Many Popular iPhone Apps Secretly Record Your Screen Without Asking (techcrunch.com) 97
An anonymous reader quotes a report from TechCrunch: Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won't even realize it. And they don't need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don't ask or make it clear -- if at all -- that they know exactly how you're using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.
Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded -- effectively screenshotted -- and sent back to the app developers. [...] Apps that are submitted to Apple's App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user's screen. Glassbox doesn't require any special permission from Apple or from the user, so there's no way a user would know. When asked, Glassbox said it doesn't enforce its customers to mention its usage in their privacy policy. A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded -- effectively screenshotted -- and sent back to the app developers. [...] Apps that are submitted to Apple's App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user's screen. Glassbox doesn't require any special permission from Apple or from the user, so there's no way a user would know. When asked, Glassbox said it doesn't enforce its customers to mention its usage in their privacy policy. A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
Re: (Score:1, Troll)
A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
Government Executive: We must push the Russian involvement...guys...
A few hours later...
Main Stream Media: "The apps have links with the Kremlin and direct links with Putin...."
The Main Stream Media is publicly claiming that Air Canada is a front for Russian intelligence? That is a quite extraordinary leap, even for a conspiracy mongering Trumpkin.
Re: (Score:2)
There is a huge difference between what the google and facebook enterprise apps were tracking and tracking user actions within your own app.
It's not always nefarious.... (Score:4, Insightful)
However, I find usage analytics in apps and websites immensely useful. For example, if I find that users are swiping around an app aimlessly or take 15 clicks across multiple pages to get to a certain form or feature, it tells me I need to reconsider the workflow or design of the UI. Without the ability to track what a user is doing in the app, I would have to rely exclusively on user feedback which is infrequent and often unactionable.
I don't need to see screen grabs, but knowing that a user went from Page 1 to Page 8 and the clicks or journey they took is invaluable user experience information. Using the hotel booking system (screen grabs aside), I can immediately see why it would be helpful for the developer to see the entire journey a customer took in their app from logging in to completing a booking. A user that spends 40 minutes and 50+ clicks is most likely having issues navigating and the developer would want to minimize that.
TL:DR: The intent isn't always evil behind user tracking.
Re:It's not always nefarious.... (Score:5, Insightful)
(*Not that it is even IN the EULA in this case, so there's that.)
Re: (Score:3, Informative)
Not exactly. We do UX testing all the time (as in our research lab is running these kinds of tests daily). The results you get are valuable and can lead you to making some good decisions.
Unfortunatly, when the user knows you’re watching they become biased. When they’re coming in for an explicit test session, they’re not using the app “realistically” (i.e. as they normally would) which also biases things.
It’s very common for something that tests well to hit the field and t
Re: (Score:3)
In psychology there is a reason you need to clear your experiment with an ethics board prior to conducting it on a subject. If the subject is unaware you need to convince your board that there is no harm to come to the subject.
I'd say potentially exposing information (Are you redacting appropriate things, what happens if a popup from another app comes up while you're doing a screen capture? Is the metadata your collecting potentially have uses that run contrary to the interests of the user - hey this user
Re: (Score:2)
We've done comparative analysis of internal staff who participated in a beta and later compared their actual usage of the app and I can tell
Re: (Score:1)
No, you can't. Not even close. When you're trying to debug a hard-to-reproduce crash, being able to know exactly what was happening in the app that led up to the crash can often provide crucial insight into reproducing it.
Re: (Score:2)
Sorry, I worded that badly. The point I was trying to make was that having the data is valuable for more than just pure design issues. It also helps when figuring out bugs. For example, you might discover through reproducing the exact steps that in some particular path through the app, some critical view never becomes visible for some reason, thus resolving a customer complaint in a way that wouldn't be possible without data. And, of course, it helps in reproducing crashes and other misbehavior.
Re: It's not always nefarious.... (Score:2)
You say that and it could be true but it still isn't actionable, or you choose not to take action.
You would think that if users quickly hit the skip now button on ads for your app that you would show less ads not make the skip now button longer than the ad.
Same goes for large whitespace and tiny moving X's for ads too.
You are taking the wrong Info from your app feedback.
Re: (Score:3)
There are certain things you cannot anticipate, regardless of how well you design your u
Re: (Score:2)
Words used and pace of data entry linked back to the same site the data was entered?
If the data is the same as the user sent up to the site, but how the site is used is the only collection?
But it usually is nefarious (Score:5, Insightful)
However, I find usage analytics in apps and websites immensely useful.
Don't give a shit unless you got informed consent in advance of the data collection. The "informed" bit of that is important and usually neglected by tech companies even if they do the "consent" part. And they usually don't bother with the consent. A 50 page legal click-through agreement does not equal informed consent.
TL:DR: The intent isn't always evil behind user tracking.
