Multiple popular iPhone apps from major companies are using intrusive analytics services that capture detailed data like taps, swipes, and even screen recordings without customer knowledge, reports TechCrunch.
Apps that include Abercrombie & Fitch, Hotels.com, Air Canada, Hollister, Expedia, and Singapore Airlines are using Glassbox, a customer experience analytics firm that lets developers use "session replay" screen recording technology within their apps.
Session replays let developers screenshot or record or a user's screen and then play back those recordings to see how users interact with their apps. Taps, button pushes, and keyboard entries are all captured and provided to app developers.
Some apps, such as Air Canada, don't properly mask data that's recorded, exposing information like passport numbers and credit card information. Air Canada employees with access to the screenshot database can readily see this data.
TechCrunch had mobile app expert The App Analyst look at some of the apps that Glassbox lists as a customer. Not all apps leaked masked data, and most appeared to be obfuscated, but there were instances where email addresses and postal codes were visible.
"Since this data is often sent back to Glassbox servers I wouldn't be shocked if they have already had instances of them capturing sensitive banking information and passwords," The App Analyst told TechCrunch.
As TechCrunch points out, all of the apps have a privacy policy, but not one makes it clear that they're recording a user's screen. Glassbox does not require special permission from either Apple or the user to record the screen, and without checking specific app data, there is no way to know if an app is doing this.
Glassbox also does not require its customers to mention the usage of the screen recording feature in their privacy policies.
"Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app," the spokesperson said, such as when the system keyboard covers part of the native app/ "Glassbox does not have access to it," the spokesperson said.
There are other analytics companies that have practices similar to Glassbox, like Appsee and UXCam, and there are a lot of major companies that are using this kind of technology, based on their customer lists. This kind of tracking is also not limited to iOS apps -- it can be done on the web as well.
With no way to detect that this is going on, all customers can do is refuse to use the apps and services of companies that are found to be engaging in shady analytics tracking purposes without clear privacy policies.
