Slashdot Mirror


Many Popular iPhone Apps Secretly Record Your Screen Without Asking (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won't even realize it. And they don't need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don't ask or make it clear -- if at all -- that they know exactly how you're using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded -- effectively screenshotted -- and sent back to the app developers. [...] Apps that are submitted to Apple's App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user's screen. Glassbox doesn't require any special permission from Apple or from the user, so there's no way a user would know. When asked, Glassbox said it doesn't enforce its customers to mention its usage in their privacy policy.
A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

97 comments

  1. OMG Analytics! by Anonymous Coward · · Score: 0

    Just think how shocked they'll be to find all those web apps that run inside Cordova on iOS and Android record screen dumps, touches and keypresses with analytics tools like Yandex Metrica! Stored in Russia, even!

    Fucking "experts."

    1. Re: OMG Analytics! by Anonymous Coward · · Score: 0

      Kiss kiss. How's that? Snooch. How about that? Mmmmmm kiss. A little tongue? Are you recording me? Do I look foolish? :)

    2. Re: OMG Analytics! by Anonymous Coward · · Score: 0

      I love it, just this week, or last, it was found that Google was doing the same. Some of their apps, controlled by others, were spying on the user. Such hate I have never seen. But it's chocolate and fruit baskets for the other OS. Love it, they would never, and they paid a fine to the EU some years ago for the same problem.

    3. Re: OMG Analytics! by Altus · · Score: 1

      There is a huge difference between what the google and facebook enterprise apps were tracking and tracking user actions within your own app.

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

  2. It's not always nefarious.... by froggyjojodaddy · · Score: 4, Insightful

    ..let me start by saying if your app is sending credit card/payment info, screen grabs, passport data etc. without the express and explicit knowledge of the user, that's just plain wrong.

    However, I find usage analytics in apps and websites immensely useful. For example, if I find that users are swiping around an app aimlessly or take 15 clicks across multiple pages to get to a certain form or feature, it tells me I need to reconsider the workflow or design of the UI. Without the ability to track what a user is doing in the app, I would have to rely exclusively on user feedback which is infrequent and often unactionable.

    I don't need to see screen grabs, but knowing that a user went from Page 1 to Page 8 and the clicks or journey they took is invaluable user experience information. Using the hotel booking system (screen grabs aside), I can immediately see why it would be helpful for the developer to see the entire journey a customer took in their app from logging in to completing a booking. A user that spends 40 minutes and 50+ clicks is most likely having issues navigating and the developer would want to minimize that.

    TL:DR: The intent isn't always evil behind user tracking.

    1. Re:It's not always nefarious.... by MadKeithV · · Score: 5, Insightful
      You can sort that kind of stuff out in UX testing: you can see what they are doing if you're there, in the room with them, while they are doing it, and your tester knows you are watching them. Instead of this surreptitious "it's for UX reasons, honest, and we buried it on page 24 of the EULA in a locked filing cabinet in a disused lavatory behind a sign that says "beware of the leopard"*. Can we please start putting users' rights above our own damn convenience as developers? Thanks.

      (*Not that it is even IN the EULA in this case, so there's that.)

    2. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      The problem is that it almost invariably gets used for bad things. Virtually all app developers wind up selling that click/tap stream with the user's info on it, and it winds up in places like Yandex Metrica or the Iranian equivalent. It makes the app developer a few bucks, and all the GPS and phone info goes a long way to help foreign intel.

    3. Re: It's not always nefarious.... by peragrin · · Score: 1

      You say that and it could be true but it still isn't actionable, or you choose not to take action.

      You would think that if users quickly hit the skip now button on ads for your app that you would show less ads not make the skip now button longer than the ad.

      Same goes for large whitespace and tiny moving X's for ads too.

      You are taking the wrong Info from your app feedback.

      --
      i thought once I was found, but it was only a dream.
    4. Re:It's not always nefarious.... by AHuxley · · Score: 1

      Depends what a "session replay" really is.
      Words used and pace of data entry linked back to the same site the data was entered?
      If the data is the same as the user sent up to the site, but how the site is used is the only collection?

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:It's not always nefarious.... by Moskit · · Score: 3, Informative

      Yes, but in a beta or an instrumented version, with explicit user consent.

    6. Re: It's not always nefarious.... by froggyjojodaddy · · Score: 2

      Just to be clear, our apps don't have any advertising, large white space etc. We do user experience testing but there's no way it can cover the needs of 1M+ users. Apps are launched based on what customer beta testing and internal best practices tell us, but after a couple of months, you quickly realize people are using the app very differently and some people are clearly struggling with it (calls to help desk etc.)

      There are certain things you cannot anticipate, regardless of how well you design your user experience sessions or beta program. Those you only discover once the app is released and people start using it.

    7. Re:It's not always nefarious.... by AmiMoJo · · Score: 4, Insightful

      While that information may be of great use to you, if you want it then you need to do two things:

      1. Get explicit, opt-in permission from the user.

      2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.

      These apps appear to have failed on both counts.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
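      One way to implement the two requirements above, as an added example that is not code from any app, vendor or poster in this thread: a session-replay event pipeline in Python that refuses to upload anything without an explicit opt-in, masks entries to fields on an allowlist, and then audits the masked payload for values that still look like card numbers (Luhn check) or passport-style identifiers, since the thread's point is that masking by field name alone let data through. Field names, event shapes and sample values are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Fields whose keyboard entries must never leave the device in clear text.
# Constructed names for illustration; a real app would map its own UI elements here.
SENSITIVE_FIELDS = {"passport_number", "card_number", "cvv", "full_name", "travel_dates"}


@dataclass
class ReplayEvent:
    kind: str          # "tap" or "input"
    target: str        # identifier of the UI element the event hit
    value: str = ""    # keyboard entry text (only for "input" events)


@dataclass
class Session:
    consent_opt_in: bool = False            # defaults to off: no consent, no upload
    events: list = field(default_factory=list)


def mask_event(ev: ReplayEvent) -> ReplayEvent:
    """Replace entries to allowlisted sensitive fields with same-length asterisks."""
    if ev.kind == "input" and ev.target in SENSITIVE_FIELDS:
        return ReplayEvent(ev.kind, ev.target, "*" * len(ev.value))
    return ev


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; True when the digits validate."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b\d{13,19}\b")              # card PANs are 13 to 19 digits
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{6,8}\b")  # heuristic: 1-2 letters + 6-8 digits


def audit_payload(events):
    """Scan event values that are about to be uploaded; return (target, reason) findings.

    This is the content-based safety net for the case the thread describes:
    sensitive data typed into a field the allowlist did not cover.
    """
    findings = []
    for ev in events:
        compact = ev.value.replace(" ", "").replace("-", "")
        for m in CARD_RE.finditer(compact):
            if luhn_ok(m.group()):
                findings.append((ev.target, "unmasked card number"))
        if PASSPORT_RE.search(ev.value):
            findings.append((ev.target, "unmasked passport-style id"))
    return findings


def build_upload(session: Session):
    """Return (status, payload). Only status "ok" means the payload may be sent."""
    if not session.consent_opt_in:
        return "no_consent", []
    masked = [mask_event(e) for e in session.events]
    findings = audit_payload(masked)
    if findings:
        # Fail closed: dropping the replay is better than shipping exposed PII.
        return "masking_failed", findings
    return "ok", masked


if __name__ == "__main__":
    # Constructed sample session: a booking flow where the card number was typed
    # into a field the allowlist does not know about ("promo_code").
    leaky = Session(consent_opt_in=True, events=[
        ReplayEvent("input", "full_name", "Jane Doe"),
        ReplayEvent("input", "promo_code", "4111 1111 1111 1111"),
        ReplayEvent("tap", "submit"),
    ])
    print(build_upload(leaky))  # ('masking_failed', [('promo_code', 'unmasked card number')])
```

      The audit is a heuristic and will not catch every format, so it complements the allowlist rather than replacing it.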
    8. Re:It's not always nefarious.... by spire3661 · · Score: 0, Flamebait

      You fucking ask your user, you feckless piece of shit, you dont fucking SPY on them. That is what we are talking about, you spy on people. People like you are a fucking plague because you look at users as a resource and nothing more. Kindly die in a fire.

      --
      Good-bye
    9. Re:It's not always nefarious.... by Anonymous Coward · · Score: 3, Informative

      Not exactly. We do UX testing all the time (as in our research lab is running these kinds of tests daily). The results you get are valuable and can lead you to making some good decisions.

      Unfortunately, when the user knows you’re watching they become biased. When they’re coming in for an explicit test session, they’re not using the app “realistically” (i.e. as they normally would) which also biases things.

      It’s very common for something that tests well to hit the field and then we get real world feedback that tells us we didn’t get things right. But you don’t need screen recording to do this, any of the “normal” analytics systems out there (Omniture, Google Analytics, Localytics, New Relic to a degree) can show you this in a much less intrusive way.

    10. Re:It's not always nefarious.... by Anonymous Coward · · Score: 1

      For thousands of years, people were able to provide goods and services without spying on their customers. Just because you can, and just because everyone else is doing it, doesn't make it right. If you politely asked to watch people use your app, that would be one thing. But you're sneaky about it. You silently spy on people knowing that they don't know you're doing it. So fuck that, and fuck you. Fuck all of you that think it's ok.

    11. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      So shopkeepers never watched customers in their shops to see what they were looking at?

    12. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      It's not silly at all. In meatspace there are laws that say what you as a business can and can't do with a customer's information. Why do you think it's any different just because it's on a computer and not on paper? Nothing changes except the laws didn't foresee the information age and you exploit loopholes in them to claim you have no responsibility or requirements.

    13. Re:It's not always nefarious.... by olau · · Score: 3, Insightful

      I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.

      And that, my friend, is the reason the EU made the GDPR and will slap a fine on you if you ever practice that kind of thinking towards consumers in the EU.

      When people do not expect to be spied on, it's not legal to spy on them.

      Just like it's not legal to hide a camera in a public restroom and take a snapshot of your private parts.

    14. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      1. Get explicit, opt-in permission from the user.

      I disagree with this point.

      t(^.^t)

      I want to use information that your browser or operating system sends to my server

      "the browser" doesn't just happen to send the types of information under discussion in this article and even for the basics that are required for the web to function (e.g. GET URI) your "right to absolute monetization" is total bullshit.

    15. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      >It's my app/website/whatever.

      Copyright law might agree with you, but natural law doesn't. Users expect natural law. Natural law says once you give someone something it's THEIRS. It may still carry your name on it as the original creator, but it's expected not to contain surprises.

      Imagine if you found out your toilet had a hidden camera to collect data on BMs for "science". You wouldn't be saying "ehhh, it's not mine because I didn't gather the sand and cast it", you'd say "MY toilet shouldn't do that!"

    16. Re:It's not always nefarious.... by Anonymous Coward · · Score: 1

      However, I find usage analytics in apps and websites immensely useful.

      We don't actually give a fuck, we don't want to be tracked by an endless stream of third party assholes who feel entitled to our data .. plain and simple.

      All analytics is bullshit, we didn't consent to the third party crap on your website, and have no way of knowing who they are or what they do with our data.

      Since it's impossible to know who is who, the only safe thing to do is assume all third party analytics are hostile to your privacy and block them.

      Fuck you and your analytics.

    17. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      While that information may be of great use to you, if you want it then you need to do two things:

      1. Get explicit, opt-in permission from the user.

      2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.

      These apps appear to have failed on both counts.

      All of that information is being submitted on the forms sent to the server already. The screen grab would be to see how the page rendered on your device.

      What exactly needs to be pointed out to the user, “analytics”? That by entering their passport number and pressing submit it will be sent to a server somewhere? Seriously, do we need a disclaimer on every submit button?

    18. Re:It's not always nefarious.... by stealth_finger · · Score: 1

      1. Get explicit, opt-in permission from the user.

      They kinda do though, and that's part of the problem. It all goes in the T&C at the start which no one ever reads because it's a mile long because it legally has to cover a whole bunch of stuff and if they made you click to acknowledge every single bit no one would bother. A reasonable person these days should expect their data to be tracked and slurped where possible and take their own measures against it.

      2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.

      No excuses for that.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    19. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.

      And that, my friend, is the reason the EU made the GDPR and will slap a fine on you if you ever practice that kind of thinking towards consumers in the EU.

      When people do not expect to be spied on, it's not legal to spy on them.

      Just like it's not legal to hide a camera in a public restroom and take a snapshot of your private parts.

      But but but the Internet has no boundaries or nationalities! Or is that only when people are sued for stealing music and stuff.

    20. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      Of course they did/do. But this is equivalent to them watching what the customer does with the products after they have bought them and left the store.

    21. Re:It's not always nefarious.... by AmiMoJo · · Score: 2

      GDPR mandates that you have to ask specifically and clearly for permission to do that. If you bury it in the ToS it doesn't count, you have to have a separate opt-in tickbox with clear explanation of what it allows.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    22. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      The intent isn't always evil behind user tracking.

      Ok, not "always" "evil". But in today's solely-motivated-by-profit corporate world, the intent ALMOST ALWAYS is NEFARIOUS and NOT WHAT YOU WOULD WANT if you knew it was happening. Complacency is *not* called for or appropriate, thank you very much.

    23. Re:It's not always nefarious.... by stealth_finger · · Score: 1

      Oh right, fair enough then. Carry on.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    24. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      Because in what you're referring to here, it's not really "customer's information" (except when its badly designed like in this article). A "good design" for something like this is no different than store management watching the security cameras to see which parts of the store are visited the most, and what path they took to get there (for example "most people who visit the kid's clothing section also visit toys"). It's that "good design" is what michiganbob is referring to here.

    25. Re:It's not always nefarious.... by Minupla · · Score: 2

      In psychology there is a reason you need to clear your experiment with an ethics board prior to conducting it on a subject. If the subject is unaware you need to convince your board that there is no harm to come to the subject.

      I'd say potentially exposing information (Are you redacting appropriate things? What happens if a popup from another app comes up while you're doing a screen capture? Does the metadata you're collecting potentially have uses that run contrary to the interests of the user - hey, this user asked for directions to an HIV clinic...) is a harm that should be considered. Maybe detect interesting behavior and offer the user a discount on your app if they allow you to send the collected data?

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    26. Re:It's not always nefarious.... by CaptainDork · · Score: 1

      This is the "let the users beta the alpha before going gold" model that Microsoft has used since its inception.

      You can "blah blah" all you want, but goddammit, get your shit together.

      ASK FOR BETA TESTERS!

      --
      It little behooves the best of us to comment on the rest of us.
    27. Re:It's not always nefarious.... by froggyjojodaddy · · Score: 1

      Good lord man. You jumped to the assumption that we didn't ask the user to begin with. I'm glad you got downvoted because you're either a troll (and deserved it) or you're insane (in which case I hope the voting makes you inwardly reflect).

    28. Re:It's not always nefarious.... by froggyjojodaddy · · Score: 1

      You missed the part where I said we run through a beta phase to understand the customer experience and use internally best practice guidelines - which are derived from the results of beta testing (as all good best practices should be)

    29. Re:It's not always nefarious.... by froggyjojodaddy · · Score: 1

      This is exactly right. User bias in beta testing or customer experience testing is largely unavoidable. You can design around it but people change their behavior when they know they're being watched / recorded / monitored - even when they KNOW they're evaluating the experience of an app and should be unbiased. It cannot be helped and it cannot be 100% eliminated.

      We've done comparative analysis of internal staff who participated in a beta and later compared their actual usage of the app and I can tell you, it's extremely rare that the two match.

      The analogy I use is driving. When you're taking your driving test, you're doing everything by the book. Maybe even months after your test, you're still driving 10 to 2, using the indicator religiously etc. But after 2 years of driving? Not so much. When you ask folks to participate in a beta program or CX session, they just don't use the app as they would normally.

    30. Re:It's not always nefarious.... by CaptainDork · · Score: 1

      You are NOT missing the goddam part where you are rolling out an unfinished product. It's a lot cheaper to let people run the fucking thing into a ditch and THEN you do a front-end alignment.

      Your QA sucks.

      --
      It little behooves the best of us to comment on the rest of us.
    31. Re:It's not always nefarious.... by dgatwood · · Score: 0

      You can sort that kind of stuff out in UX testing: you can see what they are doing if you're there, in the room with them, while they are doing it, and your tester knows you are watching them.

      No, you can't. Not even close. When you're trying to debug a hard-to-reproduce crash, being able to know exactly what was happening in the app that led up to the crash can often provide crucial insight into reproducing it.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    32. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      fuck you commie. don't tell your superiors how to run their businesses. they wouldn't be doing it if it weren't cheaper, and that's what you should want: cheaper goods and services and a growing economy. you're almost as bad as Ralph Nader and his whining about seat belts that set back the automotive industry (and America!) three decades.

    33. Re:It's not always nefarious.... by dgatwood · · Score: 0

      I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.

      And that, my friend, is the reason the EU made the GDPR and will slap a fine on you if you ever practice that kind of thinking towards consumers in the EU.

      When people do not expect to be spied on, it's not legal to spy on them.

      Just like it's not legal to hide a camera in a public restroom and take a snapshot of your private parts.

      Storing data about how an app is used is hardly tantamount to hiding a camera in a public restroom. It's more like sticking a security camera in a parking lot and recording who comes and goes, and what path they take through the parking lot. Just as there's a presumption that companies can install security cameras to monitor their property, there's a presumption that every website has access to any data that the user or the user's agent (the browser) sends it.

      And even for personal data, as long as the website does not expose that personal data to anyone, it really isn't a privacy issue no matter how the website processes and aggregates that data. Personal data only really becomes a privacy issue when actual human beings other than the end user gain access to that information, either intentionally or through negligence, unless the user has expressed a desire to share that information.

      So while the GP isn't entirely correct insofar as sharing that collected information with others is potentially illegal (even in the U.S.), it isn't an entirely unreasonable starting point for understanding the website's rights. It is just missing a couple of key parts:

      I don't have to tell you what I'm collecting or how I'm using that information, so long as that information is never shared with anyone (including employees of the company) in a non-anonymized manner unless the user has agreed to such sharing.

      The GDPR requires that this agreement be explicit; such requirements seem like overkill to me, as they lead to nonsensical interpretations, such as a user having to explicitly agree to share the data that they put in their public profile on a web bulletin board (or, more comically, their posts on Slashdot). But requiring some form of agreement, either explicit or implicit, before sharing data seems kind of obvious.

      Of course, even with that narrower interpretation, the elephant in the room is the question of whether any actions that the website performs using that data could indirectly expose it. And the extent of such a violation depends on how sensitive the information is. For example, suppose you have a secret fetish for some unusual kind of porn and some website manages to learn about that fetish. If the website having that information causes you to see advertising for that type of porn while visiting some otherwise innocuous website while other people are looking over your shoulder, that's a huge privacy violation even though it didn't explicitly reveal that you like that type of porn, because the presence of those ads strongly implies it. This is equally true for medical conditions, job searches, etc. under the right circumstances.

      So merely not sharing the data with other people is not quite enough. You have to also avoid using the data in ways that could negligently imply the data even without explicitly stating it.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    34. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      It's my computer/phone. That shouldn't give you the right to run whatever you'd like on my own hardware without my permission.

    35. Re: It's not always nefarious.... by Anonymous Coward · · Score: 0

      UX design has nothing to do with crash reports.

    36. Re: It's not always nefarious.... by dgatwood · · Score: 1

      Sorry, I worded that badly. The point I was trying to make was that having the data is valuable for more than just pure design issues. It also helps when figuring out bugs. For example, you might discover through reproducing the exact steps that in some particular path through the app, some critical view never becomes visible for some reason, thus resolving a customer complaint in a way that wouldn't be possible without data. And, of course, it helps in reproducing crashes and other misbehavior.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    37. Re: It's not always nefarious.... by Anonymous Coward · · Score: 0

      so be it. at some point you have to respect your customers privacy. I mean where do you stop? Want a toilet that reports back how you sit on it so they can make sure they engineered the bowl to not splash when you sit differently? lol

    38. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      "It's my app" - what?

      Yeah, but you're handling PII negligently, and that usually ends up with a breach, damage to consumer confidence, and general damage to consumers.
      We'll see you in court. Bring your credit card, you're gonna need it.

    39. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      Pointless discussion; if they didn't understand the law before they broke it then they probably won't understand now either.

    40. Re:It's not always nefarious.... by jezwel · · Score: 1

      I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.

      Does your screengrabbing/whatever software stop the instant your app is interrupted by a message notification or any other type of context/focus switch? Everything else is not "your app", and that sure isn't "your information" to do with as you please.
      When does your screengrabbing start up again?
      What about devices that can run multiple apps displayed simultaneously? My phone can have 2 apps running at half-screen at the same time. Is your app screengrabbing the lot, or just your application's half? How do I know that for sure?

    41. Re:It's not always nefarious.... by Anonymous Coward · · Score: 0

      Man, it's UX, not a sociological experiment. If the user clicks 15 times to get to the information he/she is after, and keeps coming back... just let it be. Clearly the user is happy about it.

      Nobody *needs* to spy on users to design applications/websites. Plain and simple. That's why they (we?) are biased in the first place, because it's an utterly unnecessary thing to do.

  3. But it usually is nefarious by sjbe · · Score: 4, Insightful

    However, I find usage analytics in apps and websites immensely useful.

    Don't give a shit unless you got informed consent in advance of the data collection. The "informed" bit of that is important and usually neglected by tech companies even if they do the "consent" part. And they usually don't bother with the consent. A 50 page legal click-through agreement does not equal informed consent.

    TL:DR: The intent isn't always evil behind user tracking.

    The road to hell is paved with good intentions. You might be honest but I have no way to know that and just because you might be honest doesn't mean the next guy is. And let's be honest, most user tracking does have intent that does not benefit the user and it is almost never restricted to just usability studies.

    1. Re:But it usually is nefarious by Anonymous Coward · · Score: 0

      Analytics like this aren't even required to be disclosed under the GDPR. Nothing personal is used. All you get in the end is 10% of users clicked this button. 0.1% clicked that one. Maybe we don't need that one!

    2. Re: But it usually is nefarious by Anonymous Coward · · Score: 0

      Except clearly "analytics like this" resulted in CC cards and passport stuff. So get fucked? Does that work for you?

  4. Secretly? by fortythirteen · · Score: 1

    This is an entire analytics SaaS sub-genre. TechCrunch is just figuring this out? Have they never heard of IBM's Tealeaf?

    1. Re:Secretly? by Anonymous Coward · · Score: 0

      Tealeaf? Really? The Cockney rhyming slang word for Thief? Seems appropriate - more so than the 'predicting the future' allusion that the IBM people thought they were going for.

  5. Re:I am waiting for mention of Russian involvement by Anonymous Coward · · Score: 0

    It could be the Chinese. apple loves to blame the Chinese for all their issues recently.

  6. Re:I am waiting for mention of Russian involvement by Freischutz · · Score: 0, Troll

    A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

    Government Executive: We must push the Russian involvement...guys...

    A few hours later...

    Main Stream Media: "The apps have links with the Kremlin and direct links with Putin...."

    The Main Stream Media is publicly claiming that Air Canada is a front for Russian intelligence? That is a quite extraordinary leap, even for a conspiracy mongering Trumpkin.

  7. LOL by Anonymous Coward · · Score: 0

    fucking apple and their bullshit lies about "security". Only a fool would ever trust this shitshow company

    1. Re:LOL by Anonymous Coward · · Score: 0

      fucking apple and their bullshit lies about "security". Only a fool would ever trust this shitshow company

      -1 OFFTOPIC

    2. Re:LOL by Altus · · Score: 1

      Yeah, I can't believe they let apps receive tap events and they even let them call services on the internet! The gall of these people.

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

  8. Block outbound requests,deny internet access by Stan92057 · · Score: 2

    We need a firewall that ALSO blocks OUTBOUND requests. And why doesn't security software already do that? Norton did at one time, then they stopped. Someone out there is smart enough to do this. I will buy a copy for sure.

    --
    Jack of all trades,master of none
    1. Re:Block outbound requests,deny internet access by Freischutz · · Score: 2

      We need a firewall that ALSO blocks OUTBOUND requests. And why doesn't security software already do that? Norton did at one time, then they stopped. Someone out there is smart enough to do this. I will buy a copy for sure.

      There are a bunch of them for macOS, like Little Snitch for example, which works fine for me. I'd be surprised if such apps don't exist on Windows and Linux. iOS on the other hand forbids that kind of app, although you can block apps from accessing the cellular connection (not Wifi it seems). There used to be an app for Android called NetGuard that did this, but I don't use Android so I'm not qualified to judge its effectiveness. These things taking screenshots and sending them to some server out on the net seems pretty outrageous to me. The thing is, though, that with a net-connected app it's kind of hard to distinguish between legitimate data and UI analysis data.

    2. Re:Block outbound requests,deny internet access by Gilgaron · · Score: 1

      For most of these sorts of apps you'd whitelist it through the firewall anyway, if it was granular enough to only block parts of the app it'd be very frustrating to use.

    3. Re:Block outbound requests,deny internet access by Actually,+I+do+RTFA · · Score: 1

      I'd be surprised if such apps don't exist on Windows

      I'd be surprised if it existed for Windows (at least at the basic level GP is talking about), but only because the OS has had it built in since at least Windows 7.

      iOS isn't gating permissions with the cell connection, it's allocating your data cap. I don't think it's possible to keep apps from calling home.

      As you pointed out, it's impossible to tell the difference between legit data and UI analysis data (well, it can be made very difficult, to the point of being functionally impossible).

      --
      Your ad here. Ask me how!

    4. Re:Block outbound requests,deny internet access by Anonymous Coward · · Score: 0

      We need a firewall that ALSO blocks OUTBOUND requests. And why doesn't security software already do that? Norton did at one time; they stopped. Someone out there is smart enough to do this. I will buy a copy for sure.

      ALL of the software in that list would be expected to have internet access.

      Expedia is trying to use your network: Allow | Deny
      Duh.

    5. Re:Block outbound requests,deny internet access by Anonymous Coward · · Score: 0

      That sort of thing will never be allowed on iOS.

    6. Re:Block outbound requests,deny internet access by antdude · · Score: 1

      Did Norton products really change it as of 2014? That's dumb/lame. I remember telling it to NOT automatically create rules and to ask me what to do first. I currently use PC Tools Firewall Plus v7.0 in my decade-old, updated 64-bit W7 HPE SP1 PC.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    7. Re:Block outbound requests,deny internet access by Stan92057 · · Score: 1

      Their default setting is to auto-create rules. They also at one time asked if you wanted to allow outbound traffic for programs; today it allows all connections, to other computers or from other computers, and a bevy of other non-security garbage that doesn't belong in security software.

      --
      Jack of all trades, master of none

  9. GDPR only works by Anonymous Coward · · Score: 1

    IF you know where to send your request.

  10. #freedumbs #boughtandsold by Anonymous Coward · · Score: 0

    Americans, it's time to wake up to your slavery.

  11. It's called analytics by Anonymous Coward · · Score: 0

    Every app wants to know how it's being used, so they can direct development into features people actually use.

    1. Re:It's called analytics by Fly+Swatter · · Score: 2

      Pff, if that actually worked no app would have advertisements because people always use the close button on them.

  12. Many web sites do this also.... by Anonymous Coward · · Score: 0

    Recording everything... So, e.g., if you type in the wrong password, they now know that password; all they have to do is guess which site it was really meant for.

  13. Hardly new news. by Anonymous Coward · · Score: 0

    Session Replay has been something we've had for "standard" websites for over a decade. The only thing "new" here is bringing it to the web.

    And session replay is something that can really help in a customer service situation. Especially in travel, where things change quickly and you can't look at things 3 days later and see exactly what the customer saw (because flights sold out, changed prices, etc.) If someone calls and claims "It's wrong," it's hard to figure out what happened if you can't replay what they actually saw at the time.

  14. Re: I am waiting for mention of Russian involvemen by Anonymous Coward · · Score: 0

    China hasn't been panning out as the expansion market that was going to save the iPhone from failure.

  15. We're concerned about instrumentation? by Anonymous Coward · · Score: 1

    If you're a developer and you're not instrumenting your code, you're one cocky SOB. And obviously, if you use an application to e.g. book a flight, sensitive data will be sent to the agent or airline. It's up to developers and administrators to ensure that data doesn't find its way into application performance management data stores--but only if it's not allowed to be there.

    Replay is also common. If you're hitting a web app in someone's data center, why on earth would you believe the traffic isn't being monitored, up to and including being fully decrypted and stored for later retrieval?

  16. Apps == Assholes ... by Anonymous Coward · · Score: 0

    I have more or less concluded that pretty much all apps are published by assholes, and that most of those apps add no value beyond what the website gives you.

    Apps are really just thin veneers to give the assholes in advertising and analytics access to your information.

    Shit that I block the hell out of in my desktop browsers can't be so easily blocked on phones, so I refuse to use most apps.

    If you are one of the assholes who works in this field, you are in serious need of a beat down.

    Apps are now just asshole corporate behavior taken to the extreme. Fuck 'em all.

    1. Re:Apps == Assholes ... by Anonymous Coward · · Score: 0

      Assholes == capitalists

  17. PCI by Anonymous Coward · · Score: 0

    Isn't this a PCI compliance issue if the CC numbers are being transmitted without proper encryption?

  18. Re: I am waiting for mention of Russian involveme by Anonymous Coward · · Score: 0

    Probably the worst failure of a tech product ever. Worse than OS/2, amiright?

  19. So it's like HotJar for websites? by fons · · Score: 1

    How is this different from HotJar, which lets you record all website visits and replay? (https://www.hotjar.com/tour check the recording tab). Pretty creepy too, but I think all websites use it and nobody asks beforehand. Opened my eyes when I had to use it for the first time for UI improvements. A true added value for the UI job, but a bit voyeuristic to watch people browse your website without them knowing...

  20. Hypersensationalize much? by Anonymous Coward · · Score: 1

    Recording inputs and clicks in an app is hardly the same thing as recording your screen.
    God, I'm sick of this sensationalistic crap /.

  21. People have no idea how their devices work by Anonymous Coward · · Score: 0

    It especially shows when they are surprised that the code that they run on their devices tracks what you are doing when the code is running. There are no laws to stop companies from doing this, so why would they stop? Almost every piece of software logs what you do; it's how software works! This should have been understood from the first use of the undo button, and there is nothing that can be done about it, because if the software doesn't log what you do then it doesn't do anything. Could you imagine a word processor that doesn't log your keystrokes? Good luck writing that report!

    The shitty security on those logs is a whole other issue, and it won't be solved until there are actual consequences for data breaches and security issues. Those consequences need to include fines based on the revenue from the product and, in the most egregious cases, jail time for the executives. Until you increase the motivation to actually care about security, there will never be a cultural change with regards to security.

  22. Glassdoor website explains how invasive they are by bagofbeans · · Score: 2

    https://www.glassboxdigital.co...

    Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility. This is Glassbox, an innovative customer experience solution to help your organization manage the results of big data analytics. Glassbox is the first Enterprise analytics platform that analyses every digital customer interaction. Can your website afford not to have a brain?

  23. LOL by Anonymous Coward · · Score: 1

    Play a game and ruin all the thumb guess data.

  24. Really? by TRRosen · · Score: 3, Insightful

    We're getting paranoid now because programs know what buttons we pushed? That is sort of integral to how they work. What's next "researchers reveal Word records what you type"

    1. Re:Really? by ItsJustAPseudonym · · Score: 1

      It would be closer to "researchers reveal Word sends what you type to Microsoft without your knowledge or consent."

    2. Re:Really? by TRRosen · · Score: 1

      We're talking about web-based apps here. If you can't figure out there is data exchanged, that is your issue.

  25. Overblown FUD by Dan+East · · Score: 4, Interesting

    No, they are not literally recording your screen. Phrasing it in that way is FUD. iOS requires special permissions for that. What they are doing (which I have long suspected FB of doing) is to simply report all your user input within the app. By knowing the state of the app, coupled with your exact actions, they can potentially replay what you would have seen. This allows them to know what you spent the most time looking at. If a customer zooms in on a photo of an item they're selling, then what specifically were they zooming in on? If they see a common pattern there then they can provide closeups of the parts of the product people are most interested in by default.

    This is really no different than having 5 buttons in an app, and tracking which buttons are clicked most, and removing the buttons that no one ever uses. That's been going on in UI design for ages. This is more precise and can involve tools that allow the "replay" of sessions allowing someone to see what the user would have seen as they interacted. Going back 20 years, my software tracked which widgets the user interacted with. I could then do the same set of actions they did and *gasp* I would be seeing the same thing they must have seen as they used the software. That's not "secretly recording your screen". I guess by that definition the undo / redo history of thousands of apps mean they also secretly record the screen as well.

    In the case of FB I have long suspected that FB tracks the time you "hover" over a post, or more simply, the points at which users momentarily halt their incessant and never-ending scrolling when they finally see something that catches their eye. Then FB will start showing you more related posts, even though you didn't like or interact with the post - they simply know you stopped scrolling and spent time looking at it for some reason. You better believe they infer meaning from that.

    --
    Better known as 318230.

    1. Re:Overblown FUD by Anonymous Coward · · Score: 0

      This. Hence TFA uses the weasel words "effectively screenshotted"

    2. Re:Overblown FUD by Anonymous Coward · · Score: 1

      Glassbox does also send screenshots back to the developer: http://theappanalyst.com/aircanada.html

  26. iOS app is possible by SuperKendall · · Score: 1

    iOS on the other hand forbids that kind of app

    If Charles as an iOS app is possible (which it is), then you could have that kind of blocking application for iOS as well.

    The way it works is that it acts as a local VPN, through which all traffic is routed.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

  27. And guess what? by Anonymous Coward · · Score: 0

    Web sites know what links you click too.

    Do people really connect their software to other computers over a network and then expect that usage data isn't transmitted to the other computers?

    Really?

    You know that's WHY they connect them, right?

    LOL

  28. Every Big Website Does this by Anonymous Coward · · Score: 1

    The site I work on, and the last two I worked on, recorded every user session. This is super common. The tools typically block out form fields. Lots of companies offer this service; they include Inspectlet, Clicktale, hotjar. This is a standard analytics package feature. Every site and app is doing this.

    Worrying about this is silly. Consider: does your app know how many users clicked button x? Of course. Does it track conversion? Of course. Does it track the number of type xxx errors users encountered? Of course. All this is just basic analytics.

    Here is what is new. They track finger and mouse movements with timing. They are not sending back video or your session. They send back data that can be played back over screens that can be regenerated.

    Typical data sent is just a normal analytics log. Imagine it looks like this: Product page x, customer ip:x, swipe left on image starting at position x, ending at position y, at time t to t1. The videos are recreations from the log over pages from the app being loaded in realtime.

    It seems creepy, but honestly you can do everything but the timing stuff with basic analytics logs. Nothing to see here.
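    The event log described in the post above, modelled as an added example (constructed here, not code from the page, from Glassbox, or from any of the vendors named in the thread). It shows the two controls a defender would want around such a log: masking of text typed into fields the app itself tags as sensitive before the batch leaves the device, and an audit of the outbound payload for card or passport-like values, which is the check that would have flagged the improperly masked replays the summary describes. The field identifiers (`card_number`, `passport_number`, `order_notes`), the event layout and the sample events are all assumptions; the passport pattern is a loose heuristic, not any country's real format.

    ```python
    """Session-replay event log: field masking plus an outbound leakage audit.

    Constructed example; the event shape, field ids and sample data are
    assumptions made for illustration, not any vendor's real format.
    """
    import json
    import re
    from dataclasses import dataclass, asdict

    # Field ids the app marks as sensitive (hypothetical names). Only these are
    # masked; free-text fields the app did not tag pass through in the clear.
    SENSITIVE_FIELDS = {"card_number", "passport_number", "cvv", "password"}


    @dataclass
    class Event:
        page: str
        kind: str              # "tap" | "swipe" | "input"
        t0: float              # start time (seconds into the session)
        t1: float              # end time
        field_id: str = ""     # set for "input" events only
        text: str = ""         # typed text, "input" events only
        start: tuple = ()      # (x, y) for tap/swipe
        end: tuple = ()        # (x, y) for swipe


    def mask_event(ev: Event) -> Event:
        """Replace typed text in a tagged field with '*' of equal length, so the
        replay still shows that something was typed but not what."""
        if ev.kind == "input" and ev.field_id in SENSITIVE_FIELDS:
            return Event(ev.page, ev.kind, ev.t0, ev.t1, ev.field_id,
                         "*" * len(ev.text), ev.start, ev.end)
        return ev


    def build_payload(events, mask=True) -> str:
        """Serialize the batch as it would be sent to the analytics backend."""
        evs = [mask_event(e) for e in events] if mask else list(events)
        return json.dumps([asdict(e) for e in evs])


    def luhn_ok(digits: str) -> bool:
        """Luhn check used to separate card numbers from other digit runs."""
        total = 0
        for i, ch in enumerate(reversed(digits)):
            d = int(ch)
            if i % 2 == 1:
                d = d * 2 - 9 if d * 2 > 9 else d * 2
            total += d
        return total % 10 == 0


    CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
    PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{6,8}\b")   # constructed heuristic


    def find_leaks(payload: str) -> list:
        """Audit an outbound payload for values that look like card or passport
        numbers. Returns a list of (kind, matched_text) tuples."""
        leaks = []
        for m in CARD_RE.finditer(payload):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                leaks.append(("card", m.group()))
        for m in PASSPORT_RE.finditer(payload):
            leaks.append(("passport", m.group()))
        return leaks


    def sample_events():
        """Constructed session: a checkout flow with tagged sensitive fields."""
        return [
            Event("product", "swipe", 2.0, 2.4, start=(10, 200), end=(300, 200)),
            Event("checkout", "tap", 12.0, 12.1, start=(120, 340)),
            Event("checkout", "input", 15.0, 22.5, "card_number",
                  "4111 1111 1111 1111"),
            Event("checkout", "input", 24.0, 27.0, "passport_number", "AB1234567"),
            Event("checkout", "input", 28.0, 30.0, "search", "cheap flights"),
        ]


    if __name__ == "__main__":
        evs = sample_events()
        print("no masking :", find_leaks(build_payload(evs, mask=False)))
        print("masked     :", find_leaks(build_payload(evs)))
        # A card number typed into an untagged free-text field is not masked;
        # only the audit catches it, which is why both controls are needed.
        evs.append(Event("checkout", "input", 31.0, 34.5, "order_notes",
                         "4111 1111 1111 1111"))
        print("untagged   :", find_leaks(build_payload(evs)))
    ```

    Masking is keyed on field ids the app declares, so it protects exactly the fields the developer remembered to tag and nothing else; the audit runs over the serialized bytes and does not care where the value came from, which is what makes it useful as an independent check before a batch is sent or stored.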

  29. words by Falos · · Score: 1

    >apps know exactly what you accessed, what you clicked, what you wrote, what you bought, what you gazed at

    BUT MUH IPHONE = PRIVACY

    See also: Incognito mode keeps Amazon from knowing what I like

  30. Websites do this all the time by Anonymous Coward · · Score: 1

    There are a number of technologies that do this on websites all the time. IBM Tealeaf is a great example of this. It has been used in place of eye-tracking analysis for years. Allows for improvements to the UI based on customer behavior.

  31. Essentially screenshotted. - Um no. by dimmthewitted · · Score: 1

    I'm certain it's recording every interaction, no, not through screenshots.
    It is merely logging actions on the site through special events.

    Recording the screen implies the logging extends beyond their app. Which in many cases of malicious activity outside of GlassBox holds true.

    #yellowjournalism