Some airline, hotel booking apps on iOS found recording user screens – report

  

MANILA, Philippines – Some iOS apps have been found to be recording user screens, with the recordings then sent back to the servers of third-party companies, TechCrunch reported.

The recordings are made to see user behavior within a certain app. One app, for example, records what a user swipes on or taps as they use the app.

Some of the entities whose apps have been found to engage in screen recording include Air Canada, Hollister, Expedia, Abercrombie & Fitch, Hotels.com, and Singapore Airlines. These companies work with Glassbox, a firm specializing in analyzing screen data.

While the analysis of screen data may appear to be a legitimate, if creepy, area in data analysis, with several other firms in the mix such as Appsee and UXCam, TechCrunch found pressing issues that violate nascent data privacy rules.

In their investigation with partner App Analyst, TechCrunch found that none of the apps they tested explicitly asked for user permission to record the screen, or had anything in their privacy policies that pointed to the recording activities.

The apps didn’t say they were recording the screen.

Another problem: the recordings reveal sensitive data. The companies, including Glassbox, vow that their recordings are encrypted and mask sensitive data automatically, including keyboard presses. But that’s a little hard to trust right now as recordings analyzed by App Analyst showed that extremely sensitive data such as credit card information and passport information were not properly masked.

Apple’s reaction

A day after TechCrunch’s report, Apple cracked down on the apps.

The company told the developers and the companies to remove the recording code from their apps or properly disclose to users that their screens will be recorded. Failure to do so would merit removal from the App Store.

In Apple’s email to developers, it said: “Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

The developers had less than a day to fix their apps, TechCrunch said.

Apple is known for having strict policies on data privacy and enforcement, recently taking down Google and Facebook apps which used an exclusive enterprise-level certificate that allowed them to collect consumer data. – Rappler.com