A new investigative report suggests that several iPhone apps, including a number of travel apps, record users’ screens without having to ask for permission.
On Wednesday, TechCrunch revealed the results of an in-depth investigation, cautioning readers that numerous companies, including hotels, airlines, fashion brands, travel sites, mobile carriers, and financial institutions, “know exactly how you’re using their [iPhone] apps.” This means the programs could record just about every action performed on a user’s device without their knowledge and could expose sensitive customer data by accident, even if specific fields are masked for security purposes.
According to TechCrunch, Abercrombie & Fitch, Air Canada, Expedia, Hollister, Hotels.com, and Singapore Airlines are among the many companies that work with the customer experience analytics firm Glassbox. This company is one of a few that permit app developers to bake “session replay” technology into their software, effectively allowing them to record a device owner’s screen and view the playback. While this is done to determine whether something isn’t working or to further analyze an error, TechCrunch’s exposé stressed that it can be very risky when it comes to a customer’s sensitive personal information.
The above report came shortly after the mobile expert known as the App Analyst revealed in his eponymous blog that Air Canada’s iPhone app did not properly mask session replays, thereby exposing the passport and credit card information of users during playbacks. This was noteworthy because Air Canada had announced a few weeks prior that about 20,000 profiles were compromised in a data breach.
“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” the App Analyst explained, in an interview with TechCrunch.
r/t Air Canada admits app data breach included customers’ passport details https://t.co/wpniLq9ZNE
— Graham Cluley (@gcluley) September 3, 2018
The methodology used by the App Analyst when helping TechCrunch with its exposé included “man-in-the-middle” software to intercept and study the data sent from devices on which apps of Glassbox clients were installed. While this technique revealed that only some of the apps were leaking information that should have been masked, TechCrunch noted that it was disconcerting that none of the analyzed apps expressly stated that they were recording phone owners’ screens or sending information to their parent companies or to Glassbox itself.
“Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” the App Analyst further lamented.
Further diving into the results of the research, the App Analyst explained that some apps sent session replays to Glassbox, while others sent these clips back to their own companies’ servers. The mobile researcher added that the personal data was “mostly obfuscated,” but admitted that he spotted some email addresses and postal codes.
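The failure the App Analyst describes above (replays in which passport numbers, card numbers and email addresses survive in the clear, even where the vendor's masking is supposedly switched on) is something an app's own privacy or security team can check for before telemetry leaves the device. The following Python script is an added example and is not code from TechCrunch, the App Analyst, Air Canada or Glassbox; the event format, field names and sample values are constructed for illustration and do not reflect Glassbox's real schema. It audits captured replay events by inspecting the actual values rather than trusting a "masked" flag, flags Luhn-valid card numbers, email addresses and sensitive fields still in plaintext, and shows a deny-by-default masking pass that redacts flagged values.

```python
"""Audit constructed session-replay telemetry for unmasked sensitive data.

Hypothetical event format (an assumption, not any vendor's real schema):
each event is a dict with 'field' (the input's identifier), 'value'
(the text the replay SDK captured) and 'masked' (whether the SDK claims
it redacted the value).  The audit never trusts 'masked'; it looks at
the value itself, because the article's point is that masking failed.
"""
import re
from typing import Dict, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes (typical card length).
DIGIT_RUN_RE = re.compile(r"(?:\d[ -]?){13,19}")
# Substrings of field identifiers that should always be redacted (assumed names).
SENSITIVE_FIELD_HINTS = ("password", "passwd", "passport", "card", "cvv", "ssn")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check: filters random digit runs from likely card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_redacted(value: str) -> bool:
    """True when the value is empty or consists only of mask characters."""
    return value == "" or set(value) <= set("*•")


def classify_value(value: str) -> List[str]:
    """Content-based detection, independent of what the field is called."""
    kinds = []
    if EMAIL_RE.search(value):
        kinds.append("email")
    for m in DIGIT_RUN_RE.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            kinds.append("card_number")
            break
    return kinds


def event_reasons(ev: Dict) -> List[str]:
    """All reasons a single replay event should not leave the device as-is."""
    value = str(ev.get("value", ""))
    field = str(ev.get("field", "")).lower()
    reasons = classify_value(value)
    if any(h in field for h in SENSITIVE_FIELD_HINTS) and not is_redacted(value):
        reasons.append("sensitive_field_in_clear")
    return sorted(set(reasons))


def audit_events(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that still carries sensitive data."""
    findings = []
    for ev in events:
        reasons = event_reasons(ev)
        if reasons:
            findings.append({
                "field": ev.get("field"),
                "reasons": reasons,
                # True here means the SDK claimed to mask but the value leaked.
                "claims_masked": bool(ev.get("masked", False)),
            })
    return findings


def mask_events(events: List[Dict]) -> List[Dict]:
    """Deny-by-default pass: redact anything the audit would flag before upload."""
    out = []
    for ev in events:
        if event_reasons(ev):
            out.append({**ev, "value": "•" * len(str(ev.get("value", ""))), "masked": True})
        else:
            out.append(dict(ev))
    return out


# Constructed sample replay events (not real captured data).
SAMPLE_EVENTS = [
    {"field": "search_destination", "value": "Toronto", "masked": False},
    {"field": "payment_card_number", "value": "4111 1111 1111 1111", "masked": False},
    {"field": "contact_email", "value": "traveller@example.com", "masked": False},
    # The SDK claims this was masked, but the plaintext is still in the event.
    {"field": "login_password", "value": "hunter2", "masked": True},
    # Properly redacted field: no finding expected.
    {"field": "passport_number", "value": "••••••••", "masked": True},
]

if __name__ == "__main__":
    for finding in audit_events(SAMPLE_EVENTS):
        print(finding)
    print("after masking:", audit_events(mask_events(SAMPLE_EVENTS)))
```

The `login_password` case is the one worth running in a review of replay telemetry: its `masked` flag is set, yet the value is still present, which is exactly the gap between a vendor's masking promise and what reaches the recording server. Checking values rather than flags, and redacting by default whenever a field or its content looks sensitive, is the defensive posture the article's findings argue for.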
Did you know these iPhone apps record your screen while you use them? https://t.co/P8Pk1ORczr
— Engadget (@engadget) February 7, 2019
Additionally, TechCrunch pointed out that none of the reviewed apps included anything in their privacy policies about recording a user’s screen data. This prompted the publication to ask the companies behind the apps to illustrate how their alleged use of Glassbox session replays is defined in the apps’ privacy policies.
Only Abercrombie and Air Canada responded with prepared statements, with the former justifying Glassbox’s role in providing consumers with a “seamless shopping experience” and the latter saying it uses “customer provided information” for similar customer service-related purposes. Air Canada added that it “does not, and cannot” capture phone screens outside of its mobile app.
Meanwhile, Glassbox responded to TechCrunch’s inquiries and admitted that it has no rules that strictly require clients to mention their relationship with the company in their privacy policies.
Commenting on the above investigation, 9to5Mac stressed that Glassbox isn’t the only analytics firm that makes use of screen recording in iOS apps. While app developers are ideally limited to seeing only what happens within their own programs, as opposed to the entire operating system, the publication speculated that it might not be long before Apple cracks down on such practices.