Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many Popular iPhone Apps Secretly Record Your Screen Without Asking (techcrunch.com)

Posted by BeauHD on from the sneaky-bastards dept.

An anonymous reader quotes a report from TechCrunch: Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won't even realize it. And they don't need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don't ask or make it clear -- if at all -- that they know exactly how you're using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded -- effectively screenshotted -- and sent back to the app developers. [...] Apps that are submitted to Apple's App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user's screen. Glassbox doesn't require any special permission from Apple or from the user, so there's no way a user would know. When asked, Glassbox said it doesn't enforce its customers to mention its usage in their privacy policy. A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

49 of 97 comments (clear)

  1. It's not always nefarious.... by froggyjojodaddy · · Score: 4, Insightful

    ..let me start by saying if your app is sending credit card/payment info, screen grabs, passport data etc. without the express and explicit knowledge of the user, that's just plain wrong.

    However, I find usage analytics in apps and websites immensely useful. For example, if I find that users are swiping around an app aimlessly or take 15 clicks across multiple pages to get to a certain form or feature, it tells me I need to reconsider the workflow or design of the UI. Without the ability to track what a user is doing in the app, I would have to rely exclusively on user feedback which is infrequent and often unactionable.

    I don't need to see screen grabs, but knowing that a user went from Page 1 to Page 8 and the clicks or journey they took is invaluable user experience information. Using the hotel booking system (screen grabs aside), I can immediately see why it would be helpful for the developer to see the entire journey a customer took in their app from logging in to completing a booking. A user that spends 40 minutes and 50+ clicks is most likely having issues navigating and the developer would want to minimize that.

    TL:DR: The intent isn't always evil behind user tracking.

    1. Re:It's not always nefarious.... by MadKeithV · · Score: 5, Insightful
      You can sort that kind of stuff out in UX testing: you can see what they are doing if you're there, in the room with them, while they are doing it, and your tester knows you are watching them. Instead of this surreptitious "it's for UX reasons, honest, and we buried it on page 24 of the EULA in a locked filing cabinet in a disused lavatory behind a sign that says "beware of the leopard"*. Can we please start putting users' rights above our own damn convenience as developers? Thanks.

      (*Not that it is even IN the EULA in this case, so there's that.)

    2. Re: It's not always nefarious.... by peragrin · · Score: 1

      You say that and it could be true but it still isn't actionable, or you choose not to take action.

      You would think that if users quickly hit the skip now button on ads for your app that you would show less ads not make the skip now button longer than the ad.

      Same goes for large whitespace and tiny moving X's for ads too.

      You are taking the wrong Info from your app feedback.

      --
      i thought once I was found, but it was only a dream.
    3. Re:It's not always nefarious.... by AHuxley · · Score: 1

      Depends what a "session replay" really is.
      Words used and pace of data entry linked back to the same site the data was entered?
      If the data is the same as the user sent up to the site, but how the site is used is the only collection?

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:It's not always nefarious.... by Moskit · · Score: 3, Informative

      Yes, but in a beta or an instrumented version, with explicit user consent.

    5. Re: It's not always nefarious.... by froggyjojodaddy · · Score: 2

      Just to be clear, our apps don't have any advertising, large white space etc. We do user experience testing but there's no way it can cover the needs of 1M+ users. Apps are launched based on what customer beta testing and internal best practices tell us, but after a couple of months, you quickly realize people are using the app very differently and some people are clearly struggling with it (calls to help desk etc.)

      There are certain things you cannot anticipate, regardless of how well you design your user experience sessions or beta program. Those you only discover once the app is released and people start using it.

    6. Re:It's not always nefarious.... by AmiMoJo · · Score: 4, Insightful

      While that information may be of great use to you, if you want it then you need to do two things:

      1. Get explicit, opt-in permission from the user.

      2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.

      These apps appear to have failed on both counts.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:It's not always nefarious.... by Anonymous Coward · · Score: 3, Informative

      Not exactly. We do UX testing all the time (as in our research lab is running these kinds of tests daily). The results you get are valuable and can lead you to making some good decisions.

