Just days after TechCrunch reported that a number of popular iPhone apps are recording users’ screens without their knowledge, Apple has sent a warning to developers threatening “immediate action” if they don’t remove the software that enables them to record user activity.
Apps that don’t remove the technology or start informing users that their activity is being recorded could risk being banned from the App Store, the tech giant warned.
“App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” the company told TechCrunch.
Earlier this week, the tech website released the results of an investigation conducted with mobile security blog The App Analyst. The investigation revealed that companies including Air Canada, Hollister, Hotels.com, Abercrombie & Fitch, and Expedia are “recording every tap and swipe” that users make in their iOS apps and sending the information back to the app developers.
Use of a digital analytics tool
The apps named are able to record user activity using Glassbox, a customer experience analytics firm that allows developers to embed "session replay" technology into their apps. This enables developers to record users’ screens and play them back to glean information on how people use the app.
“Since this data is often sent back to Glassbox servers, I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” The App Analyst told TechCrunch.
In response to these findings, Apple reportedly reached out to the developers and threatened to pull the apps if they don’t cease these privacy-violating practices. Recording users’ screens or actions without informing them violates Apple’s App Store Review Guidelines, a spokesperson for the company said.
Apple gave the app developers a deadline of 24 hours to remove the code that allows them to record screen activity.
Potentially exposing sensitive data
In response to the report, Glassbox maintained that its software is intended to be used to spot potential bugs and improve overall user experience. A spokesperson for the company told Fortune that it’s not “spying on consumers.” Rather, it’s providing customers with “tools that record and analyze user activity on websites and apps.”
However, The App Analyst found that Air Canada, for example, wasn’t adequately masking sensitive information.
“While there may be value in documenting user activity through screenshots, there is also a large amount of risk that the screenshots may capture sensitive data. Air Canada has attempted to mitigate this risk by configuring black boxes to cover sensitive fields. However this attempt has failed, potentially condemning a user’s sensitive data to residing in various screenshots stored by Air Canada.”