Apple prides itself on its security policies. But is its privacy up to par? The security researcher App Analyst has released new information showing that some iOS applications are able to record everything you do on your phone screen without your consent.
What’s the risk?
These applications record everything you do in them and sell the information to third-party advertisers, in order to market to you more effectively and to improve their user interface. However, some of the technical measures they use leave you vulnerable to data breaches.
Sound familiar? It reminded us of keystroke logging, or keylogging. This is when someone records the keys you type on your computer in real time. This surveillance is covert, so the victim doesn’t know they’re being recorded. This feature isn’t inherently bad. Keylogging can improve the way we use the Internet, like suggesting search engine results, and advising developers on how to improve their software so it’s easier to use.
Another way your actions can be tracked is through screen recording, or session replay technology. Glassbox Digital is a marketing company that uses this technology in its code. It effectively allows developers and marketers to see how users are interacting with their platform.
In other words, it can take a picture and send exactly what you’re doing on your screen back to the company.
For example, a few months ago 20,000 users had their passport numbers and credit card data exposed in an Air Canada leak. The Air Canada app is actually a client of Glassbox Digital. Glassbox tracks users’ screens when they’re on the application to monitor its efficacy.
It turns out the session replays weren’t properly encrypted and ended up exposing information through transparent black boxes. You can see how this went wrong in screenshots from the video App Analyst posted on YouTube.
Some applications send the collected data to Glassbox Digital’s server. Others send it directly back to their own domains. Popular retailers and booking sites that currently use Glassbox Digital to process their payments are Expedia, Singapore Airlines, Hotels.com, and Abercrombie & Fitch. Either way, as a user, you want to ensure your data is kept private.
How can I tell if they’re recording my screen?
The scary part? These applications do not disclose when they are using session replay technology on your device. Regarding the applications named above, Zack Whittaker from TechCrunch confirms, “we don’t even find it in the small print of their privacy policies.”
This goes against the security restrictions of the App Store and Google Play Store. Thanks to the App Analyst, Apple now requires App Store applications to either be transparent about session replay technology or stop using it. Google is also expected to send a similar message to applications in the Android equivalent, the Google Play Store.
Session replay will not go away. It is too central to these applications’ services. It lets developers know when something breaks and lets marketers know which features are working and which ones aren’t.
So what do I do?