Wednesday, 6 February 2019

Many popular iPhone apps secretly record your screen without asking

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it, and the apps don’t ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play it back to see how their users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking out the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick. (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data, but none of the apps we examined said they were recording a user’s screen — let alone sending the recordings back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers isn’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but he did see email addresses and postal codes in some cases. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.
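To make the masking failure concrete, here is an added example in Python; it is not code from the article, from Glassbox, or from The App Analyst, and the event shape, field names and sample values are all constructed for illustration. It shows the two halves a defender wants from a session-replay pipeline: redact tagged fields before anything is serialized, and then independently inspect the outbound payload (the same vantage point the researcher had with an intercepting proxy) for data that should never have left the device, including a mis-tagged field that the tag-based masking alone would miss.

```python
import json
import re

# Constructed sample of what a session-replay SDK might send: one event per
# keyboard entry, naming the field the user typed into. This shape is invented
# for the example and is not any vendor's real wire format.
RAW_EVENTS = [
    {"field": "search_query", "value": "YVR to YYZ", "sensitive": False},
    {"field": "passport_number", "value": "AB123456", "sensitive": True},
    {"field": "card_number", "value": "4111 1111 1111 1111", "sensitive": True},
    # Deliberately mis-tagged: the developer forgot to mark e-mail as sensitive.
    {"field": "email", "value": "traveller@example.com", "sensitive": False},
    {"field": "password", "value": "hunter2!", "sensitive": True},
]

# The raw values that must never appear in an outbound payload.
RAW_SECRETS = [ev["value"] for ev in RAW_EVENTS if ev["sensitive"]]

MASK = "*" * 8  # stand-in for a masked text field


def mask_sensitive_fields(events):
    """Return a copy of the events with every field tagged sensitive redacted.

    Masking has to happen before serialization so the raw value never leaves
    the device in any form (not in a screenshot, not in a text event).
    """
    masked = []
    for ev in events:
        ev = dict(ev)  # copy, so the caller's events are not mutated
        if ev.get("sensitive"):
            ev["value"] = MASK
        masked.append(ev)
    return masked


def serialize(events):
    """Build the JSON body the SDK would send (constructed session id)."""
    return json.dumps({"session": "constructed-session-id", "events": events})


def luhn_valid(digits):
    """Luhn checksum, used to tell card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits with optional single spaces or hyphens between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def find_unmasked_secrets(payload, known_secrets=()):
    """Scan an outbound payload the way an intercepting proxy would see it.

    Returns a list of (kind, value) findings: Luhn-valid card numbers,
    e-mail addresses, and any known raw secret that survived masking.
    """
    findings = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card_number", m.group()))
    for m in EMAIL_RE.finditer(payload):
        findings.append(("email", m.group()))
    for secret in known_secrets:
        if secret in payload:
            findings.append(("known_secret", secret))
    return findings


if __name__ == "__main__":
    # Masking "didn't stick": the raw events go out as-is.
    leaked = find_unmasked_secrets(serialize(RAW_EVENTS), RAW_SECRETS)
    print("unmasked payload leaks:", leaked)
    # Masking applied, but the mis-tagged e-mail field still escapes.
    residual = find_unmasked_secrets(serialize(mask_sensitive_fields(RAW_EVENTS)), RAW_SECRETS)
    print("masked payload still leaks:", residual)
```

The second run is the point: tag-based masking is only as good as the tags, so the outbound check is worth running against real captured traffic in QA rather than trusting the SDK configuration alone.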

Without analyzing the data for each app, it’s impossible to know if an app is recording a user’s screen or how you’re using the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Because Glassbox doesn’t require any special permission from Apple or from the user, there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention either.

We asked all of the companies to point us to exactly where in their privacy policies they permit each app to capture what a user does on their phone.

Only Abercrombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointed to Abercrombie’s privacy policy, which makes no mention of session replays; neither does its sister brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said. When the system keyboard covers part of the native app, for example, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.



from iPhone – TechCrunch https://tcrn.ch/2Dcek24

Tuesday, 5 February 2019

Tesla has opened an Amazon store to spread its swag far and wide

Tesla has had a brisk merch business for years now, thanks to its fervent owner base and fans, who are enthusiastic supporters of the company and its CEO Elon Musk.

But until now, those Tesla-branded items — everything from water bottles and hats to jackets, chargers and once a surfboard — have been sold through the automaker’s own website.

Tesla has now expanded its merch ambitions and opened a store on Amazon. (A reader tipped TechCrunch off to the store; however, the story was first reported by Electrek.) Tesla confirmed the store opened earlier this week.

It should be noted that, for now, the store on Amazon isn’t as robust as the one on Tesla’s website. However, there are at least two items that can only be found on the Amazon page: an iPhone 8+ case and a Tesla iPhone X folio case. No prices are listed for the items and they’re currently “unavailable.”


Tesla Amazon store

In fact, every item on the store is “unavailable.”

It’s not clear when these items will be back in stock or why they aren’t available now. Did the company sell out already? Has it simply failed to make the items available? So many questions.

Tesla merchandise, especially specialty items, does tend to sell out quickly. For instance, the Tesla-branded surfboard priced at $1,500 sold out in a day. However, the mini diecast Tesla models sold on the Amazon store appear to be in stock over at Tesla’s website. We’ll update the story when the mystery is solved.



from iPhone – TechCrunch https://tcrn.ch/2Bolsbo

Angela Ahrendts is leaving Apple

Angela Ahrendts will depart Apple in April, almost exactly five years after taking on a role as the company’s senior vice president of retail.

The company says Ahrendts’ responsibilities will now be handled by Deirdre O’Brien, whose title is changing from “senior vice president of People” to “senior vice president of Retail + People.”

Story developing…



from Apple – TechCrunch https://tcrn.ch/2Bmivbg

iOS 12.2 beta includes new Animojis and fake 5G logo

Apple released a new beta version of iOS 12.2 yesterday. While the final version isn’t available just yet, here’s what you should expect: new Animojis and a fake 5G logo if you’re an AT&T customer.

If you have an iPhone X, XS, XS Max or XR, you’ll see new animals in the Animoji collection. As 9to5mac spotted, you will be able to record a video message and replace your head with a giraffe, an owl, a shark or a warthog. These Animojis will also work during FaceTime calls.

Here’s a picture from 9to5mac with the new lineup:

More interestingly, Apple succumbed to AT&T’s marketing plot to rename 4G into 5G. MacRumors noticed that some AT&T users now have a ‘5G E’ icon in the top right corner when they upgrade to the beta version of iOS 12.2. Some Android phones already show a 5G E icon after an AT&T update.

But don’t be fooled: this isn’t 5G — this icon replaces the LTE icon. AT&T has basically rebranded LTE with carrier aggregation as 5G Evolution. But it still runs on the same network.

Here’s a picture from the MacRumors forums:

The same thing happened in the U.S. during the transition from 3G to 4G. AT&T decided to rebrand its 3G HSPA+ network to 4G. It’s the reason why many carriers talk about LTE instead of 4G.

AT&T confused everyone back then, and the company is about to do the same again. It’s too bad Apple is helping AT&T with this iOS update.

Disclosure: TechCrunch is a Verizon Media company.



from Apple – TechCrunch https://tcrn.ch/2GbCiP2

Report: Smart speaker adoption in U.S. reaches 66M units, with Amazon leading

Smart speakers had a good holiday. Amazon already said its Echo Dot outsold all other items on its site this holiday season, which hinted toward the sizable growth for the voice-powered speaker market. Today, research firm CIRP is reporting the U.S. installed base for speakers grew to 66 million units in December 2018, up from 53 million in the September 2018 quarter and just 37 million in December 2017.

However, holiday sales didn’t have much impact on the market shares for the various speaker brands, the firm found.

Amazon Echo devices still lead the U.S. market with a 70 percent share of the installed base, followed by Google Home at 24 percent, then Apple HomePod at 6 percent, the report said.

“Holiday shoppers helped the smart speaker market take off again,” said Josh Lowitz, Partner and Co-Founder of CIRP, in a statement. “Relative market shares have remained fairly stable, with Amazon Echo, Google Home, and Apple HomePod accounting for consistent shares over the past few quarters. Amazon and Google both have broad model lineups, ranging from basic to high-end, with even more variants from Amazon. Apple, of course, has only its premium-priced HomePod, and likely won’t gain significant share until it offers an entry-level product closer to Echo Dot and Home mini,” Lowitz added.

Also of interest is that some portion of those buying a smart speaker for their home already own one. According to CIRP, 35 percent of smart speaker owners now have multiple devices, as of December 2018. That’s up from 18 percent in December 2017.

This figure is key to the device makers’ larger strategies, because it means that once a company is able to get that first sale, the consumer may return to buy more devices from the same vendor.

Amazon had gained an early advantage here, initially convincing more users to buy another speaker compared with Google Home users. A year ago, almost double the number of Echo users had multiple devices, versus Google Home owners. But Google is catching up, and now about a third of Echo and Google Home users have multiple devices.

It’s worth noting that CIRP data – like much that’s produced by market research firms – isn’t always going to match up exactly with other firms’ estimates and forecasts.

For example, Strategy Analytics this fall said that Amazon’s Echo market share in the U.S. was 63 percent, to Google’s 17 percent and Apple HomePod’s 4 percent. Meanwhile, eMarketer’s 2019 U.S. forecast predicts Amazon Echo will end up with around a 63.3 percent market share this year, versus Google Home’s 31 percent, with all others, like HomePod and Sonos, reaching 12 percent.

That said, the broad strokes across all reports point to the same general findings – that Amazon is leading the U.S. market by a wide margin, and while that margin may be shrinking, it’s not going away soon.



from Apple – TechCrunch https://tcrn.ch/2MUztlW

Apple pays millions in backdated taxes to French authorities

Apple has agreed to pay back a large sum in backdated taxes. The company has confirmed the information to the AFP and Reuters. According to L’Express, Apple could have paid as much as €500 million ($572 million) — the AFP also confirmed that sum.

“The French tax administration recently concluded a multi-year audit on the company’s French accounts, and those details will be published in our public accounts,” the company told Reuters. French authorities can’t confirm the transaction due to tax secrecy.

This isn’t the first time French tax authorities have investigated tech companies. Amazon also settled a dispute with French authorities back in February 2018.

In August 2016, the European Commission ruled that Apple had benefited from illegal tax benefits from 2003 to 2014. Like many global companies, Apple has been accused of optimizing its corporate structure to lower the effective corporate tax rate in Europe.

While Apple appealed the decision back in 2016 saying that everything was legal, the company finished paying back the fine in September 2018. There are now $16.4 billion (€14.3 billion) sitting in an escrow account, waiting for the appeal.

And it sounds like Apple should have paid more taxes in France in particular. French tax authorities focused on profits generated in France over the past ten years.

Last month, the French government announced that it would start taxing big tech companies in France even if they report profits in another country. This tax will be based on revenue generated in France. Other European countries could follow the same model.

127 member countries of the OECD are also discussing new taxation rules for big tech companies. This time, the OECD wants to force companies to report profits in all countries where they operate.



from Apple – TechCrunch https://tcrn.ch/2WIsdxX

Monday, 4 February 2019

Google brings Chrome OS Instant Tethering to more Chromebooks and phones

Tethering your laptop and phone can be a bit of a hassle. Google’s Chrome OS has long offered a solution called Instant Tethering that makes the process automatic, but so far, this only worked for a small set of Google’s own Chromebooks and phones, starting with the Nexus 6. Now Google is officially bringing this feature to a wider range of devices after testing it behind a Chrome OS flag for a few weeks. With this, Instant Tethering is now available on an additional 15 Chromebooks and over 30 phones.

The promise of Instant Tethering is pretty straightforward. Instead of having to turn on the hotspot feature on your phone and then manually connect to the hotspot from your device (and hopefully remember to turn it off when you are done), this feature lets you do this once during the setup process and then, when the Chromebook doesn’t have access to a WiFi network, it’ll simply create a connection to your phone with a single click. If you’re not using the connection for more than 10 minutes, it’ll also automatically turn off the hotspot feature on the phone.

Tethering, of course, counts against your cell plan’s monthly data allotment (and even most “unlimited” plans only feature a limited number of GB for tethering), so keep that in mind if you decide to turn this feature on.

You can find the full list of newly supported devices, which include many of today’s most popular Android phones and Chromebooks, below.



from Android – TechCrunch https://tcrn.ch/2TvwJhb
via IFTTT