‘Apps on iPhone make recordings of usage and forward them to servers’

Apps on iOS that use recordings and forward them to their developers don’t always successfully disguise the sensitive information a user enters. In addition, they do not always mention this activity in their privacy policy.

TechCrunch and an expert toured applications that use Glassbox, an analytics service that builds recording technology into apps for their customers. These were hotel chains, travel agencies, airlines, telcos and banks. The expert used Charles Proxy to intercept and extract the data sent by the apps.

An example of the findings is that Air Canada’s app fails to provide sensitive information with black bars; Passport and credit card information are forwarded unencrypted. Air Canada needs access to this data, but must protect this data properly and may not, for example, store a password in this way. Some companies had the recordings sent to Glassbox, others chose to have them sent to their own servers.

TechCrunch does not state how many apps the site has reviewed, but does state that no app has a privacy policy that records and sends users’ actions within the app. Glassbox does not oblige its customers to report these recordings. Users also cannot find out that their usage is being recorded through a permissions dialog box, as there is no window for that permission in iOS.

Also on Android it is possible for apps to record interactions between user and application and send them to a server. This does not fall within the selection of permissions for which an app must request permission from the user.

Companies have users’ interactions with their apps recorded primarily for quality purposes. It makes it easier to see where bugs are occurring or where an application could be more user-friendly. In addition, this type of information has value for advertisers, who can use it to create profiles of users and advertise in a more targeted manner.