Editors' Note: Updated at 7:22 p.m. ET with Apple's warning to app makers.
A security researcher has been analyzing a tool developers can embed inside their iPhone apps that could allow them to see exactly how you use their apps. And Apple doesn't sound very pleased about the revelation.
Credit: Tom's Guide
That tool, called Glassbox, is embedded inside some popular apps, including those from Expedia, Hotels.com, Air Canada, and others. According to security researcher The App Analyst, whose work was earlier reported on by TechCrunch, Glassbox gives developers a "session replay" technology that allows them to see exactly how you used the app.
At first blush, that wouldn't necessarily be a problem, as long as all of the information in the app is masked. At that point, all they're really seeing is a map of your swiping. But according to The App Analyst and TechCrunch, in some cases, it's possible for the app developers to actually see the information you enter into a screen, including credit card information and other data.
To put the theory to the test, TechCrunch worked with The App Analyst to evaluate apps that used the Glassbox technology. The App Analyst found that in some cases, the data was masked and in some cases it wasn't. The App Analyst said that data was "mostly obfuscated."
In a subsequent TechCrunch article, Apple put out a statement noting that it requires apps to request user consent and clearly indicate when apps are recording and logging data. "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," an Apple spokesperson told TechCrunch.
Specifically, Apple has reportedly told app developers who've violated its guidelines to update their apps to either remove the tool or get user consent. The company is also threatening to remove apps from its App Store that don't comply.
The App Analyst's findings could have profound implications for privacy. While swiping data might give developers insight into how you interact with their apps, allowing those developers to see what's on your screen while you swipe is a different story entirely.
Credit: TechCrunch/The App Analyst
For its part, Glassbox isn't shy about how its app works. Indeed, the company's Twitter profile description asks you to "imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it."
TechCrunch queried companies that employ Glassbox technology inside their apps about The App Analyst's reported findings. One of them, Abercrombie, said that Glassbox is used solely to help the company "support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience."
Air Canada told TechCrunch: "Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips." The company spokesperson added, however, that the airline "does not — and cannot — capture phone screens outside of the Air Canada app."
To be clear, session replays and other similar technologies, which are available from a host of companies in addition to Glassbox, are not illegal or necessarily a bad thing. In some cases, they can be used to address bugs and generally improve an app's user experience. It's when they can access your data that things go sour.