However, many apps do not tell users that their activity is being monitored by screen-recording code. These "session replays" are created to help developers work out kinks, make informed UI decisions, and better inform them on how users are interacting with their apps in general.
TechCrunch reports that it would have to analyze all the data for each app to know for sure if an app is recording a user's screens.
The apps embed "session replay" software from a company called Glassbox, which enables developers to record the screen to see how people use the app. This technology essentially allows developers to record displays and review how users interacted with their app. Apple Again in Trouble?
The App Analyst says "If any user feels uncomfortable with the data collected via screenshots by Air Canada they should attempt to block connections to glassbox.aircanada.ca". And, these were recorded as sessions without users even being unaware and without their permission, and further wasn't mentioned in the apps' descriptions or policies for that matter.
While the software can prevent sensitive data like credit card information or passwords being recorded by blocking it out, the App Analyst found that this feature was not always successful, leading to personal information being displayed.
Masking sensitive data sometimes failed in Air Canada session replays.
In August of 2018, Air Canada reported that its mobile app suffered a data breach, resulting in the profile information of 20,000 users, including passport numbers and other sensitive data, being leaked. The session replays were potentially exposing passport numbers and credit card data in each replay session.
Android users aren't safe either; past year Gizmodo reported that some Android apps were also recording user's interactions with their apps.
While all of the companies that Techcrunch spoke to said the data they collect is in accordance with their privacy policies, none of the apps explicitly said they collected on-screen activity in this way.
Importantly, Tech Crunch noted that it's impossible to know if an app is recording your screens when you use their app. If any of Glassbox's customers are not correctly masking data, it could be problematic, The App Analyst told TechCrunch.
Among other companies, sending their "session replays" to Glassbox were Hollister and Abercrombie & Fitch, while Expedia and Hotels.com chose to send them to their own domain server. In addition, Glassbox said the data they capture is "highly secured, encrypted, and exclusively belongs to the customers" the company supports.