Following a report detailing the use of so-called "session replay" technology, Apple is informing developers that they need to disclose the implementation of analytics tools that enable screen recording or face a ban from the App Store.
On Wednesday, a report from TechCrunch revealed a handful of popular iOS apps are paying data analytics services like Glassbox for access to session replay technology that allows them to record and play back user interactions. These tools, which are embedded in native apps for troubleshooting and evaluation purposes, are often employed without first asking express permission from consumers.
"Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," an Apple spokesperson told TechCrunch on Thursday. "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary."
Apple is informing offenders that their apps will be removed from the App Store if the monitoring code is not removed. One unnamed developer was given less than a day to strip the recording tool from its app, according to an email reviewed by TechCrunch.
"Your app uses analytics software to collect and send user or device data to a third party without the user's consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," Apple said, according to the publication.
The TechCrunch investigation discovered that a number of high-profile apps including Abercrombie & Fitch, Hollister, Hotels.com, Expedia, Air Canada and Singapore Airlines utilize the Glassbox SDK, a platform that enables granular monitoring of user interactions. For example, the software can record on-screen taps, text box entries and more to provide companies with a comprehensive account of user actions and software responses.
Apps found to incorporate Glassbox technology do not disclose the monitoring function in their respective privacy policies, seemingly in violation of Apple's App Store guidelines.
Though it does not require customers to inform end users that their data is being recorded, Glassbox in a statement to AppleInsider said it believes app makers should offer some form of disclosure.
"Glassbox and its customers are not interested in 'spying' on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective," the company said, adding that its platform is secure, encrypted and meets high security and data privacy standards. Further, no consumer data is shared with third parties, the company said.
Still, end users are largely unaware that their actions are being so closely observed.
Perhaps more concerning are "data leaks" that can occur as a result of poor data handling practices. Glassbox provides tools to obfuscate sensitive user data before it is sent to servers owned by a customer or Glassbox itself, but in some cases information like credit card numbers, email addresses or zip codes is left unmasked.