Following revelations yesterday regarding the use of session replay tech among big-name travel apps that record iPhone users’ screens, Apple is instructing developers to either remove the code responsible or disclose it to users.
Failure to do so could lead to the offending app being forcibly removed from the App Store.
Apple’s App Store Review Guidelines prohibit this kind of activity without first gaining proper consent from a user.
“Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” an Apple spokesperson said.
“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary.”
The practice, known as session replaying, involves using a third-party company, in this case analytics firm Glassbox, to embed code in a mobile app that records user activity. The goal is supposedly to inform an app maker about certain features, interface design decisions, and other parts of the app that might be tripping users up or causing issues. And there’s no indication that Glassbox is doing anything illegal with data.
However, the issue is less with Glassbox and more with the travel and hotel companies, none of which disclose the use of this technology to users. In one case, Air Canada’s mobile app was even failing to mask sensitive user data, and mobile expert App Analyst was able to intercept that data using a pretty standard man-in-the-middle attack. Other companies that used Glassbox include Abercrombie & Fitch and its Hollister subsidiary, Expedia, Hotels.com, and Singapore Airlines. None appear to disclose session replay technology to users in their privacy policies.
Glassbox has said it takes user privacy seriously:
“TechCrunch’s piece was interesting but also misleading. Glassbox and its customers are not interested in ‘spying’ on consumers,” the company said. “Our goals are to improve online customer experiences and to protect consumers from a compliance perspective. Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on web sites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling.
“We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded — just as contact centers inform users that their calls are being recorded.”
Glassbox told TechCrunch it doesn’t require that its customers disclose the use of its technology to users. But given Apple’s recent crackdown on Google and Facebook’s misuse of enterprise app certificates, it seems that Apple is more than willing to punish those found abusing its platforms.