Some apps on Apple Inc.'s app store are secretly recording and replaying how you use the apps.
According to an investigation by the technology news site TechCrunch, the companies behind some popular iPhone apps, including travel sites, airlines, hoteliers, cell phone carriers, banks and financiers, know exactly how you’re using their apps.
These apps are recording every swipe and tap you make on your iPhone apps, and they are doing so without permission or making it clear to the user they are recording their every action.
Imagine Brands Could See Exactly How You Use an App in Real Time
You don’t have to imagine—this is already happening.
Companies like Air Canada, Hotels.com, Hollister and Expedia apparently use a customer experience analytics company called Glassbox that allows app developers to embed “session replay” technology into their apps. TechCrunch reports these session replays let app developers record the screen and play the recording back to see how their users interacted with the app.
“Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers to figure out if something didn’t work or if there was an error,” says TechCrunch. The developers can then determine what to do next, at their own discretion.
And Glassbox isn’t the only company offering this service. It is just one of many session replay services on the market enabling this practice.
Appsee, another such customer experience analytics firm cited by TechCrunch, markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events,” notes TechCrunch.
Privacy Risks Associated with App Session Recordings and Replays
A mobile expert who writes about his analyses of popular apps on his eponymous blog, The App Analyst, says there’s danger in how app session recordings and replay services are done.
The danger and privacy risk involved were exhibited clearly in Air Canada’s iPhone app, which wasn’t properly masking the session replays when they were sent. This led to a privacy debacle that exposed passport numbers and credit card data of some 20,000 profiles in each replay session.
“This [data breach] lets Air Canada employees — and anyone else capable of accessing the screenshot database — see unencrypted credit card and password information,” The App Analyst told TechCrunch.
Apple CEO Tim Cook last year warned of the rise of a “data industrial complex,” where our data is being “weaponized” against us. While decrying the apparent poor data handling practices of rival tech companies like Facebook, which has been plagued by numerous high-profile data scandals, Cook called for government regulation of the shady data practices that are on the rise.
The need for consumer protections is important because technological advances have led to the development of "a data industrial complex," Cook said at an annual international privacy conference in Brussels, Belgium in support of the European Union's data privacy law, enacted in May. "Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency."
Despite Cook’s tough talk against shady data practices, they seem to be happening in his own backyard.
Apple Apps Failing to Be Forthright on Their Data Handling Practices
Unfortunately, as companies seek more user data, many of their apps on the app store are not adhering to strict and transparent data handling policies—despite Apple’s public demands for it.
The hunger and thirst for users’ data is apparently too hard for some companies to resist, and users are not always let in on all the different ways apps collect and use their information.
Glassbox and similar services didn’t require any special permission from Apple or from the user to offer their services, meaning there was no way a user would know that their actions on an app are being recorded by the app developer and possibly by other third parties.
Apple has since sought to correct this creepy practice by issuing a statement instructing app developers to disclose or remove screen recording code from apps — or face removal from the app store, TechCrunch confirmed.
“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users’ data and who they share it with,” said The App Analyst.