Many Popular iPhone Apps Secretly Record Your Screen Without Asking (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won't even realize it. And they don't need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don't ask or make it clear -- if at all -- that they know exactly how you're using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.
Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded -- effectively screenshotted -- and sent back to the app developers. [...] Apps that are submitted to Apple's App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user's screen. Glassbox doesn't require any special permission from Apple or from the user, so there's no way a user would know. When asked, Glassbox said it doesn't enforce its customers to mention its usage in their privacy policy. A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
No, they are not literally recording your screen. Phrasing it in that way is FUD. iOS requires special permissions for that. What they are doing (which I have long suspected FB of doing) is to simply report all your user input within the app. By knowing the state of the app, coupled with your exact actions, they can potentially replay what you would have seen. This allows them to know what you spent the most time looking at. If a customer zooms in on a photo of an item they're selling, then what specifically were they zooming in on? If they see a common pattern there then they can provide closeups of the parts of the product people are most interested in by default.
This is really no different than having 5 buttons in an app, and tracking which buttons are clicked most, and removing the buttons that no one ever uses. That's been going on in UI design for ages. This is more precise and can involve tools that allow the "replay" of sessions allowing someone to see what the user would have seen as they interacted. Going back 20 years, my software tracked which widgets the user interacted with. I could then do the same set of actions they did and *gasp* I would be seeing the same thing they must have seen as they used the software. That's not "secretly recording your screen". I guess by that definition the undo / redo history of thousands of apps means they also secretly record the screen as well.
In the case of FB I have long suspected that FB tracks the time you "hover" over a post, or more simply, the points at which users momentarily halt their incessant and never-ending scrolling when they finally see something that catches their eye. Then FB will start showing you more related posts, even though you didn't like or interact with the post - they simply know you stopped scrolling and spent time looking at it for some reason. You better believe they infer meaning from that.
Better known as 318230.