The apps and online services you use sometimes gather your data and use it for analytics or advertising purposes. There’s no question about that. It’s a fact of life at this point. And it’s only a matter of whether you’ve been asked permission, whether your data is used fairly and in accordance with the law, and whether it’s transferred and stored securely.
But a recent report claims some popular iPhone apps fail on at least two counts. Apps from companies like Air Canada, Hollister, Expedia and Hotels.com record everything you do on your phone’s screen while you use them — often without asking for permission.
These apps, the report found (with the help of analytics company App Analyst), use technology from a company called Glassbox, which creates so-called “session replays,” letting app owners see exactly how their customers behave while using the app.
App Analyst’s experts took a peek at how some of these apps are sending this data, and found that not all of them properly masked sensitive data such as passwords. In the case of Air Canada’s app, there was an instance in which the app sent the customer’s credit card information completely unencrypted. None of these apps ever warned users that their actions were being recorded in the first place, nor do they mention it in their privacy policies.
Glassbox doesn’t exactly hide what it does. The company’s Twitter bio states the following: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is Glassbox.”
Air Canada said that it is indeed collecting “user information entered in, and collected on, the Air Canada mobile app.” The company does this, its spokesperson said, to “ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips.”
A Glassbox spokesperson pointed out to us that it “cannot break the boundary of the app,” but it did say it has a “unique capability to reconstruct the mobile application view in a visual format,” which it calls “another view of analytics.”
It’s neither the first nor the only company to provide such a service; Android-focused Appsee does something similar, and it, too, was found to be used in a way that’s not always transparent for users.
In an email, a Glassbox spokesperson told us that the company’s goals are “to improve online customer experiences and to protect consumers from a compliance perspective.” The company says it’s a strong supporter of user privacy and security, that it “meets the highest security and data privacy standards” and that it provides its customers (the app developers) with tools to mask “every element” of personal data. Furthermore, Glassbox says it believes its customers should have “clear policies in place so that consumers are aware that their data is being recorded.”
Most companies will say, when asked, that they’re only using your data to improve your experience. But even if their intentions are pure, they should still disclose exactly what they’re doing and take every measure to protect your data. This does not appear to be the case here.