Архив метки: SDK

Coinbase acquires Distributed Systems to build ‘Login with Coinbase’

Coinbase wants to be Facebook Connect for crypto. The blockchain giant plans to develop “Login with Coinbase” or a similar identity platform for decentralized app developers to make it much easier for users to sign up and connect their crypto wallets. To fuel that platform, today Coinbase announced it has acquired Distributed Systems, a startup founded in 2015 that was building an identity standard for dApps called the Clear Protocol.
The five-person Distributed Systems team and its technology will join Coinbase. Three of the team members will work with Coinbase’s Toshi decentralized mobile browser team, while CEO Nikhil Srinivasan and his co-founder Alex Kern are forming the new decentralized identity team that will work on the Login with Coinbase product. They’ll be building it atop the “know your customer” anti-money laundering data Coinbase has on its 20 million customers. Srinivasan tells me the goal is to figure out “How can we allow that really rich identity data to enable a new class of applications?”

Distributed Systems had raised a $1.7 million seed round last year led by Floodgate and was considering raising a $4 million to $8 million round this summer. But Srinivasan says, “No one really understood what we’re building,” and it wanted a partner with KYC data. It began talking to Coinbase Ventures about an investment, but after they saw Distributed Systems’ progress and vision, “they quickly tried to move to find a way to acquire us.”
Distributed Systems began to hold acquisition talks with multiple major players in the blockchain space, and the CEO tells me it was deciding between going to “Facebook, or Robinhood, or Binance, or Coinbase,” having been in formal talks with at least one of the first three. Of Coinbase the CEO said, they “were able to convince us they were making big bets, weaving identity across their products.” The financial terms of the deal weren’t disclosed.

Coinbase’s plan to roll out the Login with Coinbase-style platform is an SDK that others apps could integrate, though that won’t necessarily be the feature’s name. That mimics the way Facebook colonized the web with its SDK and login buttons that splashed its brand in front of tons of new and existing users. This turned Facebook into a fundamental identity utility beyond its social network.
Developers eager to improve conversions on their signup flow could turn to Coinbase instead of requiring users to set up whole new accounts and deal with crypto-specific headaches of complicated keys and procedures for connecting their wallet to make payments. One prominent dApp developer told me yesterday that forcing users to set up the MetaMask browser extension for identity was the part of their signup flow where they’re losing the most people.
This morning Coinbase CEO Brian Armstrong confirmed these plans to work on an identity SDK. When Coinbase investor Garry Tan of Initialized Capital wrote that “The main issue preventing dApp adoption is lack of native SDK so you can just download a mobile app and a clean fiat to crypto in one clean UX. Still have to download a browser plugin and transfer Eth to Metamask for now Too much friction,” Armstrong replied “On it :)”

On it 🙂
— Brian Armstrong (@brian_armstrong) August 15, 2018

In effect, Coinbase and Distributed Systems could build a safer version of identity than we get offline. As soon as you give your Social Security number to someone or it gets stolen, it can be used anywhere without your consent, and that leads to identity theft. Coinbase wants to build a vision of identity where you can connect to decentralized apps while retaining control. “Decentralized identity will let you prove that you own an identity, or that you have a relationship with the Social Security Administration, without making a copy of that identity,” writes Coinbase’s PM for identity B. Byrne, who’ll oversee Srinivasan’s new decentralized identity team. “If you stretch your imagination a little further, you can imagine this applying to your photos, social media posts, and maybe one day your passport too.”
Considering Distributed Systems and Coinbase are following the Facebook playbook, they may soon have competition from the social network. It’s spun up its own blockchain team and an identity and single sign-on platform for dApps is one of the products I think Facebook is most likely to build. But given Coinbase’s strong reputation in the blockchain industry and its massive head start in terms of registered crypto users, today’s acquisition well position it to be how we connect our offline identity with the rising decentralized economy.