      Unfortunatly, when the user knows you’re watching they become biased. When they’re coming in for an explicit test session, they’re not using the app “realistically” (i.e. as they normally would) which also biases things.

      It’s very common for something that tests well to hit the field and then we get real world feedback that tells us we didn’t get things right. But you don’t need screen recording to do this, any of the “normal” analytics systems out there (Omniture, Google Analytics, Localytics, New Relic to a degree) can show you this in a much less intrusive way.

    8. Re:It's not always nefarious.... by Anonymous Coward · · Score: 1

      For thousands of years, people were able to provide goods and services without spying on their customers. Just because you can, and just because everyone else is doing it, doesn't make it right. If you politely asked to watch people use your app, that would be one thing. But you're sneaky about it. You silently spy on people knowing that they don't know you're doing it. So fuck that, and fuck you. Fuck all of you that think it's ok.

    9. Re:It's not always nefarious.... by olau · · Score: 3, Insightful

      I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.

      And that, my friend, is the reason the EU made the GDPR and will slap a fine on you if you ever practice that kind of thinking towards consumers in the EU.

      When people do not expect to be spied on, it's not legal to spy on them.

      Just like it's not legal to hide a camera in a public restroom and take a snapshot of your private parts.

    10. Re:It's not always nefarious.... by Anonymous Coward · · Score: 1

      However, I find usage analytics in apps and websites immensely useful.

      We don't actually give a fuck, we don't want to be tracked by an endless stream of third party assholes who feel entitled to our data .. plain and simple.

      All analytics is bullshit, we didn't consent to the third part crap on your website, and have no way of knowing who they are or what they do with out data.

      Since it's impossible to know who is who, the only safe thing to do is assume all third party analytics are hostile to your privacy and block them.

      Fuck you and your analytics.

    11. Re:It's not always nefarious.... by stealth_finger · · Score: 1

      1. Get explicit, opt-in permission from the user.

      They kinda do though, and that's part of the problem. It all goes in the T&C at the start which no one ever reads because its a mile long because it legally has to cover a whole bunch of stuff and if they made you click to acknowledge every single bit no one would bother. A reasonable person these days should expect their data to be tracked and slurped where possible and take their own measures against it.

      2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.

      No excuses for that.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    12. Re:It's not always nefarious.... by AmiMoJo · · Score: 2

      GDPR mandates that you have to ask specifically and clearly for permission to do that. If you bury it in the ToS it doesn't count, you have to have a separate opt-in tickbox with clear explanation of what it allows.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:It's not always nefarious.... by stealth_finger · · Score: 1

      Oh right, fair enough then. Carry on.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    14. Re:It's not always nefarious.... by Minupla · · Score: 2

      In psychology there is a reason you need to clear your experiment with an ethics board prior to conducting it on a subject. If the subject is unaware you need to convince your board that there is no harm to come to the subject.

      I'd say potentially exposing information (Are you redacting appropriate things, what happens if a popup from another app comes up while you're doing a screen capture? Is the metadata your collecting potentially have uses that run contrary to the interests of the user - hey this user asked for directions to an HIV clinic...) is a harm that should be considered. Maybe detect interesting behavior and offer the user a discount on your app if they allow you to send the collected data?

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    15. Re:It's not always nefarious.... by CaptainDork · · Score: 1

      This is the "let the users beta the alpha before going gold" model that Microsoft has used since its inception.

      You can "blah blah" all you want, but goddammit, get your shit together.

      ASK FOR BETA TESTERS!

      --
      It little behooves the best of us to comment on the rest of us.
    16. Re:It's not always nefarious.... by froggyjojodaddy · · Score: 1

      Good lord man. You jumped to the assumption that we didn't ask the user to begin with. I'm glad you got downvoted because you're either a troll (and deserved it) or you're insane (in which case I hope the voting makes you inwardly reflect).

