Many popular iPhone apps secretly record your screen without asking – TechCrunch

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allow developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play it back to see how users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data, but none of the apps we examined disclosed that they were recording a user’s screen, let alone that the recordings were sent back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers isn’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.
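As an added example (not from the article, the researcher or Glassbox), the kind of check an app team could run over its own intercepted session-replay upload, in the spirit of the proxy inspection described above: it flags Luhn-valid card numbers and e-mail addresses that survived masking. The event shape and field names are constructed for illustration, not any vendor’s real wire format.

```python
import re

# Constructed sample of session-replay events in a hypothetical JSON-like
# shape; this is NOT Glassbox's real wire format. Event 0 is correctly
# masked, event 1 is the same field with masking that "didn't stick".
SAMPLE_EVENTS = [
    {"event": "input", "field": "card_number", "value": "**** **** **** 1111"},
    {"event": "input", "field": "card_number", "value": "4111 1111 1111 1111"},
    {"event": "tap", "screen": "checkout", "text": "Pay now"},
    {"event": "input", "field": "email", "value": "jane.doe@example.com"},
]

# 13-19 digits, optionally separated by spaces or dashes (typical PAN layout).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_unmasked(events):
    """Return one finding per string value that still carries sensitive data.

    Each finding records the event index, the key, the kind of data and a
    short hint (last four card digits or the mail domain), never the value.
    """
    findings = []
    for idx, event in enumerate(events):
        for key, value in event.items():
            if not isinstance(value, str):
                continue
            for match in CARD_RE.finditer(value):
                digits = re.sub(r"\D", "", match.group())
                if luhn_valid(digits):
                    findings.append({"index": idx, "key": key, "kind": "card",
                                     "hint": "****" + digits[-4:]})
            mail = EMAIL_RE.search(value)
            if mail:
                findings.append({"index": idx, "key": key, "kind": "email",
                                 "hint": "*@" + mail.group().split("@")[1]})
    return findings


if __name__ == "__main__":
    for f in find_unmasked(SAMPLE_EVENTS):
        print(f"event {f['index']} {f['key']!r}: unmasked {f['kind']} ({f['hint']})")
```

Run against a real capture, the same logic would be pointed at the decoded request bodies exported from the proxy rather than the inline sample.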

Without analyzing the data for each app, it’s impossible to know if an app is recording a user’s screen to capture how you’re using the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either.

We asked all of the companies to point us to exactly where in their privacy policies they permit each app to capture what a user does on their phone.

Only Abercrombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointed to Abercrombie’s privacy policy, which makes no mention of session replays; neither does its sister brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said. Where the system keyboard covers part of the native app, for example, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


TikTok introduces a strike system for violations, tests a feature to “refresh” the For You feed • TechCrunch

TikTok today is announcing several changes to its service, including what it claims will be increased enforcement against bad actors as well as tests of new user-facing tools that will force a refresh of the app’s main algorithmic feed, known as the For You feed. The company said the changes are focused on keeping the platform both safe and entertaining for its users and creators alike.

While all major social media companies have content guidelines, their enforcement varies. As is often the case, people who violate the rules and are subject to takedowns of their content or bans, don’t always learn from their mistakes — they just become repeat violators. Today, TikTok’s enforcement system includes a variety of penalties, like temporary bans on posting or commenting, designed to reduce harmful content on the platform.

However, as TikTok’s Global Head of Product Policy, Julie de Bailliencourt, admits in an announcement, creators complain that the current system can be confusing to navigate — especially if they don’t typically break TikTok’s rules or have unknowingly violated policy, and aren’t sure why they’ve been penalized. What’s more, this system is not efficient at deterring repeat violators, the exec explained.

“Repeat violators tend to follow a pattern – our analysis has found that almost 90% violate using the same feature consistently, and over 75% violate the same policy category repeatedly,” de Bailliencourt wrote.

As a result, TikTok will move instead to a strike system, similar to YouTube’s. In all but the most severe cases, creators will accrue strikes as their content is removed. If they then reach a threshold of strikes within either a product feature (like comments or TikTok LIVE) or a policy (like bullying or harassment), they will be permanently banned. The company said the threshold will vary depending on the violation and its potential to harm community members. It said, for instance, there may be a lower threshold for violating hateful content policies than there would be for posting low-harm spam.

TikTok will still issue permanent bans for severe violations, like videos that are “promoting or threatening violence, showing or facilitating child sexual abuse material (CSAM), or showing real-world violence or torture,” the post said.

The accumulated strikes will expire from an account’s record after 90 days, but accounts that “accrue a high number of cumulative strikes across policies and features” will be permanently banned. TikTok did not detail what a “high number” would be, nor did it share more information about what the thresholds are in the various areas. That could potentially cause more confusion among creators as they try to reverse engineer the system based on which accounts received strikes and why.

Creators will soon be able to track their own strikes and their account’s standing in the app, TikTok said, through an update to the Safety Center for creators. Here, they can view their own status and the status of the reports they’ve made on other videos or accounts. They’ll also be able to appeal strikes from this Safety Center if they feel they were given out in error. If the creator is close to a permanent ban, TikTok will notify them.

Related to this, the company said it will also begin to test a new feature in select markets that will inform creators which videos of theirs have been marked as ineligible for recommendation to users’ For You feeds, and why.

For end users, however, another new test may be more interesting.

Soon, TikTok will allow some users to tap a new “Refresh” button to receive an updated set of For You feed recommendations. Though TikTok’s feed is highly personalized and fairly addictive, many complain the content becomes stale as it doesn’t add enough variety after some time. With the new refresh button, which will be available in account settings, users will be able to force the app to bring “new, diversified content not based on previous activity or interactions” to their For You feed.

After hitting the button, users will then begin to see content that’s based on their new interactions, a TikTok spokesperson told TechCrunch. In addition to providing a refreshed feed, the company noted that the feature could serve as a way to support potentially vulnerable users who want to distance themselves from their current content experience.

The changes to TikTok’s policies and product come on the heels of increased concern over the app’s ties to China and the risks it poses. Across the U.S., TikTok has been banned on government devices after executive orders from governors prohibited the app. Several universities have banned the app on their Wi-Fi networks as well. And the Biden administration banned TikTok from government devices in a bill signed at the end of December. In response, TikTok has been taking meetings with officials, think tanks, and public interest groups in Washington, The New York Times reported, and this week invited media to tour its Transparency and Accountability Center in L.A.

Amid the increasing calls for a nationwide ban in the U.S., TikTok has been working to convince the public of its platform safety and rolling out new transparency tools that inform users why videos were recommended or allow them to filter out specific content. However, with every new announcement, there comes a bit of bad press, too. For instance, it was revealed last month the company had a secret heating button to make videos go viral, and just before that, Forbes reported TikTok had spied on its journalists. These reveals have tarnished the company’s image further at a time when it’s trying to increase trust.

TikTok says the refresh button will roll out in the “coming days” while the policy update is currently rolling out globally and users will be notified as it’s available to them.

Roblox to host a free virtual Super Bowl concert featuring Saweetie • TechCrunch

Hip-hop artist Saweetie is performing exclusively in Roblox for the NFL’s Super Bowl LVII pregame on February 10, the National Football League announced today.

The virtual concert will take place at 7:00 pm ET in Warner Music Group’s Rhythm City, a new destination on Roblox that was announced earlier this week. Rhythm City is set to launch on February 4 and offers mini-games and social roleplaying experiences like becoming a musician and owning a house and car.

The NFL claims that Saweetie will give a “family-friendly,” fully motion-captured performance and sing her hit songs like “Tap-In.” The concert will re-air every hour until Sunday, February 12.

Fans that virtually attend the Saweetie Super Bowl Concert can also get digital items on the Roblox marketplace or win items by finishing challenges. The digital collection includes wearable hairstyles, hats, boots, headphones, and sweatsuits, which are based on Saweetie’s merchandise and her album looks.

“I’m really excited to bring this iconic moment to the metaverse and share my music with a whole new audience in such a unique way! As an artist, innovator, and football fan, to be able to perform during Super Bowl LVII weekend in this new world – Rhythm City on Roblox – is something I never imagined that I would be involved in. I am very grateful and happy about this opportunity,” Saweetie said in a statement.

Image Credits: Roblox/NFL

The NFL is also launching Super NFL Tycoon within Roblox. The metaverse experience allows users to pretend that they’re NFL team owners, draft a team, and build a stadium. Super NFL Tycoon will launch on February 4 to coincide with the virtual Super Bowl concert. Users can move between Super NFL Tycoon and Rhythm City through a designated portal.

Interestingly, the experience, which is presented by the global financial technology platform Intuit, is also an attempt to teach younger users “important financial concepts in a fun and engaging manner,” said Lara Balazs, Intuit’s Chief Marketing Officer and General Manager of Strategic Partner Group. So, while users fantasize about owning an NFL team, they can also learn how to manage cash flow, payroll, taxes, and customer acquisition (because that’s supposed to be fun somehow).

The concert, Super NFL Tycoon, and Rhythm City are also developed in partnership with Gamefam, a gaming company across metaverse platforms.

“Bringing a cultural moment like the Super Bowl to the metaverse with such innovative partners marks a shift in how brands are coming together to create the next generation of metaverse gaming experiences,” said Ricardo Briceno, Chief Business Officer of Gamefam.

This is the second year in a row that the NFL and Roblox are offering the NFL Tycoon experience. For the 2022 Super Bowl, Roblox users could attend an interactive event called “Destruction House,” inspired by the Super Bowl LVI commercial. Also, in 2021, Roblox launched a virtual NFL storefront, giving users NFL-themed digital items to dress up their Roblox avatars.

The NFL’s foray into the metaverse points to how the league is trying to cater to a younger demographic.

“Working with Roblox has enabled us to create interactive shared experiences and with the virtual concert and Super NFL Tycoon, we will unlock deeper fan engagement,” said Ed Kiang, VP of Video Gaming at the NFL.

Roblox reported that its third quarter saw the fastest year-over-year growth in daily active users that range from 17 to 24 years old, which saw an increase of 41%. Roblox’s daily active users that are older than 13 years old grew by 34% year-over-year and accounted for 54% of all daily active users.

The streaming rights deal with Amazon has proven to attract a younger audience for the NFL. Amazon reported that Thursday Night Football (TNF) on Prime Video delivered an audience eight years younger than last year’s average TNF audience. The NFL also recently struck a deal with YouTube for the Sunday Ticket.

Super Bowl LVII will take place next Sunday, February 12, with the Kansas City Chiefs playing against the Philadelphia Eagles.

In September, Apple Music announced it is the official sponsor of the Super Bowl Halftime Show.

Netflix to include more EVs in its TV shows and movies as part of new partnership with GM • TechCrunch

Netflix and General Motors announced today that the streaming service will join the automaker’s “Everybody In” campaign that aims to accelerate mass adoption of electric vehicles. As part of the partnership, Netflix says it will increase the presence of EVs in Netflix-produced shows and films, where relevant over the course of the next year, while also taking steps to enable more sustainable productions.

To kick off the new alliance, the two companies will air a new commercial during the Super Bowl on February 12 that will see Will Ferrell enter the world of some of Netflix’s popular shows and films, including “Army of the Dead” and “Squid Game,” in various GM EVs.

The automaker’s EVs will also be seen in select Netflix shows and films, including “Love Is Blind,” “Queer Eye” and “Unstable,” which will feature the Chevrolet Bolt EUV, GMC HUMMER EV Pickup and Cadillac LYRIQ, respectively.

A spokesperson for GM told TechCrunch that the company is not paying Netflix for placement of its vehicles in the streaming service’s content. While GM is a partner on Netflix’s ad-supported tier, the company said that the strategic alliance between the two companies is separate from any advertising deal. The goal of the alliance is to expose people to EVs in a natural way.

GM says the two companies don’t have an end date in mind for the alliance, and that the automaker is looking forward to working with Netflix as it builds up its advertising business. As for the Super Bowl ad, GM says it’s unclear if the two will partner on another similar ad in the future.

The automaker says it will educate show runners about EVs so that they can find a way to integrate them naturally into storylines in a way that doesn’t make them feel out of place when they appear in TV shows and movies.

Netflix has been incorporating EVs into the TV shows and movies that it produces over the past year. The streaming service included EVs from Hyundai and Audi in its content, along with EVs from GM, as well. Now, Netflix will have access to even more EVs as part of its new alliance with GM.

“Entertainment has a huge impact on culture. We want to make EVs famous on streaming, small and silver screens to build an EV culture through storytelling that incorporates the experiences of driving and owning an EV,” said GM Global Chief Marketing Officer Deborah Wahl in a press release. “Netflix is a great partner because of the company’s compelling storytelling, commitment to sustainability and track record of sparking conversations that shape cultural trends. We are united in creating a better, more sustainable future for our world as we bring everybody in on EVs.”

Netflix says it’s also planning to become more sustainable behind the camera within its productions by optimizing energy use, then electrifying it, and decarbonizing the rest.
