Apple plans to crack down on iOS apps that use so-called ‘session replay’, a technology that helps developers understand how people use an app, but also lets the developer see a replay of every tap and swipe users make on their iPhones.
An investigation by TechCrunch identified a number of popular apps from well-known brands that use third-party session replay analytics tools, including Abercrombie & Fitch, Expedia, Hotels.com, and Singapore Airlines.
The technology, which is also used to analyze user actions on websites, poses a security and privacy risk if it doesn’t properly avoid capturing sensitive input fields in an app or site, such as payment and login pages.
The problem for Apple, following its crackdown on Facebook and Google apps last week, is that developers have once again been caught flouting its policies.
“2.5.14: Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. This includes any use of the device camera, microphone, or other user inputs,” Apple’s App Store guidelines state.
The apps called out for using session replay did not gain consent from iOS users.
Apple has now said it is informing developers of their violation and has given them one day to remove the tracking capability.
“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” an Apple spokesperson said in a statement to TechCrunch.
The findings follow a report by The App Analyst that looked into Air Canada’s use of Glassbox Digital analytics software in its mobile app. The airline in August disclosed a data breach affecting 20,000 users of its mobile app.
The App Analyst found that black boxes used to cover sensitive fields for inputting credit card details, passwords and users’ billing addresses didn’t always hide them. For example, the black boxes were effective when an already-registered user logged in, but not during the initial registration process.
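The masking failure described above (black boxes over card, password and address fields on the login flow, but not during registration) is what happens when redaction is keyed on the screen a developer remembered to list rather than on the kind of field being recorded. The following is an added illustration and is not code from Glassbox, The App Analyst, or any of the apps named in this article; the event model, the field and screen names, the two policies and the Luhn-based audit are all constructed for this example. It replays the same constructed input events through a screen-based policy and a field-type policy with default deny, then audits what the replay server would have stored for anything that still looks like a card number.

```python
"""Session-replay redaction: screen-based vs. field-type masking (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List

# Field types that must never reach a replay server in clear text (constructed list).
SENSITIVE_TYPES = {"password", "credit_card", "cvv", "billing_address", "email"}
# Free-text fields explicitly reviewed as safe to record (constructed allowlist).
ALLOWLISTED_TEXT_FIELDS = {"search_query"}
# Screens the developer remembered to mask in the weak policy (constructed).
MASKED_SCREENS = {"login", "checkout"}

MASK = "\u2588" * 8  # rendered as a black box in the replay viewer


@dataclass(frozen=True)
class InputEvent:
    screen: str      # e.g. "login", "registration"
    field_id: str
    field_type: str  # e.g. "text", "password", "credit_card"
    value: str       # what the user typed


@dataclass(frozen=True)
class RecordedEvent:
    screen: str
    field_id: str
    value: str       # what the replay server would store


Policy = Callable[[InputEvent], RecordedEvent]


def screen_based_policy(ev: InputEvent) -> RecordedEvent:
    """Weak: masks every field on listed screens, nothing elsewhere.
    A registration screen that was never added to the list leaks everything."""
    value = MASK if ev.screen in MASKED_SCREENS else ev.value
    return RecordedEvent(ev.screen, ev.field_id, value)


def type_based_policy(ev: InputEvent) -> RecordedEvent:
    """Default deny: sensitive types are masked on any screen, and free text
    is masked too unless the specific field was reviewed and allowlisted."""
    if ev.field_type in SENSITIVE_TYPES:
        return RecordedEvent(ev.screen, ev.field_id, MASK)
    if ev.field_id in ALLOWLISTED_TEXT_FIELDS:
        return RecordedEvent(ev.screen, ev.field_id, ev.value)
    return RecordedEvent(ev.screen, ev.field_id, MASK)


def record_session(events: List[InputEvent], policy: Policy) -> List[RecordedEvent]:
    """Apply a masking policy to every captured input event, as an SDK would."""
    return [policy(ev) for ev in events]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used to spot payment card numbers in recorded values."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def audit_recording(recorded: List[RecordedEvent]) -> List[str]:
    """Defender-side check on what the replay server holds: return the field ids
    whose stored value still parses as a valid card number."""
    leaked = []
    for rec in recorded:
        digits = "".join(ch for ch in rec.value if ch.isdigit())
        if luhn_valid(digits):
            leaked.append(rec.field_id)
    return leaked


def count_unmasked(recorded: List[RecordedEvent]) -> int:
    """Number of stored values that were not replaced by the black box."""
    return sum(1 for rec in recorded if rec.value != MASK)


# Constructed sample session: an existing user logs in, a new user registers
# and enters card details, and someone uses the search box on the home screen.
# The card number is the widely used test value 4111 1111 1111 1111.
SAMPLE_EVENTS = [
    InputEvent("login", "username", "email", "alice@example.com"),
    InputEvent("login", "password", "password", "correct horse battery"),
    InputEvent("registration", "email", "email", "bob@example.com"),
    InputEvent("registration", "password", "password", "staple"),
    InputEvent("registration", "card_number", "credit_card", "4111 1111 1111 1111"),
    InputEvent("registration", "cvv", "cvv", "123"),
    InputEvent("registration", "billing_address", "billing_address", "1 Example Street"),
    InputEvent("home", "search_query", "text", "flights to SIN"),
]

if __name__ == "__main__":
    for name, policy in (("screen-based", screen_based_policy), ("type-based", type_based_policy)):
        stored = record_session(SAMPLE_EVENTS, policy)
        print(f"{name}: {count_unmasked(stored)} values stored in clear, "
              f"card numbers found in fields {audit_recording(stored)}")
```

Run stand-alone, the screen-based policy stores every registration field in the clear and the audit flags `card_number`; the type-based policy stores only the allowlisted search text. The audit is the kind of check a privacy or security review can run against a replay store after the fact, but the field-type policy is the part that prevents the capture in the first place.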
The same problem is likely to affect users who’ve installed apps from Google Play, since Glassbox’s screen-replay technology is also available for Android.
In a statement, Glassbox told MacRumors that neither it nor its customers are interested in spying on consumers. According to the company, consumers are aware their data is being recorded, and no data collected by Glassbox customers is shared with third parties.
“Our goals are to improve online customer experiences and to protect consumers from a compliance perspective,” the company said.