Apps are secretly recording our screens, and it’s not cool

I spy with my little line of code… your credit card information. 

There’s no denying that apps bring accessibility into our lives via educational, organizational, entertainment, and online services. However, like most things, the good must come with the bad. And the bad here comes in the form of security risks. Our beloved apps are secretly recording our phone screens.

Online tech news publisher TechCrunch recently revealed that a number of apps – Air Canada, Hollister and Expedia – contain code that allows screen recordings to be made during user interactions – every tap, type, and swipe. TechCrunch also highlighted that they found no mention of any such feature in the respective apps’ privacy policies.

This isn’t the first time such an invasion has been reported. A Northwestern University study, published last year, scoured over 17,000 Android apps and found similar results. Among the several alarming privacy risks found were apps which share user image and video data with other parties.

It’s about “recording” user experience

Apps have been around for over two decades. So, it’s a known fact that apps are collecting our data – shoutout to Facebook – and even monetizing it. It’s practically an industry standard.

But why record user interaction?

The stated reason for recording is to monitor and continuously improve user experiences. To that end, many companies embed “session replay” code in their apps. The resulting recordings are then sent to developers or to customer experience analytics firms like Glassbox for analysis.

It’s a privacy nightmare

So, not only are we not told that our data is being recorded, but our sensitive information is being shared with third parties we aren’t even aware of.

Some solace can be found in the fact that sensitive information is at least blurred to protect our rights. There have, though, been instances, such as with Air Canada, where details weren’t masked properly. This also follows an incident in August 2018, when Air Canada’s app was breached and 20,000 users were affected.

It seems there are cybersecurity risks everywhere. A huge part of the problem is that users have no say in, or knowledge of, how their data is being managed. The Gmail debacle is yet another example from a long list.

Users might have no issue with data collection if those responsible for it were open and upfront about their procedures. It’s as simple as that. Ask us if we’re cool with being recorded. Transparency – we need it.

Unfortunately, for those who do find issue, and prefer to keep sensitive information off the official record, options are limited.

What now?

Following the TechCrunch report, Apple swung out with a take-it-or-leave-it deal for developers. They stamped it with a 24-hour expiration – either be upfront about your creeping or get out of the App Store. Google, though, made no such announcement.

It’s baffling that the concept of consent is hard to grasp. We, as a society, keep circling around it. Oftentimes, one yes leads to a lot more being taken than initially allowed for.

In this case, just because a user agreed to the terms and conditions for using the app doesn’t mean it was an open invitation to creep on every action that person makes within the app.

Perhaps we should be thankful that the recording kicks in only when the app is in use. Though, how can we be sure that we aren’t falling victim to bugs or lazy encryption elsewhere, errors which allow for even more data to be “collected”?

As we grow into an IoT world, the wall between the simple users and those in power keeps strengthening. There are a lot of excuses flying around – improving user experiences, sifting for red flags – but do the ends justify the means? Especially when only one side seems to be benefiting from this lack of transparency, while the other is being put in positions of vulnerability, like identity theft, through no fault of their own.