It’s a foregone conclusion that app makers will get at least some data on how you use their product. How much data do you really expect, though? Maybe which buttons you tap or the length of sessions? According to TechCrunch and analytics company App Analyst, some popular iPhone apps are getting much more. They basically see everything you do in real time, even sensitive information like passwords and credit card numbers.
The offending apps include Air Canada, Hollister, Expedia, Hotels.com, and many more. These apps use technology from a customer experience analytics firm called Glassbox. It pushes a product called “session replay,” allowing app makers to see what users do in the app. This is supposed to help developers address user experience issues to improve, but it also gives them a tremendous amount of user data.
The Glassbox session replays are essentially real-time videos of how you interact with the app. Each tap, swipe, and text entry becomes part of the replay record. The app then beams the reply back to the Glassbox servers. Data like your password or payment details that are usually transmitted over secure means can get caught up in there. As “The App Analyst” recently discovered, Air Canada wasn’t properly masking these replays before transmitting, putting customer data at risk.
Not all apps using Glassbox are including these sensitive pieces of information in replays, but even those that are attempting to mask data can run into errors and leak secure content. This data all ends up on the Glassbox servers, and it’s generally considered inappropriate for apps to send user data to third parties without consent. When that data is a complete record of how you use an app, the privacy implications are rather serious. None of the apps in question mention session replays in their privacy policies, either.
When contacted for comment, Glassbox merely said that it cannot “break the boundary of the app.” So, the Glassbox SDK can’t watch what you do elsewhere on the phone, but that’s not addressing the issues. Glassbox isn’t the only company offering services of this sort, and while none of them are seemingly malicious, we don’t know if they’re trustworthy. Are their servers secure? Will they use your data for any other purposes? Who knows? You’re relying on app developers to do their homework.
- Apple Kills Facebook’s Internal iOS Apps After Latest Privacy Blunder
- App Developers Can Stalk You Around the Web if You Uninstall Their App
- Google’s Voice Access App Lets You Control Your Phone Entirely Hands-Free