Since native screen recording arrived in iOS 11, iPhone owners have come to appreciate how useful it is when it’s used properly. It’s great for tutorials and for showing others specific steps visually. Here at komando.com, we use screen recordings often in our Flash Tip videos.
It’s also great for troubleshooting purposes. For example, if you’re having a specific issue with an app, instead of explaining the problem to your tech guru for support, you can simply replicate the issue, record your screen as it happens and then share it.
But what if apps were using this capability without your knowledge? Would you feel violated, your trust betrayed? Would it feel like a massive breach of your privacy?
That is exactly what was discovered in some iOS apps: not only are they recording what’s on screen while you use them, but in some cases the recordings leak your personal information too.
Smile! Your screen is being recorded
Popular iPhone apps, including those from Air Canada, Hotels.com, Expedia, Abercrombie & Fitch, Hollister and Singapore Airlines have the ability to record your screen while you’re using them.
According to a report by The App Analyst and TechCrunch, these apps are using analytics software from a company called Glassbox that uses a feature called “session replay.”
Session replay is typically used by developers and support techs to record a screen and replay the footage for troubleshooting and to see how users interact with the app.
When it’s enabled, every tap, swipe, button press and keystroke is recorded and sent back to the developer.
Normally, sensitive text inputs such as credit card numbers and passport numbers are masked in session replays, so the recording shows placeholder characters rather than what was actually typed.
However, The App Analyst found that at least one app, Air Canada’s, was not masking its session replays properly, exposing users’ credit card data and passport numbers in each recorded session.
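The masking the report describes is the kind of pre-send scrubbing an analytics SDK is supposed to apply before a replay leaves the device. The following is an added example written for this article, not Glassbox’s SDK or Air Canada’s code: it works on a simplified, constructed event stream (the JSON field names and event shape are assumptions), masks fields that are declared sensitive, and also scans free text for Luhn-valid card numbers so a card number typed into a field the developer forgot to mark sensitive is still caught. The audit function is the check a developer (or a curious researcher) can run over a replay to confirm nothing slipped through.

```python
import json
import re

# Constructed sample: a simplified session-replay event stream, modelled on the
# tap/keystroke log the article describes. Field names and the JSON shape are
# assumptions for this example, not Glassbox's real format.
SAMPLE_REPLAY = [
    {"type": "tap", "target": "btn_continue", "t": 1000},
    {"type": "input", "field": "passport_number", "value": "AB1234567", "t": 1500},
    {"type": "input", "field": "card_number", "value": "4111 1111 1111 1111", "t": 2000},
    {"type": "input", "field": "cvv", "value": "123", "t": 2100},
    # A card number typed into a field nobody marked as sensitive.
    {"type": "input", "field": "notes", "value": "use card 5555555555554444 pls", "t": 2500},
    {"type": "input", "field": "email", "value": "alice@example.com", "t": 3000},
]

# Fields whose values must never leave the device unmasked (assumed names).
SENSITIVE_FIELDS = {"card_number", "cvv", "passport_number", "password"}

# 13 to 19 digits, optionally separated by single spaces or dashes, with no
# trailing separator so surrounding text is left untouched.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """True if a digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in free text."""
    found = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_event(event: dict) -> dict:
    """Return a copy of one replay event with sensitive input masked.

    Two layers: declared-sensitive fields are masked wholesale, then any other
    text is scanned for card numbers, which catches the case where a PAN lands
    in a field that was never classified as sensitive.
    """
    masked = dict(event)
    value = masked.get("value")
    if not isinstance(value, str):
        return masked
    if masked.get("field") in SENSITIVE_FIELDS:
        masked["value"] = "*" * len(value)
        return masked

    def redact_if_pan(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "[REDACTED PAN]" if luhn_ok(digits) else m.group()

    masked["value"] = DIGIT_RUN.sub(redact_if_pan, value)
    return masked


def scrub_replay(events: list) -> list:
    """Mask every event in a replay before it is queued for upload."""
    return [mask_event(e) for e in events]


def audit_replay(events: list) -> list:
    """Pre-send check: list (index, field, reason) for events still leaking data."""
    findings = []
    for i, e in enumerate(events):
        v = e.get("value")
        if not isinstance(v, str):
            continue
        if e.get("field") in SENSITIVE_FIELDS and v.strip("*") != "":
            findings.append((i, e["field"], "sensitive field not masked"))
        elif find_unmasked_pans(v):
            findings.append((i, e.get("field"), "card number in free text"))
    return findings


if __name__ == "__main__":
    print("before:", audit_replay(SAMPLE_REPLAY))
    scrubbed = scrub_replay(SAMPLE_REPLAY)
    print("after:", audit_replay(scrubbed))
    print(json.dumps(scrubbed, indent=2))
```

Run against the sample, the audit flags four events before scrubbing (the passport, card and CVV fields plus the card number hidden in the notes field) and none afterwards. Real replay SDKs normally do the first layer at the UI level, for instance by treating secure text fields as masked by default; the per-field allowlist is the part that is easy to get wrong, which is the failure the report describes for Air Canada.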
This is troubling because it could let Air Canada employees, and anyone else with access to the session replay store, read unmasked credit card, password and passport information.
Replay data that isn’t protected in transit is also exposed to man-in-the-middle attacks (on public Wi-Fi or a guest network, for example), which could let an attacker intercept the sensitive data before it ever reaches Glassbox’s or Air Canada’s servers.
The App Analyst said the other apps it examined sent their session replays to Glassbox as well, and while sensitive data was mostly masked in those, it did see email addresses and postal codes exposed in some cases.
Not disclosed in privacy policies
Another alarming discovery: as a user, you have no way to tell whether an app that uses session replay is recording your screen at any given moment. Worse, the practice isn’t disclosed in these apps’ privacy policies.
Adding insult to injury, enabling session replay requires no special permission from Apple and no prompt to the user. The SDK captures the app’s own views from inside the app, so there is no iOS permission for it to ask for.
Session replay may only capture what’s on screen while you’re inside the app itself, but the lack of clear disclosure and user consent still feels like a serious violation of privacy.
Glassbox is not the only one
Although Glassbox’s session replay feature was the subject of The App Analyst and TechCrunch’s report, it’s not the only screen recording game in town.
Companies like Appsee and UXCam advertise a similar technology to developers that allows them to see their apps from the user’s perspective, recording not just the screens, but also touch gestures and other triggered events. This makes me wonder, what other apps are doing this without our knowledge?
So what can we do about it? Right now, since there’s no reliable way to tell whether an app is recording you, it’s up to Apple (and Google) to lay down clearer guidelines and policies that force developers to disclose their use of screen recording technology.
Beyond that, a privacy setting at the operating system level for allowing “screen recording” by apps is needed. We already have per-app toggles for microphone, camera and location access, so why not for screen recording? Hopefully, with all these reports coming out, we’ll see big changes soon.