    17. Re:It's not always nefarious.... by froggyjojodaddy · · Score: 1

      You missed the part where I said we run through a beta phase to understand the customer experience and use internally best practice guidelines - which are derived from the results of beta testing (as all good best practices should be)

    18. Re:It's not always nefarious.... by froggyjojodaddy · · Score: 1

      This is exactly right. User bias in beta testing or customer experience testing is largely unavoidable. You can design around it but people change their behavior when they know they're being watched / recorded / monitored - even when they KNOW they're evaluating the experience of an app and should be unbiased. It cannot be helped and it cannot be 100% eliminated.

      We've done comparative analysis of internal staff who participated in a beta and later compared their actual usage of the app and I can tell you, it's extremely rare that the two match.

      The analogy I use is driving. When you're taking your driving test, you're doing everything by the book. Maybe even months after your test, you're still driving 10 to 2, using the indicator religiously etc. But after 2 years of driving? Not so much. When you ask folks to participate in a beta program or CX session, they just don't use the app as they would normally.

    19. Re:It's not always nefarious.... by CaptainDork · · Score: 1

      You are NOT missing the goddam part where you are rolling out an unfinished product. It's a lot cheaper to let people run the fucking thing into a ditch and THEN you do a front-end alignment.

      Your QA sucks.

      --
      It little behooves the best of us to comment on the rest of us.
    20. Re: It's not always nefarious.... by dgatwood · · Score: 1

      Sorry, I worded that badly. The point I was trying to make was that having the data is valuable for more than just pure design issues. It also helps when figuring out bugs. For example, you might discover through reproducing the exact steps that in some particular path through the app, some critical view never becomes visible for some reason, thus resolving a customer complaint in a way that wouldn't be possible without data. And, of course, it helps in reproducing crashes and other misbehavior.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    21. Re:It's not always nefarious.... by jezwel · · Score: 1

      I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.

      Does your screengrabbing/whatever software stop the instant your app is interrupted by a message notification or any other type of context/focus switch? Everything else is not "your app", and that sure isn't "your information" to do with as you please.
      When does your screengrabbing start up again?
      what about devices that can run multiple apps displayed simultaneously? My phone can have 2 apps running at half-screen at the same time. Is your app screengrabbing the lot, or just your applications' half? How do I know that for sure?

  2. But it usually is nefarious by sjbe · · Score: 4, Insightful

    However, I find usage analytics in apps and websites immensely useful.

    Don't give a shit unless you got informed consent in advance of the data collection. The "informed" bit of that is important and usually neglected by tech companies even if they do the "consent" part. And they usually don't bother with the consent. A 50 page legal click-through agreement does not equal informed consent.

    TL:DR: The intent isn't always evil behind user tracking.

    The road to hell is paved with good intentions. You might be honest but I have no way to know that and just because you might be honest doesn't mean the next guy is. And let's be honest, most user tracking does have intent that does not benefit the user and it is almost never restricted to just usability studies.

  3. Secretly? by fortythirteen · · Score: 1

    This is an entire analytics SaaS sub-genre. TechCrunch is just figuring this out? Have they never heard of IBM's Tealeaf?

  4. Block outbound requests,deny internet access by Stan92057 · · Score: 2

    We need an firewall that ALSO blocks OUTBOUND requests..And why doesn't security software already do that? Norton did at one time they stopped. Someone out their is smart enough to do this..i will buy a copy for sure

    --
    Jack of all trades,master of none
    1. Re:Block outbound requests,deny internet access by Freischutz · · Score: 2

      We need an firewall that ALSO blocks OUTBOUND requests..And why doesn't security software already do that? Norton did at one time they stopped. Someone out their is smart enough to do this..i will buy a copy for sure

      There is a bunch of them for MacOS, like Little Snitch for example which works fine for me. I'd be surprised if such apps don't exist on Windows and Linux. iOS on the other hand forbids that kind of app although you can block apps from accessing the cellular connection (not Wifi it seems). There used to be an app for Android called NetGuard that did this but I don't use Android so I'm not qualified to judge it's effectiveness. These things taking screenshot and sending them to some server out on the net seems pretty outrageous to me. The thing is though, that with a net connected app it's kind of hard to distinguish between legitimate data and UI analysis data.

