The latest online privacy threat shows just how difficult it is to protect your personal information. Most of us know not to download apps from untrustworthy sources, but we probably wouldn't think twice about downloading an app from the Apple App Store, particularly if it were from a company we know.
Unfortunately, that trust may be misplaced, because apps from big brands including Abercrombie & Fitch, Air Canada, Expedia, Hotels.com, and more have been quietly recording your actions. It's not for nefarious purposes: these apps use a piece of software called Glassbox to record your screen, providing developers with screenshots of their app in action. It lets app-makers see how you use the app so they can improve it and fix bugs. While that may sound like a good thing, it means developers could be collecting personal information about you.
Glassbox itself stresses that it supports users' privacy, providing developers with tools to hide personal information in screenshots. This mask hides fields that would contain personal data — like passwords, addresses, and credit card numbers — behind a black box. But while Glassbox provides these tools, developers don't always use them properly. For example, the Air Canada app blacks out your password when you log on, but not when you create an account or change your password. It also blocks out your credit card number in the first screenshot, but not in subsequent screenshots.
Even if you trust these apps to collect your personal information — after all, you're giving Air Canada your credit card number to make a purchase — providing a credit card number for payment is a different thing than letting developers see it in a screenshot. These unencrypted screenshots aren't a secure way to store private information, and it would be easy for hackers to snag them when they are uploaded to company servers. Last year hackers did get into Air Canada's mobile app data, and though the company said they didn't get any credit card data at the time, the breach suggests that this screenshot data may be there for the taking, too.
Not all apps collecting screenshots of your activity are as problematic as Air Canada's, but they're all harvesting your information without your permission. While some apps "inform" you of invasive data collection in convoluted privacy policies — like Google did when it let app developers access your Gmail account — these apps don't even do that. They all have a privacy policy, but none of those policies mention this kind of data collection.
That's a problem. The App Store requires apps to get explicit consent to record user data — and apps aren't supposed to record without a visual indication that they're doing it. None of these apps do, and now Apple is warning developers to remove recording features if they want their apps to remain in the App Store. It's good news for users because without Apple's intervention, we would have no way to tell if our information was being recorded or not — hopefully we can now assume that it won't be.
But the larger problem is that Glassbox isn't the only company that does this type of screen capture — and these apps may not be the only ones collecting data without notifying us. Glassbox and other services are also available on Android, so the problem probably isn't limited to Apple devices. Google's policy for Android apps is similar to Apple's policy for iOS apps: nothing should be collecting user data without notification. But because these apps made it onto Apple's App Store, there's a fair chance similar apps are on Google Play.
So is the problem fixed — or are we just starting to see the full extent of it? None of the affected apps have disappeared from the Apple App Store, and Google hasn't commented on the status of Android apps. While there's no sure way to tell if you're using an app that's recording your screen, follow smart privacy practices to keep yourself as safe as possible. Don't download unknown apps, or give apps any more personal information than they need. If you have to enter a credit card number in any of the affected apps, consider doing it from your computer instead.
So, what am I supposed to do?
From Jim on February 14, 2019 :: 1:49 pm
I thought this was an article on how to stop this. Don’t use apps? Is this also a problem if you are using these companies’ web sites?