iOS app developers have been capturing how users interact with screens without gaining user consent.
This article originally appeared on ZDNet.
Apple plans to crack down on iOS apps that use so-called 'session replay', a technology that helps developers understand how people use an app, but also lets the developer see a replay of every tap and swipe users make on their iPhones.
An investigation by TechCrunch identified a number of popular apps from well-known brands that use third-party session replay analytics tools, including Abercrombie & Fitch, Expedia, Hotels.com, and Singapore Airlines.
The technology, which is also used to analyze user actions on websites, poses a security and privacy risk if it doesn't properly avoid capturing sensitive input fields in an app or site, such as payment and login pages.
The problem for Apple, following its crackdown on Facebook and Google apps last week, is that developers have once again been caught flouting its policies.
"2.5.14: Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. This includes any use of the device camera, microphone, or other user inputs," Apple's App Store guidelines state.
The apps called out for using session replay did not gain consent from iOS users.
Apple has now said it is informing developers of their violation and has given them one day to remove the tracking capability.
"We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," an Apple spokesperson said in a statement to TechCrunch.
The findings follow a report by The App Analyst that looked into Air Canada's use of Glassbox Digital analytics software in its mobile app. The airline in August disclosed a data breach affecting 20,000 users of its mobile app.
The App Analyst found that black boxes used to cover sensitive fields for inputting credit card details, passwords and users' billing addresses didn't always hide them. For example, the black boxes were effective when an already-registered user logged in, but not during the initial registration process.
The same problem is likely to affect users who've installed apps from Google Play, since Glassbox's screen-replay technology is also available for Android.
In a statement, Glassbox told MacRumors that neither it nor its customers are interested in spying on consumers, that consumers are aware their data is being recorded, and that no data collected by Glassbox customers is shared with third parties.
"Our goals are to improve online customer experiences and to protect consumers from a compliance perspective," the company said.