FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Google and Walmart establish dominance in India’s mobile payments market as WhatsApp Pay struggles to launch

By Manish Singh

In India, it’s Google and Walmart-owned PhonePe that are racing neck-and-neck to be the top player in the mobile payments market, while Facebook remains mired in a regulatory maze for WhatsApp Pay’s rollout.

In May, more than 75 million users transacted on Google Pay app, ahead of PhonePe’s 60 million users, people familiar with the companies’ figures told TechCrunch. More than 10 million users transact on SoftBank -backed Paytm’s app everyday, according to internal data seen by TechCrunch.

Google still lags Paytm’s reach with merchants, but the Android -maker has maintained its overall lead in recent months despite every player losing momentum due to one of the most stringent lockdowns globally in place in India.

The company is facing an antitrust probe in India over allegations that it is abusing its market position to unfairly promote its mobile payments app in the country, Reuters reported last month.

Paytm, once the dominant player in India, has been struggling to sustain its user base for nearly two years. The company had about 60 million transacting users in January last year, said people familiar with the matter.

Paytm had over 50 million monthly active users on its app in May, a spokesperson told TechCrunch.

Data sets consider transacting users to be those who have made at least one payment through the app in a month. It’s a coveted metric and is different from the much more popular monthly active users (MAU), or daily active users (DAU) that various firms use to share their performance. A portion of those labeled as monthly active users do not make any transaction on the app.

India’s homegrown payment firm, Paytm, has struggled to grow in recent years in part because of a mandate by India’s central bank to mobile wallet firms — the middlemen between users and banks — to perform know-your-client (KYC) verification of users, which created confusion among many, some of the people said. These woes come despite the firm’s fundraising success, which amounts to more than $3 billion.

In a statement, a Paytm spokesperson said, “When it comes to mobile wallets one has to remember the fact that Paytm was the company that set up the infrastructure to do KYC and has been able to complete over 100 million KYCs by physically meeting customers.”

Paytm has long benefited from integration with popular services such as Uber, and food delivery startup Swiggy, but fewer than 10 million of Paytm’s monthly transacting users have relied on this feature in recent months.

Two executives, who like everyone else spoke on the condition of anonymity because of fear of retribution, also said that Paytm resisted the idea of adopting Unified Payments Interface. That’s the nearly two-year-old payments infrastructure built and backed by a collation of banks in India that enables money to be sent directly between accounts at different banks and eliminates the need for a separate mobile wallet.

Paytm’s delays in adopting the standard left room for Google and PhonePe, another early adopter of UPI, to seize the opportunity.

Paytm, which adopted UPI a year after Google and PhonePe, refuted the characterization that it resisted joining UPI ecosystem.

“We are the company that cherishes innovation and technology that can transform the lives of millions. We understand the importance of financial technology and for this very reason, we have always been the champion and supporter of UPI. We, however, launched it on Paytm later than our peers because it took a little longer for us to get the approval to start UPI based services,“ a spokesperson said.

A sign for Paytm online payment method, operated by One97 Communications Ltd., is displayed at a street stall selling accessories in Bengaluru, India, on Saturday, Feb. 4, 2017. Photographer: Dhiraj Singh/Bloomberg via Getty Images

Missing from the fray is Facebook, which counts India as its biggest market by user count. The company began talks with banks to enter India’s mobile payments market, estimated to reach $1 trillion by 2023 (according to Credit Suisse), through WhatsApp as early as 2017. WhatsApp is the most popular smartphone app in India with over 400 million users in the country.

Facebook launched WhatsApp Pay to a million users in the following year, but has been locked in a regulatory battle since to expand the payments service to the rest of its users. Facebook chief executive Mark Zuckerberg said WhatsApp Pay would roll out nationwide by end of last year, but the firm is yet to secure all approvals — and new challenges keep cropping up. The company, which invested $5.7 billion in the nation’s top telecom operator Reliance Jio Platforms in April, declined to comment.

PhonePe, which was conceived only a year before WhatsApp set eyes to India’s mobile payments, has consistently grown as it added several third-party services. These include leading food and grocery delivery services Swiggy and Grofers, ride-hailing giant Ola, ticketing and staying players Ixigo and Oyo Hotels, in a so-called super app strategy. In November, about 63 million users were active on PhonePe, 45 million of whom transacted through the app.

Karthik Raghupathy, the head of business at PhonePe, confirmed the company’s transacting users to TechCrunch.

Three factors contributed to the growth of PhonePe, he said in an interview. “The rise of smartphones and mobile data adoption in recent years; early adoption to UPI at a time when most mobile payments firms in India were betting on virtual mobile-wallet model; and taking an open-ecosystem approach,” he said.

“We opened our consumer base to all our merchant partners very early on. Our philosophy was that we would not enter categories such as online ticketing for movies and travel, and instead work with market leaders on those fronts,” he explained.

“We also went to the market with a completely open, interoperable QR code that enabled merchants and businesses to use just one QR code to accept payments from any app — not just ours. Prior to this, you would see a neighborhood store maintain several QR codes to support a number of payment apps. Over the years, our approach has become the industry norm,” he said, adding that PhonePe has been similarly open to other wallets and payments options as well.

But despite the growth and its open approach, PhonePe has still struggled to win the confidence of investors in recent quarters. Stoking investors’ fears is the lack of a clear business model for mobile payments firms in India.

PhonePe executives held talks to raise capital last year that would have valued it at $8 billion, but the negotiations fell apart. Similar talks early this year, which would have valued PhonePe at $3 billion, which hasn’t been previously reported, also fell apart, three people familiar with the matter said. Raghupathy and a PhonePe spokesperson declined to comment on the company’s fundraising plans.

For now, Walmart has agreed to continue to bankroll the payments app, which became part of the retail group with Flipkart acquisition in 2018.

As UPI gained inroads in the market, banks have done away with any promotional incentives to mobile payments players, one of their only revenue sources.

At an event in Bangalore late last year, Sajith Sivanandan, managing director and business head of Google Pay and Next Billion User Initiatives, said current local rules have forced Google Pay to operate without a clear business model in India.

Coronavirus takes its toll on payments companies

The coronavirus pandemic that prompted New Delhi to order a nationwide lockdown in late March preceded a significant, but predictable, drop in mobile payments usage in the following weeks. But while Paytm continues to struggle in bouncing back, PhonePe and Google Pay have fully recovered as India eased some restrictions.

About 120 million UPI transactions occurred on Paytm in the month of May, down from 127 million in April and 186 million in March, according to data compiled by NPCI, the body that oversees UPI, and obtained by TechCrunch. (Paytm maintains a mobile wallet business, which contributes to its overall transacting users.)

Google Pay, which only supports UPI payments, facilitated 540 million transactions in May, up from 434 million in April and 515 million in March. PhonePe’s 454 million March figure slid to 368 million in April, but it turned the corner, with 460 million transactions last month. An NPCI spokesperson did not respond to a request for comment.

PhonePe and Google Pay together accounted for about 83% of all UPI transactions in India last month. UPI itself has over 117 million users.

Industry executives working at rival firms said it would be a mistake to dismiss Paytm, the one-time leader of the mobile payments market in India.

Paytm has cut its marketing expenses and aggressively chased merchants in recent quarters. Earlier this year, it unveiled a range of gadgets, including a device that displays QR check-out codes that comes with a calculator and USB charger, a jukebox that provides voice confirmations of transactions and services to streamline inventory management for merchants.

Merchants who use these devices pay a recurring fee to Paytm, Vijay Shekhar Sharma, co-founder and chief executive of the firm told TechCrunch in an interview earlier this year. Paytm has also entered several businesses, such as movie and travel ticketing, lending, games and e-commerce, and set up a digital payments bank over the years.

“Everyone knows Paytm. Paytm is synonymous with digital payments in India. And outside, there’s a perceived notion that it’s truly the Alipay of India,” an executive at a rival firm said.

Is Zoom the next Android or the next BlackBerry?

By Walter Thompson
Gaurav Jain Contributor
Gaurav Jain is one of the founders of Afore Capital, a $47 million fund focused on pre-seed. He was also an early product manager for Android.

In business, there’s nothing so valuable as having the right product at the right time. Just ask Zoom, the hot cloud-based video conferencing platform experiencing explosive growth thanks to its sudden relevance in the age of sheltering in place.

