科技回声
A tech news platform built on Next.js, providing global tech news and discussion.

Resource links: HackerNews API, original HackerNews, Next.js

© 2025 科技回声. All rights reserved.

Many popular iPhone apps are recording user sessions without asking

270 points, by samaysharma, over 6 years ago

27 comments

chaitanya, over 6 years ago

A lot of people here are commenting that it's no big deal that organizations are recording every screen, tap and swipe for their own apps. There are two problems with that:

1. As the article mentions, in some cases these apps end up leaking sensitive data like credit card details and passwords. Generally, if you are taking snapshots of the user's screen instead of sending text metrics, it becomes much harder to mask sensitive data at all times.

2. The bigger issue is that these services generally use third parties to record this, and their privacy policy is a big problem. For example, Glassbox explicitly mentions that it will share end user personal data with their "enterprise" clients (which I am guessing are basically ad companies):

> From time to time, GLASSBOX grants certain of its enterprise clients a license or other rights to GLASSBOX's proprietary software products and solutions (the "GLASSBOX Solutions"). Through their use of these GLASSBOX Solutions and/or through other means, enterprise clients of GLASSBOX may get access to, collect and use: (i) End User non-personally identifiable information; and (ii) End User Personal Data.

> There are also times when we will combine such information with additional non-personal or de-identified information we obtain from other companies as well as End User Personal Data, in order for our enterprise clients to market directly to a certain person subject to requirements of applicable law. We typically analyze this information and organize it into user groups and audiences, based on factors such as age, gender, geography, interests and online actions. We and our enterprise clients then use these user groups and audiences, along with information about the possible relationships among different browsers and devices, to design and deliver customized advertising campaigns or other relevant content.

https://www.glassboxdigital.com/privacy-policy/
epaga, over 6 years ago

I'm seeing lots of "but this is super helpful to improve UI flow, and normally isn't nefarious!"

Well, as long as the app 1. lets me know and 2. lets me choose whether to have this feature on or not, I don't have a problem with an app recording my usage of it in order to improve UI flow or what have you.

The issue here is that 1. sensitive data is being transmitted via automated screenshots and 2. the users are not even being made aware of this fact, let alone being given a choice.
HenryBemis, over 6 years ago

One of the reasons why I switched from iPhone to Android is the firewall.

On my jailbroken i-devices (all of them) I was always installing "Firewall IP", and when an app was running, for any connection not previously (or globally, meaning the rule applies for all apps) approved I would get a pop-up message (screenshot of an earlier iOS Firewall IP) [1].

Now with the jailbreaks being less efficient, and the Firewall IP app not having been updated for a few years, I switched to Android and I am using "NoRoot Firewall" [2] for exactly the same purpose. I globally block all FB, ads, trackers.

There is always the extra option for rooted/jailbroken phones to block things in the hosts file using hosts file selections from someonewhocares.org [3].

[1]: https://rdsbc.files.wordpress.com/2011/03/wall1.png

[2]: https://lh3.ggpht.com/fXRZfgSmArBemdjABjUDu0ibP9Gis3GV5YXTVj_Ix5-967CtoSvZFXxAx0mQdOj0Klc=w1000-h800

[3]: https://someonewhocares.org/hosts/
vlozko, over 6 years ago

I've worked with a similar library before: appsee. While it does have a little bit of value in helping trace crash reports and provide heat maps, we ultimately got rid of it and for the better. It can be hard to find and "cover up" every single place where sensitive information can be displayed. That's really up to the developer to manually do most of it, though some of it is done automatically (e.g. password fields). Even the most well intentioned developer can miss out on a label that shows the user's email or a text field with address data. And that's just the developers who know about this challenge and try to do something about it. I'd venture many don't.

Just as bad is the performance hit. Taking screenshots utilizes the main thread (no way around it) and it just kills any attempts at making buttery smooth animations throughout the app. Suffice it to say, such libraries are just not worth it for the perceived value they allegedly provide.
katsura, over 6 years ago

Two or three years ago I noticed that inspectlet (similar tech for the web) was happily sending the passwords in clear text to their servers, even though on their website they mentioned that passwords are never sent. I sent them an email and they eventually fixed it, but I wonder how many passwords and credit card CVC data they collected before that?
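The check katsura describes, as an added example (not code from the thread, from Inspectlet or from any vendor): log in to the site under test with a unique throwaway password as a canary, export the browser's network log as a HAR file, and scan every request URL and body for the canary, flagging hits to any host other than the first party. Replay scripts usually carry input values inside JSON events, percent-encoded query strings or base64 blobs, so each decoding of the raw text is checked. The HAR below is a constructed fixture with invented host names, so the script runs offline under Node.

```javascript
// Added example: scan a HAR export for a canary value typed into a login form.
// Not from the thread or any vendor; the HAR below is a constructed fixture.

// Return the raw text plus its URL-decoded and base64-decoded forms.
function decodings(text) {
  const out = [text];
  try { out.push(decodeURIComponent(text)); } catch (_) { /* not URL-encoded */ }
  out.push(Buffer.from(text, 'base64').toString('utf8'));
  return out;
}

// One record per request whose URL or body contains the canary. The
// first-party login request is expected to carry it; anything else is a leak.
function findCanaryLeaks(har, canary, firstPartyHost) {
  const hits = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    const body = (entry.request.postData && entry.request.postData.text) || '';
    const haystack = [url.href, body].flatMap(decodings);
    if (haystack.some((s) => s.includes(canary))) {
      hits.push({
        method: entry.request.method,
        host: url.host,
        thirdParty: url.host !== firstPartyHost,
      });
    }
  }
  return hits;
}

// Constructed fixture. The canary contains characters that get percent-encoded,
// so a naive substring search on the raw HAR text would miss entries 1 and 3.
const CANARY = 'canary pw 7Q@';
const sampleHar = {
  log: {
    entries: [
      { request: { method: 'POST', url: 'https://shop.example/login',
        postData: { text: 'user=alice&pass=' + encodeURIComponent(CANARY) } } },
      { request: { method: 'POST', url: 'https://replay.vendor-a.test/ingest',
        postData: { text: JSON.stringify({ events: [{ t: 'input', sel: '#pw', v: CANARY }] }) } } },
      { request: { method: 'GET',
        url: 'https://beacon.vendor-b.test/p?e=' + encodeURIComponent(JSON.stringify({ v: CANARY })) } },
      { request: { method: 'GET', url: 'https://cdn.shop.example/app.js' } },
    ],
  },
};

const leaks = findCanaryLeaks(sampleHar, CANARY, 'shop.example');
console.log(leaks.filter((h) => h.thirdParty)); // the two vendor hosts
```

Run it against a real export by replacing `sampleHar` with `JSON.parse(fs.readFileSync('session.har'))`; a hit on a host you do not operate means the value you typed left the page, whatever the vendor's privacy page says.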
octocode, over 6 years ago

Why does this article specifically single out iPhones? This happens on all platforms, even web apps.
ubermonkey, over 6 years ago

I guess I'm not SUPER concerned about a given app reporting on what I do in that app back to the publisher. It might even be possible to convince me it's a reasonable way to figure out what the app does well and what it needs to improve.

We could never get away with doing this for our (Windows) app, but sometimes I have conversations with people in my user base and I really, really wish I had some idea of how they got into some $random_weird_state.

But yeah, it oughta be in the T&C if nothing else.
kaolti, over 6 years ago

Not sure how long it's been there, but I found this in Inspectlet's terms of service:

7. Disclosure. As soon as you begin to use Our Service, You agree to add a disclosure to either Your terms of use, user agreement and/or privacy policy to inform Your end-users and customers of Inspectlet's access to their Personal Information through Your website, and adding a link to Our Privacy Policy which governs Our use of all such Personal Information accessed by Inspectlet through Your website or through Your use of Our Services.
spicymaki, over 6 years ago

Acquiring end-user telemetry by recording inputs and sending them to the app developer is not great, especially if they don't ask for your permission.

This is quite different from the sensational headline. update: fixed wording
sydli, over 6 years ago

Reminds me of this research from Princeton, on the exfiltration of personal data via equivalent session-replay services for the web:

https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/
corbett3000, over 6 years ago

Anyone have an idea for how to block this on your iPhone? Perhaps content filtering glassboxdigital.com? Not sure if that would stop however it is that they're transmitting back to their servers.
coldcode, over 6 years ago

Long ago a company I worked for had an iOS app and used some IBM product for the web version (Leaf? or something) and they forced us to use it in the app as well; it recorded the contents of each page basically (some fields were blanked out). It also crashed so much it was worthless. I never found it remotely useful to have such detailed info. Tagging service calls with a GUID was much more useful, as well as recording service errors and exceptions in Google Analytics. While we of course knew who the tag belonged to (after all they were our customer's orders) it was of no use to anyone listening in or watching the tags go by.
JazzXP, over 6 years ago

So if I'm understanding this right, the big issue they have is that they're not telling the customers that they're doing it. Can't any website do exactly the same thing in recording every keystroke written into it without a customer knowing?

Does it really even matter if you're sending them your credit card details anyway?
jchw, over 6 years ago

This has been done for many years on the web. The first one I can recall was Hotjar, which offered both heat maps and session replay.

I have no comment regarding the ethical implications of this technology, but I can see why it is useful practically.
polote, over 6 years ago

I was in charge of building this kind of product for another analytics company. This technology is called session replay, and it is used for many use cases, like UX improvement, support, bug detection...

Most vendors record keyboard inputs and thus can record passwords as well as credit card information; there was an affair about it a few years ago [1]. To avoid this issue, most vendors provide a way not to record that information. It requires manual tagging of the website on the elements that contain critical content.

But many session replay vendors have many clients, and don't force or don't verify that all the critical information is masked. This is not GDPR compliant, because when the GDPR applies you need the consent of the user to record their PII, and you are not even allowed to record information like passwords, sexual orientation or credit cards even if you have the consent.

Two things:

- Nowadays on the web most payment pages are not hosted on the client website, so those analytics tools are not included (but we still have many websites that don't use a third party for that)
- This data is not (most of the time) recorded in a structured way; input data is recorded as some element of an HTML document, and thus it is not super easy to extract the information at scale

[1] https://freedom-to-tinker.com/2018/02/26/no-boundaries-for-credentials-password-leaks-to-mixpanel-and-session-replay-companies/
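The masking design polote and vlozko describe, as an added example that is not code from the thread or from any vendor SDK: a toy input recorder run over a constructed checkout form (plain objects standing in for input elements, so it runs under Node with no browser) under two policies. The vendor-style policy masks a field only if it is a password field or the developer tagged it, so one forgotten tag leaks the value; the default-mask policy masks every field unless the developer opts it in to recording, and never records fields whose autocomplete hint marks them as credentials or card data. The data-mask and data-record attribute names are assumptions for this example.

```javascript
// Added example: two masking policies for a session-replay input recorder.
// Not from the thread or any vendor SDK. Fields are plain objects standing in
// for <input> elements; data-mask / data-record are invented attribute names.

const SENSITIVE_AUTOCOMPLETE = new Set([
  'cc-number', 'cc-csc', 'cc-exp', 'current-password', 'new-password', 'one-time-code',
]);

// Vendor-style policy: record everything unless the field is a password field
// or the developer remembered to tag it. Fails open on any field they missed.
function tagOnlyPolicy(field) {
  const dataset = field.dataset || {};
  return field.type === 'password' || dataset.mask === 'true';
}

// Default-mask policy: mask every field unless the developer explicitly opts it
// in to recording, and never record fields whose autocomplete hint marks them
// as credentials or card data, even if opted in. Fails closed.
function defaultMaskPolicy(field) {
  const dataset = field.dataset || {};
  if (field.type === 'password') return true;
  if (SENSITIVE_AUTOCOMPLETE.has(field.autocomplete)) return true;
  return dataset.record !== 'true';
}

function mask(value) {
  return '*'.repeat(value.length);
}

// One replay event per field, carrying the field's current value: this is the
// payload that ends up on the vendor's servers.
function recordSession(fields, shouldMask) {
  return fields.map((f) => ({
    selector: f.selector,
    value: shouldMask(f) ? mask(f.value) : f.value,
  }));
}

// Which of the known secrets appear verbatim in the recorded events.
function leakedValues(events, secrets) {
  return secrets.filter((s) => events.some((e) => e.value === s));
}

// Constructed fixture: a checkout form where the developer tagged the CVC field
// but forgot the card-number field, and opted the promo-code field in.
const checkoutForm = [
  { selector: '#email', type: 'email', autocomplete: 'email', value: 'alice@example.com' },
  { selector: '#pw', type: 'password', autocomplete: 'current-password', value: 'hunter2' },
  { selector: '#card', type: 'text', autocomplete: 'cc-number', value: '4111111111111111' },
  { selector: '#cvc', type: 'text', autocomplete: 'cc-csc', dataset: { mask: 'true' }, value: '123' },
  { selector: '#promo', type: 'text', dataset: { record: 'true' }, value: 'SPRING10' },
];
const SECRETS = ['hunter2', '4111111111111111', '123', 'alice@example.com'];

console.log('tag-only leaks:', leakedValues(recordSession(checkoutForm, tagOnlyPolicy), SECRETS));
console.log('default-mask leaks:', leakedValues(recordSession(checkoutForm, defaultMaskPolicy), SECRETS));
```

The point is the failure direction: with tag-only masking, the untagged card-number field and the email label both ship in clear, exactly the "missed one field" case vlozko describes; with default masking the same form leaks nothing and the only recorded plaintext is the promo code the developer chose to record. The same argument applies to screenshot-based recorders, where the equivalent is blanking every text view unless it is explicitly allow-listed.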
paxys, over 6 years ago

> Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won't even realize it. And they don't need to ask for permission.

The key phrases here are "recording every tap and swipe" and "on their iPhone apps". I'm not saying it is okay, but the sensationalist headline takes away from the real issue.
fitzroy, over 6 years ago

"Record the screen" could be more precise. I assumed the article was saying apps were literally recording a video of the screen, complete with alert popups etc. (like the Screen Recorder app).

I realize there isn't functionally much difference within an app. But unless I'm reading it incorrectly, it's not recording the screen, it's just the UI of the app. That's not nothing, but I always assumed (sadly?) that a lot of apps have been doing that for years to hone their UX dark arts.
threatofrain, over 6 years ago

> Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed "session replay" technology into their apps.

> These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn't work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.
zaidf, over 6 years ago

This is horrible reporting if by "record" they mean "log metadata like swipe coordinates and recreate it." That is not the same as record.
YeahSureWhyNot, over 6 years ago

sensationalist bs. how is the ability to watch a screen recording of you using their app and typing your credit card into THEIR app different from the same app developer just pulling up your credit card info from their database? if you give the info to the app, the app owner will see your info. as discussed as that. the fact that it's in the form of a screen recording doesn't make it scary or dangerous.
z3t4, over 6 years ago

Watching users via tracking and telemetry is very useful in order to learn about your users. But I also think it's unethical. With the mindset that users are "lemmings" ¹ where your job as a developer is to optimize profits from these "dumb fucks" ².

1: https://en.wikipedia.org/wiki/Lemmings_(video_game)
2: https://en.wikiquote.org/wiki/Mark_Zuckerberg
Theodores, over 6 years ago

Screen recording apps are fine if you want to go over how a small group of people use your website; however, the data is hard to analyse.

Plain old Google Analytics is a bigger deal when you think about it. Anyone that has this configured half decently, where the IDs are provided by some backend server, really has got the low down on how you use the website. Every aspect of 'engagement' can be recorded and reports made that don't entail watching through untold hours of 'user engagement'.

It is a bit like spying in the modern age. In the olden days any intelligence agency could throw resources at tracking one individual of interest. However if you need a team of twenty people to stalk someone then getting the budget can be hard. They would have to be the 'Chairman of the Communist Leadership' or the leader of a striking union for that to be approved. In the modern era we all know how the NSA et al. do it: surveillance on everyone, and able to do a report on anyone deemed 'Communist' (or whatever).

It isn't the 'everything on screen' you need to worry about, as nobody except an intern is going to be looking at that. It is the half decent Google Analytics setups that are a far greater concern if you are terrified of marketing people. Yet nobody bats an eyelid at Google Analytics; the cookie notices say it is mostly harmless and just there for your own good.

Luckily though very few companies are really that competent at Google Analytics. They may have people adding ever more bloat to Google Tag Manager for this to feed various things such as affiliate marketing schemes; however the people doing SEO are rarely familiar with web development and, not understanding the 'problem space', don't realise the possibilities.
MagicPropmaker, over 6 years ago

Users are very bad at describing what they did when an app crashed. Recording application state and logging it is a wonderful aid to debugging. I did this routinely when deploying in-house applications.
oth001, over 6 years ago

Would be cool to see a non-TechCrunch link. TechCrunch shows blank pages on mobile for me.
nerdile, over 6 years ago

Ok. So what? Software and services have kept usage metrics and clickstream data for decades. They have privacy policies saying that they may collect data about how you use their product. This is that data. So, is this a surprise?

If you don't want Abercrombie to know which items you looked at, don't look at them on the Abercrombie app, or at the Abercrombie store, or on the Abercrombie website.
kankles, over 6 years ago

Replaying user behaviour is not a privacy issue. Pretty much every mobile/web app connected to the internet is doing this with varying granularity.

AFAIK it's a pretty standard practice in UX and product design. A&F might have analysed hours of your finger gesture activity, but I doubt they're gonna know what brand of toilet paper you wiped with this morning.
crispytx, over 6 years ago

People that complain about this stuff obviously have never launched an app before. If you don't record what people are doing with your app, then you're not going to have any idea if anyone is actually using it, or if it is any good, or if there is anything you need to fix.