When’s the last time you read an application’s privacy policy? Well, here’s to say that you didn’t really miss much because some of the applications you use in fact forgot to mention the most crippling invasion of privacy in their application’s privacy policy. Yes, it wasn’t even in the finest of prints at the bottom. Big-league travel and retail applications like Air Canada, Singapore Airlines, Hotels.com, Expedia, Abercrombie & Fitch (including Hollister) and others are recording your iPhone screen (every last pixel of it) including sensitive data fields in the name of data analytics and session replaying.
Tech Crunch revealed through an investigation that several travel and retail applications were found to record the iPhone’s screen without the user knowing or providing any consent, be it an accidental ‘yes’ click. The idea behind this is session replaying, where companies can revisit the activities of a session for troubleshooting and improvement analysis. Usually third-party applications are brought on board to design such aspects of mobile applications. In Tech Crunch’s investigation, it was revealed that these applications were relying on an analytics provider named GlassBox.
It seems that the software solution that GlassBox was providing these companies didn’t have any sort of privacy filter. This means that as it set out to take screenshots of every little thing you do on the screen (which already, without your consent, is a massive invasion of privacy), the mechanism was also taking screenshots of sensitive data fields: everything from your name and phone number to credit card information, expiry, code, and passport details.
This is an especially worse case in the travel applications found guilty as they require more sensitive user data to begin with. If it doesn’t seem bad already that these applications are spying on your sensitive information, what’s worse is that some of these applications, Air Canada’s application in particular, have very poor encryption and security when these screenshots are sent from your device to their storage servers and as they’re kept their for the long run as well.
This means that even if you turn a blind eye and supposedly trust these companies with your information, there’s no stopping an interception of this data as it is being sent to the server. There is also no prevention of it being stolen from the server as there weren’t any particular extra security encryption measures being taken to secure these sensitive images.
Remember when Air Canada went through a big security hijacking which exposed the private information of 20 thousand Air Canada travelers? You didn’t pay attention when that news came out? Well, guess what, you really should now. Air Canada has already been subject to such a large-scale security breach. This only goes to show that the data that is being recorded from your cellphone can be put out for malintent and you can face theft, identity fraud, and more. Air Canada is still particularly clumsy about how they collect data for feedback or advertising purposes. The App Analyst came out with a report on the faults of the Air Canada Application which actually sparked Tech Crunch’s investigation into the app and more.
Aside from these applications which have been caught in a detailed investigation by Tech Crunch, numerous other applications are suspected of doing the same. Session replaying is a very common practice and just as these applications didn’t disclose a hint of it in any of their license agreements or privacy policies, we can’t expect that other applications that use it must have either.
We can’t end our use of technology from the fear of having our information recorded but these applications violating our privacy should be held accountable and our internet privacy standards should be maintained. Tech Crunch’s investigation report serves as a detailed first account report on the matter and we hope that security and law firms will take this up to ensure that applications abide by privacy requirements.