    2. Re:Block outbound requests,deny internet access by Gilgaron · · Score: 1

      For most of these sorts of apps you'd whitelist it through the firewall anyway, if it was granular enough to only block parts of the app it'd be very frustrating to use.

    3. Re:Block outbound requests,deny internet access by Actually,+I+do+RTFA · · Score: 1

      I'd be surprised if such apps don't exist on Windows

      I'd be surprised if it existed for Windows (at least at the basic level GP is talking about), but only because the OS has had it built in since at least Windows 7.

      iOS isn't gating permissions with the cell connection, it's allocating your data cap. I don't think it's possible to keep apps from calling home.

      As you pointed out, it's impossible to tell the difference between legit data and UI analysis data (well, can be made very difficult to the point of being functionally impossible).

      --
      Your ad here. Ask me how!
    4. Re:Block outbound requests,deny internet access by antdude · · Score: 1

      Did Norton products really change it as of 2014? That's dumb/lame. I remember telling to NOT automatically create rules and to ask me what to do first. I currently use PC Tools Firewall Plus v7.0 in my decade old, updated 64-bit W7 HPE SP1 PC.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    5. Re:Block outbound requests,deny internet access by Stan92057 · · Score: 1

      Their default setting is auto create rules. they also at one time asked if you wanted to allow outbound traffic for programs today it allow all connections,To other computers or from other computers and a bevy of other non security garbage that's doesn't belong is security software.

      --
      Jack of all trades,master of none
  5. GDPR only works by Anonymous Coward · · Score: 1

    IF you know where to send your request.

  6. Re:Its called analytics by Fly+Swatter · · Score: 2

    Pff, if that actually worked no app would have advertisements because people always use the close button on them.

  7. We're concerned about instrumentation? by Anonymous Coward · · Score: 1

    If you're a developer and you're not instrumenting your code, you're one cocky SOB. And obviously, if you use an application to e.g. book a flight, sensitive data will be sent to the agent or airline. It's up to developers and administrators to ensure that data doesn't find its way into application performance management data stores--but only if it's not allowed to be there.

    Replay is also common. If you're hitting a web app in someone's data center, why on earth would believe the traffic isn't being monitored, up to an including being fully decrypted and store for later retrieval?

  8. So it's like HotJar for websites? by fons · · Score: 1

    How is this different from HotJar, which lets you record all website visits and replay? (https://www.hotjar.com/tour check the recording tab). Pretty creepy too, but I think all websites use it and nobody asks beforehand. Opened my eyes when I had to use it for the first time for UI improvements. A true added value for the UI job, but a bit voyeuristic to watch people browse your website without them knowing...

  9. Hypersensationalize much? by Anonymous Coward · · Score: 1

    Recording inputs and clicks in an app is hardly the same thing as recording your screen.
    God Im sick of this sensationalistic crap /.

  10. Glassdoor website explains how invasive they are by bagofbeans · · Score: 2

    https://www.glassboxdigital.co...

    Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility. This is Glassbox, an innovative customer experience solution to help your organization manage the results of big data analytics. Glassbox is the first Enterprise analytics platform that analyses every digital customer interaction. Can your website afford not to have a brain?

  11. LOL by Anonymous Coward · · Score: 1

    Play a game and ruin all the thumb guess data.

  12. Really? by TRRosen · · Score: 3, Insightful

    We're getting paranoid now because programs know what buttons we pushed? That is sort of integral to how they work. What's next "researchers reveal Word records what you type"

    1. Re:Really? by ItsJustAPseudonym · · Score: 1

      It would be closer to "researchers reveal Word sends what you type to Microsoft without your knowledge or consent."

    2. Re:Really? by TRRosen · · Score: 1

      Were talking about web based apps here. if you can't figure out there is data exchanged that is your issue.

