Popular iOS apps use Glassbox SDK to record user screens without permission [u]

Posted:
in iOS edited February 7
A number of popular iOS apps paying data analytics services for so-called "session replay" technology have the ability to record and play back user interactions, often without asking permission, according to a new report.

Glassbox
Field masking in Air Canada's iOS app is at times ephemeral. | Source: TechCrunch


According to an investigation conducted by TechCrunch, analytics firm Glassbox, and other companies like it, allow customers to embed session replay technology into their respective apps. These tools capture screenshots and user interactions, including on-screen taps and in some cases keyboard entries, which are sent back to app developers or Glassbox servers for further examination.

Though not as polished as the video-enabled screen recording function built into iOS 12, session replay technology effectively screenshots an app's user interface at key moments to determine whether it is functioning as designed, the report said.

"Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app," a Glassbox spokesperson told the publication. More specifically, when a keyboard overlay appears above the native app, "Glassbox does not have access to it."

Glassbox customers include big-name corporations like Abercrombie & Fitch and sister brand Hollister, Hotels.com, Expedia, Air Canada and Singapore Airlines.

While user monitoring is nothing new, and in many cases should be expected, mishandling of session replays can lead to leakage of sensitive information.

Citing a recent report from The App Analyst, TechCrunch notes Air Canada's app was found to be sending session replay data containing exposed passport and credit card numbers. This could be a problem, as some companies opt to send app data directly to Glassbox's cloud and not their own servers.

In its own study, which employed man-in-the-middle software to monitor data being sent from target apps, the publication discovered data transmitted to Glassbox was "mostly obfuscated," though some screenshots contained umasked email addresses and postal codes. Of the apps listed above, Abercrombie & Fitch, Hollister and Singapore Airlines passed session replay data on to Glassbox, while Hotels.com and Expedia siloed data on their own domains.

Further, none of the apps reviewed as part of the investigation make clear in their respective privacy policies that Glassbox technology is being employed to record users' screens.

In response to the TechCrunch report, Glassbox said it is a strong supporter of user privacy and provides customers with tools to obfuscate "every element" of personal data. The company believes that its customers should make users aware that their data is being recorded.

"Glassbox and its customers are not interested in "spying" on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective," the company said in a statement provided to AppleInsider.

Glassbox went on to say that its platform is secure, encrypted and meets security and data privacy standards and regulations like SOC2 compliance and GDPR. No data is shared with third parties, the company said.

Still, as some Glassbox customers currently do not include mention of user monitoring in Apple-mandated disclosures, and with Glassbox itself lacking requirements of its own, end users are largely unaware that their actions are being so closely observed. More concerning, however, is that iOS app makers are in some cases funneling sensitive data to a third party without express user permission and absent of proper encryption protocols.

Updated with response from Glassbox

Comments

  • Reply 1 of 20
    MplsPMplsP Posts: 1,441member
    Is this legal under Apple’s App Store rules?
    jbdragon
  • Reply 2 of 20
    MplsP said:
    Is this legal under Apple’s App Store rules?
    The article seams to imply it is not. 
    watto_cobra
  • Reply 3 of 20
    genovelle said:
    MplsP said:
    Is this legal under Apple’s App Store rules?
    The article seams to imply it is not. 
    This comment has me in stitches!

    This sort of behavior should be clearly spelled out when someone installs the app. It’s not necessarily bad but a person should be able to make their own decision on whether to use an app that will be tracking and reporting their every on-screen action. 
    bonobobgilly33bb-15loopychewjbdragonwatto_cobra
  • Reply 4 of 20
    claire1claire1 Posts: 510unconfirmed, member
    I doubt Apple allows this.
    magman1979watto_cobra
  • Reply 5 of 20
    Zuckerberg currently kicking himself that he hadn’t thought of this. 
    StrangeDaysburnsidesvanstrommagman1979agilealtitudemacseekermuthuk_vanalingamaaronkalbbeowulfschmidtjbdragon
  • Reply 6 of 20
    There’s a huge misunderstanding here.

    If I install an App with this SDK, it can ONLY take screen shots of itself. It has no ability to take screen shots when you switch to another App or of iOS itself (like your Settings).

    And since everything you do in an App is already known the the App (like everything you type) they’re not getting any additional information.

