Some of your iOS apps have been recording your screen without permission
“What happens on your iPhone, stays on your iPhone” really didn’t age well.
Whelp, Apple might claim to not be spying on you but the same can’t be said for a bunch of popular iOS apps. Whether we like it or not, almost everything we do online collects data for analytical purposes.
Under existing privacy legislation like the GDPR, we’re supposed to consent to this data collection, be made aware that it’s happening, and know that our data is stored and transferred securely.
So what happens when your data is recorded without your permission? That’s what appears to be happening with the group of popular iPhone apps investigated by TechCrunch. These apps record every single thing you do on your screen while you use the app, from touches to passwords. Often, they don’t even ask for permission to do so, a clear violation of privacy laws. The companies involved? Big names like Air Canada, Expedia, Hotels.com, and Hollister.
Tech from Glassbox was used in the apps to record “session replays”
TechCrunch dissected these apps with help from App Analyst, an analytics company specializing in data collection. They found that tech from Glassbox was used in the apps, which can create “session replays,” recordings of literally everything you’ve done while using the app. Ever seen a screencast? This goes way beyond that, also recording things like credit card numbers, passwords, and other types of sensitive data.
Even worse, the analysis showed that Air Canada’s app sent those credit card details across the internet unencrypted. Any hacker who wanted to skim cards could just grab the data as it went past, perhaps with a fake Wi-Fi hotspot. TechCrunch says that none of these apps warn users that their actions are being recorded in this way, and that the recording isn’t mentioned in the companies’ privacy policies.
Glassbox is proud of its technology
While the companies using the tech might be hiding, Glassbox itself isn’t. They are proud of their capabilities, stating: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility.”
That boasting is likely to get Glassbox in hot water with EU regulators at some point, along with all of its clients. While the data collection isn’t likely illegal, the lack of transparency and consent is. There’s also the unencrypted credit card details issue, which isn’t PCI compliant. There have been major fines in the past for this, so watch this space to see if Air Canada gets any blowback.