iPhone apps like Air Canada and Expedia are secretly recording your activity and ‘replaying’ it

Many popular iPhone apps from airlines, clothing stores and travel sites may be recording your web activity without you knowing.

An investigation has revealed that this data is sent back to app developers but could inadvertently expose extremely sensitive data like credit card and passport details.

Major companies including Air Canada, Hollister and Expedia are secretly monitoring what you do in their apps.

The sensitive data is supposed to be sufficiently masked, or blacked out, to protect it from third parties but experts found that this was not always the case, putting data at risk of getting into the wrong hands.

Scroll down for video 

An investigation revealed that this data is sent back to app developers but could inadvertently expose extremely sensitive data like credit card and passport details. The sensitive data is supposed to be sufficiently masked, or blacked out, to protect it but the masking 'didn't always stick'

An investigation revealed that this data is sent back to app developers but could inadvertently expose extremely sensitive data like credit card and passport details. The sensitive data is supposed to be sufficiently masked, or blacked out, to protect it but the masking 'didn't always stick'

An investigation revealed that this data is sent back to app developers but could inadvertently expose extremely sensitive data like credit card and passport details. The sensitive data is supposed to be sufficiently masked, or blacked out, to protect it but the masking ‘didn’t always stick’

The investigation, by Zack Whittaker for TechCrunch, found several popular iPhone apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines were also involved.

The companies use Glassbox, a customer experience analytics firm, which lets developers embed ‘session replay’ technology into their apps. 

The company recently tweeted: ‘Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?’ 

App developers record the screen and play them back to see what people did in the app to see what people liked, disliked, or if an error occurred.

Major companies including Air Canada, Hollister and Expedia are secretly monitoring what you do in their apps, without your knowledge. The sensitive data is supposed to be sufficiently masked, or blacked out, to protect it but they found that this was not the case

Major companies including Air Canada, Hollister and Expedia are secretly monitoring what you do in their apps, without your knowledge. The sensitive data is supposed to be sufficiently masked, or blacked out, to protect it but they found that this was not the case

Major companies including Air Canada, Hollister and Expedia are secretly monitoring what you do in their apps, without your knowledge. The sensitive data is supposed to be sufficiently masked, or blacked out, to protect it but they found that this was not the case

This means that every tap, button push and keyboard entry is recorded,  screenshotted and sent back to the app developers. 

But some companies do not effectively mask the session replays when they send them which means that their payment information or passport, visa details can be clearly seen.

The App Analyst, a mobile expert who writes about app on his blog, found that Air Canada did not properly mask the session replays.

This may be the reason for the company’s iPhone app data breach which exposed 20,000 profiles last August.

‘This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,’ the app analyst told TechCrunch. 

The App Analyst looked at a sample of apps that Glassbox listed on its website as customers and ‘success stories’. 

Using Charles Proxy, a tool used to intercept the data sent from the app, the researcher could examine what data was being transmitted from the device.  

The companies use Glassbox, a customer experience analytics firm, which allows developers to embed 'session replay' technology into their apps

The companies use Glassbox, a customer experience analytics firm, which allows developers to embed 'session replay' technology into their apps

The companies use Glassbox, a customer experience analytics firm, which allows developers to embed ‘session replay’ technology into their apps

The company recently tweeted: 'Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?' App developers record the screen and play them back to see what people did in the app to see what people liked or disliked

The company recently tweeted: 'Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?' App developers record the screen and play them back to see what people did in the app to see what people liked or disliked

The company recently tweeted: ‘Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?’ App developers record the screen and play them back to see what people did in the app to see what people liked or disliked

The App Analyst found that some apps were not masking the data properly. They also found that none of them said they were recording the user’s activity or sending them another company’s cloud. 

‘Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,’ he said. 

Not every app was leaking masked data and companies like Expedia and Hotels.com were capturing the data but sending it back to a server on their own domain. 

