Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many Popular iPhone Apps Secretly Record Your Screen Without Asking (techcrunch.com)

Posted by BeauHD on from the sneaky-bastards dept.

An anonymous reader quotes a report from TechCrunch: Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won't even realize it. And they don't need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don't ask or make it clear -- if at all -- that they know exactly how you're using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded -- effectively screenshotted -- and sent back to the app developers. [...] Apps that are submitted to Apple's App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user's screen. Glassbox doesn't require any special permission from Apple or from the user, so there's no way a user would know. When asked, Glassbox said it doesn't enforce its customers to mention its usage in their privacy policy. A mobile expert known as The App Analyst recently found Air Canada's iPhone app to be improperly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

16 of 97 comments (clear)

  1. It's not always nefarious.... by froggyjojodaddy · · Score: 4, Insightful

    ..let me start by saying if your app is sending credit card/payment info, screen grabs, passport data etc. without the express and explicit knowledge of the user, that's just plain wrong.

    However, I find usage analytics in apps and websites immensely useful. For example, if I find that users are swiping around an app aimlessly or take 15 clicks across multiple pages to get to a certain form or feature, it tells me I need to reconsider the workflow or design of the UI. Without the ability to track what a user is doing in the app, I would have to rely exclusively on user feedback which is infrequent and often unactionable.

    I don't need to see screen grabs, but knowing that a user went from Page 1 to Page 8 and the clicks or journey they took is invaluable user experience information. Using the hotel booking system (screen grabs aside), I can immediately see why it would be helpful for the developer to see the entire journey a customer took in their app from logging in to completing a booking. A user that spends 40 minutes and 50+ clicks is most likely having issues navigating and the developer would want to minimize that.

    TL:DR: The intent isn't always evil behind user tracking.

    1. Re:It's not always nefarious.... by MadKeithV · · Score: 5, Insightful
      You can sort that kind of stuff out in UX testing: you can see what they are doing if you're there, in the room with them, while they are doing it, and your tester knows you are watching them. Instead of this surreptitious "it's for UX reasons, honest, and we buried it on page 24 of the EULA in a locked filing cabinet in a disused lavatory behind a sign that says "beware of the leopard"*. Can we please start putting users' rights above our own damn convenience as developers? Thanks.

      (*Not that it is even IN the EULA in this case, so there's that.)

    2. Re:It's not always nefarious.... by Moskit · · Score: 3, Informative

      Yes, but in a beta or an instrumented version, with explicit user consent.

    3. Re: It's not always nefarious.... by froggyjojodaddy · · Score: 2

      Just to be clear, our apps don't have any advertising, large white space etc. We do user experience testing but there's no way it can cover the needs of 1M+ users. Apps are launched based on what customer beta testing and internal best practices tell us, but after a couple of months, you quickly realize people are using the app very differently and some people are clearly struggling with it (calls to help desk etc.)

      There are certain things you cannot anticipate, regardless of how well you design your user experience sessions or beta program. Those you only discover once the app is released and people start using it.

    4. Re:It's not always nefarious.... by AmiMoJo · · Score: 4, Insightful

      While that information may be of great use to you, if you want it then you need to do two things:

      1. Get explicit, opt-in permission from the user.

      2. Make sure that any personal information like passport number, name, credit card details, travel plans etc. is obscured.

      These apps appear to have failed on both counts.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:It's not always nefarious.... by Anonymous Coward · · Score: 3, Informative

      Not exactly. We do UX testing all the time (as in our research lab is running these kinds of tests daily). The results you get are valuable and can lead you to making some good decisions.

      Unfortunatly, when the user knows you’re watching they become biased. When they’re coming in for an explicit test session, they’re not using the app “realistically” (i.e. as they normally would) which also biases things.

      It’s very common for something that tests well to hit the field and then we get real world feedback that tells us we didn’t get things right. But you don’t need screen recording to do this, any of the “normal” analytics systems out there (Omniture, Google Analytics, Localytics, New Relic to a degree) can show you this in a much less intrusive way.

    6. Re:It's not always nefarious.... by olau · · Score: 3, Insightful

      I disagree with this point. It's my app/website/whatever. If I want to use information that your browser or operating system sends to my server, I don't have to tell you what I'm collecting or how I'm using that information.

      And that, my friend, is the reason the EU made the GDPR and will slap a fine on you if you ever practice that kind of thinking towards consumers in the EU.

      When people do not expect to be spied on, it's not legal to spy on them.

      Just like it's not legal to hide a camera in a public restroom and take a snapshot of your private parts.

