were recording a user’s screen — let alone sending the recordings back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers aren’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

Without analyzing the data for each app, it’s impossible to know if an app is recording your screen as you use it. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And, in Singapore Airlines’ privacy policy, there’s no mention either.

We asked all of the companies to point us to exactly where in their privacy policies they permit each app to capture what a user does on their phone.

Only Abercrombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointed to Abercrombie’s privacy policy, which makes no mention of session replays; neither does its sister-brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t enforce its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app. “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.



from iPhone – TechCrunch https://tcrn.ch/2Dcek24

Tuesday, 5 February 2019

Tesla has opened an Amazon store to spread its swag far and wide

Tesla has had a brisk merch business for years now, thanks to its fervent owner base and fans, who are enthusiastic supporters of the company and its CEO Elon Musk.

But until now, those Tesla-branded items — everything from water bottles and hats to jackets, chargers and once a surfboard — have been sold through the automaker’s own website.

Tesla has now expanded its merch ambitions and opened a store on Amazon. (A reader tipped TechCrunch off to the store; however, the story was first reported by Electrek). Tesla confirmed the store opened earlier this week.

It should be noted that, for now, the store on Amazon isn’t as robust as the one on Tesla’s website. However, there are at least two items that can only be found on the Amazon page: an iPhone 8+ case and a Tesla iPhone X folio case. No prices are listed for the items and they’re currently “unavailable.”

 


In fact, every item on the store is “unavailable.”

It’s not clear when these items will be back in stock or why they aren’t available now. Did the company sell out already? Has it simply failed to make the items available? So many questions.

Tesla merchandise, especially specialty items, does tend to sell out quickly. For instance, the Tesla branded surfboard priced at $1,500 sold out in a day. However, the mini diecast Tesla models sold on the Amazon store appear to be in stock over at Tesla’s website. We’ll update the story when the mystery is solved.



from iPhone – TechCrunch https://tcrn.ch/2Bolsbo

Angela Ahrendts is leaving Apple

Angela Ahrendts will depart Apple in April, almost exactly five years after taking on a role as the company’s senior vice president of retail.

The company says Ahrendts’ responsibilities will now be handled by Deirdre O’Brien, whose title is changing from “senior vice president of People” to “senior vice president of Retail + People.”

Story developing…



from Apple – TechCrunch https://tcrn.ch/2Bmivbg