iOS apps like those of Air Canada, Hollister, Expedia and others are using analytics tools to record each and every customer session.
Make your home smarter than the average home
Make your life smarter, simpler, and more convenient with IoT enabled TVs, speakers, fans, bulbs, locks and more.
Click here to know more
Imagine harmlessly inputting your credit card information into a trusted application and having it exposed to makers of the app. The digital economy we live in these days compels us to use multiple apps to make online purchases on a daily basis. Be it booking airtickest to ordering groceries, our financial information is out there and we hope it’s protected. However, a recent investigation by TechCrunch has unmasked some disturbing behaviour on part of iOS app developers.
The publication has found that popular iOS apps like those of Air Canada, Hollister and Expedia are using analytics tools to record each and every customer session. The Sessions Replay feature is provided to the developers of these and many other apps by an Israeli startup called Glassbox, which is in the business of user analytics. When developers embed this technology into their apps, they can get away with recording every key tap and swipe made by users. These sessions can sometimes even expose credit card or password information being inputted by users into apps and there is no way of knowing which app is freely exposing such private information.
Some other known users of Glassbox's technology include - Yatra, Hotels.com, Expedia, and Singapore Airlines.
While the session recording technique is being used by app developers to learn how users interact with their apps, the recording of entire sessions, essentially a screen recording, without the knowledge of users is alarming to say the least. In one instance, TechCrunch found that Air Canada’s iPhone app was not masking its session replays, and hence was exposing users’ credit card details to anyone with access to their database, including employees. The publication too assistance from a mobile expert called The App Analyst and using a man-in-the-middle tool, found that the Air Canada app was sending out unmasked screen recording from a user’s device to servers belonging to Glassbox.
“The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes,” TechCrunch notes in its report.
“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” a Glassbox spokesperson told TC. The company said it does not have access to the keyboard when it is pulled up while using an app.
Glassbox is not the only app that provides these analytics to app developers. However, it it the developers’ duty to disclose this information to users and also protect it from being easily accessible, but like they say, data is the new oil and companies won’t stop at anything to get their hands on it.
Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit in continues the legacy of Thinkdigit.com as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.
We are about leadership-the 9.9 kind! Building a leading media company out of India.And,grooming new leaders for this promising industry.