Having worked at BlackBerry in its heyday in the early 2000s, I see a lot of parallels to what Zoom is going through right now. As Zooming into a video meeting or a classroom is today, so too was pulling out your BlackBerry to fire off an email or check your stocks circa 2002. Like Zoom, the company then known as Research in Motion had the right product for enterprise users that increasingly wanted to do business on the go.

Of course, BlackBerry’s story didn’t have a happy ending.

From 1999 to 2007, BlackBerry seemed totally unstoppable. But then Steve Jobs announced the iPhone, Google launched Android and all of the chinks in the BlackBerry armor started coming undone, one by one. How can Zoom avoid the same fate?

As someone who was at both BlackBerry and Android during their heydays, my biggest takeaway is that product experience trumps everything else. It’s more important than security (an issue Zoom is getting blasted about right now), what CIOs want, your user install base and the larger brand identity.

When the iPhone was released, many people within BlackBerry rightly pointed out that we had a technical leg up on Apple in many areas important to business and enterprise users (not to mention the physical keyboard for quickly cranking out emails)… but how much did that advantage matter in the end? If there is serious market pull, the rest eventually gets figured out… a lesson I learned from my time at BlackBerry that I was lucky enough to be able to immediately apply when I joined Google to work on Android.

Apple has just patched the recent iOS 13.5 jailbreak

By Zack Whittaker

Well that didn’t last long.

Apple has patched a security vulnerability that allowed hackers to build a jailbreak tool allowing deep access to the iPhone software.

In a security advisory, Apple acknowledged that it had fixed the vulnerability in iOS 13.5.1, posted Monday. The technology giant credited the unc0ver team, which released the jailbreak just last week, for finding the vulnerability.

Although details of the vulnerability are not yet public, Apple typically works quickly to patch vulnerabilities that allow jailbreaks, fearing that the same vulnerability could also be abused by malicious hackers.

In a tweet, one of the lead jailbreakers confirmed that updating to iOS 13.5.1 will close the vulnerability and render the jailbreak useless.

I can confirm the new *OS updates have patched the kernel vulnerability used by the #unc0ver jailbreak.

If you are on iOS 13.5, stay and save blobs.

If you are not on iOS 13.5, update to it with the IPSW using a computer while it is still being signed and save blobs.

— @Pwn20wnd (@Pwn20wnd) June 1, 2020

Jailbreaking is a popular way to allow users to break free from Apple’s “jail” — hence the term — that prevents deep access to an iPhone’s operating system. Apple has does this to improve device security and to reduce the surface area in which hackers can attack the software. But jailbreakers say breaking through those restrictions allows them greater customization over their iPhones in a way that most Android users are already used to.

Security experts typically advise against jailbreaking as it can expose a device owner to a greater range of attacks, while advising users to install their devices and software as soon as update become available.

Apple said iOS 13.5.1 also comes with new Memoji stickers and other bug fixes and improvements.

Update today. If security isn’t your thing, at least do it for the Memoji stickers.

Android update delivers new ‘Bedtime’ features focused on improving sleep

By Sarah Perez

At Google’s 2018 I/O developer conference, the company debuted a new suite of “digital well-being” aimed at helping Android users better manage their screen time. At its 2019 event, it expanded its tools’ capabilities and improved the related parental controls. Although Google I/O isn’t taking place this year due to the COVID-19 pandemic, the company is once again refreshing its well-being toolset. This year, the focus is a timely one as Google will roll out new bedtime tools to help people get better sleep.

Google reports seeing a rise in sleep-related search queries like “insomnia” and “can’t sleep” in April and May, as the coronavirus crisis led to increased stress and anxiety, which can disrupt sleep.

Android’s “Bedtime” mode, previously known as “Wind Down,” uses Do Not Disturb to silence calls, texts, and notifications, while grayscale fades the colors on your phone to black and white, to reduce the draw to your screen. With the updates to this feature, Google is making it easier to customize when and how Bedtime mode is enabled.

Based on your bedtime schedule, you can now opt to have it automatically turn on after your phone is plugged into its charger. You can also add Bedtime mode to your Android phone’s Quick Settings, to instantly turn it on or off with a single tap. And if you need a few more minutes, you can choose to pause Bedtime mode without needing to adjust your schedule.

The update to Digital Wellbeing, which included the ability to automatically enable Bedtime mode when the phone is charging and add it to Quick Settings, actually rolled out earlier in May. But Google is announcing the features today as part of its other Bedtime mode changes.

The Clock app on Android is also being updated with a new Bedtime tab.

Here, you can set daily sleep and wake times. In the app, you’ll be able to see a preview of your calendar for the next day, and then tally the total number of hours of sleep you’d get. This way, you can adjust your bedtime if needed to sync up with tomorrow’s schedule — even if that means diverting from your typical bedtime schedule.

 

In addition, users will receive a reminder before bedtime and have the option to play calming sounds from Calm, Spotify, YouTube Music, and other sources. If they have Digital Wellbeing installed, they can pair with Bedtime mode to limit the interruptions during sleep.

The app will also display how much time you’re spending and which apps you’ve used after your set bedtime.

Google additionally suggested users looking for better sleep can try the “Sunrise Alarm” option that gradually brightens your screen to help you wake up more gently. This visual alarm system will begin 15 minutes prior to your audio alarm. Users can also set their favorite songs as an alarm to make the alarm less jarring, Google recommends.

The sunrise alarm was first introduced with the Pixel 3 and Pixel Stand in 2018. But with the update, you will no longer need the stand to use the feature — it’s a part of the new Bedtime tab in the Clock app.

Related to today’s launch of new bedtime features, Google noted it recently added new YouTube bedtime reminders. It also supports a daily bedtime schedule in Andoird’s parental controls feature, Family Link.

The updated Bedtime experience is launching first on Pixel devices starting today, and will roll out to the Clock app and on other Android devices later this summer.

This Week in Apps: Facebook launches trio of app experiments, TikTok gets spammed, plus coronavirus impacts on app economy

By Sarah Perez

Welcome back to This Week in Apps, the Extra Crunch series that recaps the latest OS news, the applications they support and the money that flows through it all.

The app industry is as hot as ever, with a record 204 billion downloads and $120 billion in consumer spending in 2019. People are now spending three hours and 40 minutes per day using apps, rivaling TV. Apps aren’t just a way to pass idle hours — they’re a big business. In 2019, mobile-first companies had a combined $544 billion valuation, 6.5x higher than those without a mobile focus.

In this Extra Crunch series, we help you keep up with the latest news from the world of apps, delivered on a weekly basis.

This week we’re continuing to look at how the coronavirus outbreak is impacting the world of mobile applications, with fresh data from App Annie about trends playing out across app categories benefiting from the pandemic, lockdowns and societal changes. We’re also keeping up with the COVID-19 contact-tracing apps making headlines, and delving into the week’s other news.

We saw a few notable new apps launch this week, including HBO’s new streaming service HBO Max, plus three new app experiments from Facebook’s R&D group. Android Studio 4.0 also launched this week. Instagram is getting better AR tools and IGTV is getting ads. TikTok got spammed in India.

Meanwhile, what is going on with app review? A shady app rises to the top of the iPhone App Store. Google cracks down on conspiracy theory-spreading apps. And a TikTok clone uses a pyramid scheme-powered invite system to rise up the charts.

