Widely-used iOS apps recording screens without user permission

Apps using Glassbox to record active sessions, including passwords and payment information


A number of widely-used iOS apps including Hotels.com and Air Canada have been recording user inputs and capturing screenshots without appropriate permissions, and forwarding the data to a third party for analysis.

Glassbox is an analytics service used by a variety of popular apps to track user behaviour, including clicks, taps and decisions, and use this data to improve user interface (UI) and general functionality. The use of such tools tends to require app developers to flag them with their end-users so that the app monitoring and data recording has user consent. 

But this also includes capturing active sessions which, in some cases, involves users entering highly sensitive personal data such as payment information, or passwords, according to mobile security expert the App Analyst, all without explicit user agreement. 

These 'session replays' are supposed to mask fields of sensitive data when this is entered, but the App Analyst and TechCrunch, which assessed Glassbox via Air Canada, found that black 'redacted' boxes are not always deployed correctly.

In one screenshot, Air Canada attempts to block the collection of payment information, which is initially redacted correctly with black boxes, but subsequent screencaps show the information is revealed.


Moreover, although the password field is covered when a user logs in, password fields are not properly redacted when a user initially creates their account, or needs to reset their password if they've forgotten it.

"Air Canada is unsuccessful in obfuscating credit card and password information," the App Analyst said. "As a result, sensitive data is being captured as images and potentially stored.

"Although the data is not in text format, sensitive data stored as images can just as easily be harvested and leveraged if the database is ever compromised.

"While there may be value in documenting user activity through screenshots, there is also a large amount of risk that the screenshots may capture sensitive data.

"Air Canada has attempted to mitigate this risk by configuring black boxes to cover sensitive fields. However, this attempt has failed, potentially condemning a user's sensitive data to residing in various screenshots stored by Air Canada."


IT Pro approached Air Canada and Glassbox for comment. Other popular iPhone apps using this form of session replay analytics include Abercrombie & Fitch, Expedia, Hotels.com and Singapore Airlines.

The privacy policies of these companies do not mention such session replays, or the recording of user behaviour for analytics purposes, which suggests that consents are not appropriately sought from users, or received.

Apple told TechCrunch that it is now informing app developers to remove or properly disclose their use of analytics tools that record user information. 

"Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," an Apple spokesperson said. 

"We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary." 


"There can be good reasons for session replay analytics," said Avast's security evangelist Luis Corrons. "It allows those companies to see, for example, which of their options are most used, so they can then make them more accessible.


"However, doing that without even mentioning it is not right, and probably illegal in some countries. Extra security measures have to be taken in case sensitive information is involved in these recordings."

Glassbox markets itself as an "innovative customer experience" platform that analyses every digital customer interaction.

Its privacy policy suggests the information it gathers does not include personal identifiers, i.e. users remain anonymous. However, the data that it does collect, which includes demographic and location data, is stored for up to 24 months.

This is analysed to divide audiences into different categories based on factors such as age, gender, and interests, and may in some cases be combined with other information obtained from other companies.

"In many countries, such deceptive practices are unlawful and may trigger harsh legal ramifications, from individual lawsuits and class actions to regulatory financial penalties," said High-Tech Bridge's CEO Ilia Kolochenko.

"However, in many cases the app users are not completely blameless - many don't even bother reading apps' terms of usage and blindly grant any permissions requested by the app."
