Popular iPhone Apps Caught Secretly Recording Screen Activity

While it should really come as no surprise that many apps are collecting personal data on their users, a new report has discovered that a selection of popular travel, shopping, and banking apps are going so far as to actually record all of a user’s screen activity.

An investigation by TechCrunch revealed that companies like Air Canada, Hollister, and Expedia are “recording every tap and swipe” that users make in their iPhone apps, without any indication that they’re doing so, or any need to ask for permission. TechCrunch found this happening in a number of popular iPhone apps from hoteliers, travel sites, airlines, cell phone carriers, banks, and financiers, and in no case did the apps let users know that they were being tracked in this way.

The culprit behind all of this appears to be a service called Glassbox, a customer experience analytics firm that develops “screen replay” technology that can be embedded into apps for diagnostic and analytical purposes. The recorded sessions are intended to be used by developers to watch how users interact with an app in order to improve the experience, but there seems to be no requirement to let users know that every tap, button push, and keyboard entry is being recorded and sent back to the developers of the app — data that may include confidential information such as credit cards and passwords.

While this data should obviously be masked when entered into an app, and therefore not available as part of a screen recording, it appears that at least some developers haven’t shown much diligence in ensuring that this is the case. For example, according to an analysis of Air Canada’s app by The App Analyst, information was improperly being masked in replays, resulting in credit card and passport numbers being exposed and stored in the screenshot database in unencrypted form. Not surprisingly, TechCrunch also reported that Air Canada had a security breach several weeks ago that exposed 20,000 user profiles.

TechCrunch also asked The App Analyst to look at several other apps incorporating Glassbox technology — as per Glassbox’s customer list. Researchers discovered that while not every app was leaking masked data, none of them advised users that they were recording screen activity at all, much less that this data was being transmitted outside of the app back to the app developers and/or Glassbox’s cloud.

The researcher noted that some apps sent their session replays directly to Glassbox, where they’re presumably hosted for access by developers, while others send data directly to servers on their own domain. Data was described as “mostly obfuscated,” but the Air Canada example suggests that there’s a definite risk of this not being the case, and the level of private data that was properly masked varied from app to app, with some properly filtering out extremely sensitive information like credit card numbers and passwords, but still exposing e-mail addresses and mailing addresses.

The report adds that the wide number of apps on the App Store make it impossible to know if any given app is recording a users’ screen, or what data is being sent. While all apps submitted to Apple’s App Store are required to have a privacy policy, none of the apps that TechCrunch looked at included information about screen recording — even in the fine print.

While Apple does a good job at the iOS level of enforcing what an app is able to access outside of its own “sandbox,” there are considerably fewer restrictions on what an app can do within its own environment, allowing Glassbox, and other apps like it, to function without needing any special permissions from Apple or the user. That said, it should be made clear that each of these apps is only recording activity within the app itself — Apple’s iOS restrictions should definitely prevent any app from recording the screen once the user leaves the app — but that’s small consolation for shopping, banking, and travel apps that are frequently used to enter sensitive information.

After carefully examining the privacy policies for several of the offending apps, including Expedia, Hotels.com, Air Canada, and Singapore Airlines, TechCrunch reached out to the companies involved, asking them to point out the section of their privacy policies where this is disclosed to users. Only Abercrombie and Air Canada responded, offering “PR spin” answers that acknowledged that screen recording occurs within their apps, but only generically pointing to their privacy policy and evading the question of why those policies don’t actually disclose this to their users. Air Canada also emphasized that its app “does not — and cannot — capture phone screens outside of the Air Canada app.” Glassbox also responded to TechCrunch, stating that it doesn’t require that its customers mention its usage in their privacy policies, and also reiterated that the Glassbox SDK “cannot break the boundary of the app.”

Glassbox isn’t alone in this however — it’s actually one of several session replay services used by iOS developers, a list that includes Appsee, UXCam, and Mixpanel. None of these require that their clients disclose to users that such screen recording technology is in use, much less where and how it is stored, and how it is actually used. While most are only used by developers seeking to understand how to improve the user experiences in their apps, this does not let any of these companies off the hook for failing to provide full disclosure, nor does it explain why Apple — a company that claims to champion user privacy — allows this sort of thing to occur on its iOS platform without any kind of limitations or even transparency.

Sadly, until there’s a requirement for full disclosure, there’s going to be no way to be certain which apps are bad actors, so users who are concerned that sensitive information like credit card and passport numbers won’t be potentially vulnerable to data breaches, the only way to guarantee security is going to be to avoid using these kinds of dedicated travel, shopping, and banking apps altogether, opting to make bookings and purchases in mobile Safari or another desktop browser instead.