The latest online privacy threat shows just how difficult it is to protect your personal information. Most of us know not to download apps from untrustworthy sources, but we probably wouldn’t think twice about downloading an app from the Apple App Store, particularly if it were from a company we know.
Unfortunately, that trust may be misplaced, because apps from big brands including Abercrombie & Fitch, Air Canada, Expedia, Hotels.com, and more have been quietly recording your actions. It’s not for nefarious purposes: these apps use a piece of software called Glassbox to record your screen, providing developers with screenshots of their app in action. It lets app-makers see how you use the app so they can improve it and fix bugs. While that may sound like a good thing, it means developers could be collecting personal information about you.
Glassbox itself stresses that it supports users’ privacy, providing developers with tools to hide personal information in screenshots. This mask hides fields that would contain personal data — like passwords, addresses, and credit card numbers — behind a black box. But while Glassbox provides these tools, developers don’t always use them properly. For example, the Air Canada app blacks out your password when you log on, but not when you create an account or change your password. It also blocks out your credit card number in the first screenshot, but not in subsequent screenshots.
Even if you trust these apps to collect your personal information — after all, you’re giving Air Canada your credit card number to make a purchase — providing a credit card number for payment is a different thing than letting developers see it in a screenshot. These unencrypted screenshots aren’t a secure way to store private information, and they would be easy for hackers to snag when they were uploaded to company servers. Last year hackers did get into Air Canada’s mobile app data, and though the company said they didn’t get any credit card data at the time, it suggests that this screenshot data may be there for the taking, too.
That’s a problem. The App Store requires apps to get explicit consent to record user data — and apps aren’t supposed to record without a visual indication that they’re doing it. None of these apps do, and now Apple is warning developers to remove recording features if they want their apps to remain in the App Store. It’s good news for users because without Apple’s intervention, we would have no way to tell if our information was being recorded or not — hopefully we can now assume that it won’t be.
But the larger problem is that Glassbox isn’t the only company that does this type of screen capture — and these apps may not be the only ones collecting data without notifying us. Glassbox and other services are also available on Android, so the problem probably isn’t limited to Apple devices. Google’s policy for Android apps is similar to Apple’s policy for iOS apps: nothing should be collecting user data without notification. But because these apps made it onto Apple’s App Store, there’s a fair chance similar apps are on Google Play.