UK police arrest teenager suspected of Uber, GTA 6 hacks

Police in London have confirmed a 17-year-old teenager, who is suspected of involvement in high-profile breaches at ride hailing giant Uber and Rockstar Games, has been charged with multiple counts of computer misuse and breaches of bail.

The suspect, whose name was not released due to U.K. reporting restrictions on identifying non-adults, was arrested in Oxfordshire on September 22 as part of an investigation by the City of London Police, which primarily focuses on financial crimes, and supported by the U.K.’s National Crime Agency.

“The City of London Police arrested a 17-year-old in Oxfordshire [on September 22] on suspicion of hacking, as part of an investigation supported by the National Crime Agency’s (NCA) National Cyber Crime Unit (NCCU),” said Detective Inspector Michael O’Sullivan from the City of London Police’s Cyber Crime Unit. “He has been charged in connection with this investigation and remains in police custody.”

The police declined to say what incident the teenager’s arrest was in connection with.

Uber said last week that it believes a hacker affiliated with the Lapsus$ hacking group was responsible for its recent cyberattack, which forced the company to take several of its internal tools offline while it expelled the hacker from its network. The transportation giant said its breach may have been carried out by the same hacker that also hacked Rockstar Games, the video game publisher behind the upcoming Grand Theft Auto 6, which resulted in the release of dozens of videos containing unreleased footage and gameplay.

In several posts on GTAForums, an online fan forum for the Grand Theft Auto series, a user who goes by the handle “teapotuberhacker” claimed to be the same person responsible for Uber’s breach.

While the teenager’s identity remains unknown — and likely will for many months — the latest charges are believed to be linked to earlier arrests in March, which saw the City of London Police arrest seven people between the ages of 16 and 21 for suspected connections to the Lapsus$ hacking group. Lapsus$ was blamed for breaches at Okta, Microsoft, Nvidia and Samsung earlier this year.

Several of the arrested individuals were released on bail, subject to certain conditions.

At the time, Bloomberg reported that a then-16-year-old teenager based in Oxfordshire, U.K. was suspected of being the mastermind of the Lapsus$ hacking group. Four researchers investigating the gang’s recent hacks said they believed the teenager, who uses the online moniker “White” or “Breachbase,” was a leading figure in Lapsus$. Bloomberg tracked down the suspected hacker after his personal information was doxxed online, allegedly by rival hackers.

UK police arrest teenager suspected of Uber, GTA 6 hacks by Carly Page originally published on TechCrunch

4 employment law mistakes startups can stop making today

As the old saying goes, your people are your business’ most important assets. And that’s true for startups as well.

As we’ve seen over the past several years, attracting and retaining talented workers remains one of the biggest challenges startups face. Without enough employees, finding product-market fit and scaling a business can be extremely difficult, if not impossible.

While startups like to “move fast and break things,” when it comes to building a workforce, it’s important to slow down and ensure you’re complying with employment laws and putting in place sound employment practices.

In this article, we’ll run through four employment law mistakes that startups should avoid making. But first, let’s review the scope of laws that may affect your startup as well as some of the risks of non-compliance.

Which employment laws apply?

A poorly written employee handbook is often worse than no handbook at all.

All businesses have to figure out which employment laws apply to them. There are federal, state and local laws and regulations that may impose obligations on your startup, and these may be about everything from paid leaves to whether a non-compete agreement is enforceable.

The difficulty of figuring this out gets compounded when a business has different locations, because laws vary from state to state and city to city. Beyond jurisdictional distinctions, different laws and regulations will apply based on factors like the company’s size and number of employees. For many federal laws, 50 employees is an important threshold — for example, private employers with fewer than 50 employees are not covered by the Family and Medical Leave Act, but they may be covered by state family and medical leave laws.

The patchwork of various employment laws and regulations that may apply to your startup can be confusing. That’s why it’s important to focus on these issues and get help when necessary so your startup can understand and comply with its obligations.

4 employment law mistakes startups can stop making today by Ram Iyer originally published on TechCrunch

How do you fix a hack like Uber’s?

Ride hailing giant Uber says its services are operational following a “cybersecurity incident” last week that saw a hacker break into the company’s network and access systems that store vast troves of customer data.

Uber said little about the incident until Monday. Screenshots from inside Uber’s network, posted to Twitter by security researchers in conversations with the hacker, showed access to internal dashboards, the company’s Slack and its HackerOne accounts. Uber said in its Monday update that the hacker stole some internal information and Slack messages, but that no sensitive information — like credit card data and trip histories — was taken, leaving open the question of whether other personal user information was compromised.

The hacker, who claims to be an 18-year-old, told security researchers that they broke into Uber’s systems by stealing an employee’s password and also tricking the employee into approving the attacker’s push notification for Uber’s multi-factor authentication, or MFA.

Once they had that critical foothold on Uber’s network, the hacker claimed to find a network share containing high-privilege credentials that allowed them near-unfettered access to the rest of the company’s systems.

Uber said Monday that the hacker, who was affiliated with Lapsus$, a group that hacked Okta, Microsoft, Nvidia, Globant and Rockstar Games earlier this year, compromised an Uber contractor’s user account. Uber said it briefly took down some internal tools following the breach and that customer support operations were “minimally impacted and are now back to normal.”

Uber’s final incident post-mortem may not be known for some time, but security experts are already dissecting how the hacker got access to Uber’s systems to begin with — by defeating the company’s MFA security with apparent ease.

Not all MFA options — that extra step you have to complete after entering your username and password to verify that it’s really you logging in and not an attacker — are created equal; some are stronger than others. Codes sent by text messages, which can be intercepted or stolen, have largely been phased out in favor of mobile authenticator apps that churn out constantly rotating random codes or send out push notifications that are near-impossible to intercept. But as attacks are getting smarter, some of the strongest MFA protections are being defeated by exploiting vulnerabilities in human behavior.

If one of the world’s biggest companies can be breached this way, how do you protect against another Uber hack?

How did the hacker defeat MFA?

According to researchers, the employee’s credentials may have been stolen by password-stealing malware like RedLine installed on an employee’s computer. Lapsus$ is also known to use RedLine to steal employee passwords. Uber said the hacker may have bought the stolen passwords from a marketplace on the dark web.

Once stolen, the hacker had to defeat Uber’s multi-factor authentication, which adds an additional barrier to prevent attackers from using stolen credentials to break into a company’s network.

In a conversation posted to Twitter, the hacker confirmed they socially engineered their way into Uber’s network by using the stolen credentials to send repeated push notifications to the employee for over an hour, then “contacted him on WhatsApp and claimed to be from Uber IT, told him if he wants it to stop he must accept it,” the hacker said. “And well, he accepted and I added my device,” the hacker wrote.

This is what some call MFA fatigue, where hackers take advantage of employees having to repeatedly log in and re-authenticate their access throughout the work day by flooding the employee with push notifications, often outside working hours, in the hopes that eventually the employee accepts a login request out of exasperation.

Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, said MFA fatigue attacks are one of the “easiest ways” to get past MFA to hack an organization.

“Yes, sometimes MFA fatigue looks like repeat requests while the victim is sleeping until they accept, but oftentimes it’s as simple as sending the request 10 times in a row at the beginning of the workday or just obnoxiously spamming requests during a meeting until the victim accepts,” Tobac told TechCrunch.

After tricking the employee into accepting the push notification, the hacker could then send MFA push notifications as if they were the employee, granting them persistent access to Uber’s network.

What’s the fix?

Security experts universally agree that any level of MFA is better than none, but MFA is not a panacea on its own. Uber is not the only company to have used multi-factor authentication and still have its network compromised.

In 2020, hackers broke into Twitter’s network by tricking an employee into entering their credentials into a phishing page they had set up, which the hackers used to generate a push notification sent to the employee’s devices. The employee accepted a prompt, allowing the attackers in, according to an investigation by New York’s state government. More recently, SMS messaging giant Twilio was compromised by a similar phishing attack, and Mailchimp was also hacked by a social engineering attack that tricked an employee into handing over their credentials.

All of these attacks exploit weaknesses in multi-factor authentication, often by directly targeting the individuals involved, rather than looking for security flaws in these highly audited systems.

Of the companies targeted in a recent spate of cyberattacks, Cloudflare is the only one that blocked a network compromise, because it uses hardware security keys, which cannot be phished. In a blog post, Cloudflare admitted that while some employees “did fall for the phishing messages,” its use of hardware security keys, which require employees to physically plug in a USB device to their computers after entering their credentials, stopped the attackers from breaking into its network. Cloudflare said the attack targeted employees and systems in such a way “that we believe most organizations would be likely to be breached.”

Security keys are seen as the gold standard of MFA security but they are not without their own challenges, not least the costs of the keys and their upkeep. “We spend our time arguing about the necessity of hardware security keys for all, but in the field some organizations are still fighting for mandatory SMS two-factor authentication or MFA prompts for internal access,” said Tobac.

While MFA by randomly generated code or push notification is by no means perfect, as evidenced by Uber’s breach, “we can’t let perfect be the enemy of the good,” Tobac says. “Small improvements over time make a big difference.”

“The biggest questions I’m getting from organizations right now are about how to configure already existing MFA tools to limit the attack methods we are seeing in the Uber, Twilio and Twitter hacks,” Tobac said. “It’s a lot of helping organizations think through small improvements that can be made quickly so they don’t get stuck debating updates for months (or even years) internally.”

One important improvement making the rounds is MFA number matching, which makes social engineering attacks far more difficult by displaying a code on the screen of the person logging in and requiring that code to be entered into an app on the person’s verified device. The idea is that the attacker would need both the target’s credentials and their verified device, similar to a security key.

Microsoft, Okta and Duo offer MFA number matching. But as noted by security researcher Kevin Beaumont, Microsoft’s solution is still in preview and Okta’s number matching offering is bundled in an expensive licensing tier. Uber relies on Duo for MFA, but reportedly was not using number matching at the time of its breach.

“In other news you are seeing a bunch of teens reinvent the cybersecurity industry in real time,” Beaumont tweeted.

Network defenders can also set up alerts and limits for how many push notifications a user can get, Tobac said — and noted in a Twitter thread — and start by rolling out security keys to a test group of users with the aim of growing the group each quarter.
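The alerts and limits on push notifications described above can be prototyped over authentication logs. This is an added example, not code from Uber, Duo or any other MFA vendor; the event names, the five-push limit and the ten-minute window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_PUSHES = 5                  # assumed per-user push limit inside WINDOW

# Constructed sample log, not real data: (timestamp, user, event).
SAMPLE_LOG = [
    ("2024-01-10T08:58:00", "alice", "push_sent"),
    ("2024-01-10T08:58:20", "alice", "push_approved"),   # normal login
    ("2024-01-10T23:01:00", "bob", "push_sent"),
    ("2024-01-10T23:01:30", "bob", "push_denied"),
    ("2024-01-10T23:02:00", "bob", "push_sent"),
    ("2024-01-10T23:02:40", "bob", "push_sent"),
    ("2024-01-10T23:03:10", "bob", "push_sent"),
    ("2024-01-10T23:03:50", "bob", "push_sent"),
    ("2024-01-10T23:04:30", "bob", "push_sent"),          # sixth push in window
    ("2024-01-10T23:05:00", "bob", "push_sent"),
    ("2024-01-10T23:06:00", "bob", "push_approved"),      # approval mid-flood
    ("2024-01-11T09:00:00", "bob", "push_sent"),
    ("2024-01-11T09:00:10", "bob", "push_approved"),      # normal login
]


class PushMonitor:
    """Tracks MFA push prompts per user to alert on and limit prompt floods."""

    def __init__(self, max_pushes=MAX_PUSHES, window=WINDOW):
        self.max_pushes = max_pushes
        self.window = window
        self._recent = defaultdict(deque)  # user -> times of recent push_sent
        self._burst_at = {}                # user -> time of last over-limit push

    def _evict(self, user, now):
        # Drop prompts that have aged out of the sliding window.
        q = self._recent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def _in_burst(self, user, now):
        last = self._burst_at.get(user)
        return last is not None and now - last <= self.window

    def allow_push(self, user, now):
        """Limit: refuse to send another prompt once the user is at the cap."""
        return len(self._evict(user, now)) < self.max_pushes

    def observe(self, ts, user, event):
        """Feed one log event; return an alert tuple (user, kind, ts) or None."""
        now = datetime.fromisoformat(ts)
        q = self._evict(user, now)
        if event == "push_sent":
            q.append(now)
            if len(q) > self.max_pushes:
                first = not self._in_burst(user, now)
                self._burst_at[user] = now
                if first:  # alert once per flood, not once per prompt
                    return (user, "push_burst", ts)
        elif event == "push_approved" and self._in_burst(user, now):
            # An approval that lands during a flood is the high-priority case:
            # review the session and any device enrolled right after it.
            del self._burst_at[user]
            return (user, "approved_during_burst", ts)
        return None


def analyze(log, **kwargs):
    """Replay a log in time order and collect the alerts it produces."""
    monitor = PushMonitor(**kwargs)
    alerts = []
    for ts, user, event in sorted(log):
        alert = monitor.observe(ts, user, event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

`allow_push` is the limit and `observe` is the alert; in a live deployment the first would gate the prompt before it is sent, while the second runs over the resulting log.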

For its part, Uber said on Monday that it was strengthening its MFA policies in response to its breach.

As for how the hacker got access to high-privilege credentials for the rest of its critical systems using just a contractor’s stolen password, Uber might still have a lot to answer for.

How do you fix a hack like Uber’s? by Zack Whittaker originally published on TechCrunch

Adobe buys Figma, Uber gets hacked, and Google shrinks Area 120

Hello, friends! Welcome back to Week in Review, the newsletter where we quickly sum up the most read TechCrunch stories from the last sevenish days. The goal? Even if you’ve had a busy week, a quick skim of WiR should keep you in the (tech) loop.

Want it in your inbox every Saturday? Sign up here.

This week was a bit all over the place, with another big story breaking every couple hours. Let’s just drop right in, shall we?

most read

  • Cutbacks at Area 120: Area 120 is Google’s in-house incubator, meant to let Googlers with potentially big ideas tap the mega company’s resources to turn said ideas into something real. This week, however, Google confirmed that it’s slashing half of the Area 120 projects currently in development, with the incubator “shifting its focus” to AI projects. Impacted employees are being given until early 2023 to find a new job within Google.
  • Adobe buys Figma: In one of the biggest tech acquisitions of all time, Adobe announced this week its intent to buy the collaborative/web-based design tool Figma for a whopping $20 billion. Figma saw ridiculous growth throughout the pandemic, as many, many tech teams went remote and adjusted their workflows accordingly. Even for a company as big as Adobe, winning that part of the workflow back would’ve been tough.
  • Layoffs at Twilio: Twilio confirmed this week that it’ll lay off roughly 11% of its workforce — somewhere between 800 and 900 people — as the company focuses on reaching profitability in 2023.
  • iOS 16 goes live: As expected, iOS 16 rolled out to Apple devices this week. Want our thoughts on it? Find Romain’s review here. Want to know all of the not-so-obvious new features hiding within the update? Check out Ivan’s list. Most of our readers seem to be looking for interesting ways to use those new Lock Screen widgets.
  • South Korea issues an arrest warrant for Terraform Labs’ founder: “A court in South Korea has issued an arrest warrant for Do Kwon, the founder of Terraform Labs,” writes Manish, “escalating its probe into the crypto ecosystem whose two tokens lost $40 billion in value in a span of days earlier this year.”
  • Uber hack: Late Thursday night, Uber confirmed that it’s “responding to a cybersecurity incident” after a hacker seemingly breached the company’s internal network, with the hacker reportedly announcing their presence (and protesting how Uber pays its drivers) right within Uber’s Slack.

audio roundup

If you like TechCrunch for your eyes, check out TechCrunch for your ears. This week in TechCrunch podcast land, the Equity team talked about how Y Combinator has evolved in recent years, the Chain Reaction crew “dug into the institutional embrace of blockchains by stodgy financial powerhouses,” and the Found team went all “greatest hits” by revisiting an interview with Figma founder Dylan Field from earlier this year.

techcrunch+

Want to know what TC+ members are reading most behind the paywall? I’ve got that list below. Want to become a TC+ member yourself? Sign up here and use promo code “WIR” for 15% off an annual pass.

Adobe buys Figma, Uber gets hacked, and Google shrinks Area 120 by Greg Kumparak originally published on TechCrunch

Uber investigating cybersecurity incident after hacker breaches its internal network

Uber confirmed on Thursday that it’s responding to a cybersecurity incident after reports claimed a hacker had breached its internal network.

The ride-hailing giant discovered the breach on Thursday and has taken several of its internal communications and engineering systems offline while it investigates the incident, according to a report by The New York Times, which broke the news of the breach. 

Uber said in a statement given to TechCrunch that it’s investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.

The sole hacker behind the breach, who claims to be 18 years old, told the NYT that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp, and Okta.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach”, the NYT reports. The hacker also reportedly said that Uber drivers should receive higher pay. 

According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found high-privilege credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface, and the company’s EDR portal.

“If you had your data in Uber, there’s a high chance so many people have access to it,” Reed said, noting that it’s not yet clear how the attacker bypassed two-factor authentication (2FA) after obtaining the employee’s password. 

The attacker is also believed to have gained administrative access to Uber’s cloud services, including Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as the company’s HackerOne bug bounty program.

Sam Curry, a security engineer at Yuga Labs who described the breach as a “complete compromise”, said that the threat actor likely had access to all of the company’s vulnerability reports, which means they may have had access to vulnerabilities that have not been fixed. HackerOne has since disabled the Uber bug bounty program. 

In a statement given to TechCrunch, Chris Evans, HackerOne CISO and Chief Hacking Officer said the company “is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”

This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.

Uber investigating cybersecurity incident after hacker breaches its internal network by Carly Page originally published on TechCrunch

Uber turns to Nuro for AV delivery and Razor charges into the seated scooter market

The Station is a weekly newsletter dedicated to all things transportation. Sign up here — just click The Station — to receive the full edition of the newsletter every weekend in your inbox. This is a shorter version of The Station newsletter that is emailed to subscribers. Want all the deals, news roundups and commentary? Subscribe for free.

Welcome back to The Station, your central hub for all past, present and future means of moving people and packages from Point A to Point B. 

Before I dive into the news of the week, check out this lovely discount to attend TechCrunch Disrupt in San Francisco. Go to this link and type in the code STATION to get 15% off passes, excluding online and expo tickets.

It will be an in-person event and I couldn’t be more excited. I’ll be interviewing Rivian founder and CEO RJ Scaringe on the main stage. Other guests include Marc Lore, Serena Williams — yes, the Serena Williams — OnlyFans CEO Ami Gan, Campfire co-founder and CEO Joshua Ogundu and investors from a16Z, Forerunner, Redpoint and Y Combinator. And a helluva lot more, which you can check out here.

There is also the TechCrunch+ stage and roundtable discussions, where founders can get insights and advice from experienced leaders and investors about how to navigate some of the trickier parts of running a business. And then, of course, we will have Startup Battlefield.

Come meet me at Disrupt!


Amid all of the coverage of Queen Elizabeth II’s death, one piece of history that might have been forgotten is her role as an ambulance driver and mechanic. Jalopnik has a nice little write up. Check it out.

OK, let’s go.

You can always email me at kirsten.korosec@techcrunch.com to share thoughts, criticisms, opinions, or tips. You also can send a direct message to @kirstenkorosec

Micromobbin’

It’s another short one this week as our expert micromobber, Rebecca Bellan, is just coming back from vacation.


Our founder Q&A series continues over at TC+. The premise — in case you’re unfamiliar — is to interview founders in the transportation sector and then check in on them a year later.

In our latest edition, Bellan interviewed Drover AI co-founder and CEO Alex Nesic about the possibilities of integrating computer vision tech into privately owned scooters, what it means when a larger company steals your idea and why tech pedigrees are overrated when it comes to running a startup.


Meanwhile, interest in seated electric scooters continues to ramp up and Razor is here for it.

The company, which might bring back memories of kicking and coasting down the block to your friend’s house for a playdate, is expanding its line of adult electric scooters. The company launched a new seated electric scooter that is designed to carry cargo, or if you like, another passenger on the back.

Deal of the week

The EV SPAC world is a weird and wild place for investors holding onto the hope that money can be made. But it’s a risky endeavor.

The latest example is Mullen Automotive. The EV SPAC acquired a 60% controlling interest in Bollinger Motors for $148.2 million. The move is intended to strengthen the two EV companies’ positions within the fast-growing electric sport utility and commercial vehicle markets.

Just a day after this announcement, Mullen disclosed it received a minimum share price warning from Nasdaq. Mullen’s shares have traded under $1 a share for 30 consecutive business days. (hat tip to Bloomberg’s Sean O’Kane, who first spotted the filing)

Why does this matter? Mullen risks a delisting, although it has about six months to turn things around. The company has 180 days to close above $1 for 10 consecutive business days. There are extensions available if Mullen shares fail to nudge above that $1 mark.

Other deals that got my attention this week … (subscribe for all the deals)

Amply Power, EV fleet charging and energy management provider for fleets that was acquired by BP in 2021, has officially been folded into the energy giant’s brand called “bp pulse.”

United Airlines continues to invest in the future of flight. The company announced a conditional purchase agreement for 200 four-seat electric aircraft from Eve Air Mobility plus 200 options, expecting the first deliveries as early as 2026. United said it is also investing $15 million in Eve.

Want to read more? The Station’s weekly emailed newsletter includes a roundup of AV, EV and other news and “A Little Bird,” a section in which I share verified insider news. Sign up! It’s free!

Uber turns to Nuro for AV delivery and Razor charges into the seated scooter market by Kirsten Korosec originally published on TechCrunch

This Week in Apps: Apple’s event brings a ‘dynamic Island,’ new widgets and iOS 16

Welcome back to This Week in Apps, the weekly TechCrunch series that recaps the latest in mobile OS news, mobile applications and the overall app economy.

Global app spending reached $65 billion in the first half of 2022, up only slightly from the $64.4 billion during the same period in 2021, as hypergrowth fueled by the pandemic has slowed down. But overall, the app economy is continuing to grow, having produced a record number of downloads and consumer spending across both the iOS and Google Play stores combined in 2021, according to the latest year-end reports. Global spending across iOS and Google Play last year was $133 billion, and consumers downloaded 143.6 billion apps.

This Week in Apps offers a way to keep up with this fast-moving industry in one place with the latest from the world of apps, including news, updates, startup fundings, mergers and acquisitions, and much more.

Do you want This Week in Apps in your inbox every Saturday? Sign up here: techcrunch.com/newsletters.

Want to attend TechCrunch Disrupt? Click here for 15% off passes.

Top Stories

Apple debuts new iPhones — and new ways for app developers to reach users

Like clockwork, Apple held its annual fall event this week to introduce the latest iPhones to the public. The iPhone 14 line brings some notable new features, like the always-on display for the Pro models, emergency satellite connectivity and the removal of the SIM tray in the U.S. in favor of eSIM support, along with other updated specs across the devices’ camera systems, chips, sensors and more.

But what will most intrigue app developers are a few other changes — both expected and unexpected.

With the updated mobile operating system iOS 16, developers will have a way to reach their users directly from the phone’s Lock Screen, thanks to the new widget platform. Announced at this year’s WWDC, these new widgets join a larger Lock Screen makeover that now includes a built-in editor, wallpaper gallery, theming tools and a Live Activities feature for delivering real-time updates to this key iPhone real estate.

With WidgetKit, developers will be able to build using the same code for both watchOS and the Lock Screen, Apple had explained at WWDC. On the iPhone’s Lock Screen, they can choose from three widget designs: circular, rectangular and inline — the latter being a way to convey information with a small amount of text and SF Symbols above the Lock Screen’s clock, instead of below it like the other two.

Already, developers are coming up with clever ways to take advantage of this new screen space.

In some cases, they see the Lock Screen widgets as the extension of their existing apps — like what Flighty is doing to convey flight status and other travel updates to users. Others see the widgets as part of a larger set of personalization offerings, allowing users to pin their favorite photos, motivational quotes or even favorite app shortcuts to their Lock Screen, as ScreenKit has done.

For apps with real-time updates, the Live Activities feature will allow developers to display further information on the Lock Screen — like when a customer’s pizza is arriving or when their Lyft is nearby, for example.

But what really blew us away was when Apple surprised everyone with an extension of Live Activities that hadn’t yet been leaked: the new Dynamic Island feature. Frankly, it was exciting to learn about a new feature for the first time during the keynote, instead of reading about it in the news — something that’s become a much more common occurrence these days.

A smart combination of hardware and software, the Dynamic Island turns the dreaded sensor “notch” at the top of the device — now more compact in the latest iPhone models — into a feature. The pill-shaped cutout introduces a unique way to interact with activities, alerts and notifications, said Apple, underselling it a bit.

This adaptive area can expand, contract and morph into different shapes and sizes as it delivers information to the end user through animations and transitions — taking advantage of the black space required by the notch, rather than trying to hide it.

You can imagine keeping an eye on your Uber while you text a friend, watching a timer while you read the next steps in a recipe or getting turn-by-turn directions while in another app, among other things. It also works to deliver informational updates in a visually engaging way without interrupting what you’re already doing on your phone. This could include things like confirming your AirPods are connected, muting, starting a charge, starting a FaceID, confirming your transit card was activated when tapping your iPhone in transit locations and more, Apple suggested.

And it can show other background activity, like the music you’re playing when you exit the music app — it even includes a tiny photo of the album art. When you want to access the “now playing” controls again, you can then tap the Dynamic Island to see it expand into a larger, interactive floating widget of sorts with more options. (Will the selfie camera get dirty, we wonder?)

The same goes for phone calls, where a tap can bring up a larger interface for tapping the mute button, speaker button, FaceTime option, the “end call” button and more.

Needless to say, developers and designers were enthralled by the possibilities, praising the feature on Twitter during and after Apple’s event. It’s fair to say we’ll likely see adoption of this feature in the months ahead, when the technology becomes available.

Weekly News

Platforms: Google

  • Not to be upstaged by Apple, Google this week announced it will host an in-person Pixel hardware event on October 6 at 10 a.m. ET in Brooklyn, where the company is planning to introduce the Pixel 7, Pixel 7 Pro and Pixel Watch.
  • Android 13 got its first patch, which addresses some issues around wireless charging and battery drains.
  • Google rolled out a broader Android update that includes an upgrade to its AirDrop-like “Nearby Share” feature that now has a “self-share” mode for moving files between your own devices. Other updates include redesigned widgets, sound alerts, audio descriptions for Google TV and live-sharing on Google Meet.

  • Google also touted how Android 13 will make it easier to keep users’ personal data and work data separated thanks to the OS’s new “work profiles,” which let users indicate how apps should be used. This option lets users have separate photo galleries for personal and work use, and can help keep their YouTube watch history separate when used for work or personal use, among other things.
  • Shortly after news came out that Google was blocking Trump’s Truth Social app from Google Play, the company reversed another controversial decision by allowing the conservative-leaning Parler app back in, over a year after its removal following the January 6 violence. Justifying its decision, Google said Parler had implemented the necessary moderation controls required by user-generated apps.

E-commerce

  • Instagram is preparing to test a version of its app that reduces its focus on shopping, according to The Information. The app will try removing the Instagram Shopping page as part of this test. The company says the new version, known as Tab Lite, will be tested over the next few months to see how it fares.

Augmented Reality

  • Snap is powering several custom-built AR experiences for the Vogue World Event at New York’s Fashion Week. The event on Monday, September 12, will feature a “Skywalk” Lens that transforms the show with AR as blossoming flowers emerge as models walk the runway. Other Lenses bring sunlight or moonlight to users’ faces. The Lenses were built by Arcadia, Snap’s creative studio for AR.
  • A new Wonderlab AR app, powered by Niantic’s Lightship ARDK, allows people in the U.K. to discover the science behind ordinary objects using AR and geospatial technologies.

Fintech

  • In a crackdown on unethical lenders, India said its central bank will prepare a whitelist of legal loan apps and the IT ministry plans to ensure that only approved apps are hosted on app stores.
  • Trading app Robinhood launched an Investor Index that will be updated monthly to track the performance of the 100 most popular stocks on its platform by weighting its users’ “conviction.”
  • London-based finance app Revolut launched a one-click payments feature to rival PayPal. The feature, Revolut Pay, will work with retailers like Shopify, Prestashop, WH Smith Plc, and Funky Pigeon to start.

Adtech

  • One year later, Apple’s privacy changes with ATT have helped to boost its own ads business, a new report found. According to a review by the performance insights platform InMobi’s Appsumer, Apple’s Search Ads business has now joined the Facebook-Google advertising duopoly after growing its adoption by 4 percentage points to reach 94.8% year-over-year, while Facebook’s adoption dropped 3% to 82.8%. In addition to the growing advertiser adoption of Apple’s Search Ads, the report also found Apple’s business grew its share-of-wallet by 5 percentage points, to reach a 15% share, while Facebook’s share-of-wallet dropped 4 percentage points, to 28%, from Q1 2021 through Q2 2022.

Social

  • Ahead of the U.S. midterms, Twitter said it would begin to add 1,000 contributors per week to its crowdsourced fact-checking tool, Birdwatch, which had been previously tested with 15,000 contributors. The tool will now require users to earn their way to contributor status by rating notes as helpful or not, and earning points based on those ratings’ accuracy.
  • Twitter says its new “edit tweet” feature, now in testing, will allow users to edit their tweets up to five times during the first 30 minutes it’s live. This functionality seems to be designed to better cater to marketers or other attention-getters, who want to find the right combination of words or hashtags, rather than helping everyday users who want to fix a typo — a feature already addressed by Twitter Blue’s “Undo Tweet” option.
  • Twitter is also now testing a new way to share tweets in India by adding a WhatsApp button under the posts for Android users.
  • Instagram confirmed it’s planning to test a feature that will allow users to repost others’ Feed posts — its alternative to something like Twitter’s Retweet. The feature would be a way for aggregator accounts to better credit others’ work, instead of just stealing it.
  • Instagram removed Pornhub’s account for undisclosed reasons. Though the site offers adult material, its social media account only shared nonpornographic images and videos. The move follows a lawsuit where Pornhub parent MindGeek is being sued for allegedly distributing child sexual abuse material on its platform.
  • Nextdoor announced it would again partner with Vote.org to help increase voter turnout for U.S. midterms by encouraging its users to verify their voter registration, find their polling place and more.

Dating

  • Match Group and its flagship app Tinder announced their advocacy for the passage of the “Respect for Marriage Act,” federal legislation that protects the rights to same-sex and interracial marriage. The U.S. House of Representatives passed the legislation in July with bipartisan support and now Match Group and Tinder are asking the Senate to do the same. The Act arrives at a critical time, given the threat to people’s rights posed by the current Supreme Court.

Messaging

  • Signal appointed a former Google manager and Big Tech critic, Meredith Whittaker, as its first president. The new exec will help to determine Signal’s policy and strategy, including its communications policy.
  • In case there was any question about Apple’s position on adopting RCS, CEO Tim Cook put that to rest by telling an audience member who asked a question about this during a tech conference that he should just “buy your mom an iPhone” if she wanted to see clear videos.

Streaming & Entertainment

  • Disney+ released its first AR-enabled short film, ‘Remembering,’ starring Brie Larson. The film uses ShazamKit to listen for an audio cue that will alert users when to launch the AR experience during the film, which focuses on exploring a child’s imagination. When launched, the AR companion app will display a waterfall spilling off the TV and other effects to augment the film’s storytelling.
  • Triller is facing a third lawsuit, this time from a company called Phiture, which offers consulting services to mobile app developers, over non-payment. The company has already been sued by Sony Music for nonpayment and by creators Timbaland and Swizz Beatz, who say they are owed $28 million for selling Verzuz to the company.
  • Spotify’s CFO Paul Vogel said the music streaming platform will begin testing and trialing audiobooks “very soon.” The company last fall had acquired audiobook distributor Findaway to enter this market, allowing it to compete with Amazon and Apple.
  • The Tencent-backed Indian music streaming app Gaana switched to a paid subscription biz model after failing to find an exit or close on new funding, Reuters reported.

Gaming

Health & Fitness

  • Apple confirmed it will bring its Apple Fitness+ subscription to all iPhone users regardless of whether they own an Apple Watch, as promised earlier this year at WWDC. The service will arrive in all 21 countries where Fitness+ is offered and will ship alongside the iOS 16 update on Monday, including some new workouts.

Utilities

  • Google Maps expanded its fuel-efficient and eco-friendly routing options to 40 more countries across Europe. The feature was first introduced to the U.S. in 2021, allowing users to plan their drive by how much gas they’d need to expend over other factors.
  • The Compass app will be updated with the release of watchOS 9, Apple said during its keynote this week, where it also unveiled the rugged Apple Watch Ultra. The refreshed app will surface more in-depth information and include three distinct views. A new hybrid view will simultaneously show an analog compass dial and a digital view. Turning the Digital Crown will reveal an additional view that includes latitude, longitude, elevation and incline, as well as an orienteering view showing Compass Waypoints and Backtrack (a feature powered by GPS data to show where the user has been), noted Apple’s press release.

Government & Policy

  • EU privacy regulators are fining Instagram €405 million as a result of a complaint over how the social media app handles children’s data in violation of the GDPR. Ireland’s Data Protection Commission (DPC) found Instagram, at the time of the complaint, would set the accounts of child users to public by default, among other violations, including the publication of kids’ emails and phone numbers. This fine is the second-highest fine under the GDPR, and DPC’s third for the company.

Security & Privacy

Funding and M&A

💰 LA-based Remento, an app that focuses on capturing and preserving family stories, raised $3 million in seed funding led by Upfront Ventures. The app launched this week on iOS after a year of beta testing.

🤝 Grocery delivery app Instacart announced its acquisition of the e-commerce platform Rosie, which helps local and independent retailers and wholesalers and provides them with tools for powering order flow, fulfillment and customer insights. Deal terms were not disclosed but Ithaca, New York-based Rosie had raised $11.9 million to date.

💰 Latana, a platform that bids on mobile ad space, raised €36 million (~$35.79 million) in Series B funding — €10 million (~$9.94 million) of which was debt — led by Oxx.

💰 Subscription-based Android fintech app Stack raised $2.7 million from Madrona, The Venture Collective, Santa Clara Ventures and others. The app aims to offer crypto education and trading for teens and their parents.

🤝 Headspace Health acquired Shine, a mental health and wellness app dedicated to providing an inclusive mental health experience for the BIPOC community. Deal terms weren’t disclosed.

Downloads

LineupSupply

If you often find yourself making Spotify playlists to get hyped for an upcoming music festival or to relive a favorite past show, a new mobile app called LineupSupply can now help make that process easier. This clever new utility allows you to upload a photo of a music festival’s poster to have it automatically transformed into a Spotify playlist in a matter of moments. Alternately, you can use the app to find playlists created by others or, with a one-time purchase of $1.99, tap into music recommendations based on the artists in the images you uploaded.

LineupSupply also lets you customize the playlist before its creation by removing artists you don’t want to be included in your playlist. And if you don’t want to do the work of finding and uploading your own image, you may be able to find an existing playlist built by other users in the app’s “Discover” section.

There’s no limit to the number of playlists you can create with the free version. But with a one-time upgrade of $1.99, you can gain access to a few additional features, including the ability to set a custom app icon or further customize the playlist by controlling the number of songs per artist, the song sorting options, and the playlist description.

 

This Week in Apps: Apple’s event brings a ‘dynamic Island,’ new widgets and iOS 16 by Sarah Perez originally published on TechCrunch

Daily Crunch: Tim Cook weighs in on standardized messaging features: ‘Buy your mom an iPhone’

Helloooo! Since our last Daily Crunch, our adrenaline-fueled TechCrunch team has added more than 70 stories to the site. We’re picking out some of the best below, but we’ll almost certainly miss a story you wish you’d read. Give our homepage a quick scroll to see what strikes your fancy! — Christine and Haje

The TechCrunch Top 3

  • Tim Cook and green bubbles: Christine is an Android user and her iPhone-using friends talk about “green bubbles,” but until now she did not know this was a problem. Christine’s text bubbles come in all different colors and even tell her who is “speaking” when in a group. However, she’s now learned that her iPhone-using friends secretly hate her green bubbles. Tim Cook is on their side, Ivan writes.
  • Ambient Mesh: That’s the name of Google and Solo.io’s new Istio service mesh. We’ll yield to Frederic to explain what all of that means.
  • Electric vroom: Jeep has three, three new electric vehicles, ah ah ah!, poised to enter the market beginning in 2023, Jaclyn reports.

Startups and VC

It’s day 2 of Y Combinator-vaganza, which means we have buckets and buckets of news for you. Assuming news comes in buckets, but that’s a conversation for another day.

Tage reports that YC’s latest batch cuts African startup presence by more than half, and Anna, Alex and Tage are curious where Y Combinator is startup-hunting in 2022. And Kyle explored 7 AI startups that stood out among the YC hopefuls, and a load of TechCrunch writers selected our 11 favorite companies from Day 1 and Day 2 and the moonshots.

Whew. In addition to YC, Apple ran an event yesterday, and boy did we cover a bunch of that, too. Luckily, Christine has you covered on that front in the Big Tech section below.

Here’s a few more for ya:

5 metrics Series A investors look for at dev-tools startups

The median Series A for developer-tooling companies fell to $47.5 million in Q3 2022, “the lowest it has been since the beginning of 2021,” writes Rak Garg, a principal at Bain Capital.

After meeting with hundreds of companies since the start of the downturn, Garg has written a fundraising guide for seed-stage founders who are hoping to reach the next level.

“I’ve noticed a common characteristic among founders who have raised successful Series A rounds: They’re great at telling their companies’ stories,” says Garg.

Big Tech Inc.

So much Apple, so little time. The Apple iPhone 14 event dominated our news cycle for the second day, especially this one by Greg, who we think nicely summed up everything from the event. If you want to read every drooling detail, head over to the Apple fall event hub.

Speaking of things to drool over, Christine wrote a brief piece about Bloomingdale’s getting into the metaverse with its new virtual store that looks like it will give you purse envy.

Daily Crunch: Tim Cook weighs in on standardized messaging features: ‘Buy your mom an iPhone’ by Christine Hall originally published on TechCrunch

Why this Californian founder moved to Minneapolis to build a B2B fintech

Minneapolis-based Branch was founded in 2015, and it’s now one of the fastest-growing companies in the Midwest. Its founder, Atif Siddiqi, is a Southern California transplant who first relocated to the Twin Cities to participate in the Target Techstars accelerator program. He hasn’t looked back since.

Siddiqi has spent the past seven years building up Branch from its roots as a Midwestern upstart focused on earned-wage access into a formidable Series C-stage business with $75 million in funding from investors such as Addition and General Atlantic and clients including Uber and Walmart.

Branch, which has seen over 2,000% revenue growth in the last three years, helps contractors get paid faster through a wide range of product offerings today. Siddiqi and early Branch investor Ryan Broshar of Minneapolis-based Matchstick Ventures explain how the city’s venture ecosystem has evolved over the years and share their tips for founders outside coastal tech hubs looking to raise capital, bring in customers and make an impact on their industries far beyond their immediate locales.

Why this Californian founder moved to Minneapolis to build a B2B fintech by Anita Ramaswamy originally published on TechCrunch

Uber turns to autonomous vehicle startup Nuro for Eats deliveries

Uber will use Nuro autonomous delivery vehicles to shuttle meals and other goods to its Eats customers as part of a 10-year commercial deal between the two companies.

The partnership, which kicks off this fall, will start in Houston and Mountain View, California and eventually expand to other areas, including the greater Bay Area, according to the companies.

Nuro has managed to launch pilot programs and partnerships with a number of high-profile companies, including Walmart and Kroger. This latest deal, however, marks an escalation of Nuro’s commercial plans.

It also highlights Nuro’s enviable position in the nascent autonomous vehicle industry. Nuro is one of the few companies to have received all of the necessary approvals and permits to operate an autonomous vehicle delivery service — that can charge customers — in California. Which means it can — and will — receive a fee for every autonomous delivery made for Uber.

Nuro bots are not going to replace the human gig workers who currently pick up and deliver foods for customers, Noah Zych, global head of autonomous mobility and delivery at Uber, told TechCrunch. Instead, the company sees an opportunity to strategically use autonomous vehicles where they make the most sense.

This partnership, particularly in its first years, will help both companies pinpoint those best uses.

“We’ll get a really good representative sample of where demand needs to be and how it is shaped throughout the day and throughout the week. And then, in turn, that not only obviously has benefits for the business, but it also allows us to be very focused in deciding and developing together alongside Uber, where do we really need to be developing our services and where to work?” Cosimo Leipold, head of partnerships at Nuro, said in a recent interview. “Where can we get the most bang for our buck, so to speak, in terms of AV development, and in terms of capacity and volume that’s going to come through the system?”

Nuro, which was founded in June 2016 and has since raised more than $2.13 billion, will initially use its second-generation vehicle called the R2. This vehicle, introduced in February 2020, is not a sidewalk delivery bot. Nor can it shuttle people.

The R2, and its upcoming third-generation vehicle — simply called “Nuro” — are designed to carry packages and to travel on public roads.

The R2 is equipped with lidar, radar and cameras to give the “driver” a 360-degree view of its surroundings and is designed and assembled in the U.S. in partnership with Michigan-based Roush Enterprises. The upcoming Nuro bot, which is expected to roll out in late 2023, is an automotive production-grade vehicle with twice the cargo volume of the previous model, customizable storage and temperature-controlled compartments to keep items warm or cool.

Nuro’s supplier partner BYD North America will assemble the hardware components of the new third-generation model. The bots will then head to Nuro’s new $40 million end-of-line manufacturing facility in southern Nevada, where they will be readied for deployment.

 

Uber turns to autonomous vehicle startup Nuro for Eats deliveries by Kirsten Korosec originally published on TechCrunch