Apple has begun enforcing measures against applications that secretly record iPhone users’ screen activity, prompted by a TechCrunch investigation that uncovered numerous major firms quietly monitoring their customers’ on-screen behavior.
A security expert and TechCrunch examined several apps and discovered that companies such as Expedia and Abercrombie & Fitch had integrated so-called “session replay” technology into their apps, facilitated by London-based analytics firm Glassbox.
According to an analysis of the companies’ privacy policies conducted by TechCrunch and HuffPost, not only are users not clearly informed that such screen recordings are happening, but in at least one instance, sensitive user information was not excluded from the recordings.
On Thursday, an Apple spokesperson told TechCrunch that apps are obligated to show “a clear visual indication when recording, logging, or otherwise making a record of user activity.” Failure to comply could result in removal from the App Store, as reported by TechCrunch.
Apple emphasized that apps must provide “a clear visual indication when recording, logging, or otherwise making a record of user activity.”
“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the statement said.
An Apple spokesperson did not immediately respond to HuffPost’s request for comment.
According to Glassbox’s website, its visual monitoring technology is intended to help companies analyze how users interact with their apps in order to enhance performance.
“Always watching, always learning ― Glassbox is like giving your website or app a brain,” Glassbox described its software on Twitter late last year. “With 100% of every user journey recorded, analysed and securely stored, your digital platforms and your bottom line are protected from unexpected issues.”
Although the company claims its data is securely stored, a tech blogger known as The App Analyst discovered that not all sensitive data fields were hidden during a session replay of Air Canada’s app.
A YouTube video featuring a recorded review of Air Canada’s app showed how users’ credit card numbers and passwords could be visibly exposed.
This discovery follows a data breach of Air Canada’s mobile app last summer, which reportedly impacted 20,000 individuals.
While the airline stated that credit card information was not compromised, it cautioned that personal data like passport numbers might have been stolen. At the time, the airline faced criticism for its weak password system, as reported by the BBC.
In an email to HuffPost on Thursday, a Glassbox representative stated that the information collected by the firm is only accessible through its apps and is not shared with any third parties. A full audit log of every user accessing the customers’ system is also maintained.
“All captured data via our solution is highly secured, encrypted, and solely belongs to the customers we support,” the company stated.
The representative did not respond to inquiries about Air Canada’s potential data leak or any other known incidents.
Glassbox’s website notes that personally identifiable information can be encrypted and made visible to authorized users.
Companies listed as Glassbox clients on its website include Expedia, Air Canada, The Hartford, Guardian, USAA, Yatra, Zurich, Citibank, JP Morgan Chase & Co., Investec, Hotels.com, Singapore Airlines, Air Canada, Abercrombie & Fitch, and Hollister.
Several companies using Glassbox that were contacted by HuffPost defended its use, arguing that the data collection aligns with their privacy policies.
A Singapore Airlines representative specifically pointed out that users agree in the privacy policy to allow data collection “for testing and troubleshooting issues.”
The policy states that the company collects “device and technical information from you when you use our website or mobile application.” It does not mention that this is done through screen recording.
An Air Canada representative emphasized that the company does not and cannot capture phone screens outside of its app and that “all information is handled securely and in accordance with our policy.”
