Many Popular iPhone Apps Secretly Record Your Screen Without Asking (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won't even realize it. And they don't need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don't ask or make it clear -- if at all -- that they know exactly how you're using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.
Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded -- effectively screenshotted -- and sent back to the app developers. [...] Apps that are submitted to Apple's App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user's screen. Glassbox doesn't require any special permission from Apple or from the user, so there's no way a user would know. When asked, Glassbox said it doesn't enforce its customers to mention its usage in their privacy policy. A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
..let me start by saying if your app is sending credit card/payment info, screen grabs, passport data etc. without the express and explicit knowledge of the user, that's just plain wrong.
However, I find usage analytics in apps and websites immensely useful. For example, if I find that users are swiping around an app aimlessly or take 15 clicks across multiple pages to get to a certain form or feature, it tells me I need to reconsider the workflow or design of the UI. Without the ability to track what a user is doing in the app, I would have to rely exclusively on user feedback which is infrequent and often unactionable.
I don't need to see screen grabs, but knowing that a user went from Page 1 to Page 8 and the clicks or journey they took is invaluable user experience information. Using the hotel booking system (screen grabs aside), I can immediately see why it would be helpful for the developer to see the entire journey a customer took in their app from logging in to completing a booking. A user that spends 40 minutes and 50+ clicks is most likely having issues navigating and the developer would want to minimize that.
TL;DR: The intent isn't always evil behind user tracking.
However, I find usage analytics in apps and websites immensely useful.
Don't give a shit unless you got informed consent in advance of the data collection. The "informed" bit of that is important and usually neglected by tech companies even if they do the "consent" part. And they usually don't bother with the consent. A 50 page legal click-through agreement does not equal informed consent.
TL;DR: The intent isn't always evil behind user tracking.
The road to hell is paved with good intentions. You might be honest but I have no way to know that and just because you might be honest doesn't mean the next guy is. And let's be honest, most user tracking does have intent that does not benefit the user and it is almost never restricted to just usability studies.
We're getting paranoid now because programs know what buttons we pushed? That is sort of integral to how they work. What's next, "researchers reveal Word records what you type"?