Some of them use third-party services like Glassbox, which takes advantage of the Session Replay functionality in iOS to record your touches, swipes, and keyboard inputs, and sends them back to developers.
In some cases, these recordings did not adequately mask sensitive user data, which included passport numbers, credit cards and other data.
Air Canada, Expedia, Hotels.com, Singapore Airlines and Abercrombie & Fitch are among the companies mentioned in the probe. These sessions were recorded without users being aware and without their permission, and the recording wasn't mentioned in the apps' descriptions or policies either. They found that none of the apps tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user's app activity.
After the issue was flagged by a researcher known as the App Analyst, the folks over at TechCrunch conducted an investigation that confirmed there are iPhone apps using an analytics company called Glassbox, which, alongside collecting granular data on how the apps are used, also records screen activity without the consent of users.
One of the developers told TechCrunch that such action would include removing their app from the App Store if it isn't following the guidelines.
The App Analyst said, "This allows Air Canada employees - and anyone else capable of accessing the screenshot database - to see unencrypted credit card and password information." These aren't fake apps, but legit ones representing some of the most popular businesses in the hotel, travel, banking and airline industries, which makes this matter even more concerning. "Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?"
UPDATE: Feb. 8, 2019, 9:41 a.m. CET "Glassbox and its customers are not interested in 'spying' on consumers. Now, my personal assessment is that Apple takes this pretty seriously and I think that they will continue to, if for no other reason than to be very cynical, come down hard on app makers that do this type of thing."
According to TechCrunch, developers have already been contacted by Apple and told to remove the recording software, disclose that it's there or risk facing immediate action. Screenshots are sent back either directly to the company's servers or Glassbox's cloud.
Capturing user analytics isn't anything new; Apple itself does it. The same analyst looked at other apps for TechCrunch and found that not every app was leaking data, and that none of the apps revealed this practice to customers - not that too many people read the terms and conditions of any apps.
The idea is that by playing back user sessions, the developers can figure out if something on the app isn't working or if there was an error of any sort.
"The protection of customer data and privacy is of the utmost priority to us".