Apple is cracking down on apps that record iPhone users’ screens after a TechCrunch investigation revealed a number of major companies have been quietly recording their customers’ screen activity.
A review of the apps by TechCrunch and a mobile security expert found that companies like Expedia and Abercrombie & Fitch embedded so-called “session replay” technology into their apps with the help of London-based analytics firm Glassbox.
Not only are users not explicitly informed that such screen recordings are taking place, according to a review of the companies’ privacy policies by TechCrunch and HuffPost, but in at least one case sensitive user data was not omitted from the recordings.
A spokesperson for Apple, in a statement to TechCrunch on Thursday, stressed that its apps are required to provide “a clear visual indication when recording, logging, or otherwise making a record of user activity.” If they don’t comply, they could be removed from Apple’s app store, TechCrunch reported.
“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the statement read.
A spokesperson from Apple did not immediately respond to a request from HuffPost for comment.
Glassbox’s visual monitoring is designed to let companies examine how their users interact with an app in order to improve the app’s performance, according to the company’s website.
“Always watching, always learning ― Glassbox is like giving your website or app a brain,” Glassbox said in a description of its software on Twitter late last year. “With 100% of every user journey recorded, analysed and securely stored, your digital platforms and your bottom line are protected from unexpected issues.”
Though the company argues that its data are securely stored, a review of Glassbox’s monitoring of Air Canada’s app by a tech blogger, The App Analyst, found that not all sensitive data fields were concealed from view during a session replay.
A recorded review of Air Canada’s app that was posted on YouTube showed how users’ credit card information and passwords can be visibly displayed.
This revelation comes after Air Canada’s mobile app suffered a data breach last summer that was estimated to affect 20,000 people.
Though the airline said credit card information was not accessed, it did warn that users’ personal data, such as passport numbers, may have been stolen. The airline was criticized at the time for having a weak password system, the BBC reported.
A representative of Glassbox, in an email to HuffPost on Thursday, stated that the information its firm collects is accessed only through its apps and is not shared with any third parties. Glassbox also keeps a full audit log of every user who accesses a customer’s system.
“All captured data via our solution is highly secured, encrypted, and solely belongs to the customers we support,” the company stated.
The representative did not respond to questions about Air Canada’s potential data leak and if it knew of any other instances.
Glassbox’s website notes that personally identifiable information can be encrypted and made visible to authorized users.
Companies listed as using Glassbox on the company’s website include Expedia, Air Canada, The Hartford, Guardian, USAA, Yatra, Zurich, Citibank, JP Morgan Chase & Co., Investec, Hotels.com, Singapore Airlines, Abercrombie & Fitch and Hollister.
Several companies that use Glassbox, reached by HuffPost, defended its use, arguing that the data collected are in accordance with their privacy policies.
A representative of Singapore Airlines specifically cited users agreeing in its privacy policy to allow data to be collected “for testing and troubleshooting issues.”
The policy states that the company collects “device and technical information from you when you use our website or mobile application.” It does not state that it does this by recording users’ screens.
A representative of Air Canada emphasized that it does not and cannot capture phone screens outside of its app and that “all information is handled securely and in accordance with our policy.”