At some point every single thing, every little piece of data, will become public knowledge. At least that’s the direction we’re heading with our smartphones, tablets, and contact lenses with computers built right into them.
So is anyone at all surprised that several of the more popular iPhone apps many of us have on our phones are recording things like our screens without, you know, asking for our permission? I’m not. That doesn’t mean it doesn’t piss me off though. Especially when I discover that these apps are not even required to ask their users for permission to do so.
So if you currently have apps for companies like Abercrombie & Fitch, Air Canada, Expedia, Hollister, Hotels.com, Singapore Airlines or any other app that utilizes the services of customer experience analytics firm Glassbox, then there’s a pretty good chance your screen is being recorded, whether you like it or not.
Heck, it says right on the home page of Glassbox’s website, “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility.”
The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
“This lets Air Canada employees — and anyone else capable of accessing the screenshot database — see unencrypted credit card and password information,” he told TechCrunch.
When TechCrunch asked The App Analyst to look at some of the apps Glassbox has listed as customers on its website, none of the apps stated that they were recording a user’s screen.
That could be a problem if any one of Glassbox’s customers isn’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.
The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but that he did see email addresses and postal codes in some cases.
Sound creepy? Well… it is. As the author of the TechCrunch article, Zack Whittaker, said when he closed out his piece, “…the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.”