Tech Made Simple

Hot Topics: How to Fix Bluetooth Problems | Browse the Web Anonymously | Complete Guide to Facebook Privacy | How to Block Spam Calls

Top News Stories

author photo

These Popular Mobile Apps Are Secretly Tracking Everything You Do

by on February 12, 2019
in Privacy, News, Phones and Mobile, Mobile Apps, iPhone/iPad Apps, Blog :: 6 comments

The latest online privacy threat shows just how difficult it is to protect your personal information. Most of us know not to download apps from untrustworthy sources, but we probably wouldn't think twice about downloading an app from the Apple App Store, particularly if it were from a company you know.

Unfortunately, that trust may be misplaced, because apps from big brands including Abercombie & Fitch, Air Canada, Expedia, Hotels.com, and more have been quietly recording your actions. It's not for nefarious purposes: these apps use a piece of software called Glassbox to record your screen, providing developers with screenshots of their app in action. It lets app-makers see how you use the app so they can improve it and fix bugs. While that may sound like a good thing, it means developers could be collecting personal information on you.

Glassbox itself stresses that it supports users' privacy, providing developers with tools to hide personal information in screenshots. This mask hides fields that would contain personal data — like passwords, addresses, and credit card numbers — behind a black box. But while Glassbox provides these tools, developers don't always use them properly. For example, the Air Canada app blacks out your password when you log on, but not when you create an account or change your password. It also blocks out your credit card number in the first screenshot, but not in subsequent screenshots.

Even if you trust these apps to collect your personal information — after all, you're giving Air Canada your credit card number to make a purchase — providing a credit card number for payment is a different thing than letting developers see it in a screenshot. These unencrypted screenshots aren't a secure way to store private information, and they would be easy for hackers to snag them when they were uploaded to company servers. Last year hackers did get into Air Canada's mobile app data, and though the company said they didn't get any credit card data at the time, it suggests that this screenshot data may be there for the taking, too.

Not all apps collecting screenshots of your activity are as problematic as Air Canada's, but they're all harvesting your information without your permission. While some apps "inform" you of invasive data collection in convoluted privacy policies — like Google did when it let app developers access your Gmail account — these apps don't even do that. They all have a privacy policy, but none of those policies mention this kind of data collection.

That's a problem. The App Store requires apps to get explicit consent to record user data — and apps aren't supposed to record without a visual indication that they're doing it. None of these apps do, and now Apple is warning developers to remove recording features if they want their apps to remain in the App Store. It's good news for users because without Apple's intervention, we would have no way to tell if our information was being recorded or not — hopefully we can now assume that it won't be.

But the larger problem is that Glassbox isn't the only company that does this type of screen capture — and these apps may not be the only ones collecting data without notifying us. Glassbox and other services are also available on Android, so the problem probably isn't limited to Apple devices. Google's policy for Android apps is similar to Apple's policy for iOS apps: nothing should be collecting user data without notification. But because these apps made it on to Apple's App Store, there's a fair chance similar apps are on Google Play.

So is the problem fixed — or are we just starting to see the full extent of it? None of the affected apps have disappeared from the Apple App Store, and Google hasn't commented on the status of Android apps. While there's no sure way to tell if you're using an app that's recording your screen, follow smart privacy practices to keep yourself as safe as possible. Don't download unknown apps, or give apps any more personal information than they need. If you have to enter a credit card number in any of the affected apps, consider doing it from your computer instead. 

[Image credit: privacy policy on phone via BigStockPhoto]



Discussion loading

gravatar

So, what am I supposed to do?

From Jim on February 14, 2019 :: 12:49 pm

I thought this was an article on how to stop this. Don’t use apps? Is this also a problem if you are using these companies’ web sites?

Reply

gravatar

Take action?

From Michelle on February 14, 2019 :: 3:37 pm

I’m with Jim, what should we do? Don’t store CC on any app?

Reply

avatar

We are not suggesting that

From Suzanne Kantra on February 14, 2019 :: 4:12 pm

We are not suggesting that you don’t use apps. Just that you input your credit card information on your computer and then access your account via the app. Your credit card information can only be screen captured when you input it into the app. So if your credit card information is already stored in your account, there is no problem using the app.

Reply

gravatar

Account

From Lanier Gray on February 14, 2019 :: 8:22 pm

What account are you talking about?

Reply

avatar

I'm talking about any app

From Suzanne Kantra on February 15, 2019 :: 10:05 am

I’m talking about any app that requires you to set up an account AND input credit card information. If you’re just logging into your account, you’re fine. It’s just when you type in credit card information that there could be an issue.

To be on the safe side, I’d recommend any credit card information be input into your accounts on your computer or select Apple Pay, if the app supports it.

Reply

gravatar

Or use Apple Pay features with any apps, if they support it

From D on February 15, 2019 :: 1:34 am

Most phones with touch sensors or faceID have credit card support built in.  You can use apps that use the platform-stored credit card and not the app-stored credit card.

Reply

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships
Newsletter Archive
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.

site design: Juxtaprose