The road to hell is paved with good intentions. You might be honest but I have no way to know that and just because you might be honest doesn't mean the next guy is. And let's be honest, most user tracking does have intent that does not benefit the user and it is almost never restricted to just usability studies.
Re:It's not always nefarious.... (Score:4, Informative)
Yes, but in a beta or an instrumented version, with explicit user consent.
Re:It's not always nefarious.... (Score:5, Insightful)
While that information may be of great use to you, if you want it then you need to do two things:
1. Get explicit, opt-in permission from the user.
2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.
These apps appear to have failed on both counts.
Re:It's not always nefarious.... (Score:4, Insightful)
I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.
And that, my friend, is the reason the EU made the GDPR and will slap a fine on you if you ever practice that kind of thinking towards consumers in the EU.
When people do not expect to be spied on, it's not legal to spy on them.
Just like it's not legal to hide a camera in a public restroom and take a snapshot of your private parts.
Re: (Score:1)
I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.
And that, my friend, is the reason the EU made the GDPR and will slap a fine on you if you ever practice that kind of thinking towards consumers in the EU.
When people do not expect to be spied on, it's not legal to spy on them.
Just like it's not legal to hide a camera in a public restroom and take a snapshot of your private parts.
Storing data about how an app is used is hardly tantamount to hiding a camera in a public restroom. It's more like sticking a security camera in a parking lot and recording who comes and goes, and what path they take through the parking lot. Just as there's a presumption that companies can install security cameras to monitor their property, there's a presumption that every website has access to any data that the user or the user's agent (the browser) sends it.
And even for personal data, as long as the web
Re: (Score:2)
I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.
Does your screengrabbing/whatever software stop the instant your app is interrupted by a message notification or any other type of context/focus switch? Everything else is not "your app", and that sure isn't "your information" to do with as you please.
When does your screengrabbing start up again?
what about devices that can run multiple apps displayed simultaneously? My phone can have 2 apps running at half-screen at the same time. Is your app screengrabbing the lot, or just your applications' half? How
Re: (Score:2)
1. Get explicit, opt-in permission from the user.
They kinda do though, and that's part of the problem. It all goes in the T&C at the start which no one ever reads because its a mile long because it legally has to cover a whole bunch of stuff and if they made you click to acknowledge every single bit no one would bother. A reasonable person these days should expect their data to be tracked and slurped where possible and take their own measures against it.
2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.
No excuses for that.
Re: (Score:3)
GDPR mandates that you have to ask specifically and clearly for permission to do that. If you bury it in the ToS it doesn't count, you have to have a separate opt-in tickbox with clear explanation of what it allows.
Re: (Score:2)
Re: (Score:1, Flamebait)
Re: (Score:2)
Re: (Score:1)
For thousands of years, people were able to provide goods and services without spying on their customers. Just because you can, and just because everyone else is doing it, doesn't make it right. If you politely asked to watch people use your app, that would be one thing. But you're sneaky about it. You silently spy on people knowing that they don't know you're doing it. So fuck that, and fuck you. Fuck all of you that think it's ok.
Re: (Score:1)
We don't actually give a fuck, we don't want to be tracked by an endless stream of third party assholes who feel entitled to our data .. plain and simple.
All analytics is bullshit, we didn't consent to the third part crap on your website, and have no way of knowing who they are or what they do with out data.
Since it's impossible to know who is who, the only safe thing to do is assume all third party analytics are hostile to your privacy a
Re: (Score:2)
This is the "let the users beta the alpha before going gold" model that Microsoft has used since its inception.
You can "blah blah" all you want, but goddammit, get your shit together.
ASK FOR BETA TESTERS!
Re: (Score:2)
Re: (Score:2)
You are NOT missing the goddam part where you are rolling out an unfinished product. It's a lot cheaper to let people run the fucking thing into a ditch and THEN you do a front-end alignment.
Your QA sucks.
Secretly? (Score:2)
Re: (Score:2)
Yeah, I can't believe they let apps receive tap events and they even let them call services on the internet! The gall of these people.
Block outbound requests,deny internet access (Score:3)
Re: (Score:3)
We need an firewall that ALSO blocks OUTBOUND requests..And why doesn't security software already do that? Norton did at one time they stopped. Someone out their is smart enough to do this..i will buy a copy for sure
There is a bunch of them for MacOS, like Little Snitch for example which works fine for me. I'd be surprised if such apps don't exist on Windows and Linux. iOS on the other hand forbids that kind of app although you can block apps from accessing the cellular connection (not Wifi it seems). There used to be an app for Android called NetGuard that did this but I don't use Android so I'm not qualified to judge it's effectiveness. These things taking screenshot and sending them to some server out on the net see
Re: (Score:2)
I'd be surprised if it existed for Windows (at least at the basic level GP is talking about), but only because the OS has had it built in since at least Windows 7.
iOS isn't gating permissions with the cell connection, it's allocating your data cap. I don't think it's possible to keep apps from calling home.
