iPhone snooping: Apple cracks down on apps that secretly record taps, keystrokes

iOS app developers have been capturing how users interact with screens without gaining user consent.
Written by Liam Tung, Contributing Writer

Apple plans to crack down on iOS apps that use so-called 'session replay', a technology that helps developers understand how people use an app, but also lets the developer see a replay of every tap and swipe users makes on their iPhones. 

An investigation by TechCrunch identified a number of popular apps from well-known brands that use third-party session replay analytics tools, including Abercrombie & Fitch, Expedia, Hotels.com, and Singapore Airlines.

The technology, which is also used to analyze user actions on websites, poses a security and privacy risk if it doesn't properly avoid capturing sensitive input fields in an app or site, such as payment and login pages.      

The problem for Apple, following its crackdown on Facebook and Google apps last week, is that developers have once again been caught flouting its policies. 

"2.5.14:Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. This includes any use of the device camera, microphone, or other user inputs," Apple's App Store guidelines state

The apps called out for using session replay did not gain consent from iOS users. 

Apple has now said it is informing developers of their violation and has given them one day to remove the tracking capability. 

"We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," an Apple spokesperson said in a statement to TechCrunch

SEE: Apple iOS 12: An insider's guide (free PDF)    

The findings follow a report by The App Analyst that looked into Air Canada's use of Glassbox Digital analytics software in its mobile app. The airline in August disclosed a data breach affecting 20,000 users of its mobile app. 

The App Analyst found that black boxes used to cover sensitive fields for inputting credit card details, passwords and users' billing addresses didn't always hide them. For example, the black boxes were effective when an already-registered user logged in, but not during the initial registration process.    

The same problem is likely to affect users who've installed apps from Google Play, since Glassbox's screen-replay technology is also available for Android.  

In a statement, Glassbox told MacRumors that neither it nor its customers is interested in spying on consumers. Consumers are aware their data is being recorded, and no data collected by Glassbox customers is shared with third parties.

"Our goals are to improve online customer experiences and to protect consumers from a compliance perspective," the company said. 

Previous and related coverage

iPhone Facetime eavesdrop bug: Now lawmakers demand answers from Apple

Apple accused of not being transparent about its response to the Group FaceTime eavesdropping bug.

iPhone data row: Now Apple clears Google, Facebook to run private iOS apps again

Google and Facebook have regained enterprise certificates to run internal iOS apps with employees.

iPhone FaceTime bug: Now Apple sued over eavesdrop on lawyer's client phone call

Apple sued over FaceTime eavesdropping bug and faces criticism for not responding to bug reports.

Apple apologizes for FaceTime eavesdropping bug, update coming next week

Group FaceTime calls are currently disabled for all users through the server, and a software update will arrive next week to completely fix the issue.

Apple FaceTime bug prompts investigation from NY attorney general CNET

 The probe is focused on Apple's response to the eavesdropping vulnerability.

Severe vulnerability in Apple FaceTime found by Fortnite player

The teen's mother attempted to contact Apple with no success.

Apple disables Group FaceTime function that was allowing callers to listen and view without your consent

Apple iPhone users discovered a serious FaceTime bug that lets you hear audio from another iPhone or even view live video without the recipient's knowledge.

Apple gets egg all over its FaceTime

The bug that allows people to listen in to other people's phones and even see video hits Apple where it truly hurts -- in its protestations of privacy protection.

How to disable FaceTime (so no one can eavesdrop on your iPhone or Mac) CNET

An Apple FaceTime bug can let callers hear and see you, even if you don't accept the call. Here's how to protect yourself until there's a permanent fix.

How Apple Group FaceTime could replace Google Hangouts Chat and Skype for Business TechRepublic

At WWDC, Apple announced a new feature for iOS 12 that will allow FaceTime to accommodate up to 32 people at once. This could make Apple a contender in the enterprise video conferencing realm.

Editorial standards