Multiple popular iPhone apps are recording users' screens without permission


by Daniel Korpai

Some iPhone app developers record the actions users perform in their apps, such as taps and swipes, and sell that information for profit. This kind of data collection is mostly done without telling the user. The overseas outlet TechCrunch reports that such user-betraying data collection is taking place even in popular iPhone apps.

Many popular iPhone apps secretly record your screen without asking | TechCrunch
https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/



The official apps released by the fashion brand Abercrombie & Fitch, the hotel reservation service Hotels.com, and the airline Singapore Airlines have the "session replay" tool Glassbox built in, in order to record what actions users take inside the app.

Session replay lets developers see what actions a user took in an app, and is usually used to find which of the app's functions are not working well. With session replay, taps, button presses and keyboard input made in the app are recorded by taking screenshots, and all of this information is sent to the developer's side.



Glassbox's official Twitter account tweeted, "Imagine what your customers are doing in real time on your website and mobile apps, and why they did it. This is no longer a hypothetical question but a real possibility; that is Glassbox." As the tweet makes clear, Glassbox is a tool for recording users' behaviour inside an app.


The App Analyst, a mobile app analysis site, discovered that Glassbox is also used in the official iOS app of the airline Air Canada. When The App Analyst analyzed Air Canada's iOS app, it became clear that Glassbox was taking many screenshots. Glassbox allows the parts of the screen where a user might enter confidential data to be masked, but this setting was not configured properly in Air Canada's app, and confidential information that should have been hidden was apparently captured as-is.

The following video is a series of screenshots captured by Glassbox in Air Canada's iOS app. Although some information is masked and blacked out, it is plain to see that information which should never have been recorded, such as credit card details, is visible.

Air Canada Session Screenshots - YouTube


In addition, Air Canada suffered a data breach in August 2018, in which the personal information of about 20,000 users was stolen via the mobile app.

The App Analyst says, "Because Glassbox was unintentionally capturing credit card information and the like, Air Canada employees, and anyone else with access to the screenshot database, can now see unencrypted credit card and password information."



Using Charles Proxy, an intermediary tool for intercepting the data an app sends, The App Analyst checked what sort of data was being sent from the device and found that not every app using Glassbox exposed masked data the way Air Canada's app did. However, it was also found that not all apps that use Glassbox to record users' actions as screenshots disclose this in their privacy policy or elsewhere.
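The check described above can be automated on a proxy export. The script below is an added example, not code from the article, TechCrunch or The App Analyst: given a HAR-style capture (a constructed sample here, with placeholder hostnames rather than any vendor's real endpoints), it flags image uploads leaving for hosts outside the app's own domain and request bodies that carry a Luhn-valid card-like number, which is exactly the data that session-replay masking should have hidden.

```python
import json
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample in a HAR-like shape (not a real Charles Proxy export).
# Hostnames are placeholders, not the session-replay vendor's real servers.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://replay.example-vendor.invalid/upload",
                 "postData": {"mimeType": "image/png", "text": ""}}},
    {"request": {"url": "https://api.example-airline.invalid/pay",
                 "postData": {"mimeType": "application/json",
                              "text": '{"pan":"4111 1111 1111 1111"}'}}},
    {"request": {"url": "https://api.example-airline.invalid/search",
                 "postData": {"mimeType": "application/json",
                              "text": '{"flight":"1234567890123"}'}}},
]}})

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid card-like numbers found in a request body."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def audit_capture(har_json: str, app_hosts: Set[str]) -> List[Dict]:
    """Flag screenshot uploads to third parties and unmasked card data."""
    findings = []
    for entry in json.loads(har_json)["log"]["entries"]:
        req = entry["request"]
        host = urlparse(req["url"]).hostname
        post = req.get("postData", {})
        if post.get("mimeType", "").startswith("image/") and host not in app_hosts:
            findings.append({"host": host, "issue": "screenshot sent to third party"})
        for pan in find_card_numbers(post.get("text", "")):
            masked = pan[:6] + "..." + pan[-4:]  # never log the full number
            findings.append({"host": host, "issue": "unmasked card number " + masked})
    return findings
```

Run it against a real HAR export from the proxy with `app_hosts` set to the app's own API domains; anything it flags is worth comparing against the app's privacy policy.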

According to The App Analyst, Hollister, Abercrombie & Fitch and Singapore Airlines send screenshots of users' actions to Glassbox's servers, while services such as Expedia and Hotels.com send the screenshots to their own servers. Most of this data appears to be protected so that it is encrypted and cannot be read, but there seem to be cases in which email addresses and zip codes could be made out.

Without analyzing each app's traffic, there is no way to know whether an app is recording the user's screen. TechCrunch also wrote, "We could not find the details (i.e. that the user's screen is being recorded) in any of the apps' privacy policies." According to TechCrunch's survey, although Apple's App Store requires a privacy policy for all new apps and updates, none of the analyzed apps stated in its privacy policy that screens are recorded.

Nothing in the privacy policies of Expedia, Hotels.com or Singapore Airlines mentions recording the user's screen at all. In the case of Air Canada, there is no statement to that effect in either the terms of service of the iOS app or the privacy policy.



When TechCrunch asked the companies using Glassbox for comment, only an Abercrombie & Fitch spokesperson replied, saying that Glassbox is useful "to support a seamless shopping experience by identifying problems that customers may encounter during digital experiences and enabling our response." However, while Abercrombie & Fitch's privacy policy states that "this policy governs the collection, use and sharing of information through existing or later-developed applications," it makes no mention at all of the existence of a session replay tool such as Glassbox.

Glassbox stated, "Glassbox has a unique capability to reconstruct a mobile application's screen in a visual format, which is useful for analytics; however, the Glassbox SDK can only interact with the native application, and technically cannot cross the application's boundary." It also seems that, if the mask is correctly placed on the relevant parts of the input screen, Glassbox cannot access the hidden information.

Glassbox is just one of the session replay tools on the market; there are multiple competing tools such as Appsee and UXCam. TechCrunch wrote that it is "very creepy" that companies, while fully aware that problems arise if information in the screenshots recorded by session replay is not properly masked, as happened with Air Canada, still do not disclose the existence of such tools in their privacy policies or elsewhere.

In Mobile, Software, Video, Security. Posted by logu_ii