
Developers must disclose screen recording analytics tools or face expulsion from App Store, Apple says

Field masking in Air Canada's iOS app is at times ephemeral. | Source: TechCrunch


Following a report detailing the use of so-called "session replay" technology, Apple is informing developers that they need to disclose the implementation of analytics tools that enable screen recording or face a ban from the App Store.

On Wednesday, a report from TechCrunch revealed a handful of popular iOS apps are paying data analytics services like Glassbox for access to session replay technology that allows them to record and play back user interactions. These tools, which are embedded in native apps for troubleshooting and evaluation purposes, are often employed without first asking express permission from consumers.

"Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," an Apple spokesperson told TechCrunch on Thursday. "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary."

Apple is informing offenders that their apps will be removed from the App Store if the monitoring code is not removed. One unnamed developer was given less than a day to strip the recording tool from its app, according to an email reviewed by TechCrunch.

"Your app uses analytics software to collect and send user or device data to a third party without the user's consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," Apple said, according to the publication.

The TechCrunch investigation discovered that a number of high-profile apps including Abercrombie & Fitch, Hollister, Hotels.com, Expedia, Air Canada and Singapore Airlines utilize Glassbox SDK, a platform that enables granular monitoring of user interactions. For example, the software can record on-screen taps, text box entries and more to provide companies a comprehensive account of user actions and software responses.

Apps found to incorporate Glassbox technology do not disclose the monitoring function in their respective privacy policies, seemingly in violation of Apple's App Store guidelines.

Though it does not require customers to inform end users that their data is being recorded, Glassbox in a statement to AppleInsider said it believes app makers should offer some form of disclosure.

"Glassbox and its customers are not interested in 'spying' on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective," the company said, adding that its platform is secure, encrypted and meets high security and data privacy standards. Further, no consumer data is shared with third parties, the company said.

Still, end users are largely unaware that their actions are being so closely observed.

Perhaps more concerning are "data leaks" that can occur as a result of poor data handling practices. Glassbox provides tools to obfuscate sensitive user data before it is sent to servers owned by a customer or Glassbox itself, but in some cases information like credit card numbers, email addresses or zip codes is left unmasked.



14 Comments

stevenoz 16 Years · 317 comments

I thank Apple (and will continue to buy their products) for working to protect my, and my family's, privacy.

Kids apps are particularly insidious it seems. [Facebook! Shame!]

I don't want my life to be tracked for money in another man's pocket.

ivanh 12 Years · 596 comments

I bought a food scale with Bluetooth connection. It was made in China and the Modern Chef app was also developed by a mainland China company. Once installed, the app goes beyond telling me the weight of food. It immediately harvests all my personal and health data from the iPhone and sends it back to the server in China in seconds. All IoT apps can do the same. The app should be pulled from the App Store immediately and installed users should be notified immediately and suggestions should be offered by Apple to those installed victims.

Asking for disclosure is only on paper for legal formality. Banning an app is “catch me if you can”, and 2 versions leap forward, the developer can reinsert the analytic codes again without being noticed. Once private data is leaked, it is leaked forever.

iOS 13 should fix it, or is Apple not capable of doing so?

dws-2 22 Years · 277 comments

stevenoz said:
I thank Apple (and will continue to buy their products) for working to protect my, and my family's, privacy.

Kids apps are particularly insidious it seems. [Facebook! Shame!]

I don't want my life to be tracked for money in another man's pocket.

Except they're not, really. When there's a big media story about something, Apple changes it, but this has been going on for a long time. It's a big company that makes no secret about what it does. Better than Android is not the same thing as protecting your privacy. Violating your privacy is the norm for both iOS and Android apps, and most of them don't get big media stories.

Side note: As a developer, replaying user actions is actually a great way to spot and fix bugs. I'm not sure it's reasonable to expect that app developers aren't going to look at your actions as you use the app. Pretty much every website does it, too.

christopher126 16 Years · 4366 comments

stevenoz said:
I thank Apple (and will continue to buy their products) for working to protect my, and my family's, privacy.

Kids apps are particularly insidious it seems. [Facebook! Shame!]

I don't want my life to be tracked for money in another man's pocket.

Well said. I don't want any apps tracking/harvesting my family for profit either, Steve. :)

I also trust Apple. I'm happy to send Apple my device(s) information to help them better resolve problems. I know they won't sell it.

But I have to say, I don't trust Apple's App Store. Am I being naive?

I've turned off, "Share With App Developers..." in my settings (Analytics) of all my devices. iOS and MacOS! :)

I only use Apple first-party apps. No third-party apps. 

I use DuckDuckGo, AppleMaps, etc. No Google apps, FaceBook apps, e.g., Instagram, WhatsApp, etc., or Twitter.

Happy Birthday, Facebook! This is pretty dense! I had to watch it a couple of times. :)

https://www.youtube.com/watch?v=GDMYgzfLi5g

tjwolf 12 Years · 423 comments

ivanh said:
I bought a food scale with Bluetooth connection. It was made in China and the Modern Chef app was also developed by a mainland China company. Once installed, the app goes beyond telling me the weight of food. It immediately harvests all my personal and health data from the iPhone and sends it back to the server in China in seconds. All IoT apps can do the same. The app should be pulled from the App Store immediately and installed users should be notified immediately and suggestions should be offered by Apple to those installed victims.

Asking for disclosure is only on paper for legal formality. Banning an app is “catch me if you can”, and 2 versions leap forward, the developer can reinsert the analytic codes again without being noticed. Once private data is leaked, it is leaked forever.

iOS 13 should fix it, or is Apple not capable of doing so?

Nonsense. Access to health and other user data is controlled by iOS, not the app - that app did not immediately harvest this data unless you gave it read permission via very clearly phrased dialog boxes. It is more nonsense to declare that all IoT apps can do the same without user permission.

Maybe you're confusing Android and iOS?