Popular iPhone Apps Caught Recording Screens Without User Knowledge
Apple positions itself as a champion of privacy and security, especially on mobile, but recent events have shown that not everyone is on the same page. Both Facebook and Google have abused their Enterprise Certificates to get, and pay, users to install logging apps outside of the App Store. Now it seems that some highly used iPhone apps are recording screen taps and swipes without informing the user, much less asking for their permission.
It's almost like those customer service calls where you're told the session will be recorded, supposedly to improve the service (but also for future evidence). Except apps like Hotels.com, Hollister, Expedia, Abercrombie & Fitch, Air Canada, and Singapore Airlines don't even make that disclaimer, whether outright or in very fine print. The goal is allegedly the same: to see how customers interact with the apps, to study how they use them, and, supposedly, to improve them. The side effects, however, are less than innocent.
What all these apps have in common is that they use Glassbox, a customer experience analytics firm. The service provides a "session replay" technology that effectively screenshots the screen to capture every tap and keyboard entry. These screenshots are sent for analysis either to the app developers directly or to Glassbox, which then sends them to the app makers.
TechCrunch, which has recently become a crusader to uncover such behind-the-scenes privacy violations, noted that none of these apps inform the user of such activity or ask their permission. What makes matters worse is that these are apps where users are likely to key in their passwords or credit card info. Some of these apps properly mask that sensitive information before sending it off to remote servers. Others don't. Air Canada, which recently reported a massive data breach, is one of those that don't.
At the moment, it isn't clear if the apps are in violation of any of Apple's policies, but the very fact that they do so secretly is already a red flag. Sadly, Glassbox is hardly the only one of its kind, and the app analytics industry isn't going away any time soon. Hopefully, this new exposé will at least give platform makers and authorities a heads-up on what's happening in their own backyards.