Apple Directs App Developers To Disclose Or Remove Code That Was Recording Screen Interactions Without Permission


On 6-2-2019 it came to light that several major companies were recording every movement you made in their iPhone apps: every tap and every swipe. Without your knowledge, most of the time. Without your consent, probably every time.

When TechCrunch broke the story, it named leading companies such as Expedia, Air Canada, and Hollister.

It is one thing to assume that most apps are probably collecting data on you; it is a very different shock to learn that many popular iPhone apps from

  • Banks
  • Financers
  • Airlines
  • Hoteliers
  • Travel Sites

and so on were learning exactly how you used their apps. For all you knew, they could have been monetizing your data without so much as a by-your-leave, too.

That isn't all. Some of these apps were also exposing sensitive data, albeit inadvertently.

It has also emerged that apps such as Singapore Airlines and Abercrombie & Fitch, among others, use Glassbox. This customer experience analytics firm is one of the few companies that let developers embed 'session replay' technology in their apps. It allows developers to record (in fact, to capture screenshots of) every keyboard entry, button press, and tap, and to replay them to see how users interact with the app. Developers use the replays to check that everything is working properly and to find errors.

Glassbox has been quoted as tweeting, 'Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?'

A mobile expert and app analyst recently discovered that Air Canada's iPhone app was not adequately masking the session replays it sent back. As a result, credit card data and passport numbers were exposed in each replayed session.

This came just a few weeks after Air Canada had said that its app had exposed 20,000 profiles in a data breach.

This meant that people who knew how could view unencrypted passwords and credit card information.

TechCrunch says that, with the help of the app analyst, it examined a sample of the apps that Glassbox lists as customers on its website. Charles Proxy, a traffic-inspection tool, was used for this.

  • None of the apps examined said that it was recording the user's screen, or that it was sending the recordings to Glassbox's cloud or to the company itself
  • Not all of the apps were leaking masked data.

The app analyst said he would not be surprised if sensitive banking information or passwords were being captured, since the data is often sent to Glassbox's servers.
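The masking failure described above, and the outbound-traffic check the analyst performed, can both be shown in code. The following is an added example, not code from the article, from Glassbox or from any of the apps named: it masks a constructed session-replay event stream before upload and then checks the outbound events for Luhn-valid card numbers that slipped through. The event format and field names are assumptions.

```python
import re
# Constructed sample of events a session-replay SDK might capture; the field
# names and structure are assumptions, not any vendor's real format.
SAMPLE_EVENTS = [
    {"type": "tap", "target": "btn_continue"},
    {"type": "input", "field": "card_number", "value": "4111 1111 1111 1111"},
    {"type": "input", "field": "passport", "value": "X1234567"},
    {"type": "input", "field": "search", "value": "YYZ to LHR"},
    {"type": "input", "field": "notes", "value": "my card is 5500000000000004"},
]
# Fields whose values must never leave the device inside a replay.
SENSITIVE_FIELDS = {"card_number", "cvv", "passport", "password"}
# 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan_in_text(text: str) -> str:
    """Mask Luhn-valid card numbers in free text, keeping the last four."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # just a long number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)

def sanitize_event(event: dict) -> dict:
    """Blanket-mask known sensitive fields; scan every other value for PANs.
    Meant to run on-device, before the replay is uploaded to the vendor."""
    out = dict(event)
    if "value" in out:
        if out.get("field") in SENSITIVE_FIELDS:
            out["value"] = "[masked]"
        else:
            out["value"] = mask_pan_in_text(str(out["value"]))
    return out

def count_pan_leaks(events: list) -> int:
    """Outbound check, as a proxy review would do: events still carrying a PAN."""
    return sum(1 for e in events if any(
        luhn_valid(re.sub(r"\D", "", m.group(0)))
        for m in PAN_RE.finditer(str(e.get("value", "")))))
```

Running `count_pan_leaks` on the raw sample reports two leaking events; after `sanitize_event` is applied to each event it reports none, while the non-sensitive search text is left untouched.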

Without analyzing each app's data, there is no way to know whether an app is recording a user's screen to see how it is being used. The alarming part is that this possibility was not mentioned even in the small print of these apps' privacy policies.

According to TechCrunch, the privacy policies of

  • Expedia
  • Singapore Airlines
  • Air Canada

made no mention of recording users' screens.

Apps submitted to Apple's App Store are required to have a privacy policy. However, none of the apps TechCrunch reviewed stated that it records the user's screen. Since Glassbox needs no special permission from either the user or Apple, there was hardly any way for a user to know whether their screen was being recorded.

Apple’s Move

Around 7-2-2019, Apple updated its developer guidelines and told app developers that they must either disclose the analytics code that records how users interact with their iPhone apps or have their apps removed from the App Store.

An Apple spokesperson is quoted as saying that the App Store Review Guidelines require apps to request explicit consent from users and to give a clear visual indication when logging or recording user activity in any way.

The spokesperson added that developers in violation of these guidelines have been notified and that immediate action may be taken against them if necessary.

Google Play, too, expressly prohibits apps from secretly collecting device-usage data, though it is not yet known whether Google plans to ban the screen-recording code.

To Conclude

Users need to be more careful and more aware.

There are many session replay services on the market, and Glassbox is just one of them.

UXCam says it lets developers watch their users' sessions, including their gestures and all the events they trigger.

Appsee, too, markets its user recording technology actively.

This is a flourishing industry, and many companies depend on such data to understand why things go wrong. After all, in high-revenue situations, a malfunction can cost a company a great deal.

Time will tell what change Apple's step brings about.

Posted in Articles, News on Feb 08, 2019
