Mobile apps are on the radar for discreetly conducting activities that go against app store policies. As a result, Google and Apple have been actively removing tens and hundreds of apps from their respective app stores to keep their hundreds and thousands of users safe. But it looks like the spring cleaning is far from done.
Several iOS apps have raised alarm for breaching the privacy of their users by secretly recording users' screens without asking for consent or informing them of the practice. These aren't fake apps, but legitimate ones representing some of the most popular businesses in the hotel, travel, banking and airline industries, which makes the matter even more concerning.
TechCrunch found these apps via Glassbox's customer database. Glassbox is one of the analytics companies that deploy session replay technology into their customers' apps, which allows developers to see how users interacted with the app in order to make improvements. While it sounds like the companies are doing this in the users' best interest, the way it is carried out is the concerning factor here.
With the help of The App Analyst, a mobile app expert, TechCrunch said popular iOS apps such as Air Canada, Expedia, Singapore Airlines, Abercrombie & Fitch, Hollister and Hotels.com use "session replay" technology in their apps to record every tap, swipe, button push and keyboard entry and send the screenshotted data back to developers for review.
In this process, The App Analyst noted that some apps expose sensitive user information, which could easily be compromised in the event of a cyber-attack. For instance, Air Canada's iOS app gathers session replays, which usually include passport numbers, credit card and password information, all without proper encryption. It's worth pointing out that Air Canada recently confirmed its app had a data breach, which exposed 20,000 profiles.
All the apps using Glassbox's controversial "session replay" technology either send the data back to their own servers or push it to Glassbox's cloud. But none of the apps mention recording a user's screen in their policies, which many users skip by tapping "I agree" anyway. Basically, there's no way users can find out whether their screens are being recorded unless they dive deep into the data for each app, which The App Analyst did using the Charles Proxy tool.
The companies behind these popular apps do not deny the practice, as they find it useful for improving the user experience in the app.
"Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips. This includes user information entered in, and collected on, the Air Canada mobile app. However, Air Canada does not—and cannot—capture phone screens outside of the Air Canada app," a spokesperson for Air Canada told TechCrunch.
Abercrombie said the "session replay" technology helps create "a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience." But it was not clear where Abercrombie's and Hollister's privacy policies mention screen recording.
The same goes for Singapore Airlines, which said the data collection is in accordance with its privacy policy and pointed to Clause 3 of that policy, but TechCrunch found nothing there.
Seeing this disturbing trend practised widely across the board, The App Analyst said: "I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users' data and who they share it with."
Apple is yet to take any action in the matter.