These apps utilize analytics software that embeds ‘session replay’ tech to show them exactly what users are doing.
This story originally appeared on Engadget
When an app says it’s collecting data for technical support or analytics purposes, it seems innocuous, but a report by TechCrunch and The App Analyst found a number of iOS applications that went much further without informing users. The apps mentioned, including Air Canada, Abercrombie & Fitch, Expedia, Hotels.com and others, used analytics software from a company called Glassbox that embeds “session replay” tech to show them exactly what users are doing.
Whatever buttons are pushed or information is entered is recorded, and worse, while the feature can be configured to prevent recording of sensitive data like credit card numbers, they didn’t always block it out fully. By using man-in-the-middle software to intercept data going to Glassbox’s servers, The App Analyst showed how this happens in Air Canada’s app, where it could screenshot credit card info and user passwords.
The companies do only get recordings of activity that happens within their apps, but the potential for a data leak or misuse of information that users don’t even know they’re giving out is worrying. Glassbox isn’t the only analytics company with such software running in iOS apps, and a report last year by Gizmodo uncovered a number of Android apps with similar screen recording capabilities built in. The company in that case, AppSee, like Glassbox, openly advertises its capture abilities to developers, but for users it’s just another thing to think about every time you pick up your phone.