Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.
You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.
Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.
Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play it back to see how users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.
Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”
The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.
We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.
Not every app was leaking masked data; none of the apps we examined said they were recording a user’s screen — let alone sending them back to each company or directly to Glassbox’s cloud.
That could be a problem if any one of Glassbox’s customers isn’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.
The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.
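An added example, not from the original article or from any vendor named in it: a check an app team could run over its own app's proxy capture, exported as a HAR file, to flag request bodies that carry unmasked email addresses or card numbers and to show which host received them. The host names, payloads and the `find_unmasked` helper are constructed for illustration, and the scan assumes text request bodies; replay data sent as screenshot images would need separate review.

```python
import json
import re
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate runs, confirmed by Luhn

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_unmasked(har):
    """Return (host, kind, redacted value) for each cleartext hit in a request body."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname
        body = (req.get("postData") or {}).get("text", "")
        for m in EMAIL_RE.finditer(body):
            hits.append((host, "email", m.group()[:2] + "***"))
        for m in CARD_RE.finditer(body):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                # Report only the last four digits so the audit log stays clean.
                hits.append((host, "card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def _entry(url, payload):
    return {"request": {"method": "POST", "url": url,
                        "postData": {"mimeType": "application/json",
                                     "text": json.dumps(payload)}}}

# Constructed sample capture; hosts and payloads are hypothetical.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://replay.vendor.example/v1/events",
           {"field": "cardNumber", "value": "4111 1111 1111 1111"}),   # unmasked
    _entry("https://telemetry.app.example/replay",
           {"field": "email", "value": "jane.doe@example.org"}),       # unmasked
    _entry("https://replay.vendor.example/v1/events",
           {"field": "cardNumber", "value": "**** **** **** 1111",
            "session": "1234567890123456"}),                           # masked; id fails Luhn
]}}

if __name__ == "__main__":
    for host, kind, value in find_unmasked(SAMPLE_HAR):
        print(f"{host}: unmasked {kind} {value}")
```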
Without analyzing the data for each app, it’s impossible to know whether an app is recording your screen as you use it. We didn’t even find it in the small print of their privacy policies.
We asked all of the companies to point us to exactly where in their privacy policies they permit each app to capture what a user does on their phone.
“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.
“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.
Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.
It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.
But the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.
Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
Former MoviePass execs are being sued by the SEC for lying to customers • TechCrunch
Ahead of the official relaunch of subscription-based movie ticketing service MoviePass, the Securities and Exchange Commission (SEC) filed a complaint against three of its former executives, claiming they lied to investors and the public.
The SEC filing targeted former MoviePass CEO Mitch Lowe and Ted Farnsworth, the former CEO of parent company Helios and Matheson Analytics (HMNY), claiming they lied about how it planned to be profitable and used “fraudulent tactics to prevent MoviePass’s heavy users from using the [unlimited subscription service],” the SEC wrote.
When under the rule of Lowe and Farnsworth, MoviePass promised users a $9.95 per month subscription that would give them an unlimited number of 2D movie tickets. However, MoviePass quickly kissed “unlimited” goodbye, ending the service that was likely losing a lot of money. The company filed for bankruptcy in 2020.
Last year, Farnsworth and Lowe settled with the Federal Trade Commission after MoviePass was accused of preventing users from using the subscription service they were paying for.
The original founder and owner of MoviePass, Stacy Spikes, hopefully won’t repeat the mistakes of its previous owners. Spikes is launching an updated version of MoviePass, which is currently beta testing in three markets: Chicago, Kansas City, and Dallas. However, there will be no such thing as unlimited viewing, and instead MoviePass will have three subscription price tiers with set limits ranging from $10, $20, and $30 per month.
Netflix shares trailer for Spotify series ‘The Playlist’ • TechCrunch
Netflix released the official trailer for “The Playlist” today, an upcoming limited series that loosely tells the story of how Spotify was created. The six-episode show will premiere on October 13.
“The Playlist” will center around Spotify founder and CEO Daniel Ek, played by “Vikings” star Edvin Endre, and how the company became one of the top music streaming services.
The show will also feature other Spotify employees, such as Petra Hansson (played by Gizem Erdogan), Andreas Ehn (played by Joel Lützow), and Spotify co-founder Martin Lorentzon (played by Christian Hillborg).
However, it’s important to note that the show is “fictionalized,” Netflix writes in the caption, and is based on 6 “untold stories.”
There are many fictionalized movies and shows about big tech companies. For instance, Apple TV+ has a drama series “WeCrashed” based on WeWork; Showtime released “Super Pumped: The Battle for Uber” starring Joseph Gordon-Levitt, Hulu’s “The Dropout” is based on the health tech company Theranos, and no one can forget the 2010 Facebook movie “The Social Network.”
Spotify launched in 2006 as a small Swedish start-up and was a response to the growing piracy problem in the music industry. Now, the music streaming service has 433 million monthly active users.
AmazeVR wants to scale its virtual concert platform with $17M funding • TechCrunch
AmazeVR, a Los Angeles-based virtual concert platform, said Tuesday it has raised a $17 million funding round to create immersive music experiences through virtual reality (VR) concerts.
Like other industries, the entertainment sector was affected by the coronavirus lockdown. Many music artists had to cancel or push back their live events during the pandemic. Some artists and music agencies have shifted to virtual or online concerts to compensate for those canceled events. AmazeVR is betting that virtual shows, which have become popular among artists and fans since the pandemic, are going to take over the entertainment industry.
Mirae Asset Capital led the Series B round along with returning backers, including another Mirae Asset Financial Group subsidiary (Mirae Asset Venture Investment), CJ Investment, Smilegate Investment, GS Futures and LG Technology Ventures. New strategic investors — Korean entertainment giant CJ ENM and mobile game maker Krafton — participated in the latest round.
“The virtual reality entertainment industry is growing rapidly, and we believe that music and gaming are two of the most promising sectors for future development,” said a spokesperson at CJ ENM.
AmazeVR co-CEO Steve Lee said that his startup plans to use the financing to expand partnerships with artists and their management agencies, labels and publishers. He added that it is currently in talks with potential partners to work with top artists in the U.S.
The startup is preparing virtual concerts and a music metaverse service that would be available across all major VR app stores and work with next-generation headsets such as the Meta Quest Pro and Apple’s own rumored VR headset, Lee continued.
The Series B funding round comes in the wake of the startup’s joint venture announcement with K-pop agency SM Entertainment in July. Both companies plan to launch Studio A in South Korea and produce immersive VR concerts.
“We’re also preparing to produce virtual concerts with SM Entertainment artists and expand to other K-pop companies in South Korea,” Lee said. “We plan to hire more artificial intelligence engineers, [Epic Game’s] Unreal Engine engineers, and visual effects (VFX) artists” to continue the advancement of its technology and the development of premier virtual concerts.
The company’s goal is also to broaden content diversity in order to bring more VR concert fans around the world.
The AmazeVR team traveled to 15 U.S. cities this summer for its first commercial virtual concert, Enter Thee Hottieverse, a tour with rap icon Megan Thee Stallion through AMC Theaters. Lee told TechCrunch that the company had about 75% attendance rates for its concerts, about 4.3 times the average theater occupancy rate estimated at 15%-20%. The ticket prices were $20-$25, ~2.5 times more expensive than the average movie theater ticket price (~$9.17).
“CJ ENM plans to convert concerts and music TV shows to VR music experiences with AmazeVR’s prime technology, and additional original content such as dramas and movies in the future to maximize their content value and business opportunities,” the spokesperson of CJ ENM said.
The last time TechCrunch covered AmazeVR was earlier this year when it secured $15 million. Its Series B round brings the startup’s total amount raised to approximately $47.8 million. The Los Angeles-headquartered startup with offices in Seoul now has 62 members on its team.