Google will let enterprises store their Google Workspace encryption keys

As ubiquitous as Google Docs has become in the last year alone, a major criticism often overlooked by the countless workplaces who use it is that it isn’t end-to-end encrypted, allowing Google — or any requesting government agency — access to a company’s files. But Google is finally addressing that key complaint with a round of updates that will let customers shield their data by storing their own encryption keys.

Google Workspace, the company’s enterprise offering that includes Google Docs, Slides and Sheets, is adding client-side encryption so that a company’s data will be indecipherable to Google.

Companies using Google Workspace can store their encryption keys with one of four partners for now: Flowcrypt, Futurex, Thales, or Virtru, which are compatible with Google’s specifications. The move is largely aimed at regulated industries — like finance, healthcare, and defense — where intellectual property and sensitive data are subject to intense privacy and compliance rules.


The real magic lands later in the year when Google will publish details of an API that will let enterprise customers build their own in-house key service, allowing workplaces to retain direct control of their encryption keys. That means if the government wants that company’s data, they have to knock on their front door — and not sneak around the back by serving the key holder with a legal demand.

Google published technical details of how the client-side encryption feature works, and the feature will roll out as a beta in the coming weeks.

Tech companies giving their corporate customers control of their own encryption keys has been a growing trend in recent years. Slack and cloud vendor Egnyte bucked the trend by allowing their enterprise users to store their own encryption keys, effectively cutting themselves out of the surveillance loop. But Google has dragged its feet on encryption for so long that startups are working to build alternatives that bake in encryption from the ground up.

Google said it’s also pushing out new trust rules for how files are shared in Google Drive to give administrators more granularity on how different levels of sensitive files can be shared, and new data classification labels to mark documents with a level of sensitivity such as “secret” or “internal”.

The company said it’s improving its malware protection efforts by now blocking phishing and malware shared from within organizations. The aim is to help cut down on employees mistakenly sharing malicious documents.


Apple’s iPadOS 15 breaks the app barrier

The announcement of new iPad software at this year’s WWDC conference had an abnormally large expectation hung on it. The iPad lineup, especially the larger iPad Pro, has kept up an impressively frantic pace of hardware innovation over the past few years. In that same time frame, the software of the iPad, especially its ability to allow users to use multiple apps at once and in its onramps for professional software makers, has come under scrutiny for an apparently slower pace. 

This year’s announcements about iOS 15 and iPadOS 15 seemed designed to counter that narrative with the introduction of a broad number of quality of life improvements to multitasking as well as a suite of system-wide features that nearly all come complete with their own developer-facing APIs to build on. I had the chance to speak to Bob Borchers, Apple’s VP of Worldwide Product Marketing, and Sebastien (Seb) Mariners-Mes, VP, Intelligent System Experience at Apple about the release of iPadOS 15 to discuss a variety of these improvements. 

Mariners-Mes works on the team of Apple software SVP Craig Federighi and was pivotal in the development of this new version.

iPad has a bunch of new core features including SharePlay, Live Text, Focuses, Universal Control, on-device Siri processing and a new edition of Swift Playgrounds designed to be a prototyping tool. Among the most hotly anticipated for iPad Pro users, however, are improvements to Apple’s multitasking system. 

If you’ve been following along, you’ll know that the gesture-focused multitasking interface of iPadOS has had its share of critics, including me. Though it can be useful in the right circumstances, the un-discoverable gesture system and confusing hierarchy of the different kinds of combinations of apps made it a sort of floppy affair to utilize correctly for an apt user much less a beginner. 

Since the iPad stands alone as pretty much the only successful tablet device on the market, Apple has a unique position in the industry to determine what kinds of paradigms are established as standard. It’s a very unique opportunity to say, hey, this is what working on a device like this feels like; looks like; should be.

 

So I ask Borchers and Mariners-Mes to talk a little bit about multitasking. Specifically Apple’s philosophy in the design of multitasking on iPadOS 15 and the update from the old version, which required a lot of acrobatics of the finger and a strong sense of spatial awareness of objects hovering out off the edges of the screen. 

“I think you’ve got it,” Borchers says when I mention the spatial gymnastics, “but the way that we think about this is that the step forward and multitasking makes it easier to discover, easier to use, even more powerful. And, while pros I think were the ones who were using multitasking in the past, we really want to take it more broadly because we think there’s applicability to many, many folks. And that’s why the, the discovery and the ease of use I think were critical.”

“You had a great point there when you talked about the spatial model and one of our goals was to actually make the spatial model more explicit in the experience,” says Mariners-Mes, “where, for example, if you’ve got a split view, and you’re replacing one of the windows, we kind of open the curtain and tuck the other app to the side, you can see it — it’s not a hidden mental model, it’s one that’s very explicit.

“Another great example of it is when you go into the app switcher to reconfigure your windows, you’re actually doing drag and drop as you rearrange your new split views, or you dismiss apps and so on. So it’s not a hidden model, it’s one where we really try to reinforce a spatial model with an explicit one for the user through all of the animations and all of the kinds of affordances.”

Apple’s goal this time around, he says, was to add affordances for the user to understand that multitasking was even an option — like the small series of dots at the top of every app and window that now allows you to explicitly choose an available configuration, rather than the app-and-dock-juggling method of the past. He goes on to say that consistency was a key metric for them on this version of the OS. The appearance of Slide Over apps in the same switcher view as all other apps, for instance. Or the way that you can choose configurations of apps via the button, by drag and drop in the switcher and get the same results.

In the dashboard, Mariners-Mes says, “you get an at a glance view of all of the apps that you’re running and a full model of how you’re navigating that through the iPad’s interface.”

This ‘at a glance’ map of the system should be very welcome by advanced users. Even as a very aggressive Pro user myself, Slide Over apps became more of a nuisance than anything because I couldn’t keep track of how many were open and when to use them. The ability to combine them on the switcher itself is one of those things that Apple has wanted to get into the OS for years but is just now making its way onto iPads. Persistence of organization, really, was the critical problem to tackle.

“I think we believe strongly in building a mental model where people know where things are [on iPad],” says Mariners-Mes. “And I think you’re right when it comes to persistence I think it also applies to, for example, home screen. People have a very strong mental model of where things are in the home screen as well as all of the apps that they’ve configured. And so we try to maintain a well maintained that mental model, and also allow people to reorganize again in the switcher.”

He goes on to explain the new ‘shelf’ feature that displays every instance or window that an app has open within itself. They implemented this as a per-app feature rather than a system-wide feature, he says, because the association of that shelf with a particular app fit the overall mental model that they’re trying to build. The value of this shelf may jump into higher relief when more professional apps that may have a dozen documents or windows open at once and active during a project ship later this year.

Another nod to advanced users in iPadOS 15 is the rich keyboard shortcut set offered across the system. The interface can be navigated by arrow keys now, many advanced commands are there and you can even move around on an iPad using a game controller. 

“One of the key goals this year was to make basically everything in the system navigable from the keyboard,” says Mariners-Mes, “so that if you don’t want to, you don’t have to take your hands off the keyboard. All of the new multitasking affordances and features, you can do through the keyboard shortcuts. You’ve got the new keyboard shortcut menu bar where you can see all the shortcuts that are available. It’s great for discoverability. You can search them and we even, you know, and this is a subtle point, but we even made a very conscious effort to rationalize the shortcuts across Mac and iPadOS. So that if you’re using universal control, for example, you’re going to go from one environment to the other seamlessly. You want to ensure that consistency as you go across.”

The gestures, however, are staying as a nod to consistency for existing users that may be used to those. 

To me, one of the more interesting and potentially powerful developments is the introduction of the Center Window and its accompanying API. A handful of Apple apps like Mail, Notes and Messages now allow items to pop out into an overlapping window.

“It was a very deliberate decision on our part,” says Mariners-Mes about adding this new element. “This really brings a new level of productivity where you can have, you know, this floating window. You can have content behind it. You can seamlessly cut and paste. And that’s something that’s just not possible with the traditional [iPadOS] model. And we also really strive to make it consistent with the rest of multitasking where that center window can also become one of the windows in your split view, or full size, and then go back to being a center window. We think it’s a cool addition to the model and we really look forward to 3rd parties embracing it.”

Early reception of the look Apple gave at iPadOS 15 has an element of reservation about it still given that many of the most powerful creative apps are made by third parties that must adopt these technologies in order for them to be truly useful. But Apple, Borchers says, is working hard to make sure that pro apps adopt as many of these new paradigms and technologies as possible, so that come fall, the iPad will feel like a more hospitable host for the kinds of advanced work pros want to do there.

One of the nods to this multi-modal universe that the iPad exists in is Universal Control. This new feature uses Bluetooth beaconing, peer-to-peer WiFi and the iPad’s touchpad support to allow you to place your devices close to one another and — in a clever use of reading user intent — slide your mouse to the edge of a screen and onto your Mac or iPad seamlessly. 

CUPERTINO, CALIFORNIA – June 7, 2021: Apple’s senior vice president of Software Engineering Craig Federighi showcases the ease of Universal Control, as seen in this still image from the keynote video of Apple’s Worldwide Developers Conference at Apple Park. (Photo Credit: Apple Inc.)

“I think what we have seen and observed from our users, both pro and otherwise, is that we have lots of people who have Macs and they have iPads, and they have other iPhones and we believe in making these things work together in ways that are powerful,” says Borchers. “And it just felt like a natural place to be able to go and extend our Continuity model so that you could make use of this incredible platform that is iPadOS while working with your Mac, right next to it. And I think the big challenge was, how do you do that in kind of a magical, simple way. And that’s what Seb and his team have been able to accomplish.”

“It really builds on the foundation we made with Continuity and Sidecar,” adds Mariners-Mes. “We really thought a lot about how do you make the experience — the set up experience — as seamless as possible. How do you discover that you’ve got devices side by side?

“The other thing we thought about was what are the workflows that people want to have and what capabilities that will be essential for that. That’s where things like the ability to seamlessly drag content across the platforms or cut and paste was we felt to be really, really important. Because I think that’s really what brings the magic to the experience.”

Borchers adds that it makes all the continuity features that much more discoverable. Continuity’s shared clipboard, for instance, is an always on but invisible presence. Expanding that to visual and mouse-driven models made some natural sense.

“It’s just like, oh, of course, I can drag that all the way across all the way across here,” he says.

“Bob, you say, of course,” Mariners-Mes laughs. “And yet for those of us working in platforms for a long time, the ‘of course’, is technically very, very challenging. Totally non obvious.”

Another area where iPadOS 15 is showing some promising expansionary behavior is in system-wide activities that allow you to break out of the box of in-app thinking. These include embedded recommendations that seed themselves into various apps, Shareplay, which makes an appearance wherever video calls are found and Live Text, which turns all of your photos into indexed archives searchable with a keyboard. 

Another is Quick Note, a system extension that lets you swipe from the bottom corner of your screen wherever you are in the system.

“There are, I think a few interesting things that we did with Quick Note,” says Mariners-Mes. “One is this idea of linking. So, that if I’m working in Safari or Yelp or another app, I can quickly insert a link to whatever content I’m viewing. I don’t know about you, but it’s something that I certainly do a lot when I do research.

“The old way was, like, cut and paste and maybe take a screenshot, create a note and jot down some notes. And now we’ve made that very, very seamless and fluid across the whole system. It even works the other way where, if I’m now in Safari and I have a note that refers to that page in Safari, you’ll see it revealed as a thumbnail at the bottom of the screen’s right hand side. So, we’ve really tried to bring the notes experience to be something that just permeates the system and is easily accessible from, from everywhere.” 

Many of the system-wide capabilities that Apple is introducing in iPadOS 15 and iOS 15 have an API that developers can tap into. That is not always the case with Apple’s newest toys, which in years past have often been left to linger in the private section of its list of frameworks rather than be offered to developers as a way to enhance their apps. Borchers says that this is an intentional move that offers a ‘broader foundation of intelligence’ across the entire system. 

This broader intelligence includes Siri moving a ton of commands to its local scope. This involved having to move a big chunk of Apple’s speech recognition to an on-device configuration in the new OS as well. The results, says Borchers, are a vastly improved day-to-day Siri experience, with many common commands executing immediately upon request — something that was a bit of a dice roll in days of Siri past. The removal of the reputational hit that Siri was taking from commands that went up to the cloud never to return could be the beginning of a turnaround for the public perception of Siri’s usefulness.

The on-device weaving of the intelligence provided by the Apple Neural Engine (ANE) also includes the indexing of text across photos in the entire system, past, present and in-the-moment.

“We could have done live text only in camera and photos, but we wanted it to apply to anywhere we’ve got images, whether it be in Safari or quick look or wherever,” says Mariners-Mes. “One of my favorite demos of live text is actually when you’ve got that long complicated field for a password for a Wi-Fi network. You can just actually bring it up within the keyboard and take a picture of it, get the text in it and copy and paste it into the field. It’s one of those things that’s just kind of magical.”

On the developer service front of iPadOS 15, I ask specifically about Swift Playgrounds, which add the ability to write, compile and ship apps on the App Store for the first time completely on iPad. It’s not the native Xcode some developers were hoping for, but, Borchers says, Playgrounds has moved beyond just ‘teaching people how to code’ and into a real part of many developer pipelines.

“I think one of the big insights here was that we also saw a number of kind of pro developers using it as a prototyping platform, and a way to be able to be on the bus, or in the park, or wherever if you wanted to get in and give something a try, this was super accessible and easy way to get there and could be a nice adjunct to hey, I want to learn to code.”

“If you’re a developer,” adds Mariners-Mes, “it’s actually more productive to be able to run that app on the device that you’re working on because you really get great fidelity. And with the open project format, you can go back and forth between Xcode and Playgrounds. So, as Bob said, we can really envision people using this for a lot of rapid prototyping on the go without having to bring along the rest of their development environment so we think it’s a really, really powerful addition to our development tools this year.”

Way back in 2018 I profiled a new team at Apple that was building out a testing apparatus that would help them to make sure they were addressing real-world use cases for flows of process that included machines like the (at the time un-revealed) new Mac Pro, iMacs, MacBooks and iPads. One of the demos that stood out at the time was a deep integration with music apps like Logic that would allow the input models of iPad to complement the core app. Tapping out a rhythm on a pad, brightening or adjusting sound more intuitively with the touch interface. More of Apple’s work these days seems to be aimed at allowing users to move seamlessly back and forth between its various computing platforms, taking advantage of the strengths of each (raw power, portability, touch, etc) to complement a workflow. A lot of iPadOS 15 appears to be geared this way.

Whether it will be enough to turn the corner on the perception of iPad as a work device that is being held back by software, I’ll reserve judgement until it ships later this year. But, in the near term, I am cautiously optimistic that this set of enhancements that break out of the ‘app box’, the clearer affordances for multitasking both in and out of single apps and the dedication to API support are pointing towards an expansionist mentality on the iPad software team. A good sign in general.


Apple’s StoreKit 2 simplifies App Store subscriptions and refunds by making them accessible inside apps

If you’ve ever bought a subscription inside an iOS app and later decided you wanted to cancel, upgrade or downgrade, or ask for a refund, you may have had trouble figuring out how to go about making that request or change. Some people today still believe that they can stop their subscription charges simply by deleting an app from their iPhone. Others may dig around unsuccessfully inside their iPhone’s Settings or on the App Store to try to find out how to ask for a refund. With the updates Apple announced in StoreKit 2 during its Worldwide Developers Conference this week, things may start to get a little easier for app customers.

StoreKit is Apple’s developer framework for managing in-app purchases — an area that’s become more complex in recent years, as apps have transitioned from offering one-time purchases to ongoing subscriptions with different tiers, lengths, and feature sets.


Currently, users who want to manage or cancel subscriptions can do so from the App Store or their iPhone Settings. But some don’t realize the path to this section from Settings starts by tapping on your Apple ID (your name and profile photo at the top of the screen). They may also get frustrated if they’re not familiar with how to navigate their Settings or the App Store.

Meanwhile, there are a variety of ways users can request refunds on their in-app subscriptions. They can dig in their inbox for their receipt from Apple, then click the “Report a Problem” link it includes to request a refund when something went wrong. This could be useful in scenarios where you’ve bought a subscription by mistake (or your kid has!), or where the promised features didn’t work as intended.

Apple also provides a dedicated website where users can directly request refunds for apps or content. (When you Google for something like “request a refund apple” or similar queries, a page that explains the process typically comes up at the top of the search results.)

Still, many users aren’t technically savvy. For them, the easiest way to manage subscriptions or ask for refunds would be to do so from within the app itself. For this reason, many conscientious app developers tend to include links to point customers to Apple’s pages for subscription management or refunds inside their apps.

But StoreKit 2 is introducing new tools that will allow developers to implement these sorts of features more easily.

One new tool is a Manage subscriptions API, which lets an app developer display the manage subscriptions page for their customer directly inside their app — without redirecting the customer to the App Store. Optionally, developers can choose to display a “Save Offer” screen to present the customer with a discount of some kind to keep them from cancelling, or it could display an exit survey so you can ask the customer why they decided to end their subscription.

When implemented, the customer will be able to view a screen inside the app that looks just like the one they’d visit in the App Store to cancel or change a subscription. After cancelling, they’ll be shown a confirmation screen with the cancellation details and the service expiration date.

If the customer wants to request a refund, a new Refund request API will allow the customer to begin their refund request directly in the app itself — again, without being redirected to the App Store or other website. On the screen that displays, the customer can select which item they want refunded and check the reason why they’re making the request. Apple handles the refund process and will send either an approval or refund declined notification back to the developer’s server.

However, some developers argue that the changes don’t go far enough. They want to be in charge of managing customer subscriptions and handling refunds themselves, through programmatic means. Plus, Apple can take up to 48 hours for the customer to receive an update on their refund request, which can be confusing.

“They’ve made the process a bit smoother, but developers still can’t initiate refunds or cancellations themselves,” notes RevenueCat CEO Jacob Eiting, whose company provides tools to app developers to manage their in-app purchases. “It’s a step in the right direction, but could actually lead to more confusion between developers and consumers about who is responsible for issuing refunds.”

In other words, because the forms are now going to be more accessible from inside the app, the customer may believe the developer is handling the refund process when, really, Apple continues to do so.

Some developers pointed out that there are other scenarios this process doesn’t address. For example, if the customer has already uninstalled the app or no longer has the device in question, they’ll still need to be directed to other means of asking for refunds, just as before.

For consumers, though, subscription management tools like this mean more developers may begin to put buttons to manage subscriptions and ask for refunds directly inside their app, which is a better experience. In time, as customers learn they can more easily use the app and manage subscriptions, app developers may see better customer retention, higher engagement, and better App Store reviews, notes Apple.

The StoreKit 2 changes weren’t limited to APIs for managing subscriptions and refunds.

Developers will also gain access to a new Invoice Lookup API that allows them to look up the in-app purchases for the customer, validate their invoice and identify any problems with the purchase — for example, if there were any refunds already provided by the App Store.

A new Refunded Purchases API will allow developers to look up all the refunds for the customer.

And a new Renewal Extension API will allow developers to extend the renewal date for paid, active subscriptions in the case of an outage — like when dealing with customer support issues when a streaming service went down, for example. This API lets developers extend the subscription up to twice per calendar year, each up to 90 days in the future.

Another change will help customers when they reinstall apps or download them on new devices. Before, users would have to manually “restore purchases” to sync the status of the completed transactions back to that newly downloaded or reinstalled app. Now, that information will be automatically fetched by StoreKit 2 so the apps are immediately up-to-date with whatever it is the user paid for.

While, overall, the changes make for a significant update to the StoreKit framework, Apple’s hesitancy to allow developers more control over their own subscription-based customers speaks, in part, to how much it wants to control in-app purchases. This is perhaps because it got burned in the past when it tried allowing developers to manage their own refunds.

As The Verge noted last month while the Epic Games-Apple antitrust trial was underway, Apple had once provided Hulu with access to a subscription API, then discovered Hulu had been offering a way to automatically cancel subscriptions made through the App Store when customers wanted to upgrade to higher-priced subscription plans. Apple realized it needed to take action to protect against this misuse of the API, and Hulu later lost access. It has not since made that API more broadly available.

On the flip side, having Apple, not the developers, in charge of subscription management and refunds means Apple takes on the responsibilities around preventing fraud — including fraud perpetrated by both customers and developers alike. Customers may also prefer that there’s one single place to go for managing their subscription billing: Apple. They may not want to have to deal with each developer individually, as their experience would end up being inconsistent.

These changes matter because subscription revenue contributes to a sizable amount of Apple’s lucrative App Store business. Ahead of WWDC 21, Apple reported the sale of digital goods and services on the App Store grew to $86 billion in 2020, up 40% over the year prior. Earlier this year, Apple said it paid out more than $200 billion to developers since the App Store launched in 2008.


Apple’s new ShazamKit brings audio recognition to apps, including those on Android

Apple in 2018 closed its $400 million acquisition of music recognition app Shazam. Now, it’s bringing Shazam’s audio recognition capabilities to app developers in the form of the new ShazamKit. The new framework will allow app developers — including those on both Apple platforms and Android — to build apps that can identify music from Shazam’s huge database of songs, or even from their own custom catalog of pre-recorded audio.

Many consumers are already familiar with the mobile app Shazam, which lets you push a button to identify what song you’re hearing, and then take other actions — like viewing the lyrics, adding the song to a playlist, exploring music trends, and more. Having first launched in 2008, Shazam was already one of the oldest apps on the App Store when Apple snatched it up.

Now the company is putting Shazam to better use than being just a music identification utility. With the new ShazamKit, developers will now be able to leverage Shazam’s audio recognition capabilities to create their own app experiences.

There are three parts to the new framework: Shazam catalog recognition, which lets developers add song recognition to their apps; custom catalog recognition, which performs on-device matching against arbitrary audio; and library management.

Shazam catalog recognition is what you probably think of when you think of the Shazam experience today. The technology can recognize the song that’s playing in the environment and then fetch the song’s metadata, like the title and artist. The ShazamKit API will also be able to return other metadata like genre or album art, for example. And it can identify where in the audio the match occurred.

When matching music, Shazam doesn’t actually match the audio itself, to be clear. Instead, it creates a lossy representation of it, called a signature, and matches against that. This method greatly reduces the amount of data that needs to be sent over the network. Signatures also cannot be used to reconstruct the original audio, which protects user privacy.

The Shazam catalog comprises millions of songs and is hosted in the cloud and maintained by Apple. It’s regularly updated with new tracks as they become available.

When a customer uses a developer’s third-party app for music recognition via ShazamKit, they may want to save the song in their Shazam library. This is found in the Shazam app, if the user has it installed, or it can be accessed by long pressing on the music recognition Control Center module. The library is also synced across devices.

Apple suggests that apps make their users aware that recognized songs will be saved to this library, as there’s no special permission required to write to the library.


ShazamKit’s custom catalog recognition feature, meanwhile, could be used to create synced activities or other second-screen experiences in apps by recognizing the developer’s audio, not that from the Shazam music catalog.

This could allow for educational apps where students follow along with a video lesson, where some portion of the lesson’s audio could prompt an activity to begin in the student’s companion app. It could also be used to enable mobile shopping experiences that popped up as you watched a favorite TV show.

ShazamKit is currently in beta on iOS 15.0+, macOS 12.0+, Mac Catalyst 15.0+, tvOS 15.0+, and watchOS 8.0+. On Android, ShazamKit comes in the form of an Android Archive (AAR) file and supports music and custom audio, as well.


Apple finally launches a Screen Time API for app developers

Just after the release of iOS 12 in 2018, Apple introduced its own built-in screen time tracking tools and controls. It then began cracking down on third-party apps that had implemented their own screen time systems, saying they had done so via technologies that risked user privacy. What wasn’t available at the time? A Screen Time API that would have allowed developers to tap into Apple’s own Screen Time system and build their own experiences that augmented its capabilities. That’s now changed.

At Apple’s Worldwide Developer Conference on Monday, it introduced a new Screen Time API that offers developers access to frameworks that will allow parental control experiences that also maintain user privacy.

The company added three new Swift frameworks to the iOS SDK that will allow developers to create apps that help parents manage what a child can do across their devices and ensure those restrictions stay in place.

The apps that use this API will be able to set restrictions like locking accounts in place, preventing password changes, filtering web traffic, and limiting access to applications. These sorts of changes are already available through Apple’s Screen Time system, but developers can now build their own experiences where these features are offered under their own branding and where they can then expand on the functionality provided by Apple’s system.

 

Developers’ apps that take advantage of the API can also be locked in place so they can only be removed from the device with a parent’s approval.

The apps can authenticate the parents and ensure the device they’re managing belongs to a child in the family. Plus, Apple said the way the system will work lets parents choose the apps and websites they want to limit, without compromising user privacy. (The system returns only opaque tokens instead of identifiers for the apps and website URLs, Apple told developers, so third parties aren’t gaining access to private user data like app usage and web browsing details. This would prevent a shady company from building a Screen Time app only to collect troves of user data about app usage, for instance.)

The third-party apps can also create unique time windows for different apps or types of activities, and warn the child when time is nearly up. When it registers that time is up, the app can lock down access to websites and apps and perhaps remind the child it’s time to do their homework, or deliver whatever other experience the developer has in mind.

And on the flip side, the apps could create incentives for the child to gain screen time access after they complete some other task, like doing homework, reading or chores, or anything else.

Developers could use these features to design new experiences that Apple’s own Screen Time system doesn’t allow for today, by layering their own ideas on top of Apple’s basic set of controls. Parents would likely fork over their cash to make using Screen Time controls easier and more customized to their needs.

Other apps could tie into Screen Time too, outside of the “family” context — like those aimed at mental health and wellbeing, for example.

Of course, developers have been asking for a Screen Time API since the launch of Screen Time itself, but Apple didn’t seem to prioritize its development until the matter of Apple’s removal of rival screen time apps was brought up in an antitrust hearing last year. At the time, Apple CEO Tim Cook defended the company’s decision by explaining that apps had been using MDM (mobile device management) technology, which was designed for managing employee devices in the enterprise, not home use. This, he said, was a privacy risk.

Apple has a session during WWDC that will detail how the new API works, so we expect we’ll learn more soon as the developer info becomes more public.


Apple introduces SharePlay for co-watching, streaming, and screen sharing over FaceTime

As part of its FaceTime update in iOS 15, Apple introduced a new set of features designed for shared experiences — like co-watching TV shows or TikTok videos, listening to music together, screen sharing and more — while on a FaceTime call. The feature, called SharePlay, enables real-time connections with family and friends while you’re hanging out on FaceTime, Apple explained, by integrating access to apps from within the call itself.

Apple demonstrated the new feature during its Worldwide Developer Conference keynote this afternoon, showing how friends could press play in Apple Music to listen together, as the music streams to everyone on the call. Shared playback controls also let anyone on the call play, pause or jump to the next track.

The company also showed off watching video from its Apple TV+ streaming service, where the video was synced in real-time between call participants. This was a popular trend during the pandemic, as people looked to virtually watch movies and TV with family and friends, prompting services like Hulu and Amazon Prime Video to add native co-watching features.

But Apple’s SharePlay goes much further than streaming music and video from just Apple’s own services.

The company announced a set of launch partners for SharePlay including Disney+, Hulu, HBO Max, NBA, Twitch, TikTok, MasterClass, ESPN+, Paramount+, and Pluto TV. It’s also making an API available to developers so they can integrate their own apps with SharePlay.

Users can screen share via SharePlay, too, so you can do things like browse Zillow listings together or show off mobile gameplay, Apple suggested.

“Screen sharing is also a simple and super effective way to help someone out and answer questions right in the moment, and it works across Apple devices,” noted Apple SVP of Software Engineering, Craig Federighi.

The feature will roll out with iOS 15.


99 minutos, Mexico’s last mile delivery startup, raises a $40M Series B

In 2014 Alexis Patjane was at a local hookah bar in Mexico City with some friends and the bar ran out of tobacco. They thought maybe they could buy some online and have it delivered to the bar in real-time, but it turns out that service didn’t exist.

At the time, Patjane was running a food truck-making business, which was responsible for about 80% of all the food trucks in Mexico, so he had experience doing business in the region.

A couple of weeks later, to solve the instant delivery problem he had faced at the hookah bar, Patjane launched 99 minutos, a website that sold products and delivered them within 99 minutes, hence the name.

Today, 99 minutos announced a $40 million Series B from Prosus and Kaszek Ventures which it plans to use to grow its business in Latin America. 

The company currently operates within 40 major markets across Mexico, Chile, Colombia, and Peru and offers four services: less than 99 minutes delivery, same-day delivery, next-day delivery, and CO2-free delivery. 

What started as an e-commerce company with fast delivery quickly became a last-mile delivery service for other e-commerce companies.

“We started to build the API connections and plug-ins, and any e-commerce could add our delivery service to their business,” Patjane told TechCrunch.

99 minutos makes money by charging the customer a flat fee for delivery and then offering the driver a flat rate as well, but today the volume on each route is so large that it’s become very lucrative.

“We ship about 60-80 packages per route,” Patjane said, and from the consumer’s perspective, the delivery app works similarly to Waze. “You can pause the delivery, you can change the address. You can say, ‘Oh, I’m not at home, I’m at the Starbucks on the corner, can you drop it off there?’” he added.

Patjane said that initially, the company offered delivery only within Mexico City, but it quickly grew to offer its services between cities and now operates between 21 cities in Mexico.

“E-commerce is growing quickly in Latin America, but it is still [the] early days. E-commerce penetration in Latin America is at 6%, while China is reaching 30% and the U.S. is at 20%,” the company said in a statement.

“When we hear big e-commerce players saying that 99 minutos is ‘their most reliable partner’ and that they are ‘the provider with the most potential,’ it tells us that the team is executing extremely well and is on a path to disrupt e-commerce delivery in Latin America,” said Banafsheh Fathieh, Head of Americas Investments at Prosus Ventures.

Part of the funds will also be used to speed up their city-to-city deliveries. “We’ll be doing same day [delivery] from city to city and will be using small aircraft to connect the cities,” Patjane said.


Tezlab CEO Ben Schippers to discuss the Tesla effect and the next wave of EV startups at TC Sessions: Mobility 2021

As Tesla sales have risen, interest in the company has exploded, prompting investment and interest in the automotive industry, as well as the startup world.

Tezlab, a free app that’s like a Fitbit for a Tesla vehicle, is just one example of the numerous startups that have sprung up in the past few years as electric vehicles have started to make the tiniest of dents in global sales. Now, as Ford, GM, Volvo, Hyundai along with newcomers Rivian, Fisker and others launch electric vehicles into the marketplace, more startups are sure to follow.

Ben Schippers, the co-founder and CEO of Tezlab, is one of two early-stage founders who will join us at TC Sessions: Mobility 2021 to talk about their startups and the opportunities cropping up in this emerging age of EVs. The six-person team behind TezLab was born out of HappyFunCorp, a software engineering shop that builds apps for mobile, web, wearables and Internet of Things devices for clients that include Amazon, Facebook and Twitter, as well as an array of startups.

HFC’s engineers, including Schippers, who also co-founded HFC, were attracted to Tesla because of its tech-centric approach and one important detail: the Tesla API endpoints are accessible to outsiders. The Tesla API is technically private, but it exists to allow Tesla’s app to communicate with the cars to do things like read battery charge status and lock doors. When reverse-engineered, it’s possible for a third-party app to communicate directly with the API.

Schippers’ experience extends beyond scaling up Tezlab. Schippers consults and works with companies focused on technology and human interaction, with a sub-focus in EV.

The list of speakers at our 2021 event is growing by the day and includes Motional’s president and CEO Karl Iagnemma and Aurora co-founder and CEO Chris Urmson, who will discuss the past, present and future of AVs. On the electric front is Mate Rimac, the founder of Rimac Automobili, who will talk about scaling his startup from a one-man enterprise in a garage to more than 1,000 people and contracts with major automakers.

We also recently announced a panel dedicated to China’s robotaxi industry, featuring three female leaders from Chinese AV startups: AutoX’s COO Jewel Li, Huan Sun, general manager of Momenta Europe with Momenta, and WeRide’s VP of Finance Jennifer Li.

Other guests include GM’s VP of Global Innovation Pam Fletcher, Scale AI CEO Alexandr Wang, Joby Aviation founder and CEO JoeBen Bevirt, investor and LinkedIn founder Reid Hoffman (whose special purpose acquisition company just merged with Joby), investors Clara Brenner of Urban Innovation Fund, Quin Garcia of Autotech Ventures and Rachel Holt of Construct Capital, and Zoox co-founder and CTO Jesse Levinson.

And we may even have one more surprise — a classic TechCrunch stealth company reveal to close the show.

Don’t wait to book your tickets to TC Sessions: Mobility as prices go up at our virtual door.


This one email explains Apple

An email has been going around the internet as a part of a release of documents related to the App Store-based suit brought against Apple by Epic Games. I love this email for a lot of reasons, not the least of which is that you can extrapolate from it the very reasons Apple has remained such a vital force in the industry for the past decade.

The gist of it is that SVP of Software Engineering, Bertrand Serlet, sent an email in October of 2007, just three months after the iPhone was launched. In the email, Serlet outlines essentially every core feature of Apple’s App Store — a business that brought in an estimated $64B in 2020. And that, more importantly, allowed the launch of countless titanic internet startups and businesses built on and taking advantage of native apps on iPhone.

Forty-five minutes after the email, Steve Jobs replies to Serlet and iPhone lead Scott Forstall, from his iPhone, “Sure, as long as we can roll it all out at Macworld on Jan 15, 2008.”

Apple University should have a course dedicated to this email. 

Here it is, shared by an account I enjoy, Internal Tech Emails, on Twitter. If you run the account let me know, happy to credit you further here if you wish:

First, we have Serlet’s outline. It’s seven sentences that outline the key tenets of the App Store. User protection, network protection, an owned developer platform and a sustainable API approach. There is a direct ask for resources — whoever we need in software engineering — to get it shipped ASAP. 

It also has a clear ask at the bottom, ‘do you agree with these goals?’

Enough detail is included in the parentheticals to allow an informed reader to infer scope and work hours. And at no point during this email does Serlet include an ounce of justification for these choices. This is the obvious and necessary framework, in his mind, for accomplishing the rollout of an SDK for iPhone developers.

There is no extensive rationale provided for each item, something that is often unnecessary in an informed context and can often act as psychic baggage that telegraphs one of two things:

  1. You don’t believe the leader you’re outlining the project to knows what the hell they’re talking about.
  2. You don’t believe it and you’re still trying to convince yourself. 

Neither one of those is the wisest way to provide an initial scope of work. There is plenty of time down the line to flesh out rationale to those who have less command of the larger context. 

If you’re a historian of iPhone software development, you’ll know that developer Nullriver had released Installer, a third-party installer that allowed apps to be natively loaded onto iPhone, in the summer of 2007. Early September, I believe. It was followed in 2008 by the eventually far more popular Cydia. And there were developers that August and September already experimenting with this completely unofficial way of getting apps on the store, like the venerable Twitterrific by Craig Hockenberry and Lights Off by Lucas Newman and Adam Betts.

Though there has been plenty of established documentation of Steve being reluctant about allowing third-party apps on iPhone, this email establishes an official timeline for when the decision was not only made but essentially fully formed. And it’s much earlier than the apocryphal discussion about when the call was made. This is just weeks after the first hacky third-party attempts had made their way to iPhone and just under two months since the first iPhone jailbreak toolchain appeared. 

There is no need or desire shown here for Steve to ‘make sure’ that his touch is felt on this framework. All too often I see leaders that are obsessed with making sure that they give feedback and input at every turn. Why did you hire those people in the first place? Was it for their skill and acumen? Their attention to detail? Their obsessive desire to get things right?

Then let them do their job. 

Serlet’s email is well written and has the exact right scope, yes. But the response is just as important. A demand of what is likely too short a timeline (the App Store was eventually announced in March of 2008 and shipped in July of that year) sets the bar high — matching the urgency of the request for all teams to work together on this project. This is not a side alley, it’s the foundation of a main thoroughfare. It must get built before anything goes on top. 

This efficacy is at the core of what makes Apple good when it is good. It’s not always good, but nothing ever is 100% of the time and the hit record is incredibly strong across a decade’s worth of shipped software and hardware. Crisp, lean communication that does not coddle or equivocate, coupled with a leader that is confident in their own ability and the ability of those that they hired means that there is no need to bog down the process in order to establish a record of involvement. 

One cannot exist without the other. A clear, well argued RFP or project outline that is sent up to insecure or ineffective management just becomes fodder for territorial games or endless rounds of requests for clarification. And no matter how effective leadership is and how talented their employees, if they do not establish an environment in which clarity of thought is welcomed and rewarded then they will never get the kind of bold, declarative product development that they wish. 

All in all, this exchange is a wildly important bit of ephemera that underpins the entire app ecosystem era and an explosive growth phase for Internet technology. And it’s also an encapsulation of the kind of environment that has made Apple an effective and brutally efficient company for so many years. 

Can it be learned from and emulated? Probably, but only if all involved are willing to create the environment necessary to foster the necessary elements above. Nine times out of ten you get moribund management, an environment that discourages blunt position taking and a muddy route to the exit. The tenth time, though, you get magic.

And, hey, maybe we can take this opportunity to make that next meeting an email?


Facebook’s Spark AR platform expands to video calling with Multipeer API

At today’s F8 developer conference, Facebook announced new capabilities for Spark AR, its flagship AR creation software. Since Spark AR was announced at F8 2017, more than 600,000 creators from 190 countries have published over 2 million AR effects on Facebook and Instagram, making it the largest mobile AR platform, according to Facebook. If you’ve ever posted a selfie on your Instagram story with an effect that gave you green hair, or let you control a dog’s facial expression by moving your own face, then you’ve used Spark AR.

Soon, these AR effects will be available for video calling on Messenger, Instagram, and Portal with the introduction of a Multipeer API. Creators can develop effects that bring call participants together by using a shared AR effect. As an example, Spark AR shared a promo video of a birthday party held over a video call, in which an AR party hat appears on each of the participants’ heads. 

Creators can also develop games for users to play during their video calls. This already exists on Facebook video calls – think of the game where you compete to see who can catch the most flying AR hamburgers in their mouth in a minute. But when the ability to make new, lightweight games opens to developers, we’ll see some new games to challenge our friends with on video calls. 

These video call effects and multipeer AR games will be bolstered by Spark’s platform-exclusive multi-class segmentation capability. This lets developers augment multiple segments of a user’s body (like hair or skin) at once within a single effect.

Facebook also discussed its ongoing ambition to build AR glasses. Chris Barber, Director of Partnerships for Spark AR, said that this goal is still “years away” – but Barber did tease some potential features for the innovative, wearable tech.

“Imagine being able to teleport to a friend’s sofa to watch a show together, or being able to share a photo of something awesome you see on a hike,” Barber said. Maybe this won’t sound so dystopian by the time the product launches, years down the road. 

Last October, Spark AR launched the AR Partner Network, a program for the platform’s most advanced creators, and this year, Spark launched an AR curriculum through Facebook’s BluePrint Platform to help creators learn how to improve their AR effects. Applications for the Spark Partner Network will open again this summer. For now, creators and developers can apply to start building effects for video calling through the Spark AR Video Calling Beta.


Synctera raises $33M Series A to pair fintechs with banks

Synctera, which aims to serve as a matchmaker for community banks and fintechs, has raised $33 million in a Series A round of funding led by Fin VC.

The raise comes just under six months after the fintech raised $12.4 million in a seed round of funding.

New investors Mastercard and Gaingels also participated in the latest round, which included follow-on investments from Lightspeed Venture Partners, Diagram Ventures, SciFi Ventures and Scribble Ventures. Several angel investors put money in the Series A including Omri Dahan, Marqeta’s Chief Revenue Officer, Feedzai Chairman and CEO Nuno Sebastiao and Greenlight co-founder and CEO Tim Sheehan. 

Alongside the Series A, Synctera is also announcing its commitment to the new Cap Table Coalition – which includes funding from Gaingels, Neythri Futures Fund, Plexo Capital and over 20 angels – alongside other startups by allocating 10% of all funding rounds to “traditionally marginalized,” or underrepresented, investors via an SPV. (Fellow fintech Finix led the initiative earlier this year before forming this coalition but more on that later).

“This has exposed us to find great folks who we otherwise might not have known,” said Synctera’s co-founder and CEO Peter Hazlehurst. “That’s why we pledge to reserve 10% of this round and all future rounds to diverse investors.”

In a nutshell, San Francisco-based Synctera has developed a platform designed to help facilitate partnership banking. It was founded on the premise that some community banks and credit unions are actually turning down deals with young fintechs because the relationships can be too complicated or time-consuming to manage. Synctera’s goal is to connect community banks and fintechs to streamline the process with its “Banking-as-a-Service” (BaaS) platform.

TechCrunch recently caught up with Hazlehurst, who most recently served as head of Uber Money and previously also led development of Google Wallet and products related to its payments system.

Put simply, Synctera wants to make it easier for community banks and fintechs to partner with each other. It examines banks’ needs and then sets them up with a fintech that is best suited to meet those needs. It claims to “do the work for both parties,” managing the partnership from its back-end platform, while dealing with issues like regulatory compliance, which can be a deterrent for some companies. The process of managing, reconciling and billing banks can result in “a lot of operational overhead and complexity,” according to the company.

The company says it’s built a “diverse” marketplace of banks and fintech companies so that it can apply a “personalized touch to each match” and make sure that the parties “align on geography, brand ethos, and desired business goals.”

So far, Synctera has signed three banks with plans to sign on three more this month. The startup has already paired Coastal Community Bank – a local bank serving the greater Puget Sound community – with One, a new digital banking platform, and Ellevest, a new fintech. 

By using Synctera’s platform, the company claims, banks can more freely allow their fintech counterparts to offer FDIC-insured mobile checking, debit cards, savings accounts or innovations in payments to their prospective customers. They can also make more money doing so, Hazlehurst said, by bringing in more revenue beyond interchange fees.

“Like most small businesses, community banks have been hit hard by COVID-19,” he added. “We hope to further diversify community banks’ revenue streams.”

Banks can also more easily manage multiple relationships with various fintechs as the companies agree to adopt Synctera’s tech stack, the company claims.

“We build a single dashboard for a bank, so there’s a consolidated position across all fintechs,” Hazlehurst told me at the time of the company’s last raise. “It’s all about visibility for the bank.”

Currently Synctera has about 50 employees, including about two dozen engineers, most of whom are located in Canada, Hazlehurst said. The company plans to ramp up to 160 employees by year’s end with a focus on engineering, sales, marketing and customer success staff.

Looking ahead, Hazlehurst predicts that the fourth quarter will be “all about support for small business fintechs.”

“We want to create a neobank for gig economy workers, and want to add lending as a service,” he said. “But our next big phase is to onboard a lot of fintechs, and learn from them.”

Logan Allin, managing general partner and founder at Fin VC, believes that Banking-as-a-Service in general will transform legacy national and regional banks, credit unions, fintechs, corporate tech and retailers alike “as these players either seek to vertically integrate financial services or accelerate their digitization process.”

Synctera, he adds, has taken an approach with its tech stack that allows for integration with legacy community banks and their respective cores. This, Allin believes, will help ensure a “cloud native and scalable model” and made it an attractive investment. (Fin VC has also backed the likes of other fintechs such as Pipe and SoFi).

“Synctera’s peers are simply abstracting bank cores and serving as ‘API wrappers’ in a kludgy short-term approach and having come from the legacy bank and modern fintech worlds, we recognized that these players had not built sufficiently strong bridges across the ecosystem,” Allin told TechCrunch.

For his part, Finix Founder Richie Serna is thrilled that other startups are following his lead in the pledge to make their cap tables more diverse.

“After Finix announced our special purpose vehicle for Black and Latinx investors, the response was overwhelmingly positive,” he told TechCrunch. “Startups in every sector and at every stage have asked us how to recreate our SPV. In response, we started the Cap Table Coalition to make it as easy as possible for more high-growth startups, like Synctera, to take control over their cap tables,” said Richie Serna, CEO and co-founder of Finix. “We see this as an inflection point that will completely upend how the VC world functions.”

Meanwhile, Synctera is not the only player trying to help banks and fintechs forge partnerships. Last week, TechCrunch reported that Visa has expanded its Visa Fintech Partner Connect program, which is designed to help financial institutions quickly connect with a “vetted and curated” set of technology providers.


Goldman Sachs leads $202M investment in project44, doubling its valuation to $1.2B in a matter of months

The COVID-19 pandemic disrupted a lot in the world, and supply chains are no exception. 

A number of applications that aim to solve workflow challenges across the supply chain exist. But getting real-time access to information from transportation providers has remained somewhat elusive for shippers and logistics companies alike. 

Enter Project44. The 7-year-old Chicago-based company has built an API-based platform that it says acts as “the connective tissue” between transportation providers, third-party logistics companies, shippers and the systems. Using predictive analytics, the platform provides crucial real-time information such as estimated times of arrival (ETAs).

“Supply chains have undergone an incredible amount of change – there has never been a greater need for agility, resiliency, and the ability to rapidly respond to changes across the supply chain,” said Jason Duboe, the company’s Chief Growth Officer.

And now, project44 announced it has raised $202 million in a Series E funding round led by Goldman Sachs Asset Management and Emergence Capital. Girteka and Lineage Logistics also participated in the financing, which gives project44 a post-money valuation of $1.2 billion. That doubles the company’s valuation at the time of its Insight Partners-led $100 million Series D in December.

The raise is quite possibly the largest investment in the supply chain visibility space to date.

Project44 is one of those refreshingly transparent private companies that gives insight into its financials. This month, the company says it crossed $50 million in annual recurring revenue (ARR), which is up 100% year over year. It has more than 600 customers including some of the world’s largest brands such as Amazon, Walmart, Nestle, Starbucks, Unilever, Lenovo and P&G. Customers hail from a variety of industries including CPG, retail, e-commerce, manufacturing, pharma, and chemical.

Over the last year, the pandemic created a number of supply chain disruptions, underscoring the importance of technologies that help provide visibility into supply chain operations. Project44 said it worked hard to help customers to mitigate “relentless volatility, bottlenecks, and logistics breakdowns,” including during the Suez Canal incident where a cargo ship got stuck for days.

Looking ahead, Project44 plans to use its new capital in part to continue its global expansion. Project44 recently announced its expansion into China and has plans to grow in the Asia-Pacific, Australia/New Zealand and Latin American markets, according to Duboe.

“We are also going to continue to invest heavily in our carrier products to enable more participation and engagement from the transportation community that desires a stronger digital experience to improve efficiency and experience for their customers,” he told TechCrunch. The company also aims to expand its artificial intelligence (AI) and data science capabilities and broaden sales and marketing reach globally.

Last week, project44 announced its acquisition of ClearMetal, a San Francisco-based supply chain planning software company that focuses on international freight visibility, predictive planning and overall customer experience. With the buy, Duboe said project44 will now have two contracts with Amazon: road and ocean.

“Project44 will power what they are chasing,” he added.

And in March, the company also acquired Ocean Insights to expand its ocean offerings.

Will Chen, a managing director of Goldman Sachs Asset Management, believes that project44 is unique in its scope of network coverage across geographies and modes of transport.  

“Most competitors predominantly focus on over-the-road visibility and primarily serve one region, whereas project44 is a truly global business that provides end-to-end visibility across their customers’ entire supply chain,” he said.

Goldman Sachs Asset Management, noted project44 CEO and founder Jett McCandless, will help the company grow not only by providing capital but through its network and resources.


Belvo, LatAm’s answer to Plaid, raises $43M to scale its API for financial services

Belvo, a Latin American startup which has built an open finance API platform, announced today it has raised $43 million in a Series A round of funding.

A mix of Silicon Valley and Latin American-based VC firms and angels participated in the financing, including Future Positive, Kibo Ventures, FJ Labs, Kaszek, MAYA Capital, Venture Friends, Rappi co-founder and president Sebastián Mejía, Harsh Sinha, CTO of Wise (formerly Transferwise), and Nubank CEO and founder David Vélez.

Citing Crunchbase data, Belvo believes the round represents the largest series A ever raised by a Latin American fintech. In May 2020, Belvo raised a $10 million seed round co-led by Silicon Valley’s Founders Fund and Argentina’s Kaszek.

Belvo aims to work with leading fintechs in Latin America, spanning across verticals like the neobanks, credit providers and personal finance products Latin Americans use every day.

The startup’s goal with its developer-first API platform that can be used to access and interpret end-user financial data is to build better, more efficient and more inclusive financial products in Latin America. Developers of popular neobank apps, credit providers and personal finance tools use Belvo’s API to connect bank accounts to their apps to unlock the power of open banking.

As TechCrunch Senior Editor Alex Wilhelm explained in this piece last year, Belvo might be considered similar to U.S.-based Plaid, but more attuned to the Latin American market so it can take in a more diverse set of data to better meet the needs of the various markets it serves. 

So while Belvo’s goals are “similar to the overarching goal[s] of Plaid,” co-founder and co-CEO Pablo Viguera told TechCrunch that Belvo is not merely building a banking API business hoping to connect apps to financial accounts. Instead, Belvo wants to build a finance API, which takes in more information than is normally collected by such systems. Latin America is massively underbanked and unbanked so the more data from more sources, the better.

“In essence, we’re pushing for similar outcomes [as Plaid] in terms of when you think about open banking or open finance,” Viguera said. “We’re working to democratize access to financial data and empower end users to port that data, and share that data with whoever they want.”

The company operates under the premise that just because a significant number of the region’s population is underbanked doesn’t mean that they aren’t still financially active. Belvo’s goal is to link all sorts of accounts together. For example, Viguera told TechCrunch that some gig-economy companies in Latin America are issuing their own cards that allow workers to cash out at small local shops. In time, all those transactions are data that could be linked up using Belvo, casting a far wider net than what we’re used to domestically.

The company’s work to connect banks and non-banks together is key to the company’s goal of allowing “any fintech or any developer to access and interpret user financial data,” according to Viguera.

Viguera and co-CEO Oriol Tintoré founded Belvo in May of 2019, and the company was part of Y Combinator’s Winter 2020 batch. Since launching its platform last year, the company says it has built a customer base of over 60 companies across Mexico, Brazil and Colombia, handling millions of monthly API calls.

This is important because as Alex noted last year, similar to other players in the API-space, Belvo charges for each API call that its customers use (in this sense, it has a model similar to Twilio’s). 

Also, over the past year, Belvo says it expanded its API coverage to over 40 financial institutions, which gives companies the ability to connect to over 90% of personal and business bank accounts in LatAm, as well as to tax authorities (such as the SAT in Mexico) and gig economy platforms.

“Essentially we take unstructured financial data, which an individual might have outside of a bank such as integrations we have with gig economy platforms such as Uber and Rappi. We can take a driver’s information from their Uber app, which is kind of built like a bank app and turn it into meaningful bank-like info which third parties can leverage to make assessments as if it’s data coming from a bank,” Viguera explained.

The startup plans to use its new capital to scale its product offering, continue expanding its geographic footprint and double its current headcount of 70. Specifically, Belvo plans to hire more than 50 engineers in Mexico and Brazil by year’s end. It currently has offices in Mexico City, São Paulo, and Barcelona. The company also aims to launch its bank-to-bank payment initiation offering in Mexico and Brazil.

Belvo currently operates in Mexico, Colombia and Brazil. 

But it’s seeing “a lot of opportunity” in other markets in Latin America, especially in Chile, Peru and Argentina, Viguera told TechCrunch. “In due course, we will look to pursue expansion there.” 

Fred Blackford, founding partner of Future Positive, believes Belvo represents a “truly transformational opportunity for the region’s financial sector.”

Nicolás Szekasy, co-founder and managing partner of Kaszek, noted that demand for financial services in Latin America is growing at an exponential rate.

“Belvo is developing the infrastructure that will enable both the larger institutions and the emerging generation of younger players to successfully deploy their solutions,” he said. “Oriol, Pablo, and the Belvo team have been leading the development of a sophisticated platform that resolves very complex technical challenges, and the company’s exponential growth reflects how it is delivering a product that fits perfectly with the requirements of the market.”


Peloton and Echelon profile photos exposed riders’ real-world locations

Security researchers say at-home exercise giant Peloton and its closest rival Echelon were not stripping user-uploaded profile photos of their metadata, in some cases exposing users’ real-world location data.

Almost every file, photo or document contains metadata, which is data about the file itself, such as how big it is, when it was created, and by whom. Photos and video will often also include the location from where they were taken. That location data helps online services tag your photos or videos that you were at this restaurant or that other landmark.

But those online services — especially social platforms, where you see people’s profile photos — are supposed to remove location data from the file’s metadata so other users can’t snoop on where you’ve been, since location data can reveal where you live, work, where you go, and who you see.

Jan Masters, a security researcher at Pen Test Partners, found the metadata exposure as part of a wider look at Peloton’s leaky API. TechCrunch verified the bug by uploading a profile photo with GPS coordinates of our New York office, and checking the metadata of the file while it was on the server.

The bugs were privately reported to both Peloton and Echelon.

Peloton fixed its API issues earlier this month but said it needed more time to fix the metadata bug and to strip existing profile photos of any location data. A Peloton spokesperson confirmed the bugs were fixed last week. Echelon fixed its version of the bug earlier this month. But TechCrunch held this report until we had confirmation that both companies had fixed the bug and that metadata had been stripped from old profile photos.

It’s not known how long the bug existed or if anyone maliciously exploited it to scrape users’ personal information. Any copies, whether cached or scraped, could represent a significant privacy risk to users whose location identifies their home address, workplace, or other private location.

Parler infamously didn’t scrub metadata from user-uploaded photos, which exposed the locations of millions of users when archivists exploited weaknesses on the platform’s API to download its entire contents. Others have been slow to adopt metadata stripping, like Slack, even if it got there in the end.


Salt Security lands $70M for tech to protect APIs from malicious abuse

APIs make the world go round in tech, but that also makes them a very key target for bad actors: as doorways into huge data troves and services, malicious hackers spend a lot of time looking for ways to pick their locks or just force them open when they’re closed, in order to access that information. And a lot of recent security breaches stemming from API vulnerabilities (see here, here, and here for just a few) show just how real and current the problem is.

Today, a company that’s building a network of services to help those using and producing APIs to identify and eradicate those risks is announcing a round of funding to meet a growing demand for its services. Salt Security, which provides AI-based technology to identify issues and stop attacks across the whole of your API library, has closed $70 million in funding, money that it will be using both to meet current demand but also continue building out its technology for a wider set of services and use cases for API management.

The funding is being led by Advent International, by way of Advent Tech, with Alkeon Capital, DFJ Growth and previous backers Sequoia Capital, Tenaya Capital, S Capital VC, and Y Combinator all also participating.

Salt, founded in Israel and now active globally, is not disclosing valuation but I understand from a reliable source that it is in the region of $600-700 million.

As with many of the funding rounds that seem to be getting announced these days, this one is coming on the heels of both another recent round, as well as strong growth. Salt has raised $131 million since 2016, but nearly all of that — $120 million, to be exact — has been raised in the last year.

Part of the reason for that is Salt’s performance: in the last 12 months, it’s seen revenue grow 400% — with customers including a range of Fortune 500 and other large businesses in the financial services, retail and SaaS sectors like Equinix, Finastra, TripActions, Armis, and DeinDeal; headcount grow 160%; and, perhaps most importantly, API traffic on its network grow 380%.

That growth in API traffic underscores the issue that Salt is tackling. Companies these days use a variety of APIs — some private, some public — in their tech stack as a way to interface with other businesses and run their services. APIs are a huge part of how the Internet and digital services operate, with Akamai estimating that as much as 83% of all IP traffic is API traffic.

The problem, Roey Eliyahu, CEO and co-founder of Salt Security told me, is that this usage has outpaced how well many manage those APIs.

“How APIs have evolved is very different to how developers used APIs years ago,” he said. “Before, there were very few, and you could say they were more manageable, and they contained less sensitive data, and there were very few changes and updates made to them,” he said. “Today with the pace of development, not only are they always getting updated, but you have thousands of them now touching crown jewels of the company.”

This has made them a prime target for malicious hackers. Eliyahu notes Gartner stats that predict that by 2022, APIs will make up the largest attack vector in cybercrime.

Salt’s approach starts with taking stock of a whole network and doing a kind of spring clean to find all the APIs that might be used or abused.

“Companies don’t know how many APIs they even have,” Eliyahu said, noting that some 40%-80% of the APIs in existence for a typical company’s data are not even in active operation, lying there as “shadow APIs” for someone to pick up and misuse.

It then looks at what vulnerabilities might inadvertently be contained in this mix and makes suggestions for how to alter them to fix that. After this, it also monitors how they are used in order to stop attacks as they happen. The third of these also involves remediation “insights”, but carrying out the remediation is done by third parties at the moment, Eliyahu said. All of this is done through Salt’s automated, AI-based, flagship Salt Security API Protection Platform.

There are a number of competitors in the same space as Salt, including Ping, and newer players like Imvision and 42Crunch (which raised funding earlier this month), and the list is likely to grow as not just other API management companies get deeper into this huge space, but cyber security companies do, too.

“The rapid proliferation of APIs has dramatically altered the attack surface of applications, creating a major challenge for large enterprises since existing security mechanisms cannot protect against this new threat,” said Bryan Taylor, managing partner and head of Advent’s technology team, in a statement. “We continue to see API security incidents make the news headlines and cause significant reputational risk for companies. As we investigated the API security market, Salt stood out for its multi-year technical lead, significant customer traction and references, and talented team. We look forward to drawing on our deep experience in this sector to partner with Salt in this exciting new chapter.”


Microsoft launches new tools for Teams developers

At its (virtual) Build conference today, Microsoft launched a number of new features, tools and services for developers who want to integrate their services with Teams, the company’s Slack competitor. It’s no secret that Microsoft basically looks at Teams, which now has about 145 million daily active users, as the new hub for employees to get work done, so it’s no surprise that it wants third-party developers to bring their services right to Teams as well. And to do so, it’s now offering a set of new tools that will make this easier and enable developers to build new user experiences in Teams.

There’s a lot going on here, but maybe the most important news is the launch of the enhanced Microsoft Teams Toolkit for Visual Studio and Visual Studio Code.

“This essentially enables developers to build apps easier and faster — and to build very powerful apps tapping into the rich Microsoft stack,” Microsoft group program manager Archana Saseetharan explained. “With the updated toolkit […], we enable flexibility for developers. We want to meet developers where they are.”

The toolkit offers support for tools and frameworks like React, SharePoint and .NET. Some of the updates the team enabled with this release are integration with Azure Functions, the SharePoint Framework integration and a single-line integration with the Microsoft Graph. Microsoft is also making it easier for developers to integrate an authorization workflow into their Teams apps. “Login is the first kind of experience of any user with an app — and most of the drop-offs happen there,” Saseetharan said. “So [single-sign on] is something we completely are pushing hard on.”

The team also launched a new Developer Portal for Microsoft Teams that makes it easier for developers to register and configure their apps from a single tool. ISVs will also be able to use the new portal to offer their apps for in-Teams purchases.

Other new Teams features for developers include ways to build real-time multi-user experiences like whiteboards and project boards, a new meeting event API to build meeting-related workflows for when a meeting starts and ends, and new features for the Teams Together mode that will let developers design their own Together experiences.

There are a few other new features here as well, but what it all comes down to is that Microsoft wants developers to consider Teams as a viable platform for their services — and with 145 million daily active users, that’s potentially a lucrative way for software firms to get their services in front of a new audience.

“Teams is enabling a new class of apps called collaborative apps,” said Karan Nigam, Microsoft’s director of product marketing for Teams. “We are uniquely positioned to bring the richness to the collaboration space — a ton of innovation to the extensibility side to make apps richer, making it easier with the toolkit update, and then have a single-stop shop with the developer portal where the entire lifecycle can be managed. Ultimately, for a developer, they don’t have to go to multiple places, it’s one single flow from the business perspective for them as well.”


Microsoft brings more of its Azure services to any Kubernetes cluster

At its Build developer conference today, Microsoft announced a new set of Azure services (in preview) that businesses can now run on virtually any CNCF-conformant Kubernetes cluster with the help of its Azure Arc multi-cloud service.

Azure Arc, similar to tools like Google’s Anthos or AWS’s upcoming EKS Anywhere, provides businesses with a single tool to manage their container clusters across clouds and on-premises data centers. Since its launch back in late 2019, Arc enabled some of the core Azure services to run directly in these clusters as well, though the early focus was on a small set of data services, with the team also later adding some machine learning tools to Arc as well. With today’s update, the company is greatly expanding this set of containerized Azure services that work with Arc.

These new services include Azure App Service for building and managing web apps and APIs, Azure Functions for event-driven programming, Azure Logic Apps for building automated workflows, Azure Event Grid for event routing, and Azure API Management for… you guessed it… managing internal and external APIs.

“The app services are now Azure Arc-enabled, which means customers can deploy Web Apps, Functions, API gateways, Logic Apps and Event Grid services on pre-provisioned Kubernetes clusters,” Microsoft explained in its annual “Book of News” for this year’s Build. “This takes advantage of features including deployment slots for A/B testing, storage queue triggers and out-of-box connectors from the app services, regardless of run location. With these portable turnkey services, customers can save time building apps, then manage them consistently across hybrid and multicloud environments using Azure Arc.”


Snap emphasizes commerce in updates to its camera and AR platforms

At Snap’s Partner Summit, the company announced a number of updates to the company’s developer tools and AR-focused Lens Studio including several focused on bringing shopping deeper into the Snapchat experience.

One of the cooler updates involved the company’s computer vision Scan product, which analyzes content in a user’s camera feed to quickly bring up relevant information. Snap says the feature is used by around 170 million users per month. Scan, which has now been given more prominent placement inside the camera section of the app, has been upgraded with commerce capabilities with a feature called Screenshop.

Users can now use their Snap Camera to scan a friend’s outfit after which they’ll quickly be served up shopping recommendations from hundreds of brands. The company is using the same technology for another upcoming feature that will allow users to snap pictures of ingredients in their kitchen and get served recipes from Allrecipes that integrate them.

The features are part of a broader effort to intelligently suggest lenses to users based on what their camera is currently focused on.

Businesses will now be able to establish public profiles inside Snapchat where users can see all of their different offerings, including Lenses, Highlights, Stories and items for sale through Shop functionality.

On the augmented reality side, Snap is continuing to emphasize business solutions with API integrations that make lenses smarter. Retailers will be able to use the Business Manager to integrate their product catalogs so that users can only access try-on lenses for products that are currently in stock.

Partnerships with luxury fashion platform Farfetch and Prada will tap into further updates to the AR platform including technical 3D mesh advances that make trying on clothing virtually appear more realistic. Users will also be able to use voice commands and visual gestures to cycle between items they’re trying on in the new experiences.

“We’re excited about the power of our camera platform to bring Snapchatters together with the businesses they care about in meaningful ways,” said Snap’s global AR product lead Carolina Arguelles Navas. “And, now more than ever, our community is eager to experience and try on, engage with, and learn about new products, from home.”


Privacy.com rebrands to Lithic, raises $43M for virtual payment cards

When Privacy.com was founded in 2014, the company’s focus was to let anyone generate virtual and disposable payment card numbers for free.

The goal was to allow those users to keep their actual credit card numbers safe while allowing the option to cut off companies from their bank accounts. In an age of near-constant data breaches and credit card skimmers targeting unsuspecting websites, Privacy.com has made it harder for hackers to get anyone’s real credit card details.

The concept has appealed to many. At the time of its $10.2 million Series A last July, Privacy.com said it had issued 5 million virtual card numbers. Today, that number has more than doubled, to over 10 million, according to CEO and co-founder Bo Jiang.

“We set out to create the safest and fastest way to pay online. Our mobile app and web browser extension lets you generate a virtual card for every purchase you want to make online,” Jiang explained. “That can be especially convenient for things like managing subscriptions or making sure your kid doesn’t spend $1,000 on Fortnite skins.”

Over the years, the New York-based company realized the value in the technology it had developed to issue the virtual and disposable payment cards. So after beta testing for a year, Privacy.com launched its new Card Issuing API in 2020 to give corporate customers the ability to create payment cards for their customers, optimize back-office operations or simplify disbursements.

The early growth of the new card issuing platform, dubbed Lithic, has prompted the startup to shift its business strategy — and rebrand.

In the process of building out its consumer product, Privacy.com ended up building a lot of infrastructure around programmatically creating cards.

“If you think about the anatomy of credit/debit card transactions there’s a number of modern processors such as Stripe, Adyen, Braintree and Checkout,” Jiang told TechCrunch. “On the flip side, we’re focused on card creation and issuing, and the APIs for actually creating cards. That side has lagged the card acquiring side by five to seven years…We’ve built a lot to support card creation for ourselves, and realized tons of other developers need this to create cards.”

As part of its new strategy, Privacy.com announced today that it has changed its name to Lithic and raised $43 million in Series B funding led by Bessemer Venture Partners to double down on its card issuing platform and new B2B focus. Index Ventures, Tusk Venture Partners, Rainfall Ventures, Teamworthy Ventures and Walkabout Ventures also participated in the financing, which brings Lithic’s total raised to date to $61 million.

Privacy.com, the company’s consumer product, will continue to operate as a separate brand powered by the Lithic card issuing platform.

Put simply, Lithic was designed to make it simple for developers to programmatically create virtual and physical payment cards. Jiang is encouraged by the platform’s early success, noting that enterprise issuing volumes tripled in the last four months. It competes with the likes of larger fintech players such as Marqeta and Galileo, although Jiang notes that Lithic’s target customer is more of an early-stage startup than a large, established company.

“Marqeta, for example, goes after enterprise and is less focused on developers and making their infrastructure accessible. And, Galileo too,” he told TechCrunch. “When you compare us to them, because we’re a younger company, we have the benefit of building a much more modern infrastructure. That allows us to bring costs down but also to be more nimble to the needs of startups.”

The benefits touted by Lithic’s “self-serve” platform include being able to “instantly” issue a card and “accessible building blocks,” or what the company describes as focused functionality so developers can include only the features they want.

Another benefit? An opportunity for a new revenue stream. Developers earn back a percentage of interchange revenue generated by the merchant, according to Lithic. “What we’ve noticed is a lot of folks have really big ambitions to build more of a stack in-house. We offer a path for folks by bringing more of a payments piece of the world that they can build for scale,” he said. “As a result of all these things, we end up not competing head to head with Marqeta, for example, on a ton of deals.”

The company charges a fee per card for Lithic API customers (it’s free for Privacy.com). And it makes money on interchange fees with both offerings.

For Charles Birnbaum, partner at Bessemer Venture Partners, the shift from B2C to B2B is a smart strategy. He believes Lithic is building a critical piece of the embedded fintech and payments infrastructure stack.

“We have been big fans of the Privacy.com team and product since the beginning, but once we started to see such strong organic growth across the fintech landscape for their new card processing developer platform the past year, we just had to find a way to partner with the team for this next phase of growth,” he said.

Index Ventures partner Mark Goldberg notes that as every business becomes a fintech, there’s been an “explosion” in demand for online payments and card issuance.

“Lithic has stood out to us as being the developer-friendly solution here — it’s fast, powerful and insanely easy to get up-and-running,” he said. “We’ve heard from customers that Lithic can power a launch in the same amount of time it takes an incumbent issuer to return a phone call.”

Lithic plans to use its new capital to expand the tools and tech it offers to developers to issue and manage virtual cards as well as enhance its Privacy.com offering.


API security startup 42Crunch raises $17M Series A led by Energy Impact Partners

With security top of mind in many companies these days, especially given how many staff work at home, there is one area that remains chronically ignored: that of the world of APIs which power all of the platforms we all use every day.

Now, a significant player in the cybersecurity of APIs is super-charging its offering. 42Crunch, an API security startup, has raised $17 million in a Series A round led by Energy Impact Partners. Adara Ventures also participated.

42Crunch has a ‘micro firewall’ for APIs which aims to protect against attacks listed in the OWASP Top 10 for API Security. It is used by companies such as Mulesoft, Ford Motors, and Qualys.

CEO and Co-Founder of 42Crunch, Jacques Declas said: “What do the recent data breaches at Tesla, Facebook, and Clubhouse have in common? They all came about due to API vulnerabilities. 83% of internet traffic now comes from APIs but traditional firewall approaches are not adapted to cope with the specific threats that APIs create.”

The three French co-founders came up with the idea after seeing the number of APIs used by customers proliferate.

The normal approach to firewalls – relying on patterns and signatures to detect potential incursions – does not work when it comes to API traffic. 42Crunch claims its platform can individually protect each API, and prevent common cyber-attacks such as injections but also API-specific attacks.

Isabelle Mauny, Co-founder and CTO of 42Crunch, said: “Protecting APIs from threats at runtime is only part of the story. APIs will only be truly secured when security becomes part of the developer’s flow, rather than an afterthought.”

Nazo Moosa, Co-Managing Partner, Energy Impact Partners added: “42Crunch’s ‘shift-left approach’ to the creation of secure-by-design APIs fits strongly with EIP’s vision of protecting global critical infrastructure. The company’s six-digit customer wins last year were catalytic to our decision to lead the round.”


Merge raises $4.5M to help B2B companies build customer-facing integrations

Merge, a startup that helps its users build customer-facing integrations with third-party tools, today announced that it has raised a $4.5 million seed round led by NEA. Additional angel investors include former MuleSoft CEO Greg Schott, Cloudflare CEO Matthew Prince, Expanse co-founders Tim Junio and Matt Kraning, and Jumpstart CEO Ben Herman.

Launched in 2020, the core focus of Merge is to give B2B companies a unified API to access data from what is currently about 40 HR, payroll, recruiting and accounting platforms, with plans for expanding to additional areas soon. But Merge co-founders Shensi Ding and Gil Feig, who have been lifelong friends and previously worked at companies like Expanse and Jumpstart, stress that the service isn’t aiming to replace workflow tools Workato or Zapier.


“What we built is more similar to Plaid than MuleSoft or other things,” Feig said. “We built a unified API, so we’re fully embedded in a customer’s product and they build one integration with us and can automatically offer all these integrations to their customers. On top of that, we offer what we call integrations management, which is a suite of tools to automatically detect issues where the customer would have to get involved — automatically detect that stuff and handle it without ever having to involve engineering again.”

When Merge’s systems detect issues with an integration, maybe because a data schema in an API response has changed without notice (which happens with some regularity), Merge’s engineers can fix that within minutes, in part because the teams also built an internal no-code tool for building and managing these integrations.


As Ding also noted, B2B buyers today simply expect their tools to feature integrations with the services they use. “Companies, when they purchase a vendor, they expect that vendor to have integrations with all the other vendors that they own,” she said. “They don’t want to have to purchase a vendor and then purchase a workflow product and then connect those products.”

And while Merge’s focus right now is squarely on a few verticals, the plan is to expand this to far more areas shortly, likely starting with CRM. “Salesforce has a pretty large market share, so we thought that it wasn’t going to be as interesting of a market,” Ding said. “But it turns out that their API is so complex that customers would still prefer to integrate with us instead if we simplify it for them.”

Ding and Feig tell me the company, which came out of stealth about two months ago, already has about 100 organizations on its platform, varying from seed-stage companies to publicly listed enterprises. The team credits its focus on security and reliability (and its SOC II compliance) with being able to bring on some of these larger companies despite being a seed-stage company itself.

To monetize the service, Merge offers a free tier (up to 10,000 API requests per month) and charges $0.01 per API request for additional usage. Unsurprisingly, the company also offers customized enterprise plans for its larger customers.

“The time and expense associated with building and maintaining myriad API integrations is a pain point we hear about consistently from our portfolio companies across all industries,” said NEA managing general partner Scott Sandell, who will join the company’s board. “Merge is tackling this ubiquitous problem head-on via their easy-to-use, unified API platform. Their platform has broad applicability and is a massive upgrade for any software company that needs to build, manage, and maintain multiple API integrations.”


Echelon exposed riders’ account data, thanks to a leaky API


Peloton wasn’t the only at-home workout giant exposing private account data. Rival exercise giant Echelon also had a leaky API that let virtually anyone access riders’ account information.

Fitness technology company Echelon, like Peloton, offers a range of workout hardware — bikes, rowers, and a treadmill — as a cheaper alternative for members to exercise at home. Its app also lets members join virtual classes without the need for workout equipment.

But Jan Masters, a security researcher at Pen Test Partners, found that Echelon’s API allowed him to access the account data — including name, city, age, sex, phone number, weight, birthday, and workout statistics and history — of any other member in a live or pre-recorded class. The API also disclosed some information about members’ workout equipment, such as its serial number.

Masters, if you recall, found a similar bug with Peloton’s API, which let him make unauthenticated requests and pull private user account data directly from Peloton’s servers without the server ever checking to make sure he (or anyone else) was allowed to request it.

Echelon’s API allows its members’ devices and apps to talk with Echelon’s servers over the internet. The API was supposed to check if the member’s device was authorized to pull user data by checking for an authorization token. But Masters said the token wasn’t needed to request data.

Masters also found another bug that allowed members to pull data on any other member because of weak access controls on the API. Masters said this bug made it easy to enumerate user account IDs and scrape account data from Echelon’s servers. Facebook, LinkedIn, Peloton and Clubhouse have all fallen victim to scraping attacks that abuse access to APIs to pull in data about users on their platforms.
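The two flaws described above, a token that is never checked and a record lookup that does not verify the caller's right to that record, shown beside a corrected handler and a simple check for ID enumeration in access logs. This is an added example, not Echelon's code; the token store, member records, field names and the choice of which fields are public are all assumptions.

```python
# Added illustration of a member-profile endpoint; not Echelon's code.
# Token store, member records and field names are constructed for the example.
from collections import defaultdict

TOKENS = {"tok-alice": 1001, "tok-bob": 1002}   # bearer token -> member ID
MEMBERS = {
    1001: {"name": "Alice", "city": "Leeds", "phone": "555-0101", "weight_kg": 61},
    1002: {"name": "Bob", "city": "York", "phone": "555-0102", "weight_kg": 82},
}
PUBLIC_FIELDS = {"name"}   # assumption: what other class members may see


def get_member_vulnerable(headers, member_id):
    """The behaviour described: the token is never checked, any ID returns everything."""
    record = MEMBERS.get(member_id)
    return (200, dict(record)) if record else (404, None)


def get_member_hardened(headers, member_id):
    """Authenticate the caller, then authorize access to this particular record."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    caller = TOKENS.get(token) if scheme == "Bearer" else None
    if caller is None:
        return 401, None                      # missing or unknown token
    record = MEMBERS.get(member_id)
    if record is None:
        return 404, None
    if caller == member_id:
        return 200, dict(record)              # owner sees the full record
    return 200, {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def flag_enumeration(access_log, max_distinct=3):
    """Return callers that requested more than max_distinct other members' IDs."""
    seen = defaultdict(set)
    for caller, member_id in access_log:
        if caller != member_id:
            seen[caller].add(member_id)
    return sorted(c for c, ids in seen.items() if len(ids) > max_distinct)
```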

Ken Munro, founder of Pen Test Partners, disclosed the vulnerabilities to Echelon on January 20 in a Twitter direct message, since the company doesn’t have a public-facing vulnerability disclosure process (which it says is now “under review”). But the researchers did not hear back during the 90 days after the report was submitted, the standard amount of time security researchers give companies to fix flaws before their details are made public.

TechCrunch asked Echelon for comment, and was told that the security flaws identified by Masters — which he wrote up in a blog post — were fixed in January.

“We hired an outside service to perform a penetration test of systems and identify vulnerabilities. We have taken appropriate actions to correct these, most of which were implemented by January 21, 2021. However, Echelon’s position is that the User ID is not PII [personally identifiable information],” said Chris Martin, Echelon’s chief information security officer, in an email.

Echelon did not name the outside security company. While the company said it keeps detailed logs, it did not say if it had found any evidence of malicious exploitation.

But Munro disputed the company’s claim of when it fixed the vulnerabilities, and provided TechCrunch with evidence that one of the vulnerabilities was not fixed until at least mid-April, and another vulnerability could still be exploited as recently as this week.

When asked for clarity, Echelon did not address the discrepancies. “[The security flaws] have been remediated,” Martin reiterated.

Echelon also confirmed it fixed a bug that allowed users under the age of 13 to sign up. Many companies block access to children under the age of 13 to avoid complying with the Children’s Online Privacy Protection Act, or COPPA, a U.S. law that puts strict rules on what data companies can collect on children. TechCrunch was able to create an Echelon account this week with an age less than 13, despite the page saying: “Minimum age of use is 13 years old.”


Pomelo raises $9M to build a payments infrastructure for LatAm fintechs

Pomelo, a startup building a fintech-as-a-service platform for Latin America, has raised $9 million in a seed round of funding.

The Buenos Aires-based startup’s new infrastructure aims to allow fintechs and embedded finance players to launch virtual accounts and issue prepaid and credit cards via “compliant” onboarding processes.

The COVID-19 pandemic has accelerated the adoption of digital payments all over the world, and Latin America is no exception. While the majority of transactions are still done in cash, there are still over a billion cards in the region.

Cards have an estimated payments volume of $900 billion per year, and yet 95% of these transactions are being processed by local incumbents, asserts Pomelo. This is a problem the company’s founders experienced firsthand in previous roles, and are eager to solve by creating a new payments infrastructure.

“We know from previous experiences…that building a fintech, and particularly issuing cards, in Latin America is a real nightmare,” said Pomelo co-founder and CEO Gaston Irigoyen. “It takes anywhere from 12 to 18 months to launch a simple prepaid card, and unfortunately companies have to go through the painful experience of repeating the process in every market where they operate.”

Pomelo’s goal is to solve the problem by creating a new generation of financial services infrastructure that allows companies to build a fintech business and launch cards “much faster” throughout Latin America. For now, the three-month-old company is in its infancy — the pre-product phase, which makes it even more notable that the company managed to raise such a large seed round.

This round caught our eye for a few other reasons. For one, the three co-founders of the Buenos Aires-based startup were former executives at Mastercard, Google LatAm, Mercado Pago and Naranja X. CEO Irigoyen was an early employee at Google LatAm. He is also a third-time founder with two exits (one to TripAdvisor) and former CEO of Naranja X, Argentina’s largest neobank, with millions of customers. Juan Fantoni was the former director of fintech at Mastercard, where he signed issuing deals with a number of large companies. And Hernan Corral was the CPO of Naranja X and previously head of digital accounts & cards at Mercado Pago.

Next, the caliber of Pomelo’s investors. U.S.-based Index Ventures and Brazil’s monashees co-led the funding round, which also included participation from QED’s Fontes, Max Levchin’s SciFi, Latitud, Biz Stone’s Future Positive, 20VC, Addition, FJ Labs and a16z’s Angela Strange, as well as the founders of Marqeta, Rappi, Auth0, Kavak, Loft and RecargaPay.

If you’re looking for comparisons to U.S.-based fintechs, Irigoyen said it’s got a little bit of Galileo, Marqeta and Stripe in what it’s building out.

Caio Bolognesi, partner at monashees, said his firm has been very bullish on the financial infrastructure space as a whole. They were drawn to Pomelo in part because its founders had been senior tech executives at leading fintech companies in the region and because many of its portfolio companies had already manifested the need for a better solution in this space.

Index Ventures’ Mark Fiorentino agrees that the company’s founder-market fit was crucial in his firm’s decision to invest.

“They have the DNA of the most well-known payments companies within the LATAM fintech ecosystem… and have lived through the pain points and keyed in on this opportunity through firsthand experience,” he said.

In general, Fiorentino believes that while the need for embedded financial products is becoming increasingly ubiquitous in the Latin American market, it’s important to note that the region “is far from a carbon copy” of the U.S. market with different dynamics.

For one, he said, existing solutions in the Latin American market are either “outdated” offerings from legacy financial institutions or “subpar” iterations from U.S. incumbents.

“It takes over 12 months for a business to spin up a plastic or digital card for itself. And because most legacy processors are owned by banks or large financial institutions that have been around for decades, pricing is inflexible and expensive,” Fiorentino told TechCrunch. “And if that wasn’t enough of a headache, stable reliability has been a huge pain point with these issuer processors. Pomelo is building the dev-first, self-serve API solution to address this clear market need.”

Looking ahead, Pomelo plans to use its new capital in part to open offices in São Paulo, Brazil and Mexico City, and hire dozens of people in those cities as well as in its home base of Argentina. The company currently has about 15 employees, 11 of whom are engineers. It of course plans to continue building out its offering.
