Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security Software Apple Technology

Apple Tells App Developers To Disclose Or Remove Screen Recording Code (techcrunch.com) 33

An anonymous reader quotes a report from TechCrunch: Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps -- or face removal from the app store, TechCrunch can confirm. In an email, an Apple spokesperson said: "Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity." "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," the spokesperson added.

It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user's app activity. Even though sensitive data is supposed to be masked, some data -- like passport numbers and credit card numbers -- was leaking.

This discussion has been archived. No new comments can be posted.

Apple Tells App Developers To Disclose Or Remove Screen Recording Code

Comments Filter:
  • I'm sure that no one would ever misuse all that sweet sweet private information like password and account numbers and logins and private nude pics.

  • by Dan East ( 318230 ) on Thursday February 07, 2019 @08:51PM (#58087136) Journal

    And once again the misnomer "Screen recording" is being used inaccurately in the headline to draw more attention. "Screen recording" is a phrase that has a specific meaning, and there is no screen recording going on. I don't feel like typing it all again... https://slashdot.org/comments.... [slashdot.org]

    (I'm not condoning or defending this practice, but just clarifying that the screen is not literally being recorded and streamed as video)

    • by Anonymous Coward

      Glassbox does also send screenshots back to the developer: http://theappanalyst.com/aircanada.html

  • by Anonymous Coward

    Did you know that every app in the App Store is required to link to a privacy policy if it records data? If you did, do you know how to find that link?

    It's in the "information" box that is helpfully hidden way at the bottom - but not all the way at the bottom - of an app's page on the App Store. If you scroll to the bottom you won't see if because you'll have gone past it.

    So all this is going to do is make the apps doing this add it to that privacy policy most people probably aren't aware even exists becaus

    • Hyperbole much?

      It's not hidden. It's very easy to find since in the "Information" box (2 of 3 for each app) it's the only blue link and the only entry with an icon. (A blue hand which is the same icon used in iOS for "Privacy" as you can see in the Settings app.)
    • No, nor did they bother to immediately disclose this even to their users. That would interfere with the effectiveness of the spying. Most people learned about this from Ed Snowden's disclosures (three cheers for Snowden!). So when Apple tells you "What happens on your iPhone stays on your iPhone" there's no reason to believe them. After all, I'll bet people running iTunes thought they were getting a media player, not opening a remotely-exploitable hole [telegraph.co.uk] despite Apple knowing about this problem for years and

      • by jbn-o ( 555068 )

        Apple is part of the UAE's "secret hacking team of American mercenaries [reuters.com]" which seek to "help the United Arab Emirates engage in surveillance of other governments, militants and human rights activists critical of the monarchy".

        What Apple tells people via its ads: "What happens on your iPhone, stays on your iPhone [techcrunch.com]"

        Some of what Apple won't comment on: "The operatives utilized an arsenal of cyber tools, including a cutting-edge espionage platform known as Karma, in which Raven operatives say they hacked into th

  • by cerberusss ( 660701 ) on Friday February 08, 2019 @01:21AM (#58087882) Journal

    I'm an app developer and years ago, started with an app in the App Store and included one of those free analytics libraries. It's quite useful, you get the crash reports coming in as they occur in the field. At some point, I was very proud to have solved nearly all crashes.

    Then I felt like people needed to be able to opt out. So I built a screen with a simple checkmark, and looked at their API to turn off data collection. Turns out, it's not there. To opt out as a user you needed to go to a web page, and fill in your email adres. I thought to myself, what? What the fucking what? How can you relate crash reports with an email address? Then I realized that's what free means. I should never have started with it.

    Note: this was in 2012/2013, and as a starting iOS developer, I was pretty naive. First of all I should've built my own light weight crash reporter. Second of all, it should've been opt-in.

    I've tried Localytics, Crashlytics and Flurry. They all have severe privacy problems in my opinion. I have simply removed them from my app, because I kept feeling bad for my users.

    • by AmiMoJo ( 196126 )

      Fortunately that's illegal now. GDPR requires explicit opt-in. Opt-out and requiring an email address to do so are not allowed.

    • Thank you! I hope there are many more developers like you out there that keep the users privacy in mind.
  • How this slipped their review is beyond me, bur our fine paperless office applications, like ExactScan, they reject because they would "ask for an access the user's Contacs" (which we don't): https://www.youtube.com/watch?... [youtube.com] And yet every other time they approve the updates, ..! And I swear we have no code to access the Contacts, ..! And they can't even answer with a backtrace where it would happen, ..! :-/ In the meantime I suspect our "crash reporter" optional "directly sending it to us" code accessing s
  • Extract : "Air Canada is unsuccessful in obfuscating credit card and password information. As a result, sensitive data is being captured as images and potentially stored."

    ref: http://theappanalyst.com/airca... [theappanalyst.com]

  • Protecting user privacy is paramount in the Apple ecosystem.

    Oh really? Then how come Apple only takes action after these issues get exposed to the press? Surely someone at Apple knows each and every trick that app developers use to create and promote their apps.

  • I can't reconcile the two statements below, like I can't reconcile nearly everything Apple does. If you're so serious about privacy and an app (or apps) completely violated this in such a violent and litigious way - why wait to do something? Toss them off the store... for good!

    What they captured without consent is so over the line, the response needs to be equally strong.

    ""Protecting user privacy is paramount in the Apple ecosystem."" ... ""and will take immediate action if necessary""

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...