Developers must disclose screen recording analytics tools or face expulsion from App Store...
Following a report detailing the use of so-called "session replay" technology, Apple is informing developers that they need to disclose the implementation of analytics tools that enable screen recording or face a ban from the App Store.

Field masking in Air Canada's iOS app is at times ephemeral. | Source: TechCrunch
On Wednesday, a report from TechCrunch revealed a handful of popular iOS apps are paying data analytics services like Glassbox for access to session replay technology that allows them to record and play back user interactions. These tools, which are embedded in native apps for troubleshooting and evaluation purposes, are often employed without first asking express permission from consumers.
"Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," an Apple spokesperson told TechCrunch on Thursday. "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary."
Apple is informing offenders that their apps will be removed from the App Store if the monitoring code is not removed. One unnamed developer was given less than a day to strip the recording tool from its app, according to an email reviewed by TechCrunch.
"Your app uses analytics software to collect and send user or device data to a third party without the user's consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," Apple said, according to the publication.
The TechCrunch investigation found that a number of high-profile apps, including those of Abercrombie & Fitch, Hollister, Hotels.com, Expedia, Air Canada and Singapore Airlines, use the Glassbox SDK, a platform that enables granular monitoring of user interactions. The software can record on-screen taps, text box entries and more, giving companies a comprehensive account of user actions and how the app responded to them.
Apps found to incorporate Glassbox technology do not disclose the monitoring function in their respective privacy policies, seemingly in violation of Apple's App Store guidelines.
Though it does not require customers to inform end users that their data is being recorded, Glassbox in a statement to AppleInsider said it believes app makers should offer some form of disclosure.
"Glassbox and its customers are not interested in 'spying' on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective," the company said, adding that its platform is secure, encrypted and meets high security and data privacy standards. Further, no consumer data is shared with third parties, the company said.
Still, end users are largely unaware that their actions are being so closely observed.
Perhaps more concerning are the data leaks that can result from poor data handling. Glassbox provides tools to mask sensitive user data before a session is sent to servers run by the customer or by Glassbox itself, but masking is only as good as its configuration: in some of the apps examined, credit card numbers, email addresses or zip codes were sent unmasked.
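The masking gap above comes down to where masking is applied. The following is an added illustration in Python, not Glassbox's SDK or any of the named apps' code; the event format, field names and sample capture are constructed for this example. A redactor that only masks input fields the app has flagged as sensitive lets a card number through the moment a later summary label echoes it, while a redactor that also scans every string for card numbers (with a Luhn check so that order references are not mangled), e-mail addresses and postal codes catches it; a pre-upload leak check shows the difference.

```python
"""Masking session-replay events before upload: a field-name-only redactor
beside a content-scanning one.

Added illustration, not Glassbox's SDK or any real app's pipeline; the event
shape, field names and sample values below are constructed.
"""
import copy
import re

# Field names the app marks as sensitive at capture time (constructed list).
SENSITIVE_FIELDS = {"card_number", "cvv", "email", "zip", "postal_code", "password"}

# 13-19 digits with optional space/dash separators, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# US ZIP (5 or 5+4) or Canadian postal code. A bare 5-digit order id also matches,
# which is the safer direction for data that leaves the device.
POSTAL_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b|\b[A-Za-z]\d[A-Za-z] ?\d[A-Za-z]\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so plain reference numbers are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(m: re.Match) -> str:
    raw = m.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number; leave it untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_text(s: str) -> str:
    """Mask card numbers, e-mail addresses and postal codes anywhere in a string."""
    s = PAN_RE.sub(_mask_pan, s)
    s = EMAIL_RE.sub("[email]", s)
    return POSTAL_RE.sub("[postal]", s)


def redact_events(events, content_scan: bool):
    """Return a redacted copy of the event stream.

    content_scan=False is the field-name-only approach: only 'input' events on a
    field in SENSITIVE_FIELDS are masked, so any other event that echoes the same
    value (a summary label, a toast, an error string) goes up in clear.
    content_scan=True additionally runs scrub_text over every string in every event.
    """
    out = []
    for ev in events:
        ev = copy.deepcopy(ev)
        if ev.get("type") == "input" and ev.get("field") in SENSITIVE_FIELDS:
            ev["value"] = "[masked]"
        if content_scan:
            for k, v in ev.items():
                if isinstance(v, str):
                    ev[k] = scrub_text(v)
        out.append(ev)
    return out


def find_leaks(events, secrets):
    """Pre-upload check: indexes of events still carrying any raw secret."""
    return [i for i, ev in enumerate(events)
            if any(s in v for v in ev.values() if isinstance(v, str) for s in secrets)]


# Constructed capture: a checkout screen whose summary label repeats the entered data.
SAMPLE_EVENTS = [
    {"type": "tap", "target": "btn_pay", "screen": "Payment"},
    {"type": "input", "field": "card_number", "value": "4111 1111 1111 1111"},
    {"type": "input", "field": "email", "value": "alice@example.com"},
    {"type": "input", "field": "order_ref", "value": "1234567890123"},  # fails Luhn: kept
    {"type": "label", "target": "summary",
     "text": "Card 4111 1111 1111 1111 for alice@example.com, ship to 90210"},
]
SECRETS = ["4111 1111 1111 1111", "alice@example.com", "90210"]

if __name__ == "__main__":
    by_field = redact_events(SAMPLE_EVENTS, content_scan=False)
    deep = redact_events(SAMPLE_EVENTS, content_scan=True)
    print("field-name only, leaking events:", find_leaks(by_field, SECRETS))  # [4]
    print("content scan, leaking events:   ", find_leaks(deep, SECRETS))      # []
    print(deep[4]["text"])  # Card ************1111 for [email], ship to [postal]
```

Run it directly to see which event the field-name-only pass leaks. The content scan deliberately errs toward over-masking (any bare five-digit number is treated as a postal code); for telemetry that leaves the device, a false positive costs a little debugging context, while a false negative is a data leak of the kind described above.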
Comments
Kids apps are particularly insidious it seems. [Facebook! Shame!]
I don't want my life to be tracked for money in another man's pocket.
Asking for disclosure is only on paper for legal formality. Banning an app is "catch me if you can", and two versions later the developer can reinsert the analytics code again without being noticed. Once private data has leaked, it is leaked forever.
iOS 13 should fix it, or is Apple not capable of doing so?
Side note: As a developer, replaying user actions is actually a great way to spot and fix bugs. I'm not sure it's reasonable to expect that app developers aren't going to look at your actions as you use the app. Pretty much every website does it, too.
I also trust Apple. I'm happy to send Apple my device(s) information to help them better resolve problems. I know they won't sell it.
But I have to say, I don't trust Apple's App Store. Am I being naive?
I've turned off, "Share With App Developers..." in my settings (Analytics) of all my devices. iOS and MacOS!
I only use Apple first-party apps. No third-party apps.
I use DuckDuckGo, Apple Maps, etc. No Google apps, Facebook apps (e.g., Instagram, WhatsApp, etc.), or Twitter.
Happy Birthday, Facebook! This is pretty dense! I had to watch it a couple of times.
Nonsense. Access to health and other user data is controlled by iOS, not the app - that app did not immediately harvest this data unless you gave it read permission via very clearly phrased dialog boxes. It is more nonsense to declare that all IoT apps can do the same without user permission.
Maybe you're confusing Android and iOS?
"What is on your iPhone DOES NOT stay on your iPhone"
What you are proposing is basically like taking apart a car engine to make sure all the parts don't contain defects then putting it back together. Actually it would be more difficult.
This SDK is open source and enables devs to create user consent dialogues and save their preferences.