Connect with us

Mobile

Many popular iPhone apps secretly record your screen without asking – TechCrunch

Published

on

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data; none of the apps we examined said they were recording a user’s screen — let alone sending them back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers aren’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

Without analyzing the data for each app, it’s impossible to know if an app is recording a user’s screens of how you’re using the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either.

We asked all of the companies to point us to exactly where in its privacy policies it permits each app to capture what a user does on their phone.

Only Abercombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointing to Abercrombie’s privacy policy makes no mention of session replays, neither does its sister-brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t enforce its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But for the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published.

Mobile

Former MoviePass execs are being sued by the SEC for lying to customers • TechCrunch

Published

on

Ahead of the official relaunch of subscription-based movie ticketing service MoviePass, the Securities and Exchange Commission (SEC) filed a complaint against three of its former executives, claiming they lied to investors and the public.

The SEC filing targeted former MoviePass CEO Mitch Lowe and Ted Farnsworth, the former CEO of parent company Helios and Matheson Analytics (HMNY), claiming they lied about how it planned to be profitable and used “fraudulent tactics to prevent MoviePass’s heavy users from using the [unlimited subscription service],” the SEC wrote.

When under the rule of Lowe and Farnsworth, MoviePass promised users a $9.95 per month subscription that would give them an unlimited number of 2D movie tickets. However, MoviePass quickly kissed “unlimited” goodbye, ending the service that was likely losing a lot of money. The company filed for bankruptcy in 2020.

Last year, Farnsworth and Lowe settled with the Federal Trade Commission after MoviePass was accused of preventing users from using the subscription service they were paying for.

The original founder and owner of MoviePass, Stacy Spikes, hopefully won’t repeat the mistakes of its previous owners. Spikes is launching an updated version of MoviePass, which is currently beta testing in three markets: Chicago, Kansas City, and Dallas. However, there will be no such thing as unlimited viewing, and instead MoviePass will have three subscription price tiers with set limits ranging from $10, $20, and $30 per month.

Continue Reading

Mobile

Netflix shares trailer for Spotify series ‘The Playlist’ • TechCrunch

Published

on

Netflix released the official trailer for “The Playlist” today, an upcoming limited series that loosely tells the story of how Spotify was created. The six-episode show will premiere on October 13.

“The Playlist” will center around Spotify founder and CEO Daniel Ek, played by “Vikings” star Edvin Endre and how the company became one of the top music streaming services.

The show will also feature other Spotify employees, such as Petra Hansson (played by Gizem Erdogan), Andreas Ehn (played by Joel Lützow), and Christian Hillborg will play the co-founder of Spotify, Martin Lorentzon.

However, it’s important to note that the show is “fictionalized,” Netflix writes in the caption, and is based on 6 “untold stories.”

There are many fictionalized movies and shows about big tech companies. For instance, Apple TV+ has a drama series “WeCrashed” based on WeWork; Showtime released “Super Pumped: The Battle for Uber” starring Joseph Gordon-Levitt, Hulu’s “The Dropout” is based on the health tech company Theranos, and no one can forget the 2010 Facebook movie “The Social Network.”

Spotify launched in 2006 as a small Swedish start-up and was a response to the growing piracy problem in the music industry. Now, the music streaming service has 433 million monthly active users.

Continue Reading

Mobile

• TechCrunch AmazeVR wants to scale its virtual concert platform with $17M funding

Published

on

AmazeVR, a Los Angeles-based virtual concert platform, said Tuesday it has raised a $17 million funding round to create immersive music experiences through virtual reality (VR) concerts.

Like other industries, the entertainment sector was affected by the coronavirus lockdown. Many music artists had to cancel or push back their live events during the pandemic. Some artists and music agencies have shifted to virtual or online concerts to compensate for those canceled events. AmazeVR is betting that virtual shows, which have become popular among artists and fans since the pandemic, are going to take over the entertainment industry.

Mirae Asset Capital led the Series B round along with returning backers, including another Mirae Asset Financial Group subsidiary (Mirae Asset Venture Investment), CJ Investment, Smilegate Investment, GS Futures and LG Technology Ventures. New strategic investors — Korean entertainment giant CJ ENM and mobile game maker Krafton — participated in the latest round.

“The virtual reality entertainment industry is growing rapidly, and we believe that music and gaming are two of the most promising sectors for future development,” said a spokesperson at CJ ENM.

AmazeVR co-CEO Steve Lee said that his startup plans to use the financing to expand partnerships with artists and their management agencies, labels and publishers. He added that it is currently in talks with potential partners to work with top artists in the U.S.

The startup is preparing virtual concerts and a music metaverse service that would be available across all major VR app stores and work with next-generation headsets such as the Meta Quest Pro and Apple’s own rumored VR headset, Lee continued.

The Series B funding round comes in the wake of the startup’s joint venture announcement with K-pop agency SM Entertainment in July. Both companies plan to launch Studio A in South Korea and produce immersive VR concerts.

“We’re also preparing to produce virtual concerts with SM Entertainment artists and expand to other K-pop companies in South Korea,” Lee said. “We plan to hire more artificial intelligence engineers, [Epic Game’s] Unreal Engine engineers, and visual effects (VFX) artists” to continue the advancement of its technology and the development of premier virtual concerts.

The company’s goal is also to broaden content diversity in order to bring more VR concert fans around the world.

The AmazeVR team traveled to 15 U.S. cities this summer for its first commercial virtual concert, Enter Thee Hottieverse, a tour with rap icon Megan Thee Stallion through AMC Theaters. Lee told TechCrunch that the company had about 75% attendance rates for its concerts, about 4.3 times the average theater occupancy rate estimated at 15%-20%. The ticket prices were $20-$25, ~2.5times more expensive than the average movie theater ticket price (~$9.17).

“CJ ENM plans to convert concerts and music TV shows to VR music experiences with AmazeVR’s prime technology, and additional original content such as dramas and movies in the future to maximize their content value and business opportunities,” the spokesperson of CJ ENM said.

The last time TechCrunch covered AmazeVR was earlier this year when it secured $15 million. Its Series B round brings the startup’s total amount raised to approximately $47.8 million. The Los Angeles-headquartered startup with offices in Seoul now has 62 members on its team.

Continue Reading

Trending