Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Software Android IOS Security Technology

Many Popular iPhone Apps Secretly Record Your Screen Without Asking (techcrunch.com) 97

An anonymous reader quotes a report from TechCrunch: Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won't even realize it. And they don't need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don't ask or make it clear -- if at all -- that they know exactly how you're using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded -- effectively screenshotted -- and sent back to the app developers. [...] Apps that are submitted to Apple's App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user's screen. Glassbox doesn't require any special permission from Apple or from the user, so there's no way a user would know. When asked, Glassbox said it doesn't enforce its customers to mention its usage in their privacy policy.
A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
This discussion has been archived. No new comments can be posted.

Many Popular iPhone Apps Secretly Record Your Screen Without Asking

Comments Filter:
  • by froggyjojodaddy ( 5025059 ) on Thursday February 07, 2019 @08:16AM (#58083286)
    ..let me start by saying if your app is sending credit card/payment info, screen grabs, passport data etc. without the express and explicit knowledge of the user, that's just plain wrong.

    However, I find usage analytics in apps and websites immensely useful. For example, if I find that users are swiping around an app aimlessly or take 15 clicks across multiple pages to get to a certain form or feature, it tells me I need to reconsider the workflow or design of the UI. Without the ability to track what a user is doing in the app, I would have to rely exclusively on user feedback which is infrequent and often unactionable.

    I don't need to see screen grabs, but knowing that a user went from Page 1 to Page 8 and the clicks or journey they took is invaluable user experience information. Using the hotel booking system (screen grabs aside), I can immediately see why it would be helpful for the developer to see the entire journey a customer took in their app from logging in to completing a booking. A user that spends 40 minutes and 50+ clicks is most likely having issues navigating and the developer would want to minimize that.

    TL:DR: The intent isn't always evil behind user tracking.
    • by MadKeithV ( 102058 ) on Thursday February 07, 2019 @08:22AM (#58083300)
      You can sort that kind of stuff out in UX testing: you can see what they are doing if you're there, in the room with them, while they are doing it, and your tester knows you are watching them. Instead of this surreptitious "it's for UX reasons, honest, and we buried it on page 24 of the EULA in a locked filing cabinet in a disused lavatory behind a sign that says "beware of the leopard"*. Can we please start putting users' rights above our own damn convenience as developers? Thanks.

      (*Not that it is even IN the EULA in this case, so there's that.)

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Not exactly. We do UX testing all the time (as in our research lab is running these kinds of tests daily). The results you get are valuable and can lead you to making some good decisions.

        Unfortunatly, when the user knows you’re watching they become biased. When they’re coming in for an explicit test session, they’re not using the app “realistically” (i.e. as they normally would) which also biases things.

        It’s very common for something that tests well to hit the field and t

        • by Minupla ( 62455 )

          In psychology there is a reason you need to clear your experiment with an ethics board prior to conducting it on a subject. If the subject is unaware you need to convince your board that there is no harm to come to the subject.

          I'd say potentially exposing information (Are you redacting appropriate things, what happens if a popup from another app comes up while you're doing a screen capture? Is the metadata your collecting potentially have uses that run contrary to the interests of the user - hey this user

        • This is exactly right. User bias in beta testing or customer experience testing is largely unavoidable. You can design around it but people change their behavior when they know they're being watched / recorded / monitored - even when they KNOW they're evaluating the experience of an app and should be unbiased. It cannot be helped and it cannot be 100% eliminated.

          We've done comparative analysis of internal staff who participated in a beta and later compared their actual usage of the app and I can tell
      • by dgatwood ( 11270 )

        You can sort that kind of stuff out in UX testing: you can see what they are doing if you're there, in the room with them, while they are doing it, and your tester knows you are watching them.

        No, you can't. Not even close. When you're trying to debug a hard-to-reproduce crash, being able to know exactly what was happening in the app that led up to the crash can often provide crucial insight into reproducing it.

    • You say that and it could be true but it still isn't actionable, or you choose not to take action.

      You would think that if users quickly hit the skip now button on ads for your app that you would show less ads not make the skip now button longer than the ad.

      Same goes for large whitespace and tiny moving X's for ads too.

      You are taking the wrong Info from your app feedback.

      • Just to be clear, our apps don't have any advertising, large white space etc. We do user experience testing but there's no way it can cover the needs of 1M+ users. Apps are launched based on what customer beta testing and internal best practices tell us, but after a couple of months, you quickly realize people are using the app very differently and some people are clearly struggling with it (calls to help desk etc.)

        There are certain things you cannot anticipate, regardless of how well you design your u
    • by AHuxley ( 892839 )
      Depends what a "session replay" really is.
      Words used and pace of data entry linked back to the same site the data was entered?
      If the data is the same as the user sent up to the site, but how the site is used is the only collection?
    • by sjbe ( 173966 ) on Thursday February 07, 2019 @08:30AM (#58083320)

      However, I find usage analytics in apps and websites immensely useful.

