
Every secure messaging app needs a self-destruct button

The growing presence of encrypted communications apps makes a lot of communities safer and stronger. But the possibility of physical device seizure and government coercion is growing as well, which is why every such app should have some kind of self-destruct mode to protect its user and their contacts.

End-to-end encryption like that in Signal and (if you opt into it) WhatsApp is great at preventing governments and other malicious actors from accessing your messages while they are in transit. But as with nearly all cybersecurity matters, physical access to the device, the user, or both changes things considerably.

For example, take this Hong Kong citizen who was forced to unlock their phone and reveal their followers and other messaging data to police. It’s one thing to do this with a court order to see if, say, a person was secretly cyberstalking someone in violation of a restraining order. It’s quite another to use as a dragnet for political dissidents.

This particular protestor ran a Telegram channel that had a number of followers. But it could just as easily be a Slack room for organizing a protest, or a Facebook group, or anything else. For groups under threat from oppressive government regimes it could be a disaster if the contents or contacts from any of these were revealed to the police.

Just as you should be able to choose exactly what you say to police, you should be able to choose how much your phone can say as well. Secure messaging apps should be the vanguard of this capability.

There are already some dedicated “panic button” type apps, and Apple has thoughtfully developed an “emergency mode” (activated by hitting the power button five times quickly) that disables biometric unlock and will wipe the phone if it is not unlocked within a certain period of time. That’s effective against “Apple pickers” trying to steal a phone, or during border or police stops where you don’t want to show ownership by unlocking the phone with your face.

Those are useful and we need more like them — but secure messaging apps are a special case. So what should they do?

The best-case scenario, where you have all the time in the world and internet access, isn’t really an important one. You can always delete your account and data voluntarily. What needs work is deleting your account under pressure.

The next best-case scenario is that you have perhaps a few seconds or at most a minute to delete or otherwise protect your account. Signal is very good about this: The deletion option is front and center in the options screen, and you don’t have to input any data. WhatsApp and Telegram require you to put in your phone number, which is not ideal — fail to do this correctly and your data is retained.

Signal, left, lets you get on with it. You’ll need to enter your number in WhatsApp (right) and Telegram.

Obviously it’s also important that these apps don’t let users accidentally and irreversibly delete their account. But perhaps there’s a middle road whereby you can temporarily lock it for a preset time period, after which it deletes itself if not unlocked manually. Telegram does have self-destructing accounts, but the shortest time you can delete after is a month.

What really needs improvement is emergency deletion when your phone is no longer in your control. This could be a case of device seizure by police, or perhaps being forced to unlock the phone after you have been arrested. Whatever the case, there need to be options for a user to delete their account outside the ordinary means.

Here are a couple options that could work:

  • Trusted remote deletion: Selected contacts are given the ability via a one-time code or other method to wipe each other’s accounts or chats remotely, no questions asked and no notification created. This would let, for instance, a friend who knows you’ve been arrested remotely remove any sensitive data from your device.
  • Self-destruct timer: Like Telegram’s feature, but better. If you’re going to a protest, or have been “randomly” selected for additional screening or questioning, you can just tell the app to delete itself after a certain duration (as little as a minute perhaps) or at a certain time of the day. Deactivate any time you like, or stall for the five required minutes for it to trigger.
  • Poison PIN: In addition to a normal unlock PIN, users can set a poison PIN that when entered has a variety of user-selectable effects. Delete certain apps, clear contacts, send prewritten messages, unlock or temporarily hard-lock the device, etc.
  • Customizable panic button: Apple’s emergency mode is great, but it would be nice to be able to attach conditions like the poison PIN’s. Sometimes all someone can do is smash that button.
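As an added illustration of the three mechanisms above (trusted remote deletion, self-destruct timer and poison PIN), here is a hypothetical Python sketch. It is not code from the article or from any of the apps it mentions; the class name `EmergencyVault`, its fields and the `Outcome` values are assumptions made for the example, and the app state it wipes is a constructed in-memory list. The points it shows that the list alone does not are that both PINs are checked unconditionally in constant time so a wrong guess cannot reveal which one exists, that a wipe also destroys the PIN hashes and any outstanding remote-wipe codes, and that a manual unlock cancels a pending timer, as in the “middle road” the post describes.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Outcome(Enum):
    UNLOCKED = "unlocked"   # normal PIN accepted
    DENIED = "denied"       # wrong PIN, bad token, or nothing left to unlock
    WIPED = "wiped"         # poison PIN, expired timer or trusted remote wipe fired


def _derive(pin: str, salt: bytes) -> bytes:
    # PBKDF2 so a copied database does not reveal either PIN in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class EmergencyVault:
    """Hypothetical app state plus the three emergency controls from the post."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    normal_hash: bytes = b""
    poison_hash: bytes = b""
    messages: list = field(default_factory=list)   # constructed stand-in for chat data
    contacts: list = field(default_factory=list)
    wiped: bool = False
    destruct_deadline: Optional[float] = None        # seconds, same clock as `now`
    remote_tokens: set = field(default_factory=set)  # sha256 digests of one-time codes

    def set_pins(self, normal_pin: str, poison_pin: str) -> None:
        if normal_pin == poison_pin:
            raise ValueError("poison PIN must differ from the normal PIN")
        self.normal_hash = _derive(normal_pin, self.salt)
        self.poison_hash = _derive(poison_pin, self.salt)

    def wipe(self) -> None:
        # Destroy everything a seized device could give up, including the PIN
        # hashes and any outstanding remote-wipe codes.
        self.messages.clear()
        self.contacts.clear()
        self.normal_hash = self.poison_hash = b""
        self.remote_tokens.clear()
        self.destruct_deadline = None
        self.wiped = True

    # --- self-destruct timer ---
    def arm_self_destruct(self, now: float, seconds: float) -> None:
        self.destruct_deadline = now + seconds

    def disarm(self) -> None:
        self.destruct_deadline = None

    def tick(self, now: float) -> bool:
        """Call on every clock tick or app event; returns True if the timer wiped."""
        if self.destruct_deadline is not None and now >= self.destruct_deadline:
            self.wipe()
            return True
        return False

    # --- poison PIN ---
    def unlock(self, pin: str, now: float) -> Outcome:
        if self.tick(now) or self.wiped:
            return Outcome.DENIED
        candidate = _derive(pin, self.salt)
        # Check both hashes unconditionally so timing does not reveal which matched.
        is_normal = hmac.compare_digest(candidate, self.normal_hash)
        is_poison = hmac.compare_digest(candidate, self.poison_hash)
        if is_poison:
            self.wipe()          # the post leaves the visible effect user-selectable; here it wipes
            return Outcome.WIPED
        if is_normal:
            self.disarm()        # a manual unlock cancels a pending self-destruct
            return Outcome.UNLOCKED
        return Outcome.DENIED

    # --- trusted remote deletion ---
    def issue_remote_wipe_token(self) -> str:
        """One-time code handed to a trusted contact out of band."""
        token = secrets.token_urlsafe(16)
        self.remote_tokens.add(hashlib.sha256(token.encode()).digest())
        return token

    def remote_wipe(self, token: str) -> Outcome:
        digest = hashlib.sha256(token.encode()).digest()
        matched = False
        for stored in self.remote_tokens:   # constant-time compare over every stored code
            matched |= hmac.compare_digest(digest, stored)
        if not matched or self.wiped:
            return Outcome.DENIED
        self.wipe()                         # wipe() also consumes every outstanding token
        return Outcome.WIPED
```

In a real app the `now` argument would come from a monotonic clock and `tick` would run from a background task, so a timer armed before a seizure still fires even if the app is never opened again; keeping the timer state and the PIN hashes inside the same wiped store is what prevents a second attempt from learning anything after the first one fired.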

Obviously these open new avenues for calamity and abuse as well, which is why they will need to be explained carefully and perhaps initially hidden in “advanced options” and the like. But overall I think we’ll be safer with them available.

Eventually these roles may be filled by dedicated apps or by the developers of the operating systems on which they run, but it makes sense for the most security-forward app class out there to be the first in the field.

Laundry startup FlyCleaners confirms major layoffs

FlyCleaners, a New York startup offering on-demand laundry pickup and delivery, has laid off “a large number” of its employees, co-founder and CEO David Salama told TechCrunch.

This confirms a story earlier this week in Crain’s New York reporting that FlyCleaners filed a notification with the Department of Labor outlining plans to close its Long Island City plant and lay off 116 employees.

As Salama explained when we profiled him several years ago, FlyCleaners customers can use the mobile app whenever they want someone to pick up their laundry — the startup handles pickup and return, while the actual cleaning is handled by local businesses.

In an email about the layoffs, Salama told me that the company (which raised a $2 million round led by Zelkova Ventures back in 2013) created its own team for pickup and delivery because “when we started FlyCleaners six years ago, the last mile logistics industry was simply not where we needed it to be in order to effectively service our customers.” More recently, however, the company has been testing out partnerships with other logistics companies as a way to “supplement” its own team.

“Recently, it became clear to us that the cost of our internal team was just too large to bear and it was starting to hamper our ability to execute strategically and to sustain and grow our business,” Salama continued. “And so, that [led] to the painful decision to lay off a large number of employees and to proceed as a more asset light organization.”

He added, “We don’t anticipate that this change will materially decrease the service we offer our customers. If anything, by partnering with larger scale logistics providers, our service should be more efficient and resilient than it currently is.”

But if partners are handling pickups, delivery and the laundry, what does FlyCleaners bring to the table? When I asked what the company will focus on moving forward, Salama said, “I prefer to be discreet about it[,] but I’m comfortable saying that our plan is to leverage our technology to create the best customer experience possible.”

He also said that the startup is working with its logistics partners to find new positions for laid-off employees.

Facebook collected device data on 187,000 users using banned snooping app

Facebook obtained personal and sensitive device data on about 187,000 users of its now-defunct Research app, which Apple banned earlier this year after the app violated its rules.

The social media giant said in a letter to lawmakers — which TechCrunch obtained — that it collected data on 31,000 users in the U.S., including 4,300 teenagers. The rest of the collected data came from users in India.

Earlier this year, a TechCrunch investigation found both Facebook and Google were abusing their Apple-issued enterprise developer certificates, which are designed to allow only employees to run iPhone and iPad apps used inside the company. The investigation found the companies were building and providing apps for consumers outside Apple’s App Store, in violation of Apple’s rules. The apps paid users in return for access to all of the network data in and out of their devices, which the companies used to understand how participants used their devices and which apps they favored.

Apple banned the apps by revoking Facebook’s enterprise developer certificate — and later Google’s enterprise certificate. In doing so, the revocation knocked offline both companies’ fleets of internal iPhone and iPad apps that relied on the same certificates.

But in response to lawmakers’ questions, Apple said it didn’t know how many devices installed Facebook’s rule-violating app.

“We know that the provisioning profile for the Facebook Research app was created on April 19, 2017, but this does not necessarily correlate to the date that Facebook distributed the provisioning profile to end users,” said Timothy Powderly, Apple’s director of federal affairs, in his letter.

Facebook said the app dated back to 2016.

TechCrunch also obtained the letters sent by Apple and Google to lawmakers in early March, which were never made public.

These “research” apps relied on willing participants to download the app from outside the App Store and use the Apple-issued developer certificates to install it. Then, the apps would install a root certificate, allowing the app to collect all the data leaving the device — like web browsing histories, encrypted messages, and mobile app activity, potentially also including data from their friends — for competitive analysis.

A response by Facebook about the number of users involved in Project Atlas. (Image: TechCrunch)

In Facebook’s case, the research app — dubbed Project Atlas — was a repackaged version of its Onavo VPN app, which Facebook was forced to remove from Apple’s App Store last year for gathering too much device data.

Just this week, Facebook relaunched its research app as Study, only available on Google Play and for users who have been approved through Facebook’s research partner, Applause. Facebook said it would be more transparent about how it collects user data.

Facebook’s vice-president of public policy Kevin Martin defended the company’s use of enterprise certificates, saying it “was a relatively well-known industry practice.” When asked, a Facebook spokesperson didn’t quantify this further. Later, TechCrunch found dozens of apps that used enterprise certificates to evade the app store.

Facebook previously said it “specifically ignores information shared via financial or health apps.” In its letter to lawmakers, Facebook stuck to its guns, saying its data collection was focused on “analytics,” but confirmed “in some isolated circumstances the app received some limited non-targeted content.”

“We did not review all of the data to determine whether it contained health or financial data,” said a Facebook spokesperson. “We have deleted all user-level market insights data that was collected from the Facebook Research app, which would include any health or financial data that may have existed.”

But Facebook didn’t say what kind of data, only that the app didn’t decrypt “the vast majority” of data sent by a device.

Facebook describing the type of data it collected — including “limited, non-targeted content.” (Image: TechCrunch)

Google’s letter, penned by public policy vice-president Karan Bhatia, did not provide a number of devices or users, saying only that its app was a “small scale” program. When reached, a Google spokesperson did not comment by our deadline.

Google also said it found “no other apps that were distributed to consumer end users,” but confirmed several other apps used by the company’s partners and contractors, which no longer rely on enterprise certificates.

Google explaining which of its apps were improperly using Apple-issued enterprise certificates. (Image: TechCrunch)

Apple told TechCrunch that both Facebook and Google “are in compliance” with its rules as of the time of publication. At its annual developer conference last week, the company said it now “reserves the right to review and approve or reject any internal use application.”

Facebook’s willingness to collect this data from teenagers — despite constant scrutiny from press and regulators — demonstrates how valuable the company sees market research on its competitors. With its restarted paid research program but with greater transparency, the company continues to leverage its data collection to keep ahead of its rivals.

Facebook and Google came off worse in the enterprise app abuse scandal, but critics said in revoking enterprise certificates Apple retains too much control over what content customers have on their devices.

The Justice Department and the Federal Trade Commission are said to be examining the big four tech giants — Apple, Amazon, Facebook, and Google-owner Alphabet — for potentially falling foul of U.S. antitrust laws.

Krisp’s smart noise-cancelling gets official release and pricing

Background noise on calls could be a thing of the past if Krisp has anything to do with it. The app, now available on Windows and Macs after a long beta, uses machine learning to silence the bustle of a home, shared office, or coffee shop so your voice and the voices of others come through clearly.

I first encountered Krisp in prototype form when we were visiting UC Berkeley’s Skydeck accelerator, which ended up plugging $500,000 into the startup alongside a $1.5M round from Sierra Ventures and Shanda Group.

Like so many apps and services these days, Krisp uses machine learning. But unlike many of them, it uses the technology in a fairly straightforward, easily understandable way.

The machine learning model the company has created is trained to recognize the voice of a person talking into a microphone. By definition pretty much everything else is just noise — so the model just sort of subtracts it from the waveform, leaving your audio clean even if there’s a middle school soccer team invading the cafe where you’re running the call from.

It can also mute sound coming from the other direction — that is, the noise on your friend’s side. So if they’re in a noisy street and you’re safe at home, you can apply the smart noise reduction to them as well.

Because it changes the audio signal before it gets to any apps or services, it’s compatible with pretty much everything: Skype, Messenger, Slack, whatever. You could even use it to record podcasts when there’s a leaf blower outside. A mobile version is on the way for release later this year.

It works — I’ve tested it, as have thousands of other users during the beta. But now comes the moment of truth: will anyone pay for it?

The new, official release of the app will let you mute the noise you hear on the line — that is, the noise coming from the microphones of people you talk to — for free, forever. But clearing the noise on your own line, like the baby crying next to you, will cost you $5 per month or $50 per year after a two-week trial period. You can collect free time by referring people to the app, but eventually you’ll probably have to shell out.

Not that there’s anything wrong with that: a straightforward pay-as-you-go business model is refreshing in an age of intrusive data collection, pushy “freemium” platforms, and services that lack any way to make money whatsoever.

Helium launches $51M-funded “LongFi” IoT alternative to cellular

With 200X the range of WiFi at 1/1000th of the cost of a cellular modem, Helium’s “LongFi” wireless network debuts today. Its transmitters can help track stolen scooters, find missing dogs via IoT collars, and collect data from infrastructure sensors. The catch is that Helium’s tiny, extremely low-power, low-data transmission chips rely on connecting to P2P Helium Hotspots people can now buy for $495. Operating those hotspots earns owners a cryptocurrency token Helium promises will be valuable in the future…

The potential of a new wireless standard has allowed Helium to raise $51 million over the past few years from GV, Khosla Ventures, and Marc Benioff, including a new $15 million round led by Union Square Ventures. That’s in part because one of Helium’s co-founders is Napster inventor Shawn Fanning. Investors are betting that he can change the tech world again, this time with a wireless protocol that, like WiFi and Bluetooth before it, could unlock unique business opportunities.

Helium already has some big partners lined up, including Lime, which will test it for tracking its lost and stolen scooters and bikes when they’re brought indoors, obscuring other connectivity, or their battery is pulled out, deactivating GPS. “It’s an ultra low-cost version of a LoJack,” Helium CEO Amir Haleem says.

InvisiLeash will partner with it to build more trackable pet collars. Agulus will pull data from irrigation valves and pumps for its agriculture tech business, Nestle will track when it’s time to refill water in its ReadyRefresh coolers at offices, and Stay Alfred will use it to track occupancy status and air quality in buildings. Haleem also imagines the tech being useful for tracking wildfires or radiation.

Haleem teamed up with Fanning and Sproutling baby monitor (sold to Mattel) founder Chris Bruce in 2013 to start work on Helium. They foresaw a version of Tile’s trackers that could function anywhere while replacing expensive cell connections for devices that don’t need high bandwidth. Helium will compete with SigFox, another low-power IoT protocol, though Haleem claims its more centralized infrastructure makes its costs prohibitive. Luckily for Helium, on-demand rental bikes and scooters that are perfect for its network have reached mainstream popularity just as Helium launches, six years after its start.

Helium says it’s already pre-sold 80% of its Helium Hotspots for its first market in Austin, Texas. People connect them to their WiFi and put them in their window so the devices can pull in data from Helium’s IoT sensors over its open-source LongFi protocol. The hotspots then encrypt and send the data to the company’s cloud, which clients can plug into to track and collect info from their devices. The Helium Hotspots only require as much energy as a 12-watt LED lightbulb to run, but that $495 price tag is steep. The lack of a concrete return on investment could deter later adopters from buying the expensive device.

Only 150-200 hotspots are necessary to blanket a city in connectivity, Haleem tells me. But since they need to be distributed across the landscape, a client can’t just fill their warehouse with hotspots, and since the upfront price is expensive for individuals, Helium might need to sign up some retail chains as partners for deployment.

Without enough Helium Hotspots, the Helium network won’t function. That means this startup will have to simultaneously win at telecom technology, enterprise sales, and cryptocurrency for the network to pan out.