Some Popular iPhone Apps Are Secretly Recording Your Screen

Some Popular iPhone Apps Are Secretly Recording Your Screen

It’s a foregone conclusion that app makers will get at least some data on how you use their product. How much data do you really expect, though? Maybe which buttons you tap or the length of sessions? According to TechCrunch and analytics company App Analyst, some popular iPhone apps are getting much more. They basically see everything you do in real time, even sensitive information like passwords and credit card numbers.

The offending apps include Air Canada, Hollister, Expedia, Hotels.com, and many more. These apps use technology from a customer experience analytics firm called Glassbox. It pushes a product called “session replay,” allowing app makers to see what users do in the app. This is supposed to help developers address user experience issues to improve, but it also gives them a tremendous amount of user data.

The Glassbox session replays are essentially real-time videos of how you interact with the app. Each tap, swipe, and text entry becomes part of the replay record. The app then beams the reply back to the Glassbox servers. Data like your password or payment details that are usually transmitted over secure means can get caught up in there. As “The App Analyst” recently discovered, Air Canada wasn’t properly masking these replays before transmitting, putting customer data at risk.

Masking sensitive data sometimes failed in Air Canada session replays.
Masking sensitive data sometimes failed in Air Canada session replays.

Not all apps using Glassbox are including these sensitive pieces of information in replays, but even those that are attempting to mask data can run into errors and leak secure content. This data all ends up on the Glassbox servers, and it’s generally considered inappropriate for apps to send user data to third parties without consent. When that data is a complete record of how you use an app, the privacy implications are rather serious. None of the apps in question mention session replays in their privacy policies, either.

When contacted for comment, Glassbox merely said that it cannot “break the boundary of the app.” So, the Glassbox SDK can’t watch what you do elsewhere on the phone, but that’s not addressing the issues. Glassbox isn’t the only company offering services of this sort, and while none of them are seemingly malicious, we don’t know if they’re trustworthy. Are their servers secure? Will they use your data for any other purposes? Who knows? You’re relying on app developers to do their homework.

Continue reading

NASA Created a Collection of Spooky Space Sounds for Halloween
NASA Created a Collection of Spooky Space Sounds for Halloween

NASA's latest data release turns signals from beyond Earth into spooky sounds that are sure to send a chill up your spine.

Astronomers Might Finally Know the Source of Fast Radio Bursts
Astronomers Might Finally Know the Source of Fast Radio Bursts

A trio of new studies report on an FRB within our own galaxy. Because this one was so much closer than past signals, scientists were able to track it to a particular type of neutron star known as a magnetar.

Sony’s PlayStation 5 Debuts to Strong Reviews
Sony’s PlayStation 5 Debuts to Strong Reviews

Reviews have come in for Sony's PlayStation 5, and while they're a bit preliminary for the same reason as the Xbox Series X, they're broadly positive about Sony's latest gaming effort.

How to Build a Face Mask Detector With a Jetson Nano 2GB and AlwaysAI
How to Build a Face Mask Detector With a Jetson Nano 2GB and AlwaysAI

Nvidia continues to make AI at the edge more affordable and easier to deploy. So instead of simply running through the benchmarks to review the new Jetson Nano 2GB, I decided to tackle the DIY project of building my own face mask detector.