In an effort to better understand how their customers interact with mobile apps, certain companies embedded a third-party analytics SDK that can record everything you do while inside an application, including every single tap, swipe and text input. All of that happens without explicit consent from the user, who has no idea that screenshots of the app may reach a third-party server, sometimes including sensitive personal data such as credit card numbers, passwords, and contact details.
The iPhone hasn’t been hacked to allow such functionality, and it’s not a bug. It’s just the kind of clever-yet-creepy iOS analytics that some companies were able to come up with.
According to a TechCrunch report, several popular iPhone apps from hotels, travel sites, airlines, carriers, and banks, track everything you do inside the app.
The report makes specific mention of apps from all the companies listed below, which record what happens on the screen while you are inside the app. None of the privacy policies that accompany these apps mention this kind of analytics capability explicitly.
- Abercrombie & Fitch
- Singapore Airlines
- Air Canada
Some of these companies use Glassbox, a customer experience analytics firm that lets developers include so-called “session replay” features inside their apps. These replays allow developers to see exactly what you do with their apps and understand what, if anything, went wrong during a session. Screenshots are sent back either directly to the company’s servers or Glassbox’s cloud.
In one example, App Analyst found that Air Canada wasn’t properly masking the session replays, which meant that sensitive data including passport numbers and credit card data would show up in the replays. What’s worse is that Air Canada had earlier disclosed a data breach that exposed 20,000 profiles.
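The Air Canada case is a masking failure: the replay pipeline shipped whatever was on screen. The following is an added example, not Glassbox's SDK or any of these companies' code, of what a pre-upload scrubber for replay events should do. It assumes a constructed event format (taps, text input, and screenshots modelled as text regions) and assumes the app tags its sensitive inputs with field names such as `card_number`; because a developer may forget a tag, it also masks card numbers by content, keeping only a Luhn-validated PAN's last four digits.

```python
"""Pre-upload scrubber for session-replay events (added illustration).

Two layers, because either one alone fails in practice:
  1. Field-name masking: anything tagged sensitive is fully redacted.
  2. Content masking: any Luhn-valid card number is masked wherever it
     appears, including untagged free-text fields and screenshot text.
The event format and field names here are assumptions for the example.
"""
from __future__ import annotations

import re
from typing import Any

# Fields the app is assumed to tag as sensitive (hypothetical names).
SENSITIVE_FIELDS = {"password", "passport_number", "card_number", "cvv"}

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Mask every Luhn-valid card number in text, keeping the last four digits."""
    def _sub(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # booking reference, loyalty number, etc.
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(_sub, text)


def mask_value(field: str | None, value: str) -> str:
    """Apply field-name masking first, then content masking."""
    if field in SENSITIVE_FIELDS:
        return "[REDACTED]"
    return mask_pans(value)


def scrub_event(event: dict[str, Any]) -> dict[str, Any]:
    """Return a masked copy of one replay event; the input is left untouched."""
    out = dict(event)
    kind = out.get("type")
    if kind == "text_input":
        out["value"] = mask_value(out.get("field"), str(out.get("value", "")))
    elif kind == "screenshot":
        # Screenshots are modelled as text regions; a real SDK would blank
        # the pixels of tagged views instead, but the rule is the same.
        out["regions"] = [
            {**r, "text": mask_value(r.get("field"), str(r.get("text", "")))}
            for r in out.get("regions", [])
        ]
    elif kind == "tap" and out.get("field") in SENSITIVE_FIELDS:
        # Tap coordinates on a keypad reveal the PIN/CVV being typed,
        # so drop them when the tap landed on a sensitive field.
        out.pop("x", None)
        out.pop("y", None)
    return out


def scrub_session(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Scrub a whole recorded session before it is uploaded anywhere."""
    return [scrub_event(e) for e in events]


# Constructed sample session (not real captured data).
SAMPLE_SESSION = [
    {"type": "tap", "field": "card_number", "x": 120, "y": 440},
    {"type": "text_input", "field": "card_number", "value": "4111 1111 1111 1111"},
    {"type": "text_input", "field": "passport_number", "value": "AB1234567"},
    # Untagged free text: only the content layer catches the card number;
    # the loyalty number fails Luhn and is left alone.
    {"type": "text_input", "field": "notes",
     "value": "card 4111-1111-1111-1111, ref 1234 5678 9012 3456"},
    {"type": "screenshot", "regions": [
        {"field": "card_number", "text": "4111 1111 1111 1111"},
        {"field": "name", "text": "Jane Doe"},
    ]},
]

if __name__ == "__main__":
    for ev in scrub_session(SAMPLE_SESSION):
        print(ev)
```

The content layer is what would have saved the Air Canada replays: a tag-only scheme silently fails the moment a new screen or an untagged text view is added, whereas a Luhn-gated pattern match over everything leaving the device degrades to a false positive at worst. Passport numbers have no checksum, so they can only be caught by tagging the field, which is why both layers are needed.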
The same analyst looked at other apps for TechCrunch and found that not every app was leaking data, but that none of the apps disclosed this practice to customers, not that many people read the terms and conditions of any app. Some apps sent the screenshots directly to the company’s own servers rather than to Glassbox, yet sensitive data was still exposed in some cases.
Some of these companies confirmed that they include Glassbox technology in their apps, and some stressed that their apps do not capture the screen outside the application and do not have that ability. Glassbox also said that its SDK only works within the app and “technically cannot break the boundary of the app.”