Many popular apps are recording your every move

Many tech startups rely on user testing and observing customer behavior in order to make changes to their product. But how are they conducting that user testing? And how are they making those observations? Well, a new investigation from TechCrunch found that some popular companies are employing the analytics company Glassbox to record every move — including personal information like credit card and passport numbers — users are making on their iPhone apps. Additionally, many of them are not informing customers of the fact that they’re recording.

Glassbox’s customers include Abercrombie & Fitch, Singapore Airlines, Hollister, Air Canada, and Expedia, among others. They offer their clients the ability to record every move customers make — from keyboard strokes to taps to button pushes — in a service they call “session replay.”

While the session replays were supposed to redact sensitive information, some (including Air Canada) didn’t always do so, further opening customers up to exposure and theft. Additionally, some of the companies who pay for this service send the session replays back to Glassbox, while others send them to their own servers. This potentially puts sensitive data at risk of theft during a data breach, either on the Glassbox server or on ill-protected corporate servers. Corporate data breaches are, after all, becoming increasingly common, and at least one company on the Glassbox client list — Air Canada — has already had one.

Apple requires that any app submitted to their App Store have a clear privacy policy, but the TechCrunch reporters couldn’t find any mention of screen recording in the policies of Expedia, Air Canada, Singapore Airlines, Abercrombie, or Hollister. It’s fairly clear that these apps have been collecting sensitive data and recordings of their customers without informing them, and some have been improperly encrypting the information.

Glassbox appears to have taken the position of many tech companies when faced with misuse of their product: denying any responsibility. In a statement to TechCrunch about this investigation, their spokesperson said that Glassbox does not require its customers to tell their own users about the recordings. They also said, “Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app.” Additionally, they insisted that they are not able to see outside the boundaries of their own app, even when it’s layered on top of another app.

It remains to be seen what Apple will do with this information, but they’ve recently hit back fairly hard at companies that violate privacy in their iOS apps, including at much bigger names than the ones in this case. But Glassbox isn’t the only company offering session recordings and, as this is a tool that helps companies make more money, it’s unlikely that this type of behavior will disappear any time soon.

