Pages Navigation Menu

The blog of DataDiggers

Categories Navigation Menu

Apple tells app developers to disclose or remove screen recording code

Posted by on Feb 7, 2019 in app developer, app developers, app-store, apple inc, Apps, E-Commerce, Google Play, iOS, iPhone, iTunes, mobile app, online marketplaces, operating systems, Privacy, Security, Smartphones, Software | 0 comments

Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm.

In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added.

It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity.

Even though sensitive data is supposed to be masked, some data — like passport numbers and credit card numbers — was leaking.

Glassbox is a cross-platform analytics tool that specializes in session replay technology. It allows companies to integrate its screen recording technology into their apps to replay how a user interacts with the apps. Glassbox says it provides the technology, among many reasons, to help reduce app error rates. But the company “doesn’t enforce its customers” to mention that they use Glassbox’s screen recording tools in their privacy policies.

But Apple expressly forbids apps that covertly collect data without a user’s permission.

TechCrunch began hearing on Thursday that app developers had already been notified that their apps had fallen afoul of Apple’s rules. One app developer was told by Apple to remove code that recorded app activities, citing the company’s app store guidelines.

“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” Apple said in the email.

Apple gave the developer less than a day to remove the code and resubmit their app or the app would be removed from the app store, the email said.

When asked if Glassbox was aware of the app store removals, a spokesperson for Glassbox said that “the communication with Apple is through our customers.”

Glassbox is also available to Android app developers. Google did not immediately comment if it would also ban the screen recording code. Google Play also expressly prohibits apps from secretly collecting device usage. “Apps must not hide or cloak tracking behavior or attempt to mislead users about such functionality,” the developer rules state. We’ll update if and when we hear back.

It’s the latest privacy debacle that has forced Apple to wade in to protect its customers after apps were caught misbehaving.

Last week, TechCrunch reported that Apple banned Facebook’s “research” app that the social media giant paid teenagers to collect all of their data.

It followed another investigation by TechCrunch that revealed Facebook misused its Apple-issued enterprise developer certificate to build and provide apps for consumers outside Apple’s App Store. Apple temporarily revoked Facebook’s enterprise developer certificate, knocking all of the company’s internal iOS apps offline for close to a day.


Source: The Tech Crunch

Read More

Many popular iPhone apps secretly record your screen without asking

Posted by on Feb 6, 2019 in analyst, app-store, apple inc, Banking, iOS, iPhone, iTunes, Mobile, mobile app, mobile software, operating systems, Privacy, Security, Smartphones, terms of service, travel sites | 0 comments

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data; none of the apps we examined said they were recording a user’s screen — let alone sending them back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers aren’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

Without analyzing the data for each app, it’s impossible to know if an app is recording a user’s screens of how you’re using the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either.

We asked all of the companies to point us to exactly where in its privacy policies it permits each app to capture what a user does on their phone.

Only Abercombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointing to Abercrombie’s privacy policy makes no mention of session replays, neither does its sister-brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t enforce its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But for the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


Source: The Tech Crunch

Read More

Equifax, Western Union, Priceline settle with New York attorney general over insecure mobile apps

Posted by on Dec 18, 2018 in Bank, Banking, computer security, computing, credit scoring, E-Commerce, mobile app, New York, Priceline, Security, wi-fi | 0 comments

New York’s attorney general has settled with five tech and financial giants, requiring each company to implement basic security on their mobile apps.

The settlements force Credit Sesame, Equifax (yes, that Equifax), Priceline, Spark Networks and Western Union to ensure data sent between the app and their servers are encrypted. Specifically, the attorney general said their apps “could have allowed sensitive information entered by users — such as passwords, social security numbers, credit card numbers, and bank account numbers — to be intercepted by eavesdroppers employing simple and well-publicized techniques.”

In other words, their mobile apps “all failed” to properly roll out and implement HTTPS, one of the barest minimum security measures in any modern app’s security.

HTTPS certificates (also known as SSL/TLS certificates) encrypt data between a device, like your phone or computer, and a website or app server, ensuring any sensitive data, like credit card numbers or passwords, can’t be intercepted as it travels over the internet — whether that’s someone on the same coffee shop Wi-Fi network or your nearest federal intelligence agency.

These certificates are more common than ever, not least because when they’re not incredibly cheap, they’re completely free — and most modern browsers these days will bluntly tell you when a website is “not secure.” Apps are no different, but without a green padlock in your browser window, there’s often very little to know for sure on the face of it that your data is traversing the internet securely.

At least, with financial, banking and dating apps — you’d just assume, right? Bzzt, wrong.

“Although each company represented to users that it used reasonable security measures to protect their information, the companies failed to sufficiently test whether their mobile apps had this vulnerability,” the office of attorney general Barbara Underwood said in a statement. “Today’s settlements require each company to implement comprehensive security programs to protect user information.”

The apps were picked out after an extensive batch of app testing in an effort to find security issues before incidents happen. Underwood’s office follows in the footsteps of federal enforcement in recent years by the Federal Trade Commission, which brought action against several app makers — including Credit Karma and Fandango — for failing to properly implement HTTPS certificates.

In taking action, the attorney general gets to keep closer tabs on the companies going forward to make sure they’re not flouting their data security responsibilities.


Source: The Tech Crunch

Read More

InVision mobile app updates include studio features and desktop to mobile mirroring

Posted by on Jul 10, 2018 in Adobe, adobe systems, android, app-store, apple inc, Atlassian, ceo, clark valberg, designer, InVision, mobile app, mobile device, mobile devices, Software, TC | 0 comments

InVision, the software a service challenger to Adobe’s design dominance, has just released a new version of its mobile app for iOS and is beta-testing new features for Android users as it tries to bring additional functionality to designers on-the-go.

The new app tools feature “studio mirroring” for reviews of new designs directly on mobile devices, so that designers can see design changes to applications made on the desktop display on mobile in real time.

The mirroring feature works by scanning a QR code on a mobile device which lets users view design changes and test user experiences immediately.

The company is also bringing its Freehand support — which allows for collaborative commenting on design prototypes to tablets so teams can comment on the fly, the company said.

The tools will give InVision another arrow in its quiver as it tries to take on other design platforms (notably the 100 pound gorilla known as Adobe) and are a useful addition to a service that’s trying to woo the notoriously fickle design community with an entire toolkit.

As we wrote in May when the company launched its app store:

While collaboration is the bread and butter of InVision’s business, and the only revenue stream for the company, CEO and founder Clark Valberg feels that it isn’t enough to be complementary to the current design tool ecosystem. Which is why InVision launched Studio in late 2017, hoping to take on Adobe and Sketch head-on with its own design tool.

Studio differentiates itself by focusing on the designer’s real-life workflow, which often involves mocking up designs in one app, pulling assets from another, working on animations and transitions in another, and then stitching the whole thing together to share for collaboration across InVision Cloud. Studio aims to bring all those various services into a single product, and a critical piece of that mission is building out an app store and asset store with the services too sticky for InVision to rebuild from Scratch, such as Slack or Atlassian .


Source: The Tech Crunch

Read More