Many popular iPhone apps secretly record your screen without asking for permission

“Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps,” Zack Whittaker reports for TechCrunch. “In most cases you won’t even realize it. And they don’t need to ask for permission.”

“TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps,” Whittaker reports. “Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.”

“Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed ‘session replay’ technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers,” Whittaker reports. “The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session.”

“Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen,” Whittaker reports. “Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.”

Read more in the full article here.

MacDailyNews Take: If session replay, which has legitimate uses, is being used in an app, the app’s users should be clearly informed and asked for their consent.

Privacy means people know what they’re signing up for, in plain English, and repeatedly. I’m an optimist; I believe people are smart, and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data. — Steve Jobs

7 Comments

  1. That has got to stop. We need to have a full list of apps that use this system so we can decide if we want to continue to use them.
    Clearly the biggest concern is security. Entering passwords, credit card # etc.
    If Glassbox gets hacked, how will we know that our information has been compromised?

  2. There is nothing wrong with analyzing user behavior on a site or in an App, AS LONG as it is anonymous data. Of course it is likely that an airline would ask for a passport or credit card number for secure processing in booking flights. That analytical tools, and those using them, were also capturing passport or credit card info is criminal, and should be investigated and prosecuted as attempted fraud.

    1. You mean, as long as the user is fully informed and consents.

      There is no such thing as “anonymous”. All major ad agencies have more than enough data to stitch together identity without hardly any effort. Without regulatory oversight, they will keep abusing your privacy. Including Apple, which has cashed in by allowing ad-laden trackers on its platforms.
