Nothing is quite as unnerving as learning that the things we do on our phones aren’t private—even if we are regularly reminded that nothing is really sacred. On Wednesday, a TechCrunch investigation revealed that apps using analytics companies called Glassbox are not only recording the minutiae of how you use those apps, but also potentially jeopardizing sensitive data in the process.
TechCrunch reported that several popular iOS apps including Hotels.com, Expedia, and Abercrombie & Fitch are surreptitiously collecting information about exactly what users are doing using Glassbox’s “session replay” technology. This allows developers scour for potential issues users are experiencing in-app by recording what the user is doing on a granular level, TechCrunch wrote, but it also puts user information at risk of being obtained by bad actors if sensitive information contained in session replays isn’t effectively masked.
The issue was flagged by a researcher known as the App Analyst, who reported that screenshots taken by Air Canada—which uses Glassbox for analytics—were capturing passwords and other sensitive user information while failing to properly redact the data. TechCrunch worked with the App Analyst on auditing the apps of some of Glassbox’s known clients, and the findings weren’t very reassuring:
Not every app was leaking masked data; none of the apps we examined said they were recording a user’s screen — let alone sending them back to each company or directly to Glassbox’s cloud.
That could be a problem if any one of Glassbox’s customers aren’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.
As the App Analyst noted in his write-up of the Air Canada mobile app, it does attempt use black boxes to conceal sensitive user information, meaning it “implicitly acknowledges that various fields within their app will contain sensitive data and that this data should not be captured in screenshots.” But those systems sometimes failed, and passwords, payment, and other information were captured in screen recordings. If those screenshots were stored, it could be a serious security issue.
As 9to5Mac noted, services like Glassbox have been around for a while, but Apple has yet to bring down the hammer; other companies that provide similar services named by TechCrunch included UXCam and Appsee. While they may provide a useful service to app makers by helping fine-tune their products, it isn’t a great look that those apps aren’t disclosing to their users that they’re snapping screenshots of their every move.
Update 2/7/19 11:00 a.m. ET: Reached for comment by email, Glassbox told Gizmodo in a statement:
“Glassbox customers use our solution to capture data in order to improve their respective online customer experiences and protect their customers from a compliance perspective. The data collected by Glassbox customers is only captured via their apps, and is neither shared with any third parties, nor enriched through other external sources.” Glassbox added that it “restrict[s] access to recorded data to authorized users.”
Additionally, the company said that “captured data via our solution is highly secured, encrypted, and solely belongs to the customers we support.” Asked about findings by the App Analyst and TechCrunch that masking systems were failing in some cases, the company pointed the finger at its clients by claiming that the masking configuration “isn’t properly done” and that it “has the ability to mask everything.”