Popular iPhone apps are secretly recording your screen without permission: report
{{#rendered}} {{/rendered}}
Several major companies are secretly recording your every move on their iPhone apps without your permission or even your knowledge, a new investigation has found.
According to the TechCrunch report, several popular iPhone apps, including hotels and travel sites and retailers, not only know what you're doing with their apps but they could even expose sensitive data.
The technology news site discovered that apps including Hotels.com, Air Canada and Abercrombie & Fitch use Glassbox, a customer experience analytics firm that allows developers to embed so-called "session replay" technology into their apps. Developers can then record users' screens and play them back to see how people used the app.
{{#rendered}} {{/rendered}}
"Every tap, button push and keyboard entry is recorded—effectively screenshotted—and sent back to the app developers," TechCrunch reports.
The technology news site asked mobile expert The App Analyst to examine apps that Glassbox listed as customers and see what data was leaving the iPhone.
According to TechCrunch, none of the apps that were checked told users they were recording their screens or that they were sending the information back to each company. Although all apps submitted to Apple's App Store must have a privacy policy, the news site reports that none of the apps they reviewed make it clear that they record a user's screen. If any of Glassbox's customers are not correctly masking data, it could be problematic, The App Analyst told TechCrunch.
{{#rendered}} {{/rendered}}
“Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he told TechCrunch.
TechCrunch reports that it would have to analyze all the data for each app to know for sure if an app is recording a user's screens.
The App Analyst told TechCrunch that while Abercrombie & Fitch sent their session replays to Glassbox, others such as Hotels.com captured the session replay data and sent it back to their own servers. Although he reportedly said the data was "obfuscated,” he did see email addresses and postal codes in a few instances. Air Canada's iPhone app was not properly masking the session replays, however, exposing passport numbers and credit card data, according to The App Analyst.
{{#rendered}} {{/rendered}}
Hotel.com's policy does not mention recording users' screens, nor does Expedia's. In Air Canada’s case, the TechCrunch investigation did not find any mention in its privacy policy that suggests the app sends screen data back to the airline.
An Expedia spokesperson told Fox News that "Expedia Group brands are not actively using Glassbox services on any of our native applications for iOS or Android. On select Expedia Group brands native applications for Android, Glassbox exists from a prior proof of concept in the codebase but it has been disabled for some time and has not been actively capturing information."
TechCrunch asked each company where in their privacy policies it allows them to capture what users do on their phones.
{{#rendered}} {{/rendered}}
Abercrombie confirmed that it uses Glassbox but the company's privacy policy makes no mention of session replays, reports TechCrunch. Air Canada gave TechCrunch the following statement:
“Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips,” said a spokesperson.” This includes user information entered in, and collected on, the Air Canada mobile app. However, Air Canada does not—and cannot—capture phone screens outside of the Air Canada app.”
The other companies did not respond to requests for comment from the tech news site.
{{#rendered}} {{/rendered}}
A spokesperson for Glassbox told Fox News that the data they collect is not shared with third parties, nor enriched through external sources. In addition, Glassbox said the data they capture is "highly secured, encrypted, and solely belongs to the customers" the company supports.
"Glassbox is committed to complying with the highest security and data privacy standards and regulations and has dedicated significant resources to accomplish this," the company told Fox News.
“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.
{{#rendered}} {{/rendered}}
Fox News has reached out to Apple, Air Canada, Hotels.com, Abercrombie & Fitch with a request for comment on this story.
This story has been updated with a response from Expedia.