What would you call it if your iOS apps were tracking your every tap and your every swipe, then sending what amounts to a running series of screen captures off to servers to scrutinize – sometimes to their own servers, sometimes to those at a third-party customer experience analytics firm?
… sometimes masking personal data such as passport numbers and credit card data, sometimes not, leading to at least one data breach?
… and not bothering to mention any of this in their privacy policies, hence not informing users what they’re up to and obviously offering no user opt-in?
Well, welcome to session replay services
Following Air Canada having leaked the personal data of up to 20,000 users of its mobile app – including passport numbers and expiration dates, passport country of issuance, NEXUS numbers for trusted travelers, gender, dates of birth, nationality and country of residence – a mobile app expert took a look at that mobile app to see how it dropped all of those sensitive details.
The expert, who goes by the name The App Analyst, uses a man-in-the-middle tool called Charles Proxy to intercept data sent, and possibly spilled, by apps. In so doing, his analysis found that Air Canada’s mobile app, which allows customers to book and manage flights, tracks users with analytics from a company called Glassbox Digital.
The ‘oops!’ that shed light on these apps
As TechCrunch reports, Glassbox is one of many session replay services on the market. These services help companies to determine their users’ device characteristics, to collect precise location information, and to take screenshots of the devices so they can replay entire user sessions.
Other companies that market “user recording” technology include Appsee, which promises to let app developers “see your app through your user’s eyes,” while another, UXCam, says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.”
The dangers inherent in scraping user data became apparent a year ago, when one of the website analytics firms – Mixpanel – admitted to accidentally slurping up user passwords in its efforts to help web publishers improve user engagement with their apps.
Mind you, online sites have long been recording our keystrokes
That’s not intrinsically bad. Without the abilities to track the position of your cursor, track your keystrokes and call “home” without refreshing the page or making any kind of visual display, sites like Facebook and Gmail would be almost unusable, searches wouldn’t auto-suggest, and Google Docs wouldn’t save our bacon in the background.
‘Transparent black boxes’
Mobile apps need to be optimized, too. But when you’re talking about what mobile apps get up to when they want to analyze user interaction, tracking is one thing. Users might not like the notion of having one or more companies look over their shoulders as they type, but that’s not what’s leading to data spillage. Rather, it’s what The App Analyst calls “transparent black boxes.”
Glassbox captures many screenshots during a user session on the Air Canada mobile app. Some of those are of fields into which users enter sensitive data, including the passport numbers and other pieces of personal information that were breached in August. In order to shield that sensitive data from being captured in screen shots and stored in a screenshot database, Glassbox obfuscates them with black boxes. …
… that can be inappropriately configured. From The App Analyst’s analysis:
The configuration which Air Canada uses to specify placement of black boxes is not extensive enough and almost every black box used to cover sensitive data is captured in screenshots.
In early January, he posted this YouTube video, which steps through the Air Canada app’s Glassbox-enabled screen captures:
The App Analyst told TechCrunch that the misconfigured, not-thoroughly-tested obfuscation means that Air Canada employees – and anyone else capable of accessing the screenshot database – can see unencrypted credit card and password information.
Air Canada attempts to cover the password form when logging in. However they do not obfuscate the initial setting of the password during account creation or resetting the password when forgotten.
Passwords and credit cards were not, however, involved in the August breach. The App Analyst said that he saw them when he used the “show password” functionality, which leads him to believe that users’ passwords may in fact be captured in screenshots, in plain text, which goes against industry standards.
Five months after the Air Canada breach in late August, TechCrunch asked The App Analyst to analyze some of the popular iPhone apps that use Glassbox’s session replay technology. Its clientele includes hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, with such names as Abercrombie & Fitch, Hotels.com and Singapore Airlines.
Some of the apps he looked at sent session replays to Glassbox, while some sent them back to a server on their own domains. The App Analyst didn’t find a lack of obfuscation on par with the Air Canada app, though he did discover some instances of non-obfuscated email addresses and postal codes.
Not even a whisper in teeny-tiny type
As TechCrunch notes, it’s impossible to know if a mobile app is recording screen sessions as you use it. These companies certainly don’t seem to be disclosing it if they are. From Zack Whittaker’s TechCrunch article:
We didn’t even find it in the small print of their privacy policies.
A few examples of the privacy policies he squinted at in vain:
Out of the companies that responded to TechCrunch, none of them addressed the fact that their privacy policies don’t mention session replays. This is what Air Canada had to say after the TechCrunch article was posted on Wednesday:
Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips. … This includes user information entered in, and collected on, the Air Canada mobile app. However, Air Canada does not – and cannot – capture phone screens outside of the Air Canada app.
Tell users what you’re doing, or face expulsion
TechCrunch had a response from Apple, in which a spokesperson said that Apple had notified developers that are in violation of the “strict privacy terms and guidelines” around recording user activity, and would be removing offending apps from the store if developers don’t properly disclose their antics to users:
Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.
We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary.