iPhone Apps Secretly Recording Your Screen

Do you have an iPhone app? Major companies like Air Canada, Hollister and Expedia could be recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it, and they don’t need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm and one of a handful of companies that allow developers to embed “session replay” technology into their apps. Session replays let app developers record the screen and play the recording back to see how users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded and sent back to the app developers.

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found that Air Canada’s iPhone app wasn’t masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

Not every app was leaking masked data; none of the apps examined said they were recording a user’s screen — let alone sending the recordings back to each company or directly to Glassbox’s cloud. That could be a problem if any one of Glassbox’s customers isn’t properly masking data.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, according to TechCrunch, there was not a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline.

Air Canada responded: “Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trip.”

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users’ data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policies.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics. Glassbox SDK can interact with our customers’ native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app. “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.
