A gadgets site discovered that several popular iPhone apps are recording the user's screen without their permission. Some of these applications are from popular fashion brands and airline companies.
TechCrunch found out that iPhone apps like Abercrombie & Fitch, Hotels.com, and Singapore Airlines are using Glassbox to get some information from users through recording the screen. Glassbox is a customer experience analytics firm.
Glassbox is also one of the companies that allow iPhone apps developers to have "session replay" technology so that they can record the screen and play them back. This is on order for them to see how the users interacted with their app.
These iPhone apps are also meant to mask certain fields that may inadvertently expose some of the user's sensitive data. In an article published by NDTV, it was found out by mobile expert App Analyst that Air Canada's i{hone was not properly masking the session replays when they were sent.
So how is it going to affect the user? This certain action found in iPhone apps could actually expose some highly sensitive personal data like passport numbers and credit card data in each replay data.
Air Cana previously announced that they had a data breach as 20,000 profiles were exposed. The usage of their iPhone app is currently seen as one of the reasons for the data breach.
"This gives Air Canada employees - and anyone else capable of accessing the screenshot database - to see unencrypted credit card and password information," the App Analyst said. He also said that Air Canada's iPhone app may have masked the fields but it did not always stick properly.
"Since this data is often sent back to Glassbox servers I wouldn't be shocked if they have already had instances of them capturing sensitive banking information and passwords," the App Analyst added. He said iPhone apps like Abercrombie & Fitch and Hollister send their session replays to Glassbox.
However, other iPhone apps like Expedia and Hotels.com choose to capture and send session replay data back to a server. The App Analyst said the data was obfuscated.
iPhone apps are required to have a privacy policy as part of their protocol. Apps such as Abercrombie & Fitch, Singapore Airlines, and Air Canada did not indicate their policies about recording a user's screen.
Glassbox's spokesperson admitted in their statement that they don't enforce their customers, who are mostly iPhone app developers, to mention them in their privacy policy. The spokesperson added they don't have access to the recorded screen of their customers.
