Popular iOS apps found to record user screens for analytics, sometimes exposing sensitive data

A new investigation from TechCrunch today reveals that some iPhone apps are using services like Glassbox, a “customer experience analytics firm” to track the taps and swipes you make. Apps such as Hollister, Air Canada, Expedia, and Hotels.com are using this framework, and in some cases they inadvertently reveal sensitive information.

Author Ad Placeholder
Will only appear on redesign env.

Glassbox is one of the so-called analytics firms that employ “session replay technology.” This allows developers to record displays and review how users interacted with their app. “Every tap, button push, and keyboard entry is recorded,” TechCrunch says.

These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

In a recent tweet, Glassbox said: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

Further, The App Analyst recently discovered that the Air Canada iPhone app doesn’t properly mask session replays. This means sensitive information like passport numbers and credit card information is easily viewable to Air Canada employees. While this isn’t the case for all of the apps, Air Canada recently suffered a data breach affecting 20,000 user profiles, which doesn’t bode well for its security practices.

In some cases, apps send session replay data directly back to Glassbox servers, while some companies send it back to their own servers. In both cases, some data was found unmasked and easily accessible with man-in-the-middle tools:

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

TechCrunch points to apps including Air Canada, Hollister, Expedia, Abercrombie & Fitch, Hotels.com, and Singapore Airlines as offenders. None of them mention using session replay technology in their privacy policy and only Abercrombie responded when asked for more details. Abercrombie said that using Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.”

Use of screen recording analytics frameworks on iOS isn’t necessarily a new thing. Developers who use them can only see within their apps, not the entire operating system. Apple has yet to crackdown on the use of such frameworks, but we wouldn’t be surprised if that happened soon.

The full investigation from TechCrunch can be read here.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Subscribe to 9to5Mac on YouTube for more Apple news:



Avatar for Chance Miller Chance Miller

Chance is an editor for the entire 9to5 network and covers the latest Apple news for 9to5Mac.

Tips, questions, typos to chance@9to5mac.com