Air Canada’s iOS app and other travel apps secretly record your iPhone screen [Update]


Update 08/02/2019 9:57pm: Glassbox, the analytics firm that TechCrunch cites in its story, reached out to MobileSyrup with the following statement:

“TechCrunch’s piece raised valid concerns. Yet we believe it is partial and doesn’t adequately convey the many benefits for our customers and their users; or reflect the security and privacy capabilities inherent in Glassbox.

Glassbox and its customers are not interested in ‘spying’ on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective. Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on websites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling.

We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded — just as contact centers inform users that their calls are being recorded.” 

Update 08/02/2019 8:50pm: In an email to TechCrunch, an Apple spokesperson made the following statement:

“Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary.”

This statement is aimed directly at Air Canada and other hotel, airline and retail apps that secretly record the iPhone’s screen while the app is in use.

Many notable hotel, airline and retail iOS apps record users’ iPhone screens without first seeking consent, according to a recent TechCrunch investigation that cites security expert The App Analyst.

The process in question usually involves a third-party analytics gathering company that embeds its technology in the app’s code. TechCrunch’s comprehensive investigation mentions a specific analytics firm called Glassbox as being used by most travel apps for this purpose.

Glassbox’s technology records every action the user takes while navigating through an app, including any screenshots that are snapped. The report specifically mentions that Air Canada’s app, as well as other travel apps, records sensitive data, such as passport numbers, credit card information and other personal data.

In the case of Air Canada’s app, the airline also isn’t masking Glassbox’s files when they’re sent from the user’s mobile device to the analytics firm’s servers, according to TechCrunch’s report. This means that the transfer process is potentially susceptible to a man-in-the-middle style security threat.

In August of 2018, Air Canada reported that its mobile app suffered a data breach that leaked the profile information of 20,000 users, including passport numbers and other sensitive data. It’s unclear whether the use of Glassbox’s analytics tracking tool was the cause of this security breach, but it is a possibility.

TechCrunch says most of the travel apps that implement Glassbox’s technology do not disclose that they are doing so in their privacy policy. Further, the apps also don’t seek user consent regarding screen recording.

Some of the other apps mentioned in the publication’s report include Abercrombie & Fitch, Expedia, Hotels.com, Singapore Airlines and more.

Source: TechCrunch, The App Analyst