What the Facebook Crypto team could build

Coinbase acquires Distributed Systems to build ‘Login with Coinbase’

Конкурс разработчиков приложений для платформы 2net

Qualcomm Life, "дочка" Qualcomm, объявляет о доступности пакета средств разработки приложений (SDK) для платформы 2net.
Конкурс разработчиков приложений для платформы 2net

YogiPlay Debuts “YogiMeter,” An Educator-Based Rating System For Children’s Learning Apps

yogiplay_logo_rgb

YogiPlay, a Menlo Park-based company from husband-and-wife team Cedric and Michal Selling, is attempting to tackle the critical problem of surfacing appropriate, trusted, and carefully vetted educational apps for children. The company recently raised $1 million in VC funding from DN Capital and Richmond Park Partners, in order to develop a system for rating apps for kids, specifically targeting the ages 2 through 8. Today, YogiPlay is announcing the results of those efforts with YogiMeter, its new app rating system designed to help parents find learning apps for children that have been vetted by a team of educational experts.

The Sellins are both Stanford-trained engineers, with Cedric hailing from Aruba Wireless and Michal an early Google employee. But they’re also parents who grew frustrated with how difficult it was to find quality learning apps for children. Cedric says they were inspired to start the company after watching their two-year old daughter interacting with mobile apps, and realized what powerful learning tools they could be.

In June, the company hired Dr. Jim Gray, who previously served as the Director of Learning at LeapFrog, where he was in charge of all curricula for the last seven or so years. At YogiPlay, he led the development of the YogiMeter system, which has been designed to assess the engagement levels and educational qualities of mobile apps.

“It’s using the same principles I’ve been using all along from my knowledge of child development and interactive media,” he says of YogiMeter. “I’ve structured in a way with some very specific ways to look at how and why kids would be engaged, and if they’re engaged, how and why they might learn.” He also vetted this rubric with other colleagues not associated with YogiPlay to get their feedback and input.

While there are a few startups working to rank and review mobile apps, like KinderTown, for instance (which also vets apps with educators), Dr. Gray says that he believes the YogiMeter system uses a more developmental approach with techniques common to those familiar in child development and education. “The others are not as rigorous, research-based, structured and consistent,” he says describing YogiMeter’s competition.

The system he developed ranks and analyzes apps in two main areas — engagement and educational quality. For determining an app’s engagement, it looks at things like user interactions, user experience, intrinsically motivated engagement, extrinsically motivated engagement and socially motivated engagement. And to analyze the app’s ability to teach, it looks at whether the app will actually engage the child in learning, as it proposes to do, and whether that learning is deep, authentic, personalized, differentiated, and whether or not parents can track the child’s progress throughout. On that last front, it should be noted that YogiPlay also offers mobile developers an SDK which allows them to integrate parental communication tools within their iOS or Android app. Less than twenty developers on iOS and Android are now using this SDK in their apps today.

The YogiMeter rankings will soon be featured visually in the company’s online parent-facing app discovery center and personalized dashboard as well as within its standalone mobile apps, all of which are undergoing massive redesigns right now.  (Hence, no screenshots are appropriate here). YogiPlay’s mobile app is available on Android currently, but has been held up in Apple’s approval queue for around three months. However, since the apps are HTML5-based, it seems that even if it was rejected from iOS, the company could easily make it accessible on mobile devices.

To date, YogiPlay has rated over 600 apps with YogiMeter, and is adding new apps to the system daily. The company has also seen some 45,000 parents register on the site, providing their email and their child’s age and other details. Although parents can’t see the YogiMeter rating just yet on YogiPlay.com, all the apps have now been vetted through the system.


YogiPlay Debuts “YogiMeter,” An Educator-Based Rating System For Children’s Learning Apps

Building Smarter Apps

iPhone App Store Icon Wall

A new breed of mobile applications is coming. These new apps will not only “sense” the world around you, using the smartphone’s sensors like the compass, GPS, and accelerometer – they’ll also be able to combine that data with a history of your actions to intelligently determine your likes, interests and favorites. This understanding of the world, or “ambient discovery” if you will, could then be piped into any app to make it smarter, whether it’s a social app for finding friends, a Siri-like personal assistant, a fitness app, a mobile game, or anything else.

