TechCrunch is reporting many iPhone apps–particularly travel apps–are secretly recording your screen, without your permission, including Air Canada’s popular iOS app.
The revelations come from mobile expert, App Analyst, which found many apps deploying a “session replay” technology from customer experience analytics firm, Glassbox. Companies utilize Glassbox to record user sessions to let developers see how an app is used, to get feedback on changes and errors. The problem? Every tap and keyboard button press is recorded, sending sensitive information unencrypted to developers.
Air Canada iPhone App Found to Expose User Details in Plain View
The App Analyst has discovered the Air Canada iPhone app “wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session,” writes TechCrunch.
“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” TechCrunch was told.
Below is a video example of the Air Canada iPhone in action, showing unencrypted information in screenshots. The black boxes meant to block customer data are not used properly:
The App Analyst says “If any user feels uncomfortable with the data collected via screenshots by Air Canada they should attempt to block connections to glassbox.aircanada.ca. This should be possible through DNS settings within your home router.”
Air Canada has about 1.7 million customers registered with the Air Canada mobile app. This security lapse means if the company’s servers are compromised, screenshots can harvest tonnes of user data.
Last August, Air Canada alerted mobile users 20,000 profiles “potentially have been improperly accessed,” asking all 1.7 million users to reset their passwords.
Air Canada and Glassbox announced a partnership back in the fall of 2017, to use the latter’s analytics platform within the airline’s mobile app.
We have reached out to Air Canada for comment and will update this post when we hear back.
Update: Air Canada has been responding on social media via DMs to some customers, noting an official statement is coming soon regarding this revelation.
Air Can DM reply to ? re @iPhoneinCanada article below. Seems tacit admission AC records screen in app. While I know 1st-hand how complex tech industry is, hoped @AirCanada would have more care w/ data storage. Hope for good fix plan in official statement. https://t.co/9KwMs00WHd pic.twitter.com/9gtQ82IZP3
— Brennan (@CdnBeacon) February 7, 2019
Update Feb. 7, 2019: Air Canada emailed iPhone in Canada the following response:
Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips. This includes user information entered in, and collected on, the Air Canada mobile app. However, Air Canada does not—and cannot—capture phone screens outside of the Air Canada app.