    The only real issue I see is if they send this data to someone else in a form that lets them see something they shouldn’t.
    burnsidetobianksecwatto_cobra
  • Reply 7 of 20
    Since it is intentionally being done by the programmers for their companies, I will stop using Air Canada and start using Westjet. 
    chasmmagman1979agilealtitudeaaronkalbwatto_cobra
  • Reply 8 of 20
    Am I being an alarmist?

    I don't have any third-party apps on my devices. 

    I think the App Store should have a Russian flag icon for all those apps designed in Russia and a Chinese flag for all those designed in China. 

    There needs to be a 'Good Housekeeping' seal of approval, where all apps that don't harvest, refine and sell your data get a little logo next to it!

    I use DuckDuckGo (which Apple should buy). No Google, FaceBook or Twitter apps.

    Apple should put out a Beta, FaceBook-like App, a YouTube-like App, Twitter-like app and just let them grow organically. And advertise/market the Privacy aspect of their offerings! :)
    montrosemacsmacseekeraaronkalbpujones1watto_cobra
  • Reply 9 of 20
    While it can seem irksome for an app to log UI usage in order to reconstruct the screen, this shouldn't normally be a concern for the user, and can have significant benefits in eliminating bugs. However to extend this logging to capturing keystrokes/entered data is reprehensible. A user that enters details such as banking information, passport numbers or other personal information does so in the understanding that this data can only be viewed and used by the intended recipient. To further learn that the data is not being properly managed into a 3rd party analytics firm in an oversight that no amount of privacy-policy stipulations can counter.

    Arguably any instance of private information should not be transmitted to a 3rd party for any other purpose other than to conduct the requested service.
    watto_cobra
  • Reply 10 of 20
    magman1979magman1979 Posts: 1,135member
    There’s a huge misunderstanding here.

    If I install an App with this SDK, it can ONLY take screen shots of itself. It has no ability to take screen shots when you switch to another App or of iOS itself (like your Settings).

    And since everything you do in an App is already known the the App (like everything you type) they’re not getting any additional information.

    The only real issue I see is if they send this data to someone else in a form that lets them see something they shouldn’t.
    Yeah, I'm sorry, and where did I agree to this functionality? That's right, NO WHERE!

    And how secure is this system? Oh yes, that's right, it's not, since even things like my PASSPORT data get bled to third-parties and their untrusted and insecure cloud infrastructures.

    This is HUGE, even though it's confined to just the app in question!
    aaronkalbjbdragonwatto_cobra
  • Reply 11 of 20
    Rayz2016Rayz2016 Posts: 4,627member
    TechCrunch is absolutely nailing it this year, and it’s only February. 

    Good job. 
    muthuk_vanalingamaaronkalbbeowulfschmidtwatto_cobra
  • Reply 12 of 20
    rcfarcfa Posts: 772member
    And that’s why “walled gardens” suck: you can’t monitor app activity, the data they send and receive, spyware, etc.
    The system would have to perfect (doesn’t exist), the software developers trustworthy (which they aren’t), the hardware to be perfect (which it isn’t), for a closed system to make sense.
    muthuk_vanalingam
  • Reply 13 of 20
    rcfa said:
    And that’s why “walled gardens” suck: you can’t monitor app activity, the data they send and receive, spyware, etc.
    The system would have to perfect (doesn’t exist), the software developers trustworthy (which they aren’t), the hardware to be perfect (which it isn’t), for a closed system to make sense.
    This is entirely, patently false. This style of monitoring is present in Android apps (factually it’s worse) and websites. However the key difference is that the “walled garden” approach can actually force these developers to change their apps. Those other platforms: nope.

    This is why Facebook and google’s marketing apps required side loading (to get around the “walled garden”) and were still able to be remotely disabled by cancelling the enterprise certificate. 

