iOS apps can record what you do in them and then unsafely send that data
If you use an iPhone or iPad and have apps from Air Canada, Abercrombie & Fitch, Expedia, Hollister, Hotels.com, Singapore Airlines and a number of others, you may have sent sensitive data back to those companies and don’t even know it.
Those companies use services from Glassbox, a CRM firm, which records customers’ screens while they are using the app and sends the data back to either that company or to Glassbox. And depending on the company and what protections they apply, some of that data includes input data into address, phone number and other fields.
According to The App Analyst blog, the Air Canada app, which captures a series of screenshots during the user session, utilizes masking boxes that are supposed to block out that data, but those boxes don’t always appear in every screenshot. Other apps have some of the same troubles.
TechCrunch reports that the above companies’ privacy policies for their apps — disclosures required by Apple — don’t make any mention of the screen recording behavior, also known as “session replay” captures. Companies have either not commented or have not been able to point to any specific disclosure about session replays.