An investigation yesterday by TechCrunch revealed that numerous travel apps, including Air Canada's, contained secret screen recording code that monitored and took screenshots of user interactions and personal data.
The screen recording was via a tool from analytics company Glassbox, used by developers to determine if an app is functioning properly or not.
In Air Canada’s iPhone app, the screenshots taken by Glassbox revealed that sensitive data, such as passwords, credit cards, passport numbers and more, was not blacked out from view. This means that if the servers of Glassbox or Air Canada were ever compromised, customer data would leak out in plain view.
Now, TechCrunch reports Apple has told developers to remove or disclose the screen recording code in their apps, or get removed from the App Store altogether.
“Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” said Apple in a statement to TechCrunch.
“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” added Apple.
Developers have been notified by Apple today that their apps violate developer privacy policies and that they must remove the code or seek explicit consent. One developer’s email from Apple read:
“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”
The unnamed developer in question was provided less than 24 hours to remove the screen recording code, or have their app disappear from the App Store.
As for Glassbox, when asked if they knew of any client apps being removed from the App Store, a spokesperson would only say “the communication with Apple is through our customers.”
TechCrunch commissioned mobile expert the App Analyst to investigate specific iOS apps, and the report on Air Canada revealed astonishing user details being recorded in plain view, without users knowing.
When asked about these privacy violations in their iOS app, an Air Canada spokesperson responded to iPhone in Canada with the following boilerplate statement, seen widely on social media:
Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips. This includes user information entered in, and collected on, the Air Canada mobile app. However, Air Canada does not—and cannot—capture phone screens outside of the Air Canada app.
All information is handled securely and in accordance with our policy (https://www.aircanada.com/ca/en/aco/home/legal/privacy-policy.html) and applicable regulations.
For now, you’re better off not using the Air Canada iOS app or entering sensitive personal info into it until an update has been released.