Several popular apps on the Apple store — including the one made by Singapore Airlines (SIA) — may be tracking your taps and swipes without your permission, TechCrunch found out.
That’s because the apps employ the service of customer experience analytics firm Glassbox, which allows developers to bake something called “session replay” into their apps. They’re not even hiding the fact that their mobile apps could potentially spy on what users are doing — part of Glassbox’s assurance is “always watching, always learning”.
“Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility,” Glassbox tweeted last year.
Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility. This is Glassbox. Experience it for yourself: https://t.co/E3uXcr0Gjf pic.twitter.com/9cJ40xbSaI
— Glassbox (@GlassboxDigital) October 16, 2018
How the technology works is that developers will have the ability to record the screen and play them back to monitor how users interact with the app. It’s all done with good intentions, of course — the purpose is to optimize user experiences by identifying errors or blindspots for app developers to fix through updates. Perhaps there’s a button that refuses to register your taps. The tech records the buggy interaction for troubleshooting purposes.
The method of surveillance, however, opens up the chance for sensitive personal information to leak out if handled wrongly. If GlassBox’s customers aren’t properly masking data as they should, information such as credit card details and passwords could be intercepted.
Even worryingly, a leak has happened before according to The App Analyst. Air Canada’s mobile app — which tracks users through Glassbox — admitted last August that 20,000 of its user profiles may have been “improperly accessed”. Attackers could have accessed information including names, email addresses, phone numbers, and even passport details. Fortunately, credit card data had been encrypted.
Aside from SIA, TechCrunch identified other apps such as Abercrombie & Fitch, Hotels.com and Expedia using Glassbox’s tech.
Privacy concerns
Apple privacy ad at CES 2019 #apple #privacy #CES2019 pic.twitter.com/dAln5Z8fFn
— Sunil Karkera (@gluecode) January 5, 2019
Despite flexing on everyone else earlier this year, Apple’s concerning violations in privacy have been well-cataloged. Last month, a bug in Apple’s FaceTime software enabled users to eavesdrop on other people while waiting for a call to be picked up. Facebook was able to find a loophole in the Apple App Store and paid users to let the social media giant have root access to their phone activities.
The Glassbox issue would be yet another potential privacy concern for iOS users. Especially so when the privacy policy listed by the flag carrier airline of Singapore does not make it clear that its app could be recording the screens of its users. The App Analyst found out that the SIA app does collect session replay data, which gets stored on Glassbox’s cloud server.
When contacted by TechCrunch, SIA asserted that the data it collects is “in accordance with (their) privacy policy which includes the use of customer data for testing and troubleshooting issues”.
There is a section in SIA’s privacy policy that states customer data will be shared with “selected third parties” — including analytics and search engine providers that assist in the improvement and optimization of the website.
But the methods are undefined. One would certainly have some apprehension about phone screens being recorded without their knowledge. At least one person has already requested SIA to stop using Glassbox.
Reader Interactions