      Don't give a shit unless you got informed consent in advance of the data collection. The "informed" bit of that is important and usually neglected by tech companies even if they do the "consent" part. And they usually don't bother with the consent. A 50 page legal click-through agreement does not equal informed consent.

      TL:DR: The intent isn't always evil behind user tracking.

      The road to hell is paved with good intentions. You might be honest but I have no way to know that and just because you might be honest doesn't mean the next guy is. And let's be honest, most user tracking does have intent that does not benefit the user and it is almost never restricted to just usability studies.

    • by Moskit ( 32486 ) on Thursday February 07, 2019 @08:30AM (#58083326)

      Yes, but in a beta or an instrumented version, with explicit user consent.

    • by AmiMoJo ( 196126 ) on Thursday February 07, 2019 @08:32AM (#58083334) Homepage Journal

      While that information may be of great use to you, if you want it then you need to do two things:

      1. Get explicit, opt-in permission from the user.

      2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.

      These apps appear to have failed on both counts.

      • 1. Get explicit, opt-in permission from the user.

        They kinda do though, and that's part of the problem. It all goes in the T&C at the start which no one ever reads because its a mile long because it legally has to cover a whole bunch of stuff and if they made you click to acknowledge every single bit no one would bother. A reasonable person these days should expect their data to be tracked and slurped where possible and take their own measures against it.

        2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.

        No excuses for that.

        • by AmiMoJo ( 196126 )

          GDPR mandates that you have to ask specifically and clearly for permission to do that. If you bury it in the ToS it doesn't count, you have to have a separate opt-in tickbox with clear explanation of what it allows.

    • Re: (Score:1, Flamebait)

      by spire3661 ( 1038968 )
      You fucking ask your user, you feckless piece of shit, you dont fucking SPY on them. That is what we are talking about, you spy on people. People like you are a fucking plague because you look at users as a resource and nothing more. Kindly die in a fire.
      • Good lord man. You jumped to the assumption that we didn't ask the user to begin with. I'm glad you got downvoted because you're either a troll (and deserved it) or you're insane (in which case I hope the voting makes you inwardly reflect).
    • by Anonymous Coward

      For thousands of years, people were able to provide goods and services without spying on their customers. Just because you can, and just because everyone else is doing it, doesn't make it right. If you politely asked to watch people use your app, that would be one thing. But you're sneaky about it. You silently spy on people knowing that they don't know you're doing it. So fuck that, and fuck you. Fuck all of you that think it's ok.

    • by Anonymous Coward

      However, I find usage analytics in apps and websites immensely useful.

      We don't actually give a fuck, we don't want to be tracked by an endless stream of third party assholes who feel entitled to our data .. plain and simple.

      All analytics is bullshit, we didn't consent to the third part crap on your website, and have no way of knowing who they are or what they do with out data.

      Since it's impossible to know who is who, the only safe thing to do is assume all third party analytics are hostile to your privacy a

    • This is the "let the users beta the alpha before going gold" model that Microsoft has used since its inception.

      You can "blah blah" all you want, but goddammit, get your shit together.

      ASK FOR BETA TESTERS!

      • You missed the part where I said we run through a beta phase to understand the customer experience and use internally best practice guidelines - which are derived from the results of beta testing (as all good best practices should be)
        • You are NOT missing the goddam part where you are rolling out an unfinished product. It's a lot cheaper to let people run the fucking thing into a ditch and THEN you do a front-end alignment.

          Your QA sucks.

  • This is an entire analytics SaaS sub-genre. TechCrunch is just figuring this out? Have they never heard of IBM's Tealeaf [ibm.com]?
  • by Stan92057 ( 737634 ) on Thursday February 07, 2019 @08:46AM (#58083410)
    We need an firewall that ALSO blocks OUTBOUND requests..And why doesn't security software already do that? Norton did at one time they stopped. Someone out their is smart enough to do this..i will buy a copy for sure
    • We need an firewall that ALSO blocks OUTBOUND requests..And why doesn't security software already do that? Norton did at one time they stopped. Someone out their is smart enough to do this..i will buy a copy for sure

      There is a bunch of them for MacOS, like Little Snitch for example which works fine for me. I'd be surprised if such apps don't exist on Windows and Linux. iOS on the other hand forbids that kind of app although you can block apps from accessing the cellular connection (not Wifi it seems). There used to be an app for Android called NetGuard that did this but I don't use Android so I'm not qualified to judge it's effectiveness. These things taking screenshot and sending them to some server out on the net see

      • I'd be surprised if such apps don't exist on Windows

        I'd be surprised if it existed for Windows (at least at the basic level GP is talking about), but only because the OS has had it built in since at least Windows 7.

        iOS isn't gating permissions with the cell connection, it's allocating your data cap. I don't think it's possible to keep apps from calling home.

        As you pointed out, it's impossible to tell the difference between legit data and UI analysis data (well, can be made very difficult to the point of b

      • iOS on the other hand forbids that kind of app

        If Charles as an iOS app is possible (which it is), then you could have that kind of blocking application for iOS as well.

        The way it works is that it acts as a local VPN, through which all traffic is routed.

