Following a report detailing the use of so-called "session replay" technology, Apple is informing developers that they need to disclose the implementation of analytics tools that enable screen recording or face a ban from the App Store.
On Wednesday, a report from TechCrunch revealed a handful of popular iOS apps are paying data analytics services like Glassbox for access to session replay technology that allows them to record and play back user interactions. These tools, which are embedded in native apps for troubleshooting and evaluation purposes, are often employed without first asking express permission from consumers.
"Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," an Apple spokesperson told TechCrunch on Thursday. "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary."
Apple is informing offenders that their apps will be removed from the App Store if the monitoring code is not removed. One unnamed developer was given less than a day to strip the recording tool from its app, according to an email reviewed by TechCrunch.
"Your app uses analytics software to collect and send user or device data to a third party without the user's consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," Apple said, according to the publication.
The TechCrunch investigation discovered that a number of high-profile apps including Abercrombie & Fitch, Hollister, Hotels.com, Expedia, Air Canada and Singapore Airlines utilize Glassbox SDK, a platform that enables granular monitoring of user interactions. For example, the software can record on-screen taps, text box entries and more to provide companies a comprehensive account of user actions and software responses.
Apps found to incorporate Glassbox technology do not disclose the monitoring function in their respective privacy policies, seemingly in violation of Apple's App Store guidelines.
Though it does not require customers to inform end users that their data is being recorded, Glassbox in a statement to AppleInsider said it believes app makers should offer some form of disclosure.
"Glassbox and its customers are not interested in 'spying' on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective," the company said, adding that its platform is secure, encrypted and meets high security and data privacy standards. Further, no consumer data is shared with third parties, the company said.
Still, end users are largely unaware that their actions are being so closely observed.
Perhaps more concerning are "data leaks" that can occur as a result of poor data handling practices. Glassbox provides tools to obfuscate sensitive user data before it is sent to servers owned by a customer or by Glassbox itself, but in some cases information such as credit card numbers, email addresses or zip codes is left unmasked.
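The masking gap described above is a data-handling problem on the app side: a recording SDK can only obfuscate fields it is told about, so anything typed into an unlabelled field travels in the clear. The following added example (not Glassbox's SDK or any app's real code; the event shape, field names and sample values are all constructed for illustration) shows the two-layer approach a defender would want before any session-replay payload leaves the device: mask known sensitive fields by name, fall back to content-based masking (Luhn-validated card numbers, emails, zip codes) for everything else, and run a final audit that refuses the upload if any recognisable PII pattern survived.

```python
import re

# Constructed sample session-replay events (hypothetical shape, not a real SDK format).
# Event 5 shows the typical leak: a card number typed into a field nobody marked sensitive.
SAMPLE_EVENTS = [
    {"type": "tap", "target": "btn_checkout", "value": ""},
    {"type": "input", "target": "card_number", "value": "4111 1111 1111 1111"},
    {"type": "input", "target": "email", "value": "jane.doe@example.com"},
    {"type": "input", "target": "billing_zip", "value": "90210"},
    {"type": "input", "target": "search", "value": "hotels in lisbon"},
    {"type": "input", "target": "notes", "value": "my card is 4111 1111 1111 1111"},
]

# Field names the app itself knows carry sensitive data; masked regardless of content.
SENSITIVE_FIELDS = {"card_number", "cvv", "email", "billing_zip", "password"}

# Content patterns used as a fallback for free text. The card pattern always ends on a
# digit so the replacement never swallows a trailing space.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order or tracking numbers as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_text(text: str) -> str:
    """Content-based masking: cards keep their last four digits, emails keep the domain."""
    def _card(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a plausible PAN; leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]

    text = CARD_RE.sub(_card, text)
    text = EMAIL_RE.sub(lambda m: m.group(0)[0] + "***@" + m.group(0).split("@", 1)[1], text)
    text = ZIP_RE.sub("#####", text)
    return text


def redact_event(event: dict) -> dict:
    """Layer 1: drop values of known-sensitive fields. Layer 2: pattern-mask everything else."""
    out = dict(event)
    if event["target"] in SENSITIVE_FIELDS:
        out["value"] = "[redacted]" if event["value"] else ""
    else:
        out["value"] = mask_text(event["value"])
    return out


def find_unmasked(events: list) -> list:
    """Audit pass: list (index, kind) for every event whose value still looks like PII."""
    leaks = []
    for i, ev in enumerate(events):
        value = ev.get("value", "")
        for kind, pat in (("card", CARD_RE), ("email", EMAIL_RE), ("zip", ZIP_RE)):
            m = pat.search(value)
            if m is None:
                continue
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue
            leaks.append((i, kind))
    return leaks


def prepare_upload(events: list) -> list:
    """Redact, then refuse to ship the batch if the audit still finds recognisable PII."""
    redacted = [redact_event(e) for e in events]
    leaks = find_unmasked(redacted)
    if leaks:
        raise ValueError(f"refusing to upload: unmasked PII at {leaks}")
    return redacted


if __name__ == "__main__":
    print("leaks in raw capture:", find_unmasked(SAMPLE_EVENTS))
    for ev in prepare_upload(SAMPLE_EVENTS):
        print(ev)
```

The audit step is the part most worth copying: name-based masking is only as good as the allowlist, and the investigation's unmasked card numbers and emails are exactly what a content-based check on the outgoing batch would have caught. The Luhn filter keeps the card pattern from blanking out unrelated long numbers, and the zip pattern will still over-match any five-digit number, which is the safer direction to err in for data that is about to leave the device.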
14 Comments
I thank Apple (and will continue to buy their products) for working to protect my, and my family's, privacy.
Kids apps are particularly insidious it seems. [Facebook! Shame!]
I don't want my life to be tracked for money in another man's pocket.
I bought a food scale with a Bluetooth connection. It was made in China and the Modern Chef app was also developed by a mainland China company. Once installed, the app goes beyond telling me the weight of food. It immediately harvests all my personal and health data from the iPhone and sends it back to the server in China in seconds. All IoT apps can do the same. The app should be pulled from the App Store immediately, users who installed it should be notified immediately, and suggestions should be offered by Apple to those affected users.
Asking for disclosure is only on paper for legal formality. Banning an app is "catch me if you can", and two versions later the developer can reinsert the analytics code again without being noticed. Once private data is leaked, it is leaked forever.
iOS 13 should fix it, or is Apple not capable of doing so?