    Also your statement about ability to monitor traffic is also false, which should have been obvious to you as the article was able to be written in the first place. 
    mwhiteaaronkalbcommand_fjason leavittjbdragonwatto_cobra
  • Reply 14 of 20
    jimh2jimh2 Posts: 149member
    The tired “Walled Garden is bad” is the go to whenever someone needs a crutch to support their argument. Anyone who thinks that not having a wall for apps is out of their mind. If you want the freedom it provides, but accept the risk, then move on. No reason to even traffic these forums. 
    command_fosmartormenajrjason leavittjbdragonwatto_cobra
  • Reply 15 of 20
    This sort of monitoring has no place after Beta testing: leaving it in production code is an obvious breach of trust. I expect it also breaches Apple's App Store rules; if it doesn't, I'm sure it soon will. It is simply unacceptable to covertly collect such data and reckless to send it to who knows what server controlled by goodness knows who and to send it in clear (unencrypted). It's not even clear that the tool can't collect data that would otherwise be on-device only. The only excuse can be rank amateurism in the companies responsible. Whatever happened to respect and responsibility?

    As to the walled gardens comment that "you can’t monitor app activity, the data they send and receive, spyware, etc", I presume the writer didn't read the article. It clearly says "...study, which employed man-in-the-middle software to monitor data". For the avoidance of doubt, "man-in-the-middle" means inserting an entity into the communication path to monitor or otherwise interact with the data.

    Apple's walled garden cannot be perfect (of course) but it has two big things going for it:
    * It is continually improving as Apple blocks attempts at exploitation - individual exploits won't happen again. This makes future malpractice that bit harder.
    * Its sole-provider status gives Apple a very big stick with which to beat transgressors. This in turn gives a big deterrent effect that reduces the number of misbehaving apps being created.

    I don't see that sort of benefit for the apps running on Apple's biggest competitor.
    jbdragonwatto_cobra
  • Reply 16 of 20
    Every time there’s pushback about the “huge” amount of control Apple exercises over their platform, and ultimately, their users, we get wind of information that it is not controlling it enough.
    How could an app be approved with so blatant a privacy violation. To monitor and report back on keyboard input and screen content!?!?
    command_fwatto_cobra
  • Reply 17 of 20
    gatorguygatorguy Posts: 20,712member
    command_f said:
    This sort of monitoring has no place after Beta testing...
    Its sole-provider status gives Apple a very big stick with which to beat transgressors. This in turn gives a big deterrent effect that reduces the number of misbehaving apps being created.

    I don't see that sort of benefit for the apps running on Apple's biggest competitor.
    Do you use apps running on Apple's biggest competitor? If you had been following that "other platform" you'd have been reading a LOT about the permissions and controls that Google is taking firmer hold of in order to better limit the stuff developers can do, tightening up rules and banning a whole lot of apps in the process. Some devs not happy of course...
    edited February 7
  • Reply 18 of 20
    Every time there’s pushback about the “huge” amount of control Apple exercises over their platform, and ultimately, their users, we get wind of information that it is not controlling it enough.
    How could an app be approved with so blatant a privacy violation. To monitor and report back on keyboard input and screen content!?!?
    I agree that this is egregious!
    However, most apps need information from the user to be sent back to an apps server (especially travel sites) and it is extremely difficult for a third party (Apple) to discern what is valid data an what is not valid data in thousands of apps. Most of the information that is sent (passport numbers, CC numbers, user selected options...) are valid data to be transferred back to the apps servers in some form. It's only in the context of the data not being used for the transactions itself or that the data is being transmitted in the clear, that there are privacy issues. Apple cannot control the data once it is outside it's device except through contractual agreements (and we have seen how companies ignore these agreements).
    If these apps are using the data outside the bounds of their agreement with Apple and/or the customer, then Apple should ban the offending company from selling apps in the app store for a year. Putting one medium profile company on-the-ropes for a year will end the practice pretty quick I would imagine!. The problem is Apple is not hard enough on the apps that do violate their terms of use. A day or two for Facebook and a few hours for Google!! barley a slap on the wrist since these were only for internal apps. They should have shutdown their public facing apps for an entire day! I would gladly go without any app that I use for a day to punish an app company for abusing my data.
    jason leavittjbdragon
  • Reply 19 of 20
    "What happens on iPhone stays on iPhone"

    Except when it doesn't. 
  • Reply 20 of 20
    volcanvolcan Posts: 1,789member
    This is BS. Aside from the undisclosed privacy concerns, so now I’m paying for the data to send them my screen shots. My LTE data charges are already too high. I don’t need a secret third party stealing my data allocation.
    command_fwatto_cobra
Sign In or Register to comment.