COVID-19 contact-tracing apps in the news 

  • Latvia: Reuters this week reported that Latvia aims to become one of the first countries to launch a smartphone app, Stop Covid, using the new toolkit created by Apple and Alphabet’s Google to help trace coronavirus infections.
  • Australia: The role of the country’s Covidsafe app in the recovery appears to be marginal, The Guardian reports. In the month since its launch, only one person has been reported to have been identified using data from it. A survey even found that Australians were more supportive of using telecommunications metadata to track close contacts (79%) than they were of downloading an app (69.8%). In a second survey, their support for the app dropped to 64%. The app has been maligned by the public debate over it and technical issues.
  • France: The country’s data protection watchdog, CNIL, reviewed its contact-tracing app StopCovid, finding there were no major issues with the technical implementation and legal framework around StopCovid, with some caveats. France isn’t using Google and Apple’s contact-tracing API, but instead uses a controversial centralized contact-tracing protocol called ROBERT. This relies on a central server to assign a permanent ID and generate ephemeral IDs attached to this permanent ID. CNIL says the app will eventually be open-sourced and it will create a bug bounty. On Wednesday, the app passed its first vote in favor of its release.
  • Qatar: Serious security vulnerabilities in Qatar’s mandatory contact-tracing app were uncovered by Amnesty International. An investigation by Amnesty’s Security Lab discovered a critical weakness in the configuration of Qatar’s EHTERAZ contact-tracing app. Now fixed, the vulnerability would have allowed cyberattackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users.
  • India: India’s contact-tracing app, Aarogya Setu, is going open-source, according to Ministry of Electronics and Information Technology Secretary Ajay Prakash Sawhney on Tuesday. The code is being published on GitHub. Nearly 98% of the app’s more than 114 million users are on Android. The government will also offer a cash bounty of $1,325 to security experts who find bugs or vulnerabilities.
  • Switzerland: Several thousand people are now testing a pilot version of Switzerland’s contact-tracing app, SwissCovid. Like Lativia, the app is one of the first to use Apple and Google’s contact-tracing API. Employees at EPFL, ETH Zurich, the Army and select hospitals and government agencies will be the first to test the Swiss app before its public launch planned for mid-June.
  • China: China’s health-tracking QR codes, embedded in popular WeChat and Alipay smartphone apps, are raising privacy concerns, Reuters reports. To walk around freely, people must have a green rating. They also now have to present their health QR codes to gain entry into restaurants, parks and other venues. These efforts have been met with little resistance. But the eastern city of Hangzhou has since proposed that users are given a color-coded health badge based on their medical records and lifestyle habits, including how much they exercised, their eating and drinking habits, whether they smoked and how much they slept the night before. This suggestion set off a storm of criticism on China’s Weibo, a Twitter-like platform.

Google makes sharing Plus Codes easier in a push to simplify addressing system globally

By Manish Singh

Two years ago, Google open-sourced Plus Codes, a digital addressing system to help billions of people navigate to places that don’t have clear addresses. The company said today it is making it easier for anyone with an Android device to share its rendition of an address — a six-digit alphanumeric code.

Google Maps users on Android can now tap the blue dot that represents their current location to view and share their unique six-digit coordinate with friends. Anyone with the code can look it up on Google Maps or Google Search to get the precise location of the destination.

The codes look like this: G6G4+CJ Delhi, India. Google says it divides the geographical surface of the world into tiled areas and attributes a unique six-letter code and the name of the city and country to each of them.

More than 2 billion people on the planet either don’t have an address or have an address that isn’t easy to locate. This challenge is more prevalent in developed markets such as India where a street address could often be as long as a paragraph, and where people often rely on nearby landmarks to navigate their way.

Google is not the only firm that is attempting to simplify the addressing system. London-based what3words has broken the world in 57 trillion squares and assigned each of those blocks with three randomly combined words such as toddler.geologist.animated that are easier to decipher and share. The company told TechCrunch earlier that it had partnered with a number of firms including several carmakers to expand its reach.

But what3words and five-year-old project Plus Codes have both struggled to gain wider traction. When Google announced this project in India, its executives told this correspondent that they were exploring ways to work with logistics firms and government agencies such as the postal department to get wider adoption — though none of it has materialized yet. At the time, the company had also tested Plus Codes at some concerts in India, the executives said.

To get wider adoption, Google open sourced Plus Codes in 2018 so that developers and businesses could find their own use cases. “If you’ve ever been in an emergency, you know that being able to share your location for help to easily find you is critical. Yet in many places in the world, organizations struggle with this challenge on a daily basis,” the company said today.

India’s contact-tracing app is going open-source

By Manish Singh

India said it will publicly release the source code of its contact-tracing app, Aarogya Setu, to the relief of privacy and security experts who have been advocating for this ever since the app launched in early April.

Ministry of Electronics and Information Technology Secretary Ajay Prakash Sawhney made the announcement on Tuesday, dubbing the move “opening the heart” of the Aarogya Setu app to allow engineers to inspect and tinker with the code. The app has amassed over 114 million users in less than two months  — an unprecedented scale globally.

The source code of Aarogya Setu’s Android app will be published on GitHub at midnight Tuesday (local time). Nearly 98% of the app’s users are on the Android platform. Sawhney said the government will also offer cash prizes of up to $1,325 to security experts for identifying and reporting bugs and vulnerabilities

Several privacy and security advocates, as well as India’s opposition party, had urged the government to release the code of the app for public auditing after some alleged lapses in the app were found — which New Delhi dismissed as app features at the time.

Sawhney said today’s move should allay people’s concerns with the app. Earlier this month, Sawhney said the government was not open-sourcing Aarogya Setu, as it worried that it would overburden the team, mostly comprising volunteers, that is tasked to develop and maintain it.

The ministry said today that two-thirds of Aarogya Setu users had taken the self-assessment test to evaluate their risk of exposure. More than half a million Indians have been alerted to have made contact with someone who is likely ill with the disease, it said.

The app, which uses both Bluetooth and location data to function, has advised more than 900,000 users to quarantine themselves or get tested for the disease. Almost 24% of them have confirmed to be positive with COVID-19, the ministry said.

“Opening the source code to the developer community signifies our continuing commitment to the principles of transparency and collaboration,” the Ministry of Electronics and Information Technology said in a statement. “Aarogya Setu’s development has been a remarkable example of collaboration between government, industry, academia and citizens.”

Aarogya Setu, unlike the contact-tracing technology developed by smartphone vendors Apple and Google, stores certain data in a centralized server. Privacy experts, including researcher Baptiste Robert, had argued that this approach would result in leakage of sensitive details of several Indians if that server was ever compromised.

“Open-sourcing Aarogya Setu is a unique feat for India. No other government product anywhere in the world has been open-sourced at this scale,” said Amitabh Kant, chief executive of government-run think-tank NITI Aayog, in a press conference today.

New Delhi-based digital advocacy group Software Law and Freedom Centre (SFLC) said it welcomes India’s move to open- source the app. “We are happy that the government has at last agreed to do what we have been asking all long,” it said.

More than 145,300 coronavirus infections (with about 4,100 resultant deaths) have been reported in India to date.

A new Android bug, Strandhogg 2.0, lets malware pose as real apps and steal user data

By Zack Whittaker

Security researchers have found a major vulnerability in almost every version of Android, which lets malware imitate legitimate apps to steal app passwords and other sensitive data.

The vulnerability, dubbed Strandhogg 2.0 (named after the Norse term for a hostile takeover) affects all devices running Android 9.0 and earlier. It’s the “evil twin” to an earlier bug of the same name, according to Norwegian security firm Promon, which discovered both vulnerabilities six months apart. Strandhogg 2.0 works by tricking a victim into thinking they’re entering their passwords on a legitimate app while instead interacting with a malicious overlay. Strandhogg 2.0 can also hijack other app permissions to siphon off sensitive user data, like contacts, photos, and track a victim’s real-time location.

The bug is said to be more dangerous than its predecessor because it’s “nearly undetectable,” Tom Lysemose Hansen, founder and chief technology officer at Promon, told TechCrunch.

The good news is that Promon said it has no evidence that hackers have used the bug in active hacking campaigns. The caveat is that there are “no good ways” to detect an attack. Fearing the bug could still be abused by hackers, Promon delayed releasing details of the bug until Google could fix the “critical”-rated vulnerability.

A spokesperson for Google told TechCrunch that the company also saw no evidence of active exploitation. “We appreciate the work of the researchers, and have released a fix for the issue they identified.” The spokesperson said Google Play Protect, an app screening service built-in to Android devices, blocks apps that exploit the Strandhogg 2.0 vulnerability.

Standhogg 2.0 works by abusing Android’s multitasking system, which keeps tabs on every recently opened app so that the user can quickly switch back and forth. A victim would have to download a malicious app — disguised as a normal app — that can exploit the Strandhogg 2.0 vulnerability. Once installed and when a victim opens a legitimate app, the malicious app quickly hijacks the app and injects malicious content in its place, such as a fake login window.

When a victim enters their password on the fake overlay, their passwords are siphoned off to the hacker’s servers. The real app then appears as though the login was real.

Strandhogg 2.0 doesn’t need any Android permissions to run, but it can also hijack the permissions of other apps that have access to a victim’s contacts, photos, and messages by triggering a permissions request.