The analyst said that the data was ‘mostly obfuscated,’meaning masked, but did see in some email addresses and postal codes. 

Hollister and Abercrombie & Fitch and Singapore Airlines have sent their session replays to Glassbox. 

The app analyst, a mobile expert who writes about app on his blog, found that Air Canada did not properly mask the session replays. This may be the reason for the company's iPhone app data breach which exposed 20,000 profiles last August

The app analyst, a mobile expert who writes about app on his blog, found that Air Canada did not properly mask the session replays. This may be the reason for the company's iPhone app data breach which exposed 20,000 profiles last August

The app analyst, a mobile expert who writes about app on his blog, found that Air Canada did not properly mask the session replays. This may be the reason for the company’s iPhone app data breach which exposed 20,000 profiles last August

Hollister and Abercrombie & Fitch and Singapore Airlines have sent their session replays to Glassbox. Both companies  and Singapore Airlines have sent their session replays to Glassbox

Hollister and Abercrombie & Fitch and Singapore Airlines have sent their session replays to Glassbox. Both companies  and Singapore Airlines have sent their session replays to Glassbox

Hollister and Abercrombie & Fitch and Singapore Airlines have sent their session replays to Glassbox. Both companies  and Singapore Airlines have sent their session replays to Glassbox

Apple has yet to crackdown on the use of this kind of activity.

The company have recently banned a Facebook ‘research app’ were they were found to pay people as young as thirteen to monitor their entire web activity. 

Mail Online have contacted Glassbox for comment which we did not receive at the time of publication.

The company told Techcrunch that it doesn’t enforce its customers to mention its usage in their privacy policy.

‘Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,’ the spokesperson said. 

‘When the system keyboard covers part of the native app, ‘Glassbox does not have access to it,’ they said. 

FACEBOOK FACES CLASS ACTION LAWSUIT IN WAKE OF ‘WORST EVER’ DATA BREACH

Facebook last week revealed that it had been hit by a data breach that gave hackers complete access to 50 million users’ profiles.

The firm then logged an additional 40 million users out of their accounts as a security measure, bringing the total number of users who were possibly affected to 90 million. 

It didn’t take long before the social media giant was hit with a class-action lawsuit.

Facebook has been hit with a lawsuit filed Sept. 28th in a California court on behalf of the 50 million users whose ‘PII,’ or personally identifiable information,’ was exposed as a result of the hack.

The lawsuit defines PII as names, birthdates, hometowns, addresses, locations, interests, relationships, email addresses, photos and videos – all of which is information commonly shared with Facebook.

Facebook is named in a lawsuit filed in California on behalf of the 50 million users whose ‘PII,’ or personally identifiable information,’ was exposed as a result of the hack

The plaintiffs, which are Carla Echavarria of California and Derrick Walker of Virginia, claim Facebook’s inability to safeguard user data left them vulnerable to identity theft and was an act of negligence.  

The lawsuit alleges Facebook ‘allowed hackers and other nefarious users to take over user accounts and siphon off Personal Information for unsavory and illegal purposes.’

They’re now suing for statutory damages and penalties. 

The lawsuit also seeks to represent ‘all persons who registered for Facebook accounts in the United States and whose PII was accessed, compromised, or stolen from Facebook in the September 2018 Data Breach.’

It’s likely that more plaintiffs will sign onto the class-action lawsuit in time. 

Plaintiffs say in the lawsuit that Facebook’s Cambridge Analytica scandal served as a precursor for its future ‘negligence’. 

‘[Facebook] knew its data security measures were grossly inadequate by, at the absolute latest, March 2018 when the Cambridge Analytica matter came to light, exposing Facebook’s lax and inadequate approach to data security,’ according to the court document. 

‘At that time, Facebook was on notice that its systems were extremely vulnerable to attack, facts [Facebook] already knew given its previous exposures and security problems.’ 

photo link

(Visited 30 times, 1 visits today)

Leave a Reply