Apple Tells App Developers To Disclose Or Remove Screen Recording Code (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps -- or face removal from the app store, TechCrunch can confirm. In an email, an Apple spokesperson said: "Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity." "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," the spokesperson added.
It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user's app activity. Even though sensitive data is supposed to be masked, some data -- like passport numbers and credit card numbers -- was leaking.
I'm sure that no one would ever misuse all that sweet sweet private information like password and account numbers and logins and private nude pics.
Just cruising through this digital world at 33 1/3 rpm...
comment
Ain't nobody want to see Jeff Bezos's semi-erect manhood!
This has got to be their fault somehow, amirite, my fellow slashdotters?!
Corporate entities are heavily regulated by duh gubmint and there's no way duh gubmint would let them do that to the people. We had Obama for eight years and he fixed all that privacy stuff because real TV news says so. This might be Putin and Trump's fault though... let's investigate... for years and years and years. ae911truth dot org
And once again the misnomer "Screen recording" is being used inaccurately in the headline to draw more attention. "Screen recording" is a phrase that has a specific meaning, and there is no screen recording going on. I don't feel like typing it all again... https://slashdot.org/comments....
(I'm not condoning or defending this practice, but just clarifying that the screen is not literally being recorded and streamed as video)
Better known as 318230.
Did you know that every app in the App Store is required to link to a privacy policy if it records data? If you did, do you know how to find that link?
It's in the "information" box that is helpfully hidden way at the bottom - but not all the way at the bottom - of an app's page on the App Store. If you scroll to the bottom you won't see it because you'll have gone past it.
So all this is going to do is make the apps doing this add it to that privacy policy most people probably aren't aware even exists because it's hidden below the "app compatibility" and "supported languages" sections.
from PRISM?
Domestic spying is now "Benign Information Gathering"
No, nor did they bother to immediately disclose this even to their users. That would interfere with the effectiveness of the spying. Most people learned about this from Ed Snowden's disclosures (three cheers for Snowden!). So when Apple tells you "What happens on your iPhone stays on your iPhone" there's no reason to believe them. After all, I'll bet people running iTunes thought they were getting a media player, not opening a remotely-exploitable hole despite Apple knowing about this problem for years and licensing iTunes such that nobody else was allowed to fix it and distribute an improved version of the software. The power of proprietary software (non-free software, user-subjugating software) is what makes this entire story indistinguishable from one spy agency telling other competing spies to buzz off—on Apple's turf the users are exclusively Apple's to exploit.
Digital Citizen
I'm an app developer and years ago, started with an app in the App Store and included one of those free analytics libraries. It's quite useful, you get the crash reports coming in as they occur in the field. At some point, I was very proud to have solved nearly all crashes.
Then I felt like people needed to be able to opt out. So I built a screen with a simple checkmark, and looked at their API to turn off data collection. Turns out, it's not there. To opt out as a user you needed to go to a web page, and fill in your email address. I thought to myself, what? What the fucking what? How can you relate crash reports with an email address? Then I realized that's what free means. I should never have started with it.
Note: this was in 2012/2013, and as a starting iOS developer, I was pretty naive. First of all I should've built my own lightweight crash reporter. Second of all, it should've been opt-in.
I've tried Localytics, Crashlytics and Flurry. They all have severe privacy problems in my opinion. I have simply removed them from my app, because I kept feeling bad for my users.
8 of 13 people found this answer helpful. Did you?
How this slipped their review is beyond me, but our fine paperless office applications, like ExactScan, they reject because they would "ask for an access the user's Contacts" (which we don't): https://www.youtube.com/watch?... And yet every other time they approve the updates, ..! And I swear we have no code to access the Contacts, ..! And they can't even answer with a backtrace where it would happen, ..! :-/ In the meantime I suspect our "crash reporter" optional "directly sending it to us" code accessing some "~/Library/Logs/CrashReporter/" to trigger this. But only time and more data points will show if disabling this avoids the every 2nd App Store review reject, https://exactscan.com/
Extract: "Air Canada is unsuccessful in obfuscating credit card and password information. As a result, sensitive data is being captured as images and potentially stored."
ref: http://theappanalyst.com/airca...
Will $CURRENT_YEAR be the year of the Linux Desktop?
The fact TechCrunch had to discover this is appalling. It strains credulity to think that Apple simply "missed" this. And if it did, that's almost worse than allowing apps that abuse consumer trust simply for the sake of the almighty dollar. Fuck you, Apple.
Protecting user privacy is paramount in the Apple ecosystem.
Oh really? Then how come Apple only takes action after these issues get exposed to the press? Surely someone at Apple knows each and every trick that app developers use to create and promote their apps.
I can't reconcile the two statements below, like I can't reconcile nearly everything Apple does. If you're so serious about privacy and an app (or apps) completely violated this in such a violent and litigious way - why wait to do something? Toss them off the store... for good!
What they captured without consent is so over the line, the response needs to be equally strong.
"Protecting user privacy is paramount in the Apple ecosystem." ... "and will take immediate action if necessary"