Your mobile screens are being recorded.
At a time when user experience can make or break a business, app developers are turning more and more to third-party app analytics tools to gain insight into how customers interact with their apps. Glassbox, Appsee, TestFairy, and UXCam are a handful of popular analytics SDKs used by app developers to track in-app user behavior, crashes, bugs, and other issues that may impact the business. Many of these SDKs collect data by recording mobile device screens. At best, these recordings can be useful for understanding user behavior; at worst, they can be leaked, exposing sensitive data if information is not concealed properly.
This is what happened recently in several widely used iPhone apps from hotels, airlines, cell phone carriers, banks, and others that use analytics SDKs to record their users’ screens. According to the TechCrunch blog post that first broke the story, popular travel apps used the Glassbox analytics SDK for “session replays” and screen recording of user behavior, but failed to explicitly mention this in their privacy policies, leaving their customers with no idea their actions were being captured. Since SDKs like Glassbox do not require app developers to mask sensitive data captured from screen recordings or to securely store and transfer session replay files, anyone who has access to the recording files can see the sensitive data.
In the aftermath of the TechCrunch report, Apple issued a warning to app developers, ordering them to remove the analytics code from their apps or properly inform users of the screen recordings. Failing to comply, Apple said, would result in the app being removed from the company’s App Store.