“If the permission is granted, then the malware now has this dangerous permission,” said Hansen.

Once that permission is granted, the malicious app can upload data from a user’s phone. The malware can upload entire text message conversations, said Hansen, allowing the hackers to defeat two-factor authentication protections.

The risk to users is likely low, but not zero. Promon said updating Android devices with the latest security updates — out now — will fix the vulnerability. Users are advised to update their Android devices as soon as possible.

This Week in Apps: Facebook takes on Shopify, Tinder considers its future, contact-tracing tech goes live

By Sarah Perez

Welcome back to This Week in Apps, the Extra Crunch series that recaps the latest OS news, the applications they support and the money that flows through it all.

The app industry is as hot as ever, with a record 204 billion downloads and $120 billion in consumer spending in 2019. People are now spending three hours and 40 minutes per day using apps, rivaling TV. Apps aren’t just a way to pass idle hours — they’re a big business. In 2019, mobile-first companies had a combined $544 billion valuation, 6.5x higher than those without a mobile focus.

In this Extra Crunch series, we help you keep up with the latest news from the world of apps, delivered on a weekly basis.

This week we’re continuing to look at how the coronavirus outbreak is impacting the world of mobile applications. Notably, we saw the launch of the Apple/Google exposure-notification API with the latest version of iOS out this week. The pandemic is also inspiring other new apps and features, including upcoming additions to Apple’s Schoolwork, which focus on distance learning, as well as Facebook’s new Shops feature designed to help small business shift their operations online in the wake of physical retail closures.

Tinder, meanwhile, seems to be toying with the idea of pivoting to a global friend finder and online hangout in the wake of social distancing, with its test of a feature that allows users to match with others worldwide — meaning, with no intention of in-person dating.

Headlines

COVID-19 apps in the news

  • Fitbit app: The fitness tracker app launched a COVID-19 early detection study aimed at determining whether wearables can help detect COVID-19 or the flu. The study will ask volunteers questions about their health, including whether they had COVID-19, then pair that with activity data to see if there are any clues that could be used to build an early warning algorithm of sorts.
  • U.K. contact-tracing app: The app won’t be ready in mid-May as promised, as the government mulls the use of the Apple/Google API. In testing, the existing app drains the phone battery too quickly. In addition, researchers have recently identified seven security flaws in the app, which is currently being trialed on the Isle of Wight.

Apple launches iOS/iPadOS 13.5 with Face ID tweak and contact-tracing API

Apple this week released the latest version of iOS/iPadOS with two new features related to the pandemic. The first is an update to Face ID which will now be able to tell when the user is wearing a mask. In those cases, Face ID will instead switch to the Passcode field so you can type in your code to unlock your phone, or authenticate with apps like the App Store, Apple Books, Apple Pay, iTunes and others.

Technology can help health officials rapidly tell someone they may have been exposed to COVID-19. Today the Exposure Notification API we created with @Google is available to help public health agencies make their COVID-19 apps effective while protecting user privacy.

— Tim Cook (@tim_cook) May 20, 2020

The other new feature is the launch of the exposure-notification API jointly developed by Apple and Google. The API allows for the development of apps from public health organizations and governments that can help determine if someone has been exposed by COVID-19. The apps that support the API have yet to launch, but some 22 countries have requested API access.

COVID-19 exposure notification settings begin to go live for iOS users with new update

By Darrell Etherington

Apple has released iOS 13.5, which includes support for the Exposure Notification API that it co-created with Google to support public health authorities in their contact-tracing efforts to combat COVID-19. The API requires third-party apps developed by public health authorities for use, and none have yet been released, but iOS device users already have access to COVID-19 Exposure Logging global settings.

As previewed in the beta release, you can access the Exposure Logging settings under the Settings app, then navigate to the Privacy subsection. From there, you can select the Health submenu and find the COVID-19 Exposure Logging setting, which will be off be default. It can’t be turned on at all until you actually get an authorized app to enable them, at which point you’ll receive a pop-up asking you to authorize Exposure Notifications access. Once you do, you can return here to toggle notifications off, and also manually delete your device’s exposure log should you choose to opt out.

Apple and Google both have emphasized that they want as much user control and visibility into the Exposure Notification API as possible. They’re using randomized, temporary identifiers that are not centrally stored to do the exposure notification, and are also forbidding the simultaneous use of geolocation services and the Exposure Notification API within the same app. This manual control is another step to ensure that users have full control over what info they share to participate in the system, and when.

Contact tracing is a time-tested strategy for combating the spread of infectious disease, and has traditionally worked by attempting to trace potential exposure by interviewing infected individuals and learning as much as possible about their movements during their infectious period. Modern connected devices mean that we can potentially make this far more efficient and accurate, but Google and Apple have worked with privacy experts to try to determine a way to make this happen without exposing users to privacy risks. Matching also happens locally on a user’s device, not in any centralized database.

Apple and Google are currently working with public health authorities who are building apps based on this API, and the companies also have noted that this is a temporary measure that has been designed from the beginning to be disabled once the threat of COVID-19 has passed.

Apple and Google launch exposure notification API, enabling public health authorities to release apps

By Darrell Etherington

Apple and Google today made available the first public version of their exposure notification API, which was originally debuted as a joint-contact tracing software tool. The partners later renamed it the Exposure Notification system to more accurately reflect its functionality, which is designed to notify individuals of potential exposure to others who have confirmed cases of COVID-19, while preserving privacy around identifying info and location data.

The launch today means that public health agencies can now use the API in apps released to the general public. To date, Apple and Google have only released beta versions of the API to help developed with the development process.

To be clear, this launch means that developers working on behalf of public health agencies can now issue apps that make use of it – Apple and Google themselves are not creating an exposure notification or contact tracing app. The companies say that many U.S. states and 22 countries across five continents have already asked for, and been provided access to the API to support their development efforts, and they anticipate more being added going forward. So far, Apple and Google say they have conducted over 24 briefings and tech talks for public health officials, epidemiologists, and app developers working on their behalf.

The exposure notification API works using a decentralized identifier system that uses randomly generated temporary keys created on a user’s device (but not tied to their specific identify or info). Apple and Google’s API allows public health agencies to define what constitutes potential exposure in terms of exposed time and distance, and they can tweak transmission risk and other factors according to their own standards.

Further, Apple and Google will allow apps to make use of a combination of the API and voluntarily submitted user data that they provide through individual apps to enable public health authorities to contact exposure users directly to make them aware of what steps they should take.

During the course of the API’s development, Apple and Google have made various improvements to ensure that privacy is an utmost consideration, including encrypting all Bluetooth metadata (like signal strength and specific transmitting power) since that could potentially be used to determine what type of device was used, which offers a slim possibility of associating an individual with a specific device and using that as one vector for identification.

The companies have also explicitly barred use of the API in any apps that also seek geolocation information permission from users – which means some apps being developed by public health authorities for contact tracing that use geolocation data won’t be able to access the exposure notification API. That has prompted some to reconsider their existing approach.

Apple and Google provided the following joint statement about the API and how it will support contact tracing efforts undertaken by public health officials and agencies:

One of the most effective techniques that public health officials have used during outbreaks is called contact tracing. Through this approach, public health officials contact, test, treat and advise people who may have been exposed to an affected person. One new element of contact tracing is Exposure Notifications: using privacy-preserving digital technology to tell someone they may have been exposed to the virus. Exposure Notification has the specific goal of rapid notification, which is especially important to slowing the spread of the disease with a virus that can be spread asymptomatically.

To help, Apple and Google cooperated to build Exposure Notifications technology that will enable apps created by public health agencies to work more accurately, reliably and effectively across both Android phones and iPhones. Over the last several weeks, our two companies have worked together, reaching out to public health officials scientists, privacy groups and government leaders all over the world to get their input and guidance.

Starting today, our Exposure Notifications technology is available to public health agencies on both iOS and Android. What we’ve built is not an app — rather public health agencies will incorporate the API into their own apps that people install. Our technology is designed to make these apps work better. Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app. User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps.

Today, this technology is in the hands of public health agencies across the world who will take the lead and we will continue to support their efforts.

