Many major companies, such as Air Canada, Hollister and Expedia, record every tap and swipe you make in their iPhone apps. In most cases you do not even realize it, and they do not need to ask for permission.
You can assume that most apps collect your data, and some even monetize it without your knowledge. But TechCrunch has found that several popular iPhone apps, from hoteliers, travel sites, airlines, mobile carriers, banks and financial firms, do exactly this. These apps neither ask for consent nor explain how the information is used.
Worse, although these apps are meant to mask certain fields, some inadvertently expose sensitive data.
Glassbox records everything in the cloud
Apps from Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, an analytics company that focuses on customer experience. It is one of the few companies that lets developers embed “session replay” technology into their apps. Session replays let developers record the screen and play it back to see how users interact with the app, for example to find out whether something did not work or an error occurred. Every button tap and keyboard entry is captured and sent to the app developers.
As Glassbox itself put it in a recent tweet: “Imagine that your website or mobile application can see exactly what your customers do in real time and why they did it”.
Air Canada first on the list
The App Analyst, a mobile expert who writes about his analysis of popular apps on a blog of the same name, recently discovered that the Air Canada iPhone app did not properly mask session replays before sending them, exposing passport numbers and credit card data in each replay. Just weeks earlier, Air Canada had said its app suffered a data breach that exposed 20,000 profiles.
“This allows Air Canada employees, and anyone else able to access the screen capture database, to see the credit card information and password unencrypted,” he told TechCrunch.
In the case of the Air Canada app, although the fields are masked, the masking was not always maintained (Image: The App Analyst / supplied)
We asked The App Analyst to examine a sample of apps that Glassbox lists on its website as customers. He used Charles Proxy, a tool that intercepts the data sent by each app, so that he could examine what data was leaving the device.
Not all apps masked sensitive data. None of the apps we examined disclosed that they were recording the user’s screen, much less that they were sending the recordings to each company or directly to Glassbox’s cloud.
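A check of the kind described above, written here as an added example (it is not the researcher’s tooling or code from the article): it scans constructed request bodies, standing in for a Charles Proxy export of an app’s outbound analytics traffic, for card numbers that pass the Luhn check and for email addresses, so an app team can verify its own masking before replay data leaves the device. Hostnames and values are made up.

```python
import re
import json

# Constructed sample of what an intercepting proxy (such as Charles Proxy)
# might export for outbound analytics requests. All values are made up.
CAPTURED_REQUESTS = [
    {"host": "analytics.example-airline.test", "body": json.dumps(
        {"event": "tap", "field": "card_number", "value": "4111 1111 1111 1111"})},
    {"host": "analytics.example-airline.test", "body": json.dumps(
        {"event": "tap", "field": "card_number", "value": "**** **** **** 1111"})},
    {"host": "replay.example-vendor.test", "body": json.dumps(
        {"event": "input", "field": "email", "value": "traveller@example.com"})},
    {"host": "replay.example-vendor.test", "body": json.dumps(
        {"event": "tap", "field": "seat", "value": "12A"})},
]

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_unmasked(body: str) -> list:
    """Return (kind, value) findings for unmasked sensitive data in one body."""
    findings = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # masked values like "**** 1111" never get here
            findings.append(("card_number", m.group()))
    for m in EMAIL_RE.finditer(body):
        findings.append(("email", m.group()))
    return findings

def audit(requests: list) -> list:
    """Flag every captured request whose body leaks unmasked data."""
    report = []
    for req in requests:
        for kind, value in find_unmasked(req["body"]):
            report.append({"host": req["host"], "kind": kind, "value": value})
    return report
```

Run `audit(CAPTURED_REQUESTS)` against a real export: the unmasked card number and the email address are reported with the host they were sent to, while the masked card and the seat number pass.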
Bank information and passwords are exposed
That could be a problem if any Glassbox customer is not masking data correctly, he said in an email. “Since these data are often sent back to the Glassbox servers, I would not be surprised if they had already had instances of them capturing confidential bank information and passwords,” he said.
The App Analyst said that Hollister and Abercrombie & Fitch sent their session replays to Glassbox, while others, such as Expedia and Hotels.com, chose to capture and send session replay data to a server on their own domain. He said the data was “mostly obfuscated”, but in some cases he saw email addresses and postal codes. The researcher said that Singapore Airlines also collected session replay data, but sent it to Glassbox’s cloud.
Without analyzing each app’s traffic, it is impossible to know whether an app is recording a user’s screen as they use it. We did not find it even in the fine print of their privacy policies.
An average user will hardly know that their screen is being recorded
We asked every company to tell us exactly where their privacy policies allow each app to capture what a user does on their phone.
Air Canada uses the information for the benefit of its customers
After this story was published, Air Canada responded. “Air Canada uses the information provided by the customer to ensure that we can meet their travel needs and that we can resolve any problems that may affect their travel,” said a spokesman. “This includes the user information entered in, and collected in, the Air Canada mobile application. However, Air Canada cannot capture phone screens outside of the Air Canada application”.
Expedia, which owns Hotels.com, did not respond to a request for comment.
“I think that users should take an active role in the way they share their data, and the first step is for companies to directly share how they collect data from their users and with whom they share it,” The App Analyst said.
Companies rely on session replay technology
“Glassbox has a unique ability to reconstruct the view of the mobile application in a visual format. This is another view of the analytics. It can interact only with the native application of our clients and, technically, it cannot break the limit of the application,” the spokesperson said. When the system keyboard covers part of the native application, “Glassbox does not have access to it,” the spokesman said.
Glassbox is one of many session replay services on the market. It actively markets its “user recording” technology, which lets developers “see their application through the eyes of the user”. UXCam, meanwhile, says it lets developers “view recordings of their users’ sessions, including all their gestures and triggered events”.
This is not an industry likely to disappear soon. Companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.