This, at least, is the promise from the Palo Alto-based startup, Alohar Mobile, which recently introduced new SDKs for mobile app developers interested in experimenting with the possibilities of smarter apps.

Alohar Mobile (newly emerged from stealth mode), was founded by a former Platform Architect of Google’s Location Server Platform, Sam Liang. You may know him as the guy who put the “blue dot” location service in tens of thousands of mobile apps, including the default Map app on iPhone and Android, as well as in the Facebook check-in, Foursquare and Yelp. He also architected Google Latitude.

Liang started the company with Stanford alumni, Larry Wang and Alvin Lau, and they’ve now raised $2 million in funding from notable angel investors, including David Cheriton, the first investor in Google, Fortinet founder and CEO Ken Xie, and Tim Draper of Draper Fisher Jurvetson.

As for what, exactly, Alohar is providing – that’s a bit more complicated. It’s not just developing a smarter Siri, although that description is sure to catch more readers’ attention than something like “mobile development platform,” for example. While a smarter Siri-like app could be the product of Alohar’s work, it is not the work itself.

Lau describes the technology as an “ambient sensing platform.”

Um, say what?

“We’ve developed technology that sits on a smartphone that analyzes data coming from all the different sensors on your phone – for example, GPS and Wi-Fi – but a lot of companies do that, that’s nothing special. But we also gather data from the accelerometer, the compass, the gyroscope,” explains Lau. “It helps us to determine a person’s exact location.”

What that means is that apps using Alohar’s technology can precisely determine where someone is because of the way data is combined. For example, an app relying on GPS alone may know that you’re somewhere near a Starbucks, but can’t really tell if you’re there or in an adjacent store. Alohar-enabled apps, however, could detect things like the rate at which you’re moving (60 MPH? You’re probably driving down the road past a Starbucks), the direction you’re headed (moving towards the building slowly? You’re probably walking into the Starbucks), the network you’re connected to (ATTWIFI? You’re probably inside the Starbucks), and even time of day (8:30 AM? You’re probably at the Starbucks on the ground level of that skyscraper, not the nightclub on the top floor).

None of the data is used in isolation, but is instead parsed by advanced algorithms to make sense of your actions and movements. The algorithms give the app higher or lower probabilities to different types of places.

These algorithms can also take into account what you’ve done in the past and use that to help weight the data appropriately. For example, if you’ve visited that Starbucks several times over the past couple of weeks, but have never visited the bagel shop next door, the algorithm knows that you’re probably at the Starbucks.

Alohar’s technology has been packaged into a SDK for mobile developers, which allows them to create new apps or enhance existing ones. They’ve also released a sample app into the App Store called PlaceMe, which is an interesting product on its own. The app tracks and records your movements, producing a virtual trail you could later pull up online. A bit creepy, perhaps, but the company says it would be handy for Alzheimer’s patients to have installed.

But while PlaceMe is a fun experiment, the focus for the company is more so on the tech behind it. Some mobile app makers are already working on integrations, but Alohar can’t reveal who just yet, only give general descriptions. “Developers who are using [the SDK] are in the categories of dating, fitness and health apps that want to track your exercise and make recommendations, and shopping apps that make suggestions based on your location and your likes and favorites,” says Lau.

He also mentioned some check-in apps were experimenting with auto-checkins and the reduced battery consumption the tech enables. Plus, two of these twelve “ambient location” startups that were hot during this year’s SXSW have begun to implement the technology, too.

But it’s still early days for Alohar. The Android SDK came out in March and the iOS version arrived just this month. Both are in beta. So far, around 65 developers are evaluating or integrating the technology, Lau says.

