Friday, February 08, 2019

Popular iPhone Apps Secretly Record Your Phone Sessions With "Session Replay" for Analytics Purposes, Without Much Care For Security.

http://snapvoip.blogspot.com/

iPhone apps are recording what you do on screen without telling you, and there is little you can do about it. "Session replay", a technique built into some iOS apps, lets developers take screenshots or record a user's screen and then play those recordings back to see how users interact with the app. Taps, button presses and keyboard entries are all captured and delivered to the developer; unless a field is explicitly masked, that includes whatever was typed into it, usernames and passwords among them.

Abercrombie & Fitch, Hotels.com, Air Canada, Hollister, Expedia and Singapore Airlines use Glassbox, a customer experience analytics firm that lets developers embed "session replay" screen recording in their apps.


Some apps go further. The Air Canada iOS app does not properly mask the data it records, exposing sensitive information such as passport numbers and credit card details. Air Canada employees with access to the screenshot database can read this data directly.
The recordings are also sent to Glassbox, the maker of the session replay technology. Apple does not prohibit this, as long as the user has consented:

There’s no App Store guideline that prohibits collecting usage information. To the contrary, Apple permits collection of usage information if the user consents. Consent is generally satisfied by providing a terms of service link and consent is basically continuing to use the app after being afforded the opportunity to review the terms.

TechCrunch had mobile app expert The App Analyst look at some of the apps that Glassbox lists as customers. Not all of them leaked data: most appeared to be obfuscated, but there were instances where email addresses and postal codes were visible.

"Since this data is often sent back to Glassbox servers I wouldn't be shocked if they have already had instances of them capturing sensitive banking information and passwords," The App Analyst told TechCrunch. 
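The masking failure described above, where sensitive values end up in the recording because the capture hides only the fields someone remembered to tag, can be shown with a small model. The following is an added example written for this post, not code from Glassbox, Air Canada or any other app named here; the event format, field names and sample values are all constructed. It contrasts a deny-list masking pass with an allow-list one and ends with the check a practitioner actually wants: scan the outbound payload for Luhn-valid card numbers rather than trusting that the UI layer masked them.

```python
"""Masking captured UI events before they leave the device.

Added illustration, not code from Glassbox or from any app named in the
post. A session-replay capture is modelled as a list of events (taps,
text-field input, rendered screen text) and two masking strategies are
compared:

  * deny-list: hide only fields the developer tagged as sensitive, which
    fails as soon as one field is missed;
  * allow-list: hide every input except explicitly approved fields, and
    scrub anything that looks like a payment card number (a Luhn-valid
    digit run) from text that is still exported.

Field names, event shapes and sample values are all constructed.
"""
import re

# Hypothetical field classification; a real app would derive this from
# its view hierarchy or per-field annotations.
SENSITIVE_FIELDS = {"password", "passport_number", "card_number", "cvv"}
APPROVED_FIELDS = {"origin", "destination", "trip_type"}

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub_text(text: str) -> str:
    """Replace Luhn-valid card-number-looking runs with asterisks."""
    def _mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        return "*" * len(match.group(0)) if luhn_ok(digits) else match.group(0)
    return CARD_RE.sub(_mask, text)


def _masked(value: str) -> str:
    return "*" * len(value)


def mask_denylist(events):
    """Hide only inputs whose field name is on the sensitive list."""
    out = []
    for ev in events:
        ev = dict(ev)  # copy so the raw capture is left untouched
        if ev["type"] == "input" and ev["field"] in SENSITIVE_FIELDS:
            ev["value"] = _masked(ev["value"])
        out.append(ev)
    return out


def mask_allowlist(events):
    """Hide every input not explicitly approved; scrub card numbers elsewhere."""
    out = []
    for ev in events:
        ev = dict(ev)
        if ev["type"] == "input":
            ev["value"] = (scrub_text(ev["value"]) if ev["field"] in APPROVED_FIELDS
                           else _masked(ev["value"]))
        elif ev["type"] == "text":
            ev["value"] = scrub_text(ev["value"])
        out.append(ev)
    return out


def visible_card_numbers(events):
    """Luhn-valid card-like numbers still readable in an exported capture.

    This is the check to run on the outbound payload, not on the UI.
    """
    found = []
    for ev in events:
        for m in CARD_RE.finditer(ev.get("value", "")):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                found.append(digits)
    return found


# Constructed capture; the card number is the well-known 4111... test value.
SAMPLE_EVENTS = [
    {"type": "tap", "target": "search_button"},
    {"type": "input", "field": "origin", "value": "YYZ"},
    {"type": "input", "field": "password", "value": "hunter2"},
    {"type": "input", "field": "passport_number", "value": "AB123456"},
    # A free-text field nobody tagged as sensitive: where deny-listing breaks.
    {"type": "input", "field": "notes", "value": "pay with 4111 1111 1111 1111"},
    {"type": "text", "value": "Card ending 4111111111111111 on file"},
]

if __name__ == "__main__":
    for name, fn in (("deny-list", mask_denylist), ("allow-list", mask_allowlist)):
        print(f"{name}: card numbers still visible = {visible_card_numbers(fn(SAMPLE_EVENTS))}")
```

Running it reports two card numbers still readable after deny-list masking and none after allow-list masking. The same scan can be pointed at whatever the app hands to its analytics SDK: if the number is readable there, it is readable to everyone with access to the replay database, which is exactly the Air Canada situation described above.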