As you pointed out, it's impossible to tell the difference between legit data and UI analysis data (well, can be made very difficult to the point of b
iOS app is possible (Score:2)
iOS on the other hand forbids that kind of app
If Charles as an iOS app is possible (which it is), then you could have that kind of blocking application for iOS as well.
The way it works is that it acts as a local VPN, through which all traffic is routed.
Re: (Score:2)
Re: (Score:2)
Did Norton products really change it as of 2014? That's dumb/lame. I remember telling to NOT automatically create rules and to ask me what to do first. I currently use PC Tools Firewall Plus v7.0 in my decade old, updated 64-bit W7 HPE SP1 PC.
Re: (Score:2)
GDPR only works (Score:1)
IF you know where to send your request.
Re: (Score:3)
We're concerned about instrumentation? (Score:1)
If you're a developer and you're not instrumenting your code, you're one cocky SOB. And obviously, if you use an application to e.g. book a flight, sensitive data will be sent to the agent or airline. It's up to developers and administrators to ensure that data doesn't find its way into application performance management data stores--but only if it's not allowed to be there.
Replay is also common. If you're hitting a web app in someone's data center, why on earth would believe the traffic isn't being monitor
So it's like HotJar for websites? (Score:2)
Hypersensationalize much? (Score:1)
Recording inputs and clicks in an app is hardly the same thing as recording your screen. /.
God Im sick of this sensationalistic crap
Glassdoor website explains how invasive they are (Score:3)
https://www.glassboxdigital.co... [glassboxdigital.com]
Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility. This is Glassbox, an innovative customer experience solution to help your organization manage the results of big data analytics. Glassbox is the first Enterprise analytics platform that analyses every digital customer interaction. Can your website afford not to have a brain?
LOL (Score:1)
Play a game and ruin all the thumb guess data.
Really? (Score:4, Insightful)
We're getting paranoid now because programs know what buttons we pushed? That is sort of integral to how they work. What's next "researchers reveal Word records what you type"
Re: (Score:2)
Re: (Score:2)
Were talking about web based apps here. if you can't figure out there is data exchanged that is your issue.
Overblown FUD (Score:5, Interesting)
No, they are not literally recording your screen. Phrasing it in that way is FUD. iOS requires special permissions for that. What they are doing (which I have long suspected FB of doing) is to simply report all your user input within the app. By knowing the state of the app, coupled with your exact actions, they can potentially replay what you would have seen. This allows them to know what you spent the most time looking at. If a customer zooms in on a photo of an item they're selling, then what specifically were they zooming in on? If they see a common pattern there then they can provide closeups of the parts of the product people are most interested in by default.
This is really no different than having 5 buttons in an app, and tracking which buttons are clicked most, and removing the buttons that no one ever uses. That's been going on in UI design for ages. This is more precise and can involve tools that allow the "replay" of sessions allowing someone to see what the user would have seen as they interacted. Going back 20 years, my software tracked which widgets the user interacted with. I could then do the same set of actions they did and *gasp* I would be seeing the same thing they must have seen as they used the software. That's not "secretly recording your screen". I guess by that definition the undo / redo history of thousands of apps mean they also secretly record the screen as well.
In the case of FB I have long suspected that FB tracks the time you "hover" over a post, or more simply, the points at which users momentarily halt their incessant and never-ending scrolling when they finally see something that catches their eye. Then FB will start showing you more related posts, even though you didn't like or interact with the post - they simply know you stopped scrolling and spent time looking at it for some reason. You better believe they infer meaning from that.
Re: (Score:1)
Glassbox does also send screenshots back to the developer: http://theappanalyst.com/aircanada.html
Every Big Website Does this (Score:1)
The site I work on, and the last two I worked on recorded every user session. This is super common. The tools typically block out form fields. Lot's of companies offer this service, they include Inspectlet, Clicktale, hotjar. This is a standard analytics package feature. Every site and app is doing this.
Worrying about this is silly. Consider does your app know how many users clicked button x? Of course, Does it track conversion? Of course. Does it track the number of type xxx errors users encountered? Of Co
words (Score:2)
>apps know exactly what you accessed, what you clicked, what you wrote, what you bought, what you gazed at
BUT MUH IPHONE = PRIVACY
See also: Incognito mode keeps Amazon from knowing what I like
Websites do this all the time (Score:1)
There a number of technologies that do this on websites all the time. IBM Tealeaf is great example of this. It has been used in replaced of eye tracking analysis for years. Allows for improvements to the UI based on customer behavior.
Essentially screenshotted. - Um no. (Score:1)
I'm certain it's recording every interaction, no not through screenshots.
It is merely logging actions on the site through special events.
Recording the screen inplies the logging extends beyond their app. Which in many case of malicious activity outside of GlassBox holds true.
#yellowjournalism