Following a Wednesday report from TechCrunch that popular iPhone apps are recording the in-app activity of users without their knowledge through analytics companies like Glassbox, Apple has reportedly responded by threatening “immediate action” if they don’t knock it off or inform their users that their activity is being recorded, the site reported Thursday.
In a statement to TechCrunch, a spokesperson for Apple reportedly said that failing to notify users that their screens or actions are being recorded violates its App Store Review Guidelines. The spokesperson said Apple had reached out to the developers about the breach of its terms, and an email it reportedly sent to a developer, which was obtained by TechCrunch, told them they had less than 24 hours to remove the code or their app would be pulled from its App Store.
In a statement to Gizmodo about the report, a spokesperson for Glassbox said the tool is used to weed out potential bugs or errors and improve overall user experiences. It added that “data collected by Glassbox customers is only captured via their apps, and is neither shared with any third parties, nor enriched through other external sources.” Glassbox also noted that it “restrict[s] access to recorded data to authorized users” and that it audits the individuals who do have access to that information.
But while Glassbox claims that its session replay service is used to improve user experiences, user data may be put at risk during screen recordings if clients fail to adequately mask user information, according to TechCrunch’s investigation as well as findings by mobile researcher the App Analyst. When asked by Gizmodo about those findings, the company shifted blame to its customers. While Glassbox claims it can mask “everything,” it said that its clients sometimes make “mistakes.”
Air Canada is one such Glassbox client identified by the App Analyst as failing to properly mask data, but the company’s customers also include big brands like Expedia, Hotels.com, and Abercrombie and Fitch, among others—some of which are responsible for guarding sensitive user data.
As Glassbox is a cross-platform product, it’s also available for Android. TechCrunch reported Thursday that though the recordings appear to violate Google Play’s guidelines, it wasn’t immediately clear if Google would be taking action as well. We’ve reached out to Google and will update this report if we hear back.
Update 2/8/19 6:30 p.m. ET: A spokesperson for Expedia Group provided the following comment to Gizmodo by email:
“The protection of customer data and privacy is of the utmost priority to us. We can confirm that Expedia Group brands are not actively using Glassbox services on any of our native applications for iOS or Android. On select Expedia Group brands native applications for Android, Glassbox exists from a prior proof of concept in the codebase but it has been disabled for some time and has not been actively capturing information.”
The spokesperson did not respond to further questions about how long the Glassbox tool has been disabled on its apps.