Submitted via IRC for SoyCow1984
Many popular iPhone apps secretly record your screen without asking
Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.
You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.
Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.
Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play it back to see how their users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.
Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”
The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.
[...] Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until
(Score: 1) by optotronic on Friday February 08 2019, @02:11AM (1 child)
I thought Apple cared about their users' privacy. Will they stop this or rationalize it?
(Score: 3, Informative) by Freeman on Friday February 08 2019, @05:05PM
https://arstechnica.com/gadgets/2019/02/apple-to-developers-disclose-screen-recording-or-get-booted-from-app-store/ [arstechnica.com]
So, I would say that's your answer.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 1, Interesting) by Anonymous Coward on Friday February 08 2019, @02:26AM (2 children)
I develop an app, and I know people won't report issues they have. It is useful to be able to detect bugs that people encounter during use, so they can be fixed.
I would have a problem if one app could monitor what the user was doing in a different app.
(Score: 2) by Mainframe Bloke on Friday February 08 2019, @03:24AM
I agree up to a point, and the programmer in me agrees even more strongly, but of course "the best laid schemes of mice and men" etc...inevitably there will be data leakage as evinced in the Air Canada reference above, and even if that specific one may have been harmless, not all of them will be. Is anyone's code perfect?
Glad I don't use an Apple in this case.
(Score: 2) by fido_dogstoyevsky on Friday February 08 2019, @11:20AM
And this is one of the reasons I keep wifi and data disabled.
I have a problem with any app that can phone home (pun unintended) without my permission.
It's NOT a conspiracy... it's a plot.
(Score: 5, Insightful) by MostCynical on Friday February 08 2019, @03:03AM
There are good reasons to have user interactions and screen behaviour... But they go away once you leave testing and go to production.
Tracking is barely okay if the user consented with full awareness and knowledge. It is never okay otherwise.
Even if you claim you only do it "to make things better"
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by MichaelDavidCrawford on Friday February 08 2019, @04:28AM
I’ve been griping about mobile analytics since 2010, when I attended a talk by three analytics vendors at Mobile Portland.
Yes I Have No Bananas. [gofundme.com]
(Score: 3, Informative) by MichaelDavidCrawford on Friday February 08 2019, @04:31AM (1 child)
All three of those mobile analytics vendors I mentioned below offered free developer SDKs for Android as well.
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Friday February 08 2019, @02:31PM
which of the girls in you wgot in your signature offered free development? some look pretty (pun intended) developed already.
(Score: 0) by Anonymous Coward on Friday February 08 2019, @07:40PM
At one extreme, many apps are nothing but a user interface wrapped around a web service. There's nothing an app developer can learn that they don't already know from reading their web server logs.
At the other extreme, a web browser app that did this would effectively reveal the user's entire browsing history to the browser developer. This should be self-evidently invasive to privacy.
I do have some issue with the implication of the headline that the app is recording everything on the phone, when in fact they are recording only what goes on within the app.
The data the app collects and how it is used should already be in the privacy policy. This isn't something that needs special disclosure in the app store or in the app itself.