    7. Re:It's not always nefarious.... by AmiMoJo · · Score: 2

      GDPR mandates that you have to ask specifically and clearly for permission to do that. If you bury it in the ToS it doesn't count, you have to have a separate opt-in tickbox with clear explanation of what it allows.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:It's not always nefarious.... by Minupla · · Score: 2

      In psychology there is a reason you need to clear your experiment with an ethics board prior to conducting it on a subject. If the subject is unaware you need to convince your board that there is no harm to come to the subject.

      I'd say potentially exposing information (Are you redacting appropriate things, what happens if a popup from another app comes up while you're doing a screen capture? Is the metadata your collecting potentially have uses that run contrary to the interests of the user - hey this user asked for directions to an HIV clinic...) is a harm that should be considered. Maybe detect interesting behavior and offer the user a discount on your app if they allow you to send the collected data?

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  2. But it usually is nefarious by sjbe · · Score: 4, Insightful

    However, I find usage analytics in apps and websites immensely useful.

    Don't give a shit unless you got informed consent in advance of the data collection. The "informed" bit of that is important and usually neglected by tech companies even if they do the "consent" part. And they usually don't bother with the consent. A 50 page legal click-through agreement does not equal informed consent.

    TL:DR: The intent isn't always evil behind user tracking.

    The road to hell is paved with good intentions. You might be honest but I have no way to know that and just because you might be honest doesn't mean the next guy is. And let's be honest, most user tracking does have intent that does not benefit the user and it is almost never restricted to just usability studies.

  3. Block outbound requests,deny internet access by Stan92057 · · Score: 2

    We need an firewall that ALSO blocks OUTBOUND requests..And why doesn't security software already do that? Norton did at one time they stopped. Someone out their is smart enough to do this..i will buy a copy for sure

    --
    Jack of all trades,master of none
    1. Re:Block outbound requests,deny internet access by Freischutz · · Score: 2

      We need an firewall that ALSO blocks OUTBOUND requests..And why doesn't security software already do that? Norton did at one time they stopped. Someone out their is smart enough to do this..i will buy a copy for sure

      There is a bunch of them for MacOS, like Little Snitch for example which works fine for me. I'd be surprised if such apps don't exist on Windows and Linux. iOS on the other hand forbids that kind of app although you can block apps from accessing the cellular connection (not Wifi it seems). There used to be an app for Android called NetGuard that did this but I don't use Android so I'm not qualified to judge it's effectiveness. These things taking screenshot and sending them to some server out on the net seems pretty outrageous to me. The thing is though, that with a net connected app it's kind of hard to distinguish between legitimate data and UI analysis data.

  4. Re:Its called analytics by Fly+Swatter · · Score: 2

    Pff, if that actually worked no app would have advertisements because people always use the close button on them.

  5. Glassdoor website explains how invasive they are by bagofbeans · · Score: 2

    https://www.glassboxdigital.co...

    Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility. This is Glassbox, an innovative customer experience solution to help your organization manage the results of big data analytics. Glassbox is the first Enterprise analytics platform that analyses every digital customer interaction. Can your website afford not to have a brain?

  6. Really? by TRRosen · · Score: 3, Insightful

    We're getting paranoid now because programs know what buttons we pushed? That is sort of integral to how they work. What's next "researchers reveal Word records what you type"

  7. Overblown FUD by Dan+East · · Score: 4, Interesting

    No, they are not literally recording your screen. Phrasing it in that way is FUD. iOS requires special permissions for that. What they are doing (which I have long suspected FB of doing) is to simply report all your user input within the app. By knowing the state of the app, coupled with your exact actions, they can potentially replay what you would have seen. This allows them to know what you spent the most time looking at. If a customer zooms in on a photo of an item they're selling, then what specifically were they zooming in on? If they see a common pattern there then they can provide closeups of the parts of the product people are most interested in by default.

    This is really no different than having 5 buttons in an app, and tracking which buttons are clicked most, and removing the buttons that no one ever uses. That's been going on in UI design for ages. This is more precise and can involve tools that allow the "replay" of sessions allowing someone to see what the user would have seen as they interacted. Going back 20 years, my software tracked which widgets the user interacted with. I could then do the same set of actions they did and *gasp* I would be seeing the same thing they must have seen as they used the software. That's not "secretly recording your screen". I guess by that definition the undo / redo history of thousands of apps mean they also secretly record the screen as well.

    In the case of FB I have long suspected that FB tracks the time you "hover" over a post, or more simply, the points at which users momentarily halt their incessant and never-ending scrolling when they finally see something that catches their eye. Then FB will start showing you more related posts, even though you didn't like or interact with the post - they simply know you stopped scrolling and spent time looking at it for some reason. You better believe they infer meaning from that.

    --
    Better known as 318230.