The companies previously announced plans to make Exposure Notification a system-level feature in a later update to both their respective mobile operating systems, to be released sometime later this year. That ‘Phase two’ portion of the strategy might be under revision, however, as Google and Apple said they continue to be in conversation with public health authorities about what system-level features will be useful to them in development of their COVID-19 mitigation strategies.

Xiaomi releases MIUI 12 global update with more privacy controls, revamped user interface

By Manish Singh

Xiaomi on Tuesday unveiled the global version of MIUI 12, the latest update to its Android -based operating system, for hundreds of millions of smartphones as the Chinese electronics giant pushes to broaden its services ecosystem.

The world’s fourth largest smartphone firm said it is delivering a range of new features to its overseas users with MIUI 12 including a revamped user interface, the ability to cast the phone screen without the need to connect it to a computer, improvement to multitasking support and battery life, and more privacy controls to users.

Chief among the new changes is how the software looks. A company executive said animation renders slightly differently after installing MIUI 12, stretching more naturally across the screen — especially on smartphones with rounded corners — as a user taps on an app.

Xiaomi has been able to deliver this graphical improvement thanks to what it calls “kernel-level innovation” that includes a new rendering engine, she said.

“With our rendering, we have enabled color blending and Gaussian blur. You can see various degrees of blurring happening in real time as light penetrates different materials,” explained Louisa Jia, head of marketing and operations of Global MIUI, at an event today.

MIUI 12, which is built atop Android 9 and Android 10 (depending on the device it will be rolled out on), also changes how storage, memory, and power consumption usage are displayed on the phone, making it easier for users to quickly understand the state of their device at a glance.

As part of the new coat of paint, Xiaomi is also deploying dark mode across all third-party apps, including those that have not introduced support for this feature yet.

Support for multitasking is also getting an improvement, popping any additional app on a floating screen that users can move around to any part of the screen and engage quickly without having to switch from the game or other app that they were focusing on. The company said it is also introducing “ultra battery saver” feature that kicks in when the level of phone charge hits 5%. The new feature shuts off every non-essential service to deliver an additional five hours of battery life.

Privacy

Another interesting feature the company is introducing grants more privacy control to users. MIUI 12 will allow users to easily monitor and restrict apps from using the camera, microphone, location, contacts, storage, call history, and calendar.

Whenever an app uses any of these, a persistent icon appears in the notification bar, tapping which will allow users to see which app is using this data and easily shut that access. Additionally, like with newer versions of Android and iOS, MIUI 12 gives users the ability to determine how often an app can access sensitive personal information.

Xiaomi said with MIUI 12, it is also providing users with the ability to strip off sensitive information such as location data from a photo before they share it with their friends. By default, the new operating system will strip off such data from photos — a feature that privacy advocates have long desired, and business communication app Slack recently introduced to its service.

MIUI 12 will roll out to select smartphones — Mi 9, Mi 9T, Mi 9T Pro, Redmi K20, and Redmi K20 Pro — at the end of June, and dozens of smartphone models including Poco F1 and Redmi 6 that were launched in 2018, “soon afterward,” said Jia. The company said it will make a beta version of MIUI 12 available to users next week for those who don’t want to wait for too long.

More than 300 million smartphones ran MIUI software at the end of last year, Xiaomi revealed in its most recent earnings call in late March. The company has previously stated that it is banking on MIUI to expand its services ecosystem as it looks to cut its financial reliance on sales of gadgets.

Huawei admits uncertainty following new US chip curbs

By Rita Liao

Following the U.S. government’s announcement that would further thwart Huawei’s chip-making capability, the Chinese telecoms equipment giant condemned the new ruling for being “arbitrary and pernicious.”

“Huawei categorically opposes the amendments made by the U.S. Department of Commerce to its foreign direct product rule that target Huawei specifically,” said Huawei Monday at its annual analyst summit in Shenzhen.

The new curbs, which dropped on Friday, would ban Huawei from using U.S. software and hardware in certain strategic semiconductor processes. This will affect all foundries using U.S. technologies, including those located abroad, some of which are Huawei’s key suppliers.

Earlier on Monday, the Nikkei Asian Review reported citing sources that Taiwanese Semiconductor Manufacturing Co., the world’s largest contract semiconductor that powers many of Huawei’s high-end phones, has stopped taking new orders from Huawei, one of its largest clients. Huawei declined to comment while TSMC said the report was “purely market rumor”.

Decisions from TSMC point to its attempt to strengthen bonds with the U.S. though, as it’s planning a new $12 billion advanced chip factory in Arizona with support from the state and the U.S. federal government.

At the Monday conference, Huawei’s rotating chairman Guo Ping admitted that while the firm is able to design some semiconductor parts such as integrated circuits (IC), it remains “incapable of doing a lot of other things.”

“Survival is the keyword for us at present,” he said.

Huawei stated the latest U.S. ban would not only affect its own business in over 170 countries, where it has spent “hundreds of billions of dollars,” but also the wider ecosystem around the world.

“In the long run, [the U.S. ban] will damage the trust and collaboration within the global semiconductor industry which many industries depend on, increasing conflict and loss within these industries.”

Huawei has announced a raft of contingency measures ever since the Trump administration began slapping technology sanctions on it, including one that had cut it off certain Android services from Google.

Huawei said at the summit that it had doubled down on investment in overseas developers in an effort to lure them to its operating system. Some 1.4 million developers have signed up for Huawei Mobile Services or HMS, a 150% jump from 2019. In its search to identify alternatives to Google’s app suite in Europe, it has partnered up with navigation services TomTom and Here, search engine Qwant and news app News UK. 

Google delays Android 11 by a month

By Frederic Lardinois

Google today announced that it is extending the preview period of Android 11 by about a month. So instead of launching a beta this month, as it had previously planned, it’ll release a fourth developer preview today instead. The first beta will officially launch on June 3, during an Android-centric online event it’ll hold in lieu of its I/O developer conference.

“When we started planning Android 11, we didn’t expect the kinds of changes that would find their way to all of us, across nearly every region in the world,” Google’s Android team writes today. “These have challenged us to stay flexible and find new ways to work together, especially with our developer community. To help us meet those challenges we’re announcing an update to our release timeline.”

Google notes that it wants to meet the needs of the Android ecosystem, which has obviously started work on early app testing for Android 11 based on the company’s guidance, with the current environment during the Coronavirus pandemic and the other priorities that come with that. Delaying the release by a month seems like a reasonable approach in this context.

Google says developers should target the Beta 1 release date of June 3 for releasing a compatible app to gather feedback from the larger group of Android Beta users. And that group will be larger because like with previous releases, Google will make over-the-air updates available to users who opt in to the beta and have a compatible device. The list of compatible devices for the beta remains to be seen, but it’ll likely include all recent Pixel phones, starting with the Pixel 2.

Discover is Facebook’s new effort to help people access websites for free — but with limits

By Manish Singh

Facebook has a new connectivity app called Discover to help those who can’t afford to get online access information on the web.

The service, available through mobile web and Android app, allows users to visit any website in text format (no video, images, audio and other elements that eat up large amounts of data) and consume a few megabytes of internet data.

For Discover, which is part of the company’s Free Basics initiative, Facebook is working with mobile operators in Bitel, Claro, Entel, and Movistar. Discover is currently available in Peru, where it is in the initial testing phase.

In Peru, Discover is offering 10MB of free data to users each day. A Facebook spokesperson told TechCrunch that the partner mobile operator determines the daily data allowance, and it anticipates operators in other countries where Discover would be tested to offer up to 20MB each day.

But nothing is set in stone. “We’ll be assessing how people are using Discover and the amount of daily data more during the trials and may work with our operator partners on adjustments going forward,” the spokesperson said, adding that mobile operators will also determine whether support for photos could be added to Discover.

Eliminating support for videos and images means that Discover users would be able to load dozens of websites in a day without running out of their data allowance.

Discover is the latest of a handful of internet connectivity efforts that Facebook has rolled out in recent years. The company maintains Internet.org, which offers unfettered access to dozens of websites in dozens of markets; and Express WiFi, which allows neighbourhood stores to sell small sachet of internet plans to users, in India. Facebook has partnered with more than 10,000 merchants and stores in the country to sell these data plans.

On the Internet .org website, the company also lists Connectivity Lab, another effort that is part of Free Basics initiative through which it is “exploring a variety of technologies, including high-altitude long-endurance planes, satellites and lasers” to bring more people online. At least one of those tests has been discontinued.

“During the coronavirus public health crisis, we believe it is particularly important to explore ways to help people stay connected and to increase access to health information and other resources on the internet. As part of our ongoing work to connect people to accurate health information, coronavirus health resources will be highlighted on the Discover homepage,” said Yoav Zeevi, a product manager at Facebook.

Facebook’s Free Basics initiative, which has helped tens of millions of people access internet, has also received scrutiny for its approach and some unintended consequences. Internet.org was banned in India after the local authority in the world’s second largest internet market found that the program violated net neutrality principles.

Zeevi said the company has heard the feedback and responded by allowing people to browse all websites. “Our work on Discover has been informed by our broader efforts — including our participation in the Contract for the Web — to expand connectivity and access to the open web while continuing to protect privacy,” he said. Tim Berners-Lee’s Contract for the Web has welcomed the launch of Discover.

Critics have argued that programs such as Internet.org, which has been discontinued in some additional markets, have also fuelled violence in real life.

As Facebook expands its connectivity efforts, some other companies have scaled down their initiatives. Earlier this year, Google discontinued its free Wi-Fi program called Station that offered internet access in more than 400 railway stations in India, and was available at public places in handful of other markets.

In 2018, Wikimedia shut down Wikipedia Zero, a program that allowed more than 800 million people to access the online encyclopaedia in 72 countries for free.

NHS COVID-19: The UK’s coronavirus contacts-tracing app explained

By Natasha Lomas

The UK has this week started testing a coronavirus contacts-tracing app which NHSX, a digital arm of the country’s National Health Service, has been planning and developing since early March. The test is taking place in the Isle of Wight, a 380km2 island off the south coast of England, with a population of around 140,000.

The NHS COVID-19 app uses Bluetooth Low Energy handshakes to register proximity events (aka ‘contacts’) between smartphone users, with factors such as the duration of the ‘contact event’ and the distance between the devices feeding an NHS clinical algorithm that’s being designed to estimate infection risk and trigger notifications if a user subsequently experiences COVID-19 symptoms.

The government is promoting the app as an essential component of its response to fighting the coronavirus — the health minister’s new mantra being: ‘Protect the NHS, stay home, download the app’ — and the NHSX has said it expects the app to be “technically” ready to deploy two to three weeks after this week’s trial.

However there are major questions over how effective the tool will prove to be, especially given the government’s decision to ‘go it alone’ on the design of its digital contacts-tracing system — which raises some specific technical challenges linked to how modern smartphone platforms operate, as well as around international interoperability with other national apps targeting the same purpose.

In addition, the UK app allows users to self report symptoms of COVID-19 — which could lead to many false alerts being generated. That in turn might trigger notification fatigue and/or encourage users to ignore alerts if the ratio of false alarms exceeds genuine alerts.

Keep calm and download the app?

How users will generally respond to this technology is a major unknown. Yet mainstream adoption will be needed to maximize utility; not just one-time downloads. Dealing with the coronavirus will be a marathon not a sprint — which means sustaining usage will be vital to the app functioning as intended. And that will require users to trust that the app is both useful for the claimed public health purpose, by being effective at shrinking infection risk, and also that using it will not create any kind of disadvantages for them personally or for their friends and family.

The NHSX has said it will publish the code for the app, the DPIA (data protection impact assessment) and the privacy and security models — all of which sounds great, though we’re still waiting to see those key details. Publishing all that before the app launches would clearly be a boon to user trust.

A separate consideration is whether there should be a dedicated legislation wrapper put around the app to ensure clear and firm legal bounds on its use (and to prevent abuse and data misuse).

As it stands the NHS COVID-19 app is being accelerated towards release without this — relying on existing legislative frameworks (with some potential conflicts); and with no specific oversight body to handle any complaints. That too could impact user trust.

The overarching idea behind digital contacts tracing is to leverage uptake of smartphone technology to automate some contacts tracing, with the advantage that such a tool might be able to register fleeting contacts, such as between strangers on the street or public transport, that may more difficult for manual contacts-tracing methods to identify. Though whether these sorts of fleeting contacts create a significant risk of infection with the SARS-CoV-2 virus has not yet been quantified.

All experts are crystal clear on one thing: Digital contacts tracing is only going to be — at very best — a supplement to manual contact tracing. People who do not own or carry smartphones or who do not or cannot use the app obviously won’t register in any captured data. Technical issues may also create barriers and data gaps. It’s certainly not a magic bullet — and may, in the end, turn out to be ill-suited for this use case (we’ve written a general primer on digital contacts tracing here).

One major component of the UK approach is that it’s opted to create a so-called ‘centralized’ system for coronavirus contacts tracing — which leads to a number of specific challenges.

While the NHS COVID-19 app stores contacts events on the user’s device initially, at the point when (or if) a user chooses to report themselves having coronavirus symptoms then all their contacts events data is uploaded to a central server. This means it’s not just a user’s own identifier but a list of any identifiers they have encountered over the past 28 days — so, essentially, a graph of their recent social interactions.

This data cannot be deleted after the fact, according to the NHSX, which has also said it may be used for “research” purposes related to public health — raising further questions around privacy and trust.

Questions around the legal bases for this centralized approach also remain to be answered in detail by the government. UK and EU data protection law emphasize data minimization as a key principle; and while there’s flexibility built into these frameworks for a public health emergency there is still a requirement on the government to detail and justify key data processing decisions.

The UK’s decision to centralize contacts data has another obvious and immediate consequence: It means the NHS COVID-19 app will not be able to plug into an API that’s being jointly developed by Apple and Google to provide technical support for Bluetooth-based national contacts-tracing apps — and due to be release this month.

The tech giants have elected to support decentralized app architectures for these apps — which, conversely, do not centralize social graph data. Instead, infection risk calculations are performed locally on the device.

By design, these approaches avoid providing a central authority with information on who infected whom.

In the decentralized scenario, an infected user consents to their ephemeral identifier being shared with other users so apps can do matching locally, on the end-user device — meaning exposure notifications are generated without a central authority needing to be in the loop. (It’s also worth noting there are ways for decentralized protocols to feed aggregated contact data back to a central authority for epidemiological research, though the design is intended to prevent users’ social graph being exposed. A system of ‘exposure notification’, as Apple and Google are now branding it, has no need for such data, is their key argument. The NHSX counters that by suggesting social graph data could provide useful epidemiological insights — such as around how the virus is being spread.)

At the point a user of the NHS COVID-19 app experiences symptoms or gets a formal coronavirus diagnosis — and chooses to inform the authorities — the app will upload their recent contacts to a central server where infection risk calculations are performed.

The system will then send exposure notifications to other devices — in instances where the software deems there may be at risk of infection. Users might, for example, be asked to self isolate to see if they develop symptoms after coming into contact with an infected person, or told to seek a test to determine if they have COVID-19 or not.

A key detail here is that users of the NHS COVID-19 app are assigned a fixed identifier — basically a large, random number — which the government calls an “installation ID”. It claims this identifier is ‘anonymous’. However this is where political spin in service of encouraging public uptake of the app is being allowed to obscure a very different legal reality: A fixed identifier linked to a device is in fact pseudonymous data, which remains personal data under UK and EU law. Because, while the user’s identity has been ‘obscured’, there’s still a clear risk of re-identification.

Truly ‘anonymous’ data is a very high bar to achieve when you’re dealing with large data-sets. In the NHS COVID-19 app case there’s no reason beyond spin for the government to claim the data is “anonymous”; given the system design involves a device-linked fixed identifier that’s uploaded to a central authority alongside at least some geographical data (a partial postcode: which the app also asks users to input — so “the NHS can plan your local NHS response”, per the official explainer).

The NHSX has also said future versions of the app may ask users to share even more personal data, including their location. (And location data-sets are notoriously difficult to defend against re-identification.)

Nonetheless the government has maintained that individual users of the app will not be identified. But under such a system architecture this assertion sums to ‘trust us with your data’; the technology itself has not been designed to remove the need for individual users to trust a central authority, as is the case with bona fide decentralized protocols.

This is why Apple and Google are opting to support the latter approach — it cuts the internationally thorny issue of ‘government trust’ out of their equation.

However it also means governments that do want to centralize data face a technical headache to get their apps to function smoothly on the only two smartphone platforms that matter.