  13. Overblown FUD by Dan+East · · Score: 4, Interesting

    No, they are not literally recording your screen. Phrasing it in that way is FUD. iOS requires special permissions for that. What they are doing (which I have long suspected FB of doing) is to simply report all your user input within the app. By knowing the state of the app, coupled with your exact actions, they can potentially replay what you would have seen. This allows them to know what you spent the most time looking at. If a customer zooms in on a photo of an item they're selling, then what specifically were they zooming in on? If they see a common pattern there then they can provide closeups of the parts of the product people are most interested in by default.

    This is really no different than having 5 buttons in an app, and tracking which buttons are clicked most, and removing the buttons that no one ever uses. That's been going on in UI design for ages. This is more precise and can involve tools that allow the "replay" of sessions allowing someone to see what the user would have seen as they interacted. Going back 20 years, my software tracked which widgets the user interacted with. I could then do the same set of actions they did and *gasp* I would be seeing the same thing they must have seen as they used the software. That's not "secretly recording your screen". I guess by that definition the undo / redo history of thousands of apps mean they also secretly record the screen as well.

    In the case of FB I have long suspected that FB tracks the time you "hover" over a post, or more simply, the points at which users momentarily halt their incessant and never-ending scrolling when they finally see something that catches their eye. Then FB will start showing you more related posts, even though you didn't like or interact with the post - they simply know you stopped scrolling and spent time looking at it for some reason. You better believe they infer meaning from that.

    --
    Better known as 318230.
    1. Re:Overblown FUD by Anonymous Coward · · Score: 1

      Glassbox does also send screenshots back to the developer: http://theappanalyst.com/aircanada.html

  14. iOS app is possible by SuperKendall · · Score: 1

    iOS on the other hand forbids that kind of app

    If Charles as an iOS app is possible (which it is), then you could have that kind of blocking application for iOS as well.

    The way it works is that it acts as a local VPN, through which all traffic is routed.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  15. Re: OMG Analytics! by Altus · · Score: 1

    There is a huge difference between what the google and facebook enterprise apps were tracking and tracking user actions within your own app.

    --

    "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

  16. Every Big Website Does this by Anonymous Coward · · Score: 1

    The site I work on, and the last two I worked on recorded every user session. This is super common. The tools typically block out form fields. Lot's of companies offer this service, they include Inspectlet, Clicktale, hotjar. This is a standard analytics package feature. Every site and app is doing this.

    Worrying about this is silly. Consider does your app know how many users clicked button x? Of course, Does it track conversion? Of course. Does it track the number of type xxx errors users encountered? Of Course. All this is just basic analytics.

    Here is what is new. They track finger and mouse movements with timing. They are not sending back video or your session. They send back data that can be played back over screens that can be regenerated.

    Typical data sent is just a normal analytics log. Imagine it looks like this Product page x, customer ip:x, swipe left on image starting at position x, ending at position y, at time t to t1. The video's are recreations from the log over pages from the app being loaded in realtime.

    It seems creepy, but honestly you can do everything but the timing stuff with basic analytics logs. Nothing to see here.

  17. words by Falos · · Score: 1

    >apps know exactly what you accessed, what you clicked, what you wrote, what you bought, what you gazed at

    BUT MUH IPHONE = PRIVACY

    See also: Incognito mode keeps Amazon from knowing what I like

  18. Websites do this all the time by Anonymous Coward · · Score: 1

    There a number of technologies that do this on websites all the time. IBM Tealeaf is great example of this. It has been used in replaced of eye tracking analysis for years. Allows for improvements to the UI based on customer behavior.

  19. Essentially screenshotted. - Um no. by dimmthewitted · · Score: 1

    I'm certain it's recording every interaction, no not through screenshots.
    It is merely logging actions on the site through special events.

    Recording the screen inplies the logging extends beyond their app. Which in many case of malicious activity outside of GlassBox holds true.

    #yellowjournalism

  20. Re:LOL by Altus · · Score: 1

    Yeah, I can't believe they let apps receive tap events and they even let them call services on the internet! The gall of these people.

    --

    "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson