- Multiple iOS apps found recording users' phone screens while they use the app
- Apps use a technology called Sessions Replay to record user activity
- Details like credit card information and passwords could possibly be exposed without users' knowledge
Imagine harmlessly inputting your credit card information into a trusted application and having it exposed to makers of the app. The digital economy we live in these days compels us to use multiple apps to make online purchases on a daily basis. Be it booking airtickest to ordering groceries, our financial information is out there and we hope it’s protected. However, a recent investigation by TechCrunch has unmasked some disturbing behaviour on part of iOS app developers.
The publication has found that popular iOS apps like those of Air Canada, Hollister and Expedia are using analytics tools to record each and every customer session. The Sessions Replay feature is provided to the developers of these and many other apps by an Israeli startup called Glassbox, which is in the business of user analytics. When developers embed this technology into their apps, they can get away with recording every key tap and swipe made by users. These sessions can sometimes even expose credit card or password information being inputted by users into apps and there is no way of knowing which app is freely exposing such private information.
Some other known users of Glassbox's technology include - Yatra, Hotels.com, Expedia, and Singapore Airlines.
While the session recording technique is being used by app developers to learn how users interact with their apps, the recording of entire sessions, essentially a screen recording, without the knowledge of users is alarming to say the least. In one instance, TechCrunch found that Air Canada’s iPhone app was not masking its session replays, and hence was exposing users’ credit card details to anyone with access to their database, including employees. The publication too assistance from a mobile expert called The App Analyst and using a man-in-the-middle tool, found that the Air Canada app was sending out unmasked screen recording from a user’s device to servers belonging to Glassbox.
“The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes,” TechCrunch notes in its report.
“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” a Glassbox spokesperson told TC. The company said it does not have access to the keyboard when it is pulled up while using an app.
Glassbox is not the only app that provides these analytics to app developers. However, it it the developers’ duty to disclose this information to users and also protect it from being easily accessible, but like they say, data is the new oil and companies won’t stop at anything to get their hands on it.