It's Glassbox not Glassdoor :)

And no, they do not say that they get their hands on this data. Besides, they say that their tools provide the means for masking sensitive data (i.e. if used properly, sensitive data would not be captured in the first place). This is what they said:

Glassbox and its customers are not interested in "spying" on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective. Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on web sites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling.

We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded -- just as contact centers inform users that their calls are being recorded.

Furthermore: No data collected by Glassbox customers is shared with third parties, nor enriched through other external sources.
Glassbox meets the highest security and data privacy standards and regulations (e.g. SOC2, GDPR), and all data captured via our solution is highly secured and encrypted.

We provide our customers with the ability to mask every piece of data entered by a consumer, restrict access to authorized users, and maintain a full audit log of every user accessing the system.


While the statement does not say explicitly that Glassbox does not get this data, it does not say that they do either. I do not see the reason for them to be getting this data. They provide the tools that companies (like Air Canada) could use to improve their apps. And they can do it in a careful manner without endangering users' sensitive data.
 
Did these "screen recording" apps also have access to the front facing camera and microphone?
What is the "screen recording" app? Any app can record its own screen. As long as the app can't record the screens displayed by other apps, what's the problem? Also, these tools were developed to analyze UI efficiency. For example, they can help understand how often the users click the "wrong" buttons etc. thus helping the developers to understand if the UI is easy or difficult to use. Why would these tools use camera or mic? Any app can use the camera and mic with or without these tools (if you let it) but that's a different matter.
 
Every major airline, retail, travel site, and most websites in general have analytics tracking embedded in the page that captures every action you take on their site. Session replay has been a standard CX - Customer Experience toolset for UX/UI designers/developers for nearly a decade. Google search IBM Tealeaf, Clicktale, Hotjar, Decibel, Adobe Analytics (Omniture), Google Analytics; I could go on. These are all companies/tools that provide the exact same functionality as Glassbox. They’re not literally “recording” your screen, instead they’re tracking every UI event during your session on their site. This includes button clicks, link clicks, form field entry, mouse movements, mouse hover, etc. These events can then be overlaid onto the screens you visited to effectively provide a “recording” or “replay” of your session. This information is used to help everything from driving website design decisions, detecting nefarious users that are trying to hack or exploit a site, customer support to assist when users call after their website visit crashed while trying to book their flight. These are just a few of the benefits analytics data provide. This isn’t an Apple, Android, Windows, Linux, “thing”. It exists across all web platforms and it’s been around for years, most are just now getting a peek behind the curtain.
The issue is that the developers and/or companies for whom they work are not taking adequate steps in informing the app users that their data is being collected. Such disclosure should be clearly communicated prior to the purchase/installation of the app, and not cloaked in long tiny fine print paragraphs of unintelligible (to non-lawyers) legalese that one generally finds in the form of the EULA (end-user license agreement). The EULA is such a complex entity that a whole class of "EULA Generator" software is marketed for their composition (google "eula generator"). People need professional help or special software to generate these things, so how are they likely to be understood by "Joe EndUser"? Of course, a rather unsatisfactory alternative is just to assume that all or most apps track your usage, in which case substitute "Caveat Emptor" as a disclaimer (let the buyer beware). In the contemporary data age, with hackers, government entities, companies, app developers, and internet service providers all tracking your movements and communications through electronic devices, Caveat Emptor might be the appropriate paradigm.
 
Why wasn't this discovered during the review process?

Because this behavior is normal. Many apps (and websites) collect lots of UI data to help fix bugs, improve UI, decide which features to update, help with customer support, target ads, etc. Very possibly including some of Apple’s own apps.

This issue here was with lack of disclosure, not explicit in developer EULA, etc. and sending the data to random 3rd parties.
 
Another PR nightmare.

Please, fire Tim Cook before it is too late! This will drive down sales even further.
 
Another PR nightmare.

Please, fire Tim Cook before it is too late! This will drive down sales even further.
Won’t have any effect at all, except on the inter webs, where people pick everything apart. Saying to fire Tim Cook, while putting it out in the universe, doesn’t mean it’s gonna happen. You have to be aligned with the universe and not the other way around.
 
Won’t have any effect at all, except on the inter webs, where people pick everything apart. Saying to fire Tim Cook, while putting it out in the universe, doesn’t mean it’s gonna happen. You have to be aligned with the universe and not the other way around.

2019 the year of the Apple crash!! Ahh!
 
...and it isn't certain whether or not Apple had been aware of this all along and only decided to respond once it was made public.

And it is only for those apps using Glassbox for analytics. There are many other apps out there using alternative methods for on-device analytics. This also doesn't include those apps that use server-side analytics.

IMO this story is more of a "Judas Goat" to draw attention away from the fallacy that is "privacy on Apple platforms".
I think people understand, Apple doesn’t misuse your personal information. And all apple software is safe.

The issue is “one bad apple” can spoil the bunch applies. There is no platform that is 100% safe, and no platform safer. That isn’t a fallacy it’s reality.
2019 the year of the Apple crash!! Ahh!
Wait I thought 2018 was the year of the Apple crash. Everybody pretty much has it pegged when the market turned.
 
I think people understand, Apple doesn’t misuse your personal information. And all apple software is safe.

The issue is “one bad apple” can spoil the bunch applies. There is no platform that is 100% safe, and no platform safer. That isn’t a fallacy it’s reality.