    • For most of these sorts of apps you'd whitelist it through the firewall anyway, if it was granular enough to only block parts of the app it'd be very frustrating to use.
    • by antdude ( 79039 )

      Did Norton products really change it as of 2014? That's dumb/lame. I remember telling to NOT automatically create rules and to ask me what to do first. I currently use PC Tools Firewall Plus v7.0 in my decade old, updated 64-bit W7 HPE SP1 PC.

      • Their default setting is auto create rules. they also at one time asked if you wanted to allow outbound traffic for programs today it allow all connections,To other computers or from other computers and a bevy of other non security garbage that's doesn't belong is security software.
  • by Anonymous Coward

    IF you know where to send your request.

  • by Anonymous Coward

    If you're a developer and you're not instrumenting your code, you're one cocky SOB. And obviously, if you use an application to e.g. book a flight, sensitive data will be sent to the agent or airline. It's up to developers and administrators to ensure that data doesn't find its way into application performance management data stores--but only if it's not allowed to be there.

    Replay is also common. If you're hitting a web app in someone's data center, why on earth would believe the traffic isn't being monitor

  • How is this different from HotJar, which lets you record all website visits and replay? (https://www.hotjar.com/tour check the recording tab). Pretty creepy too, but I think all websites use it and nobody asks beforehand. Opened my eyes when I had to use it for the first time for UI improvements. A true added value for the UI job, but a bit voyeuristic to watch people browse your website without them knowing...
  • by Anonymous Coward

    Recording inputs and clicks in an app is hardly the same thing as recording your screen.
    God Im sick of this sensationalistic crap /.

  • by bagofbeans ( 567926 ) on Thursday February 07, 2019 @10:35AM (#58083970)

    https://www.glassboxdigital.co... [glassboxdigital.com]

    Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility. This is Glassbox, an innovative customer experience solution to help your organization manage the results of big data analytics. Glassbox is the first Enterprise analytics platform that analyses every digital customer interaction. Can your website afford not to have a brain?

  • by Anonymous Coward

    Play a game and ruin all the thumb guess data.

  • Really? (Score:4, Insightful)

    by TRRosen ( 720617 ) on Thursday February 07, 2019 @11:09AM (#58084164)

    We're getting paranoid now because programs know what buttons we pushed? That is sort of integral to how they work. What's next "researchers reveal Word records what you type"

  • Overblown FUD (Score:5, Interesting)

    by Dan East ( 318230 ) on Thursday February 07, 2019 @11:30AM (#58084242) Journal

    No, they are not literally recording your screen. Phrasing it in that way is FUD. iOS requires special permissions for that. What they are doing (which I have long suspected FB of doing) is to simply report all your user input within the app. By knowing the state of the app, coupled with your exact actions, they can potentially replay what you would have seen. This allows them to know what you spent the most time looking at. If a customer zooms in on a photo of an item they're selling, then what specifically were they zooming in on? If they see a common pattern there then they can provide closeups of the parts of the product people are most interested in by default.

    This is really no different than having 5 buttons in an app, and tracking which buttons are clicked most, and removing the buttons that no one ever uses. That's been going on in UI design for ages. This is more precise and can involve tools that allow the "replay" of sessions allowing someone to see what the user would have seen as they interacted. Going back 20 years, my software tracked which widgets the user interacted with. I could then do the same set of actions they did and *gasp* I would be seeing the same thing they must have seen as they used the software. That's not "secretly recording your screen". I guess by that definition the undo / redo history of thousands of apps mean they also secretly record the screen as well.

    In the case of FB I have long suspected that FB tracks the time you "hover" over a post, or more simply, the points at which users momentarily halt their incessant and never-ending scrolling when they finally see something that catches their eye. Then FB will start showing you more related posts, even though you didn't like or interact with the post - they simply know you stopped scrolling and spent time looking at it for some reason. You better believe they infer meaning from that.

    • by Anonymous Coward

      Glassbox does also send screenshots back to the developer: http://theappanalyst.com/aircanada.html

  • by Anonymous Coward

    The site I work on, and the last two I worked on recorded every user session. This is super common. The tools typically block out form fields. Lot's of companies offer this service, they include Inspectlet, Clicktale, hotjar. This is a standard analytics package feature. Every site and app is doing this.

    Worrying about this is silly. Consider does your app know how many users clicked button x? Of course, Does it track conversion? Of course. Does it track the number of type xxx errors users encountered? Of Co

  • >apps know exactly what you accessed, what you clicked, what you wrote, what you bought, what you gazed at

    BUT MUH IPHONE = PRIVACY

    See also: Incognito mode keeps Amazon from knowing what I like

  • by Anonymous Coward

    There a number of technologies that do this on websites all the time. IBM Tealeaf is great example of this. It has been used in replaced of eye tracking analysis for years. Allows for improvements to the UI based on customer behavior.

  • I'm certain it's recording every interaction, no not through screenshots.
    It is merely logging actions on the site through special events.

    Recording the screen inplies the logging extends beyond their app. Which in many case of malicious activity outside of GlassBox holds true.

    #yellowjournalism

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...