Technical and geopolitical headaches

The specific technical issue here relates to how these mainstream platforms manage background access to Bluetooth.

Using Bluetooth as a proxy for measuring coronavirus infection risk is of course a very new and novel technology. Singapore was reported to be the first country to attempt this. Its TraceTogether app, which launched in March, reportedly gained only limited (<20%) uptake — with technical issues on iOS being at least partly blamed for the low uptake.

The problem that the TraceTogether app faced initially is the software needed to be actively running and the iPhone open (not locked) for the tracing function to work. That obviously interferes with the normal multitasking of the average iPhone user — discouraging usage of the app.

It’s worth emphasizing that the UK is doing things a bit differently vs Singapore, though, in that it’s using Bluetooth handshakes rather than a Bluetooth advertising channel to power the contacts logging.

The NHS COVID-19 app has been designed to listen passively for other Bluetooth devices and then wake up in order to perform the handshake. This is intended as a workaround for these platform limits on background Bluetooth access. However it is still a workaround — and there are ongoing questions over how robustly it will perform in practice. 

An analysis by The Register suggests the app will face a fresh set of issues in that iPhones specifically will fail to wake each other up to perform the handshakes — unless there’s also an Android device in the vicinity. If correct, it could result in big gaps in the tracing data (around 40% of UK smartphones run iOS vs 60% running Android).

Battery drain may also resurface as an issue with the UK system, though the NHSX has claimed its workaround solves this. (Though it’s not clear if they’ve tested what happens if an iPhone user switches on a battery saving mode which limits background app activity, for example.)

Other Bluetooth-based contract-tracing apps that have tried to workaround platforms limits have also faced issues with interference related to other Bluetooth devices — such as Australia’s recently launched app. So there are a number of potential issues that could trouble performance.

Being outside the Apple-Google API also certainly means the UK app is at the mercy of future platform updates which could derail the specific workaround. Best laid plans that don’t involve using an official interface as your plug are inevitably operating on shaky ground.

Finally, there’s a huge and complex issue that’s essentially being glossed over by government right now: Interoperability with other national apps.

How will the UK app work across borders? What happens when Brits start travelling again? With no obvious route for centralized vs decentralized systems to interface and play nice with each other there’s a major question mark over what happens when UK citizens want to travel to countries with decentralized systems (or indeed vice versa). Mandatory quarantines because the government picked a less interoperable app architecture? Let’s hope not.

Notably, the Republic of Ireland has opted for a decentralized approach for its national app, whereas Northern Ireland, which is part of the UK but shares a land border with the Republic, will — baring any NHSX flip — be saddled with a centralized and thus opposing choice. It’s the Brexit schism all over again in app form.

Earlier this week the NHSX was asked about this cross-border issue by a UK parliamentary committee — and admitted it creates a challenge “we’ll have to work through”, though it did not suggest how it proposes to do that.

And while that’s a very pressing backyard challenge, the same interoperability gremlins arise across the English Channel — where a number of European countries are opting for decentralized apps, including Estonia, Germany and Switzerland. While Apple and Google’s choice at the platform level means future US apps may also be encouraged down a decentralized route. (The two US tech giants are demonstrably flexing their market power to press on and influence governments’ app design choices internationally.)

So countries that fix on a ‘DIY’ approach for the digital component of their domestic pandemic response may find it leads to some unwelcome isolation for their citizens at the international level.

India’s Glance tops 100M daily active users in 21 months

By Manish Singh

Glance, which serves media content, news, and casual games on the lock screen of Android -powered smartphones, has amassed 100 million daily active users, it said today.

The subsidiary of ad-firm InMobi Group reached the milestone in 21 months in what appears to be the shortest duration for any popular internet service to gain their first 100 million daily active users, said Naveen Tewari, founder and chief executive of InMobi Group, in an interview with TechCrunch.

Glance uses AI to offer personalized experience to its users. The service replaces the otherwise empty lock screen with locally relevant news, stories, and casual games. Late last year, InMobi acquired Roposo, a Gurgaon-headquartered startup, that has enabled it to introduce short-form videos on the platform.

“Introducing short-form videos and games on Glance has helped us increase the engagement level. About 25% of our users actively play games on Glance,” said Tewari. The firm is now working to make these short-form videos available in many local languages. (You can also try the service on your mobile web browser or through its preview app on Google Play Store.)

Glance ships pre-installed on several smartphone models. The subsidiary maintains tie-ups with nearly every top Android smartphone vendor including Xiaomi, the top player in India, and Samsung.

But users can easily disable the service, said Tewari, adding that the 100 million users the firm is reporting today are those who consciously engage with content on Glance. Users spend about 25 minutes consuming content on Glance each day, he said.

Sitting on the lock screen, perhaps the most coveted real estate on a smartphone to reach a user, has allowed Glance to deliver any information to a very large number of users in a short time. Tewari said more than 50 million users reacted to Glance informing them about India’s Prime Minister Narendra Modi’s speech last month surrounding the lockdown in the country, for instance.

“We are not just a short-form video platform. We are not just a gaming platform nor one that serves just news. Given where we sit, we cater to nearly everything that is out there across the world. So everyone has something to consume,” he said.

The service is currently available in India, its biggest market with more than 80 million users, Indonesia, Malaysia, Thailand, and the Philippines. Tewari said the firm plans to roll out Glance across the globe in the next two years.

Glance, which raised $45 million last year, is currently not monetizing its users. Tewari said he has experimented with a few ideas, but won’t make any push on this front for another one to two quarters.

Apple and Google release sample code, UI and detailed policies for COVID-19 exposure-notification apps

By Darrell Etherington

Apple and Google are providing additional resources for developers working with the first version of their Exposure Notification API, the development tools the companies have created and are working on in order to provide a cross-platform way for public health agencies to notify individuals of a potential exposure to a person with a confirmed case of COVID-19.

The first version of the Exposure Notification API, which Apple and Google renamed from the “Contact Tracing API” to more accurately reflect its actual use and purpose, was released to developers last week along with beta updates of iOS and Xcode. Today, Apple and Google are providing new sample resources for developers, including example UI assets, and sample code for both iOS and Android. These are designed as starting points that developers working on behalf of public health agencies can use to jumpstart their app development process.

The two companies have also released new policies that any developers working with the API must adhere to in order to get their apps approved for use. These include the following requirements:

  • They must be made by or for the use of an official government public health authority, and they can only be used for the purpose of responding to COVID-19.
  • They need to ask consent of a user to actually employ the API before it can actually be used.
  • They require a user’s consent to share a positive test result before broadcasting any such info with the public health authority operating the app.
  • They should only gather the minimum amount of info necessary for the purposes of exposure notification, and should use that only for the sake of COVID-19 response. In other words, these apps are explicitly forbidden from using your info for advertising or other purposes.
  • They can’t access or even seek permission to access a device’s Location Services, which provides specific geolocation data. Google and Apple note that apps already available from public health authorities that make use of location data will continue to be offered, but that no apps that make use of that info will also have access to the new Exposure Notification API.
  • There can only be one app per country, which is designed to avoid fragmentation and therefor encourage efficacy, though Apple and Google say that if a country is relying on a regional or state-based approach, they’re willing to work with authorities to support them in the best way possible. That basically means if a country notifies Apple that it’s going state-by-state with different apps, it’ll unlock the ability for multiple apps to appear in that country’s store, and that it can work with them flexibility in terms of whether the exposure notification mechanics within each state work across one another.

The companies say that they’re also going to continue the pace of updates released for their software and software development kits in advance of shipping the public version of the API to consumers starting later this month. Apple and Google had both targeted “mid-May” for the consumer-facing release of the API, with an eventual plan to release exposure notification as a system-level feature by sometime later this year.

You can take a look at the sample UI resources for both platforms below, which provide an idea of what notifications, settings screens and more will look like within the apps once they’re available. Of course, the individual apps will still vary depending on which public health authority (or developer working on their behalf) is creating the software.

[gallery ids="1983325,1983326,1983327,1983328,1983329,1983330,1983331,1983332"]

Apple and Google embarked on this unprecedented joint effort in response to outreach by a number of public health authorities who were embarking on developing their own contact-tracing app, and wanted access to specific aspects of iOS and Android to make those work. The companies decided to collaborate on a standard based on use of Bluetooth identifiers, not geolocation data, as a way to protect user identity, and also ensure the system can work in a variety of environments, including indoors where geolocation satellite services are unavailable.