I'm pretty sure people who buy Apple products think they are safe - that is the hype Apple has managed to build. Just go to the street and ask random people if they think they are safe using Apple devices... unless you meet a person who follows tech news, I'm quite sure the answer is "yes".
 
What's the vetting process for applications allowed into the App Store? Does Apple proof the source code for submitted software? If so, how did this stuff escape the proofers' attention? If Apple does not inspect the sources, do they simply get developers to sign agreements that their software doesn't expose user data without user consent? If Apple truly was surprised at these revelations, then their application vetting process is flawed; otherwise, it's hard to see how Apple wasn't aware of the situation, indicating that they reacted only after poor publicity exposed the situation. It's not exactly a win-win. They either have a poor vetting process, or have been deceptive in their privacy claims.

No, Apple does not have the source code. Source code is proprietary, and the property of the developers. It’s subject to trade secret and copyright protections. Apple receives binaries or bytecode representations of the app. There are automated checks run on the app to make sure that the app does not do certain bad things (like link to private frameworks that are not intended for use by developers). Human reviewers check that the app functions generally as it is supposed to, that it complies with various requirements of the developer program (use of certain copyrighted resources, not misleading in-app purchases, etc.). If the app connects to a back end server, the developer is required to provide a user account and login for use by the reviewers.

Developers are required to sign various contracts that say they will adhere to Apple’s rules. If Apple finds substantial violations they terminate the developer from the App Store, potentially permanently.

There are many ways to game the system that have been eventually caught in some cases:

1) developers have put in code that causes the app to behave differently during review than it does upon release. This can be due to:

A) the server behaving differently before app release
B) the app detecting that Apple is running the app (based on IP address, date, user Id, etc.)

When these can be detected by finding suspicious linked packages and the like, Apple has from time to time done mass banning of such things.

2) developers changing the metadata for the app (the description, subscription pricing, etc.) after the app has been approved. Apple has responded by requiring metadata changes to accompany a new binary upload.

3) hiding things in the code that only show up in “Easter egg” fashion. For example, people have hidden MAME emulators and the like in code that can be triggered by typing in a code.

Given the thousands of app updates that are submitted every day, the reviewers cannot spend days reviewing each. In my experience, my apps are usually tested for somewhere between 15 minutes and several hours.

In the end, Apple relies on spot checking and the ban hammer, because it would be impossible to guarantee that no app can do no bad thing. Especially because some things are only “bad” (in apple’s eyes) if they aren’t properly disclosed in the app’s privacy policy or user agreement. The app reviewers are not lawyers; they can’t spend all day trying to figure out if the app’s behavior correctly is covered by the legal jargon in the app’s privacy policy, for example.
 
Any reason why Apple waits until the media makes a big deal about it before doing anything about it? Calculator bug, Group FaceTime bug, etc. Come on, Apple. Get it together. I'm starting to feel like everything they do is a PR stunt. Like if this information wasn't released to the public Apple would have just let the apps continue recording all our screens.

Group FaceTime bug
If they knew it they would have fixed it; maybe they missed it in testing.
I'm pretty sure people who buy Apple products think they are safe - that is the hype Apple has managed to build. Just go to the street and ask random people if they think they are safe using Apple devices... unless you meet a person who follows tech news, I'm quite sure the answer is "yes".
You are saying comparatively iOS/Mac OS are not safer/Secure compared to Windows/Android/Chrome OS (Privacy) ?
 
Every major airline, retail, travel site, and most websites in general have analytics tracking embedded in the page that captures every action you take on their site. Session replay has been a standard CX - Customer Experience toolset for UX/UI designers/developers for nearly a decade. Google search IBM Tealeaf, Clicktale, Hotjar, Decibel, Adobe Analytics (Omniture), Google Analytics; I could go on. These are all companies/tools that provide the exact same functionality as Glassbox. They’re not literally “recording” your screen, instead they’re tracking every UI event during your session on their site. This includes button clicks, link clicks, form field entry, mouse movements, mouse hover, etc. These events can then be overlaid onto the screens you visited to effectively provide a “recording” or “replay” of your session. This information is used to help everything from driving website design decisions, detecting nefarious users that are trying to hack or exploit a site, customer support to assist when users call after their website visit crashed while trying to book their flight. These are just a few of the benefits analytics data provide. This isn’t an Apple, Android, Windows, Linux, “thing”. It exists across all web platforms and it’s been around for years, most are just now getting a peek behind the curtain.
Hah, you have no idea who you’re talking to. I’m a full stack web designer and developer specializing in UI/UX. I already know this. Recording users screens is lazy and I would never do this with live users, and ESPECIALLY wouldn’t try to hide it. No way our lawyers would ever sign off on that and more than that I would never do it because it’s morally wrong. We do testing with users locally by either direct observation or recordings, but the users consent and are usually compensated with a gift card or something. As you said there are a lot of good analytics toolkits out there, but I don’t employ most of it on my sites because it’s creepy. I rely on my good instincts as a designer along with some A/B testing and observation to develop most of my comps. Many designers are too lazy and take this easy way out. The difference is that I respect my users.
 
...Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on web sites and apps...

How they know that is improving the customer experiences when they do not share any data? Just BS!
 
The thing that defenders/supporters of this monitoring fail to understand is the clandestine and stealth methods/techniques being used to track our mouse movements (finger movements on mobiles), which many people are angry about.

A company wants to know why viewers are not clicking on an ad on their website so they employ stealthy analytic apps and programs to run in the background, capturing our every mouse and finger move to see what we are doing. This is wrong on so many levels. If a company wants to track our movements on a site then be