Following revelations yesterday regarding the use of session replay tech among big-name travel apps that record iPhone users’ screens, Apple is now telling developers to either remove the code responsible or disclose it to users, according to a new report from TechCrunch. The punishment for failing to do so could be as severe as having the offending app forcibly removed from the App Store.
Apple confirmed to the publication that its App Store Review Guidelines prohibit this kind of activity without first gaining proper consent from a user. “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” an Apple spokesperson tells TechCrunch. “We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary.”
The practice, known as session replaying, involves using a third-party company, in this case analytics firm Glassbox, to embed code in a mobile app that records user activity. The goal is ostensibly to inform an app maker about certain features, interface design decisions, and other parts of the app that might be tripping users up or causing issues. And there’s no indication that Glassbox is doing anything nefarious with the data whatsoever.
However, as TechCrunch pointed out, the issue is less with Glassbox and more with the travel and hotel companies, none of which disclose the use of this technology to users. In one case, Air Canada’s mobile app was even failing to mask sensitive user data, and mobile expert App Analyst was able to intercept that data using a pretty standard man-in-the-middle attack. Other companies that used Glassbox and were mentioned in the TechCrunch article include Abercrombie & Fitch and its Hollister subsidiary, Expedia, Hotels.com, and Singapore Airlines. None of them appear to disclose session replay technology to users in their privacy policies.
In a statement given to The Verge, Glassbox downplayed session replaying and said it takes user privacy seriously:
“TechCrunch’s piece was interesting but also misleading. Glassbox and its customers are not interested in ‘spying’ on consumers,” the company said. “Our goals are to improve online customer experiences and to protect consumers from a compliance perspective. Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on web sites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling.
We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded — just as contact centers inform users that their calls are being recorded.
Yet the problem is less with the use of Glassbox’s technology itself, which most of the companies other than Air Canada appear to have handled properly, and more with the proper disclosure of screen recording software. Notably, Glassbox told TechCrunch it doesn’t require that its customers disclose the use of its technology to users. But as we’ve seen with Apple’s recent crackdown on Google and Facebook’s misuse of enterprise app certificates, it looks like the iPhone maker is more willing than ever to take action against those abusing the App Store and iOS platform.