Plenty of popular iOS apps have been caught recording iPhone users' screens without their consent.
Called "session replay" technology, it allows developers to record users' displays and watch their activity and interactions with the app, ostensibly to iron out bugs or for similar diagnostic purposes. However, it also puts sensitive information at risk, such as credit card details and the like.
Intrusive iOS Apps
According to an investigation carried out by TechCrunch, the culprit in this case is Glassbox. It's described as a "customer experience analytics firm," which said in a now-deleted tweet, "Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility."
The apps involved with the aforementioned company are from airlines, hotel and travel services, banks, financiers, retailers, and even carriers. Specifically, the technology news website mentions Air Canada, Hotels.com, Abercrombie & Fitch, and Singapore Airlines, to name a few.
With session replay, TechCrunch says that developers can get a recording of users' "every tap, button push, and keyboard entry." It also says that these apps don't make this clear in their privacy policies or elsewhere, and from what can be gathered, they don't obtain user consent for this practice.
Evidence Of The Potential Dangers
The App Analyst, which TechCrunch cites in its report, discovered that Air Canada doesn't mask session replays properly. In other words, personal info, such as passport numbers and credit card information, belonging to the app's users is inadvertently exposed to the company's employees and to anyone else who has access to the collected playback data.
"This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information," The App Analyst told TechCrunch.
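The masking failure described above is easy to reason about with a small example. The following is added here and is not code from TechCrunch, Glassbox, or Air Canada: it models session-replay events as plain dictionaries, redacts keyboard entries to fields an app has declared sensitive before they are recorded, and audits a recorded session for Luhn-valid card numbers that slipped through unmasked. The field names and event shape are assumptions.

```python
import re

# Assumed field identifiers an app would declare as sensitive (not Glassbox's API).
SENSITIVE_FIELDS = {"card_number", "cvv", "password", "passport_number"}
# 13-19 digits, optionally separated by spaces or dashes (typical card number formats).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_event(event: dict) -> dict:
    """Redact a keyboard entry into a sensitive field before it is recorded."""
    if event.get("type") == "keyboard" and event.get("field") in SENSITIVE_FIELDS:
        return {**event, "value": "*" * len(event.get("value", ""))}
    return event


def find_unmasked_pans(events: list) -> list:
    """Audit recorded events; return the fields whose values contain a Luhn-valid PAN."""
    hits = []
    for ev in events:
        for m in PAN_RE.finditer(str(ev.get("value", ""))):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append(ev.get("field", "?"))
    return hits


# Constructed sample session: a tap, then keystrokes into a card field and a name field.
SAMPLE_SESSION = [
    {"type": "tap", "target": "pay_button"},
    {"type": "keyboard", "field": "card_number", "value": "4111 1111 1111 1111"},
    {"type": "keyboard", "field": "full_name", "value": "A. Traveller"},
]

if __name__ == "__main__":
    print("unmasked:", find_unmasked_pans(SAMPLE_SESSION))
    print("after masking:", find_unmasked_pans([mask_event(e) for e in SAMPLE_SESSION]))
```

The audit is a detection control for the playback database, not a substitute for masking at capture time: once an unmasked value has been recorded, everyone with access to the recordings has already seen it.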
To make matters worse, Air Canada confirmed that it had been the victim of a data breach in August 2018 that affected 20,000 profiles.
It's no mystery that companies and apps are out to gather data like this, but it becomes worrying when that data is in the hands of a firm or service provider that doesn't have adequate security measures in place.