And yet, almost any app that uses location services could benefit from the more precise targeting the tech offers, assuming everything works as advertised. More than that, the tech could enable a whole new kind of experience for developers to build on top of – one where users don’t have to do so much manual labor to explain to apps where they are and what they’re doing and what they want to do.

It’s yet another step towards engineering the serendipitous discovery of the world around us, via our mobile devices. It’s the underpinnings that could breathe intelligence into our apps, which could then make them, at best, more useful, more engaging, and ultimately, more loved…or, at worst, more creepy, more intrusive, more stalker-ish.

How developers choose to implement the technology, and the level of control they give to users surrounding that data’s use and storage, could raise a whole new series of questions about data privacy even though Apple, Google, developers and the government, are still figuring out what to do about the concerns we already have now – those that come more basic actions like accessing the address book or storing GPS data.

But with the fast pace of technology, sometimes you have to weigh the good with the bad and choose to move forward or get left behind. Using this scale, the possibilities to develop more intelligent apps – not to mention ones that can reduce battery drains – is a more exciting and promising step than the potential for abuse, real as it may be, from unscrupulous developers or the government (at least in less authoritarian regimes like the U.S.). You may not agree. That’s fine. But sometimes the laws have to catch up with the world, and in the mobile ecosystem, this is clearly going to be the case for years to come.

Below, a demo of how Alohar, doing things like automatically ordering an ambulance for you. “I’ve fallen and I can’t get up?” Yes, your phone will know.

Image credit: Ryan Orr


Building Smarter Apps

Security Hole Spotted In Facebook Android SDK, Long Tail Apps May Still Be Unpatched

facebook-security

Mobile app platform provider Parse is reporting having discovered a major security hole in the Facebook Android SDK. The problem was quickly patched after being reported to Facebook, but that alone may not be enough to secure affected mobile applications, the company says.

The security vulnerability affected all apps using the Facebook Android SDK, including major apps like Foursquare, and there’s no way for end users to know which app developers, outside the big ones, have implemented the fixes needed to secure users’ data. (Except for Foursquare, which we know to be patched – whew!)

Parse, for those unfamiliar, offers a mobile platform that enables developers to add scalable backend services to their applications. One of the tools the company provides makes it easier to add Facebook support to their Android apps. When used, developers can show a Facebook authentication flow to users, allowing users to sign into an app with their Facebook credentials.

To implement the feature, Parse uses Facebook’s Android SDK to get its authorized access token from the social network. This gives app developers the ability to perform common social actions on behalf of the app’s users, like posting to their Facebook Wall, for example, or accessing their Facebook profile data or friend list. Nothing malicious, of course, as the user is in control and can revoke the app’s permissions whenever they want.

Parse engineer David Poll explains via blog post how he spotted the vulnerability.  Android developers often use logcat, a diagnostic log that apps and system processes can write to, he says. This is actually an executable that can run on a developer’s PC and device. Applications can capture its log for debugging purposes, which, when combined with bug or crash reports, can help developers get to the meat of a problem in an app’s code.

Again, nothing odd or malicious.

However, when working on adding Facebook integration to Parse, Poll noticed something strange: a line appeared in the logcat viewer which basically showed the entire access token that had been just granted after logging in, encoded in a URL.

But Poll’s first thought was that the token was only viewable to them, even though they knew that logcat was essentially a public diagnostic bulletin board for Android apps. But to be sure, Poll tested to see if he could discover other apps (like Foursquare) that also use the Facebook SDK to see if they showed the same thing.

And they did.

Next, Poll used an Android app called CatLog (it lets you view logcat files), which let him see the same line of code without first debugging the app.

Uh-oh.

For those that don’t follow the above dev speak, what this all means is that anyone could write a simple app that scraped the output from the Facebook SDK and steal access tokens from the user of the device.

So Poll did that, too.

And yep, his “FacebookThief” proof-of-concept app worked, running in the background, snagging user tokens.

“In less than 20 lines of non-boilerplate code, I could masquerade as any Facebook user that logged into any app on the device that used the Facebook SDK,” explains Poll. “It wouldn’t even be clear that my app was the culprit. If my app posted to a user’s profile using the stolen access token, it would show up as though it came from the application from which it was stolen!”

And why is this bad? Because with the access token, a malicious app developer could then access the Facebook API and pull down personal data for the Facebook user whose token they had grabbed.

Parse was worried about what this meant for their own developer community. “By using an unmodified version of the Facebook SDK with Parse, we were exposing our developers and their apps’ users to the same vulnerability – something with potentially broad repercussions,” says Poll.

As for Facebook’s response to the reported vulnerability – no complaints here. The issue was patched within 24 hours, and Parse quickly updated to use the new SDK with its platform.

So maybe it sounds like this whole story is sort of a non-starter? Security hole gets patched in a day. Nothing to see here, move along?

But it’s not really a story about Facebook security. Facebook handled the situation as professionally as possible.

There’s a greater issue to be examined here about developers using SDKs and apps over-reaching when asking permissions to run.

Facebook (or any SDK maker, really), doesn’t have a way to push updates into developers’ apps. Instead, developers have to be proactive and manually pull down the latest Facebook SDK, incorporate the new version into their apps, and then push out updates through the app store.

Meanwhile, users are unknowingly exposed to security issues simply because they haven’t updated their apps, or worse, because a developer hasn’t yet addressed the issue on their end.

This particular issue happened in February, and Parse was asked to wait to disclose the issue until Facebook could work with major app developers to get app updates pushed out. Foursquare, you’ll be glad to know, is fixed.

However, Poll says ominously, “there are still some major apps out there that display this vulnerability.”

Which ones, we asked?

“I honestly don’t know,” says Poll.  ”We worked with Facebook to make sure that the major apps had fixed this issue before disclosure, and I know Facebook has sent a broad email to all developers with Android apps on their platform asking them to update their Facebook SDKs. I’m not even sure if Facebook has a way of knowing how many apps are still out there with this issue…”

Facebook, however, confirmed that it has reached out to all major app makers to get their code resolved, and it does have ways to tell that which apps are patched or not. But its response is being determined by how serious a problem this issue really is.

Users are only vulnerable if they have a previously installed malicious application on their system that they have granted the “Read Sensitive Log Data” extended permission. Users can protect themselves by downloading the latest version of their applications and uninstalling any untrustworthy apps.  Due to the responsible reporting of this issue to Facebook, no one within the security community has evidence of an application abusing this vulnerability. We have provided a bounty to the team to thank them for their contribution to Facebook Security.

What should Android users do then?

Poll suggests that, for starters, users should update their apps. But also be careful when granting an app permission which it doesn’t need. Applications that request the “Read Sensitive Log Data” permission have the potential to access private data, so only grant that permission to those you trust, he says.

Frankly, while accurate, I worry about these suggestions. On platforms where apps auto-update, great, that part is handled. (Ahem, Apple – listening?). However, asking users to read complicated and confusing dialog boxes and then make judgement calls based on what’s displayed sounds like a recipe for failure.

Really, it’s up to the mobile ecosystem itself to figure out a safer way to manage issues like this on the developer side. For what it’s worth, that’s what Poll says Parse is working on (as, I would imagine, are their competitors). The company tries to future-proof its design by reviewing code for any area where there’s potential for information to be exposed, he says, and it continually adds new features to the SDK to push developers to upgrade.

But at the end of the day, getting a developer to upgrade their SDK still involves a lot of manual outreach, it seems. Meanwhile, Android still need to think for themselves about every app they install by carefully reading the permissions. Depending on where you stand on things, that situation is either better or worse than Apple’s system, where apps just steal your data because users blindly trusted Apple to weed out the bad ones.


Security Hole Spotted In Facebook Android SDK, Long Tail Apps May Still Be Unpatched