fbpx

Share:

Air Canada iOS App Secretly Records Your Screen, Doesn’t Encrypt Passwords or Credit Cards [u]

Share:

TechCrunch is reporting many iPhone apps–particularly travel apps–are secretly recording your screen, without your permission, including Air Canada’s popular iOS app.

Aircanada 2

The revelations come from mobile expert, App Analyst, which found many apps deploying a “session replay” technology from customer experience analytics firm, Glassbox. Companies utilize Glassbox to record user sessions to let developers see how an app is used, to get feedback on changes and errors. The problem? Every tap and keyboard button press is recorded, sending sensitive information unencrypted to developers.

Air Canada iPhone App Found to Expose User Details in Plain View

The App Analyst has discovered the Air Canada iPhone app “wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session,” writes TechCrunch.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” TechCrunch was told.

Below is a video example of the Air Canada iPhone in action, showing unencrypted information in screenshots. The black boxes meant to block customer data are not used properly:




The App Analyst says “If any user feels uncomfortable with the data collected via screenshots by Air Canada they should attempt to block connections to glassbox.aircanada.ca. This should be possible through DNS settings within your home router.”

Air Canada has about 1.7 million customers registered with the Air Canada mobile app. This security lapse means if the company’s servers are compromised, screenshots can harvest tonnes of user data.

Last August, Air Canada alerted mobile users 20,000 profiles “potentially have been improperly accessed,” asking all 1.7 million users to reset their passwords.

TechCrunch says “in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline.”

Air Canada and Glassbox announced a partnership back in the fall of 2017, to use the latter’s analytics platform within the airline’s mobile app.

We have reached out to Air Canada for comment and will update this post when we hear back.

Update: Air Canada has been responding on social media via DMs to some customers, noting an official statement is coming soon regarding this revelation.

Update Feb. 7, 2019: Air Canada emailed iPhone in Canada the following response:

Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips. This includes user information entered in, and collected on, the Air Canada mobile app. However, Air Canada does not—and cannot—capture phone screens outside of the Air Canada app.

All information is handled securely and in accordance with our policy (https://www.aircanada.com/ca/en/aco/home/legal/privacy-policy.html) and applicable regulations

Share: