A bunch of popular iOS apps may be recording every move you make on their app. These apps have been found to literally record your iPhone screen, without asking for your permission or notifying you about it. According to TechCrunch, several popular iOS apps use Glassbox, an analytics company, to deploy session replaying into their apps. The technology can record every action a user takes on an app, including entering sensitive financial information. None of these apps need user permission to record users' screens.
Popular iOS apps such as Air Canada and Expedia were found to be recording user actions via Glassbox analytics. TechCrunch claims it found several apps from hotels, travel websites, airlines, banks, and others that didn't clarify if they were collecting such data and what they were going to do with it.
The session replay technology enables app developers to record users' every single tap, keyboard entry, button push, etc. However, the data is captured only while a user is within the app.
Apps like Singapore Airlines and Hotels.com also use Glassbox's session replay technology in their apps. These replays allow app developers to record their users' screens and play them back to see how they interacted with the app. On the surface, it seems like a useful developer feature but not all apps were found to be masking users' data, exposing sensitive financial information.
Once a user's session is recorded on the device, it is sent back to the app developer. In the case of Air Canada's iOS app, The App Analyst - a mobile expert cited by TechCrunch - found that the company was clearly exposing passport numbers and credit card information in each session replay being sent back. This means anyone with access to these replays can access sensitive information.
Air Canada had earlier reported that its mobile app had suffered a data breach which affected 20,000 users. The breach leaked passport numbers and other sensitive data.
TechCrunch further added that none of the apps involved in capturing all this data discloses it to their users, even if they're doing it simply for analytics purposes. There may be several other apps that do the same.
App developers use tools from a number of analytics companies and Glassbox isn't the only company that offers session replaying. While collecting user data purely for creating better apps makes sense, it's also important that users are aware how much of their sensitive data could be escaping their device.