Some Popular iPhone Apps Are Secretly Recording Your Screen

Some Popular iPhone Apps Are Secretly Recording Your Screen

It’s a foregone conclusion that app makers will get at least some data on how you use their product. How much data do you really expect, though? Maybe which buttons you tap or the length of sessions? According to TechCrunch and analytics company App Analyst, some popular iPhone apps are getting much more. They basically see everything you do in real time, even sensitive information like passwords and credit card numbers.

The offending apps include Air Canada, Hollister, Expedia, Hotels.com, and many more. These apps use technology from a customer experience analytics firm called Glassbox. It pushes a product called “session replay,” allowing app makers to see what users do in the app. This is supposed to help developers address user experience issues to improve, but it also gives them a tremendous amount of user data.

The Glassbox session replays are essentially real-time videos of how you interact with the app. Each tap, swipe, and text entry becomes part of the replay record. The app then beams the reply back to the Glassbox servers. Data like your password or payment details that are usually transmitted over secure means can get caught up in there. As “The App Analyst” recently discovered, Air Canada wasn’t properly masking these replays before transmitting, putting customer data at risk.

Masking sensitive data sometimes failed in Air Canada session replays.
Masking sensitive data sometimes failed in Air Canada session replays.

Not all apps using Glassbox are including these sensitive pieces of information in replays, but even those that are attempting to mask data can run into errors and leak secure content. This data all ends up on the Glassbox servers, and it’s generally considered inappropriate for apps to send user data to third parties without consent. When that data is a complete record of how you use an app, the privacy implications are rather serious. None of the apps in question mention session replays in their privacy policies, either.

When contacted for comment, Glassbox merely said that it cannot “break the boundary of the app.” So, the Glassbox SDK can’t watch what you do elsewhere on the phone, but that’s not addressing the issues. Glassbox isn’t the only company offering services of this sort, and while none of them are seemingly malicious, we don’t know if they’re trustworthy. Are their servers secure? Will they use your data for any other purposes? Who knows? You’re relying on app developers to do their homework.

Continue reading

Third-Party Repair Shops May Be Blocked From Servicing iPhone 12 Camera
Third-Party Repair Shops May Be Blocked From Servicing iPhone 12 Camera

According to a recent iFixit report, Apple's hostility to the right of repair has hit new heights with the iPhone 12 and iPhone 12 Pro.

Nvidia, Google to Support Cloud Gaming on iPhone Via Web Apps
Nvidia, Google to Support Cloud Gaming on iPhone Via Web Apps

Both Nvidia and Google have announced iOS support for their respective cloud gaming platforms via progressive web applications. Apple can't block that.

Google Uncovers iPhone Exploit That Can Steal Data Over Wi-Fi
Google Uncovers iPhone Exploit That Can Steal Data Over Wi-Fi

According to Ian Beer of Google's Project Zero security team, the flaw allowed him to steal photos from any iPhone just by pointing a Wi-Fi antenna at it.

Stadia Is Now Playable on iPhone Thanks to Google’s New Web App
Stadia Is Now Playable on iPhone Thanks to Google’s New Web App

Google promised iPhone support, but Apple's App Store policies got in the way. Now, there's finally a way to play Stadia on iOS — just fire up Safari and go to the Stadia site to use the new progressive web app.