In an article about how certain apps use ‘session replay’ technology to record how users interact with the app, Tech Crunch noted that many of these iPhone apps do not even ask for a user’s permission to do this.

The popular iPhone apps they mentioned include apps from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers such as Air Canada, Hollister, Expedia and even Singapore Airlines.

The worst part, says Tech Crunch, is that these ‘session replays’ inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines apparently use a customer experience analytics firm called Glassbox which allows developers to embed this ‘session replay’ technology into their apps. This technology essentially takes screenshots when you use their app and sends those back to the companies.

This allows developers to record your screen to see how you interact with the app – mainly used to detect errors and to enhance user experience. This technology allows every tap, button push, and keyboard entry to be recorded and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The scary part is that a mobile expert, The App Analyst, found that certain apps weren’t properly masking the session replays, thus exposing sensitive information. The app that this expert looked at was Air Canada’s iPhone app. When masking of the replay session failed, information such as passport numbers and credit card numbers was exposed. Air Canada said that its app experienced a data breach which exposed over 20,000 profiles.

The App Analyst said “This allows Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information.”

Tech Crunch subsequently asked the Analyst to look at a sample of apps that Glassbox had listed on its website to see if these other apps have the same problem.

Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher examined what data was going out of the device.

According to the expert, not every app was leaking masked data. So, not too bad. But none of the apps they examined made it clear that they were recording a user’s screen or that they were relaying those recordings to each company or to Glassbox’s cloud.

This, the expert said, could be a problem if there was inadequate masking of data. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

He found that apps like Expedia and Hotels.com, which opted to send the data back to a server on their own domain, mostly obfuscated the data, but there were some instances where email addresses and postal codes were exposed.
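As an added illustration, and not code from Glassbox, Tech Crunch or The App Analyst, here is a small Python redaction check of the kind an app team could run over replay events before upload, or over a payload captured with a proxy, to catch card numbers, email addresses and password fields that masking missed. The event format, field names and values are constructed for this example.

```python
import re

# Constructed sample of field-level events a session-replay SDK might capture
# before upload (made-up values; not a real Glassbox payload).
SAMPLE_EVENTS = [
    {"field": "email", "kind": "text", "value": "alice@example.com"},
    {"field": "card_number", "kind": "text", "value": "4111 1111 1111 1111"},
    {"field": "password", "kind": "secure", "value": "hunter2"},
    {"field": "search", "kind": "text", "value": "flights to Tokyo"},
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Field names that are masked regardless of what the user typed.
SENSITIVE_FIELDS = {"card_number", "password", "passport", "cvv"}
MASK = "***"

def luhn_ok(digits):
    """Luhn checksum: drops digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(event):
    """Return why a value must be masked, or None if it is safe to send."""
    if event["kind"] == "secure" or event["field"] in SENSITIVE_FIELDS:
        return "sensitive-field"
    for m in CARD_RE.finditer(event["value"]):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "card-number"
    if EMAIL_RE.search(event["value"]):
        return "email"
    return None

def redact(events):
    """Mask sensitive events; findings list what the SDK's own masking missed."""
    out, findings = [], []
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append(f"{ev['field']}:{reason}")
            ev = {**ev, "value": MASK}
        out.append(ev)
    return out, findings
```

Run over events captured from the device, a non-empty findings list means those values would have left the phone unmasked.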

The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

Importantly, Tech Crunch noted that it’s impossible to know if an app is recording your screen when you use it. In fact, they didn’t find any mention of that in the fine print of their privacy policies.

While apps that are submitted to Apple’s App Store are required to have a privacy policy, Glassbox itself doesn’t require any special permission from the app or the user to record their screens. So really, there’s no way to know.

Tech Crunch noted that neither Expedia, Hotels.com nor even Air Canada mentioned recording screens in their policies. Neither did Singapore Airlines.

Tech Crunch reached out to these companies to ask where in their privacy policies it says that they record this data, but only one company responded.

Abercrombie (sister company of Hollister) confirmed that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.”

They made no comments on session replays.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policies.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.

Scary, right?

So basically, with the help of Glassbox and other similar session replay services, companies are essentially monitoring every move you make on their app.

From a user experience perspective, this makes sense. Especially in high-revenue situations, this kind of data can help a company understand how and why their apps might not be working properly which could be costing them a hefty loss of profit.

On the other hand, the fact that most of these companies do not make it clear that they use this technology in the first place is an indication that even they know how dodgy it is to be recording their users’ every move. They’re also likely aware that masking isn’t always effective in protecting their users’ data, so of course they’d be reluctant to admit that they’re doing this.

Unfortunately, this isn’t something that’s going away any time soon – or probably ever. Companies rely on this kind of technology for their survival.

In which case, the App Analyst suggests that users take a more active role in how they share their data. The first step, he says, is having companies be more honest about how they collect their users’ data and who they share it with.

What does SIA do with your data?

We reached out to Singapore Airlines to ask if they could point us to the section in their privacy policy that says they do this kind of data collection, and they did.

An SIA spokesperson said, “The data we collect is in accordance with our privacy policy which includes the use of customer data for testing and troubleshooting issues. This is specified under Clause 3 of our privacy policy which is available on our website.”

So I checked it out and here’s what I found:

Clause 3 (How we use your customer data) says, “As it is in our legitimate interests to be responsive to you, to provide customised services and marketing and to ensure the proper functioning of our products, services and organisation, we will use your Customer Data to improve the Website and to ensure content from the Website is presented in the most effective manner for you and your device; and administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.”

Clause 3 also mentions monitoring and recording calls for training and quality improvement purposes, sending you surveys by email and more.

That’s not exactly clear, right? Plus there’s no mention of the mobile app in Clause 3.

So I checked out the other clauses and in Clause 2 (the types of customer data we collect), I found this paragraph:

“SIA also collects Customer Data from third parties which are located in various countries. This includes, but is not limited to, travel agents, our KrisFlyer partners (including, amongst others, airlines and non-airlines such as Hilton, Avis, Hertz, American Express, the Economist and Esso), our service providers, other airlines including our subsidiaries to facilitate travel on code share or multi-airline flights, or through our Website, mobile services, any posts on our SIA-specific pages on social media websites and other channels including our ticketing counters and airport operations.”

That’s a little clearer, perhaps? They do mention collecting data from third parties – in this case Glassbox – but they do not explicitly mention Glassbox nor do they specify that your every move on the app is being recorded.
