Several popular iOS apps found recording screens without user permission
Modern-day apps are known to collect user data to improve their services or to show ads; it is a fairly common practice. But, in a recent investigation, TechCrunch discovered a bunch of iOS apps that even recorded screens of their users. They captured every action from iPhones, and that too, without proper permission of the users involved. Here's more about them.
Using the information found by App Analyst, a mobile security blog, TechCrunch learned that popular companies like Expedia, Canada Airlines, Hotels.com, and Singapore Airlines used a tech called session replay on their apps. With this system, they captured everything that happened on their iPhone/iPad programs, from every single swipe and keyboard entry to a button press, via screenshots and recording measures.
In some cases, companies used Glassbox, a third-party analytics platform, to implement 'session replay' and monitor how users interacted with their apps.
After recording a session, the app transmitted it to the companies' servers for the purpose of analysis. Notably, this includes every piece of information captured on the app, even your personal and financial information like where you live or your credit card numbers. As per the firms, session replays help developers understand how users interacted with their app to fix or improve it.
Mining data, as we said, is a common practice, but such level of recording can raise security concerns among iPhone users. Also, it is important to note that none of the programs involved in this case mention anything about recording screens in their privacy policy. They don't take any kind of permission from the users and keep recording real-time activity.
Using a system like this and not taking consent isn't the only issue. TechCrunch even found that some apps inadvertently exposed captured information while sending it to their servers. In one case, they found Air Canada wasn't properly masking the recorded sessions, exposing details like passport numbers and credit card data in each replay session. This, naturally, opens gates for a third-party attack.
Apple has not commented on the matter, but going by its standards, we soon expect some sort of clarity (even privacy policy changes) on how this information is being collected from iPhones and iPads and how the companies are protecting it from potential attackers.