Health authorities can also require that users input a unique code tied to the test they took, which can help them ensure that positive results are actually coming from verified, authorized tests rather than possibly just self-reported, or reported based on taking a test that hasn’t actually been approved by a health authority for COVID-19 diagnosis.

It’s important to note that the sample reference applications provided by both Google and Apple are not actually ever going to be available to users; they’re strictly for developers, but the companies are making them available in their entirety, including with their full source code, to developers in order to help them with their own efforts to build apps to respond to COVID-19 in a timely manner.

This Week in Apps: Zoom gets busted, TikTok’s new record, contact tracing API launches

By Sarah Perez

Welcome back to This Week in Apps, the Extra Crunch series that recaps the latest OS news, the applications they support and the money that flows through it all.

The app industry is as hot as ever, with a record 204 billion downloads and $120 billion in consumer spending in 2019, according to App Annie’s “State of Mobile” annual report. People are now spending 3 hours and 40 minutes per day using apps, rivaling TV. Apps aren’t just a way to pass idle hours — they’re a big business. In 2019, mobile-first companies had a combined $544 billion valuation, 6.5x higher than those without a mobile focus.

In this Extra Crunch series, we help you keep up with the latest news from the world of apps, delivered on a weekly basis.

This week we’re continuing to look at how the coronavirus outbreak is impacting the world of mobile applications, including the latest on the U.S. and other international efforts to develop contact-tracing apps, plus the use of live-streaming apps as fundraising tools, the impact of quarantine on iPad apps and more. We’re also tracking news related to Zoom’s latest backtrack, WhatsApp’s plans to enter the credit market, the Instagram pods discovery, TikTok best quarter (better than any app… ever), Facebook’s plan for virtual dating and more.

Headlines

Apple News hits 125M monthly active users

The COVID-19 pandemic has driven a significant increase in how many people are using Apple’s News app on their mobile devices, tablets and Macs. During Apple’s earnings call this week, the company revealed Apple News now sees over 125 million monthly active users in the U.S., Canada, the U.K. and Australia, up from 100 million in January. Apple, however, did not note how many were subscribed to its $9.99/month premium news service, Apple News+.

Apple & Google release first version of the exposure notification API

Germany ditches centralized approach to app for COVID-19 contacts tracing

By Natasha Lomas

Germany has U-turned on building a centralized COVID-19 contacts tracing app — and will instead adopt a decentralized architecture, Reuters reported Sunday, citing a joint statement by chancellery minister Helge Braun and health minister Jens Spahn.

In Europe in recent weeks, a battle has raged between different groups backing centralized vs decentralized infrastructure for apps being fast-tracked by governments which will use Bluetooth-based smartphone proximity as a proxy for infection risk — in the hopes of supporting the public health response to the coronavirus by automating some contacts tracing.

Centralized approaches that have been proposed in the region would see pseudonymized proximity data stored and processed on a server controlled by a national authority, such as a healthcare service. However concerns have been raised about allowing authorities to scoop up citizens’ social graph, with privacy experts warning of the risk of function creep and even state surveillance.

Decentralized contacts tracing infrastructure, by contrast, means ephemeral IDs are stored locally on device — and only uploaded with a user’s permission after a confirmed COVID-19 diagnosis. A relay server is used to broadcast infected IDs — enabling devices to locally compute if there’s a risk that requires notification. So social graph data is not centralized.

The change of tack by the German government marks a major blow to a homegrown standardization effort, called PEPP-PT, that had been aggressively backing centralization — while claiming to ‘preserve privacy’ on account of not tracking location data. It quickly scrambled to propose a centralized architecture for tracking coronavirus contacts, led by Germany’s Fraunhofer Institute, and claiming the German government as a major early backer, despite PEPP-PT later saying it would support decentralized protocols too.

As we reported earlier, the effort faced strident criticism from European privacy experts — including a group of academics developing a decentralized protocol called DP-3T — who argue p2p architecture is truly privacy preserving. Concerns were also raised about a lack of transparency around who is behind PEPP-PT and the protocols they claimed to support, with no code published for review.

The European Commission, meanwhile, also recommended the use of decentralization technologies to help boost trust in such apps in order to encourage wider adoption.

EU parliamentarians have also warned regional governments against trying to centralize proximity data during the coronavirus crisis.

But it was Apple and Google jumping into the fray earlier this month by announcing joint support for decentralized contacts tracing that was the bigger blow — with no prospect of platform-level technical restrictions being lifted. iOS limits background access to Bluetooth for privacy and security reasons, so national apps that do not meet this decentralized standard won’t benefit from API support — and will likely be far less usable, draining battery and functioning only if actively running.

Nonetheless PEPP-PT told journalists just over a week ago that it was engaged in fruitful discussions with Apple and Google about making changes to their approach to accommodate centralized protocols.

Notably, the tech giants never confirmed that claim. They have only since doubled down on the principle of decentralization for the cross-platform API for public health apps — and system-wide contacts tracing which is due to launch next month.

At the time of writing PEPP-PT’s spokesman, Hans-Christian Boos, had not responded to a request for comment on the German government withdrawing support.

Boos previously claimed PEPP-PT had around 40 governments lining up to join the standard. However in recent days the momentum in Europe has been going in the other direction. A number of academic institutions that had initially backed PEPP-PT have also withdrawn support.

In a statement emailed to TechCrunch, the DP-3T project welcomed Germany’s U-turn.

“DP-3T is very happy to see that Germany is adopting a decentralized approach to contact tracing and we look forward to its next steps implementing such a technique in a privacy preserving manner,” the group told us.

Berlin’s withdrawal leaves France and the UK the two main regional backers of centralized apps for coronavirus contacts tracing. And while the German U-turn is certainly a hammer blow for the centralized camp in Europe the French government appears solid in its support — at least for now.

France has been developing a centralized coronavirus contacts tracing protocol, called ROBERT, working with Germany’s Fraunhofer Institute and others.

In an opinion issued Sunday, France’s data protection watchdog, the CNIL, did not take active issue with centralizing pseudonymized proximity IDs — saying EU law does not in principle forbid such a system — although the watchdog emphasized the need to minimize the risk of individuals being re-identified.

It’s notable that France’s digital minister, Cédric O, has been applying high profile public pressure to Apple over Bluetooth restrictions — telling Bloomberg last week that Apple’s policy is a blocker to the virus tracker.

Yesterday O was also tweeting to defend the utility of the planned ‘Stop Covid’ app.

« Oui l'application #StopCovid est utile ». Volontaire, anonyme, transparente et temporaire, elle apporte les garanties de protection des libertés individuelles. À la disposition des acteurs sanitaires, elle les aidera dans la lutte contre le #COVID19 https://t.co/12xYG5Z8ZC

— Cédric O (@cedric_o) April 26, 2020

We reached out to France’s digital ministry for comment on Germany’s decision to switch to a decentralized approach but at the time of writing the department had not responded.

In a press release today the government highlights the CNIL view that its approach is compliant with data protection rules, and commits to publishing a data protection impact assessment ahead of launching the app.

If France presses ahead it’s not clear how the country will avoid its app being ignored or abandoned by smartphone users who find it irritating to use. (Although it’s worth noting that Google’s Android platform has a substantial marketshare in the market, with circa 80% vs 20% for iOS, per Kantar.)

A debate in the French parliament tomorrow is due to include discussion of contacts tracing apps.

We’ve also reached out to the UK’s NHSX — which has been developing a COVID-19 contacts tracing app for the UK market — and will update this report with any response.

In a blog post Friday the UK public healthcare unit’s digital transformation division said it’s “working with Apple and Google on their welcome support for tracing apps around the world”, a PR line that entirely sidesteps the controversy around centralized vs decentralized app infrastructures.

The UK has previously been reported to be planning to centralize proximity data — raising questions about the efficacy of its planned app too, given iOS restrictions on background access to Bluetooth.

“As part of our commitment to transparency, we will be publishing the key security and privacy designs alongside the source code so privacy experts can ‘look under the bonnet’ and help us ensure the security is absolutely world class,” the NHSX’s Matthew Gould and Dr Geraint Lewis added in the statement.

❌