An inside job at AT&T

One of the craziest things that still exists, in my mind, is smartphone locking to a carrier network‚ÄĒI¬†haven't seen it for a number of years outside of North America, but it's alive and well there.¬†

For those that don't know, if you buy a phone from a carrier like AT&T on a contract, they'll often lock it to only be usable on their network until you've paid it off.

It sounds absurd, and it is, but it's a gloriously profitable way to shackle customers to a company. Over the weekend, it was revealed that a Pakistani duo had operated a rogue unlocking operation for AT&T-locked devices:

The bribery scheme lasted from at least April 2012 until September 2017. Initially, the two Pakistani men bribed AT&T employees to unlock expensive iPhones so they could be used outside AT&T's network. The two recruited AT&T employees by approaching them in private via telephone or Facebook messages. Employees who agreed, received lists of IMEI phone codes which they had to unlock for sums of money.

The crazy thing about this story is that this was just part one. 

When this method got too slow, and employees left the company, they created new tactics: breaching the AT&T network by bribing employees to install malware intentionally. Worse still, they even convinced employees to install rogue network devices that could automatically unlock AT&T devices using their own internal tools.

It sounds like a spy movie or something out of the¬†Darknet Diaries¬†podcast, but it all happened over the simple act of smartphone unlocking‚ÄĒwith millions of dollars changing hands in the process. The man responsible,¬†Muhammad Fahd, was arrested in 2018 and extradited just last week to face trial in the coming weeks.

The only reason this space can even exist is the fact that unlocking phones sucks for customers, increases waste (because a thrown away locked phone probably can't be used), and the process of unlocking through official routes is absurdly expensive or nigh impossible in some cases. 

I'm still not sure what's more ridiculous, however: that the unlocking of handsets needs to exist in the first place, or that this man was able to actually breach the network and run a rogue unlocking business from within without being detected for years. 

‚ÄčFacebook hit by Apple crackdown on messaging features‚Äč

Apple made a small change with big consequences in iOS 13 that has largely gone unnoticed: it's locking down the Voice over IP API‚ÄĒwhich is often used to run in the background‚ÄĒso that it can't be used unless a call is actively being made.¬†

This is a complicated story, but often developers used the API to open a long-running connection with their servers, keeping the app alive all the time and allowing them to refresh data on a regular basic (or track data). 

Facebook says it uses the feature to deliver end-to-end encryption, but Apple is worried about what it¬†can't¬†see happening behind the scenes, so is moving to lock it down. The problem it's working around is that end-to-end encryption was broken until recently on iOS‚ÄĒdevelopers needed to hand Apple a plain-text copy of a message to send a notification, defeating the point of encryption in the first place.

Abusing the VoIP feature allowed them to keep a connection alive, deliver an encrypted blob of data to the device, decrypt it locally on your phone, then deliver the notification. Apple's rules are such that there was no other way to reliably, and securely do this, until iOS 10.

The voice-calling feature is a well-known workaround on iOS for apps that are killed by the OS, which aggressively terminates processes for battery life and performance reasons. Because Facebook used the above processes to deliver those notifications, it needed to be kept awake as long as possible, or the user wouldn't be notified until they open the app.

In 2015, this actually appeared and didn't make a huge splash in the media, but revealed that Facebook has been doing this for years‚ÄĒit's also not the only one, with Snap and WeChat using the feature as well.¬†

Now, Apple will force them to re-architect, but for good reason: it's really hard to check that these apps aren't up to anything else behind the scenes, and that's not an acceptable privacy risk any longer.

Tab Dump

Snap will raise $1 billion to invest in augmented reality
It's public, but it's still raising more money‚ÄĒthe company will issue convertible notes¬†(debt, essentially), to invest in acquiring new platforms, content or other things and revive its growth. Given that the company missed the boat on what makes TikTok so popular, I'm not sure how this will help in reality.

Disney+ is coming on November 12‚ÄĒwith a Hulu and ESPN+ bundle in tow for $12.99
Customer acquisition 101:

1) Make a cheap, compelling bundle for all the great content you own to get customers.
2) Wait a while so they're hooked.
3) Ratchet up the price 2-3x once they're all loyal customers, rake the money in‚ÄĒbecause there's nowhere else to watch that content.
4) There is no 4.

Yelp is quietly screwing over restaurants by secretly replacing their phone numbers
This is¬†dastardly‚ÄĒit re-routes calls for restaurants to its own number, tracks the call, then connects customers to the restaurant, then sends them a bill for a "marketing fee."

Good read: There’s Too Much Damn Content, and Slick UX Design Is Making it Worse