TIM COOK AND PALS MAY EXTOL Apple's love of privacy, but it turns out some iPhone apps might be recording users' screens without them knowing it.
After the issue was flagged by a researcher known as the App Analyst, the folks over at TechCrunch conducted an investigation that confirmed there are iPhone apps using an analytics company called Glassbox, which, alongside collecting granular data on how the apps are used, also records screen activity without the consent of users.
The probe found that apps such as Hotels.com and Abercrombie & Fitch make use of Glassbox's services, which allow developers to embed a feature called "session replay" that lets devs record and play back screen activity to supposedly see how people have interacted with their app.
According to TechCrunch, the feature allows for every tap, keyboard entry and button press to be recorded in a way that's essentially like taking a screenshot of the phone's display. And that info gets piped back to developers to supposedly work on improving the user experience of their apps.
Of course, such recording could lead to all manner of personal user information getting effectively leaked to someone who shouldn't have their peepers on it; we're talking anything from contacts and emails to saucy texts and pics.
Such data collection isn't necessarily unusual providing the user has consented to it and the company collecting it puts in the effort to anonymise or obfuscate sensitive data that might be collected in the process.
But that doesn't seem to be the case with the apps TechCrunch and the App Analyst looked at: "Not every app was leaking masked data; none of the apps we examined said they were recording a user's screen — let alone sending them back to each company or directly to Glassbox's cloud."
As such, the apps that use Glassbox's tech could be privy to some rather sensitive data, according to the App Analyst in an email to TechCrunch: "Since this data is often sent back to Glassbox servers I wouldn't be shocked if they have already had instances of them capturing sensitive banking information and passwords."
TechCrunch noted it's "impossible" to know if an app is recording a user's screen without analysing the data of each app and there was no mention of such activity in the apps' small print.
"Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app," Glassbox told TechCrunch, adding that it doesn't have access to the data in situations where the iOS keyboard covers part of the app its tools are being used in.
In some ways, this comes across as Glassbox washing its hands of responsibility and throwing attention back on the developers who use, and disclose the use of, its tech.
We imagine that once Apple gets its teeth stuck into such screen recording tools and their use in apps, it will clamp down on them. But for the time being, it looks like Glassbox and others are flying under the radar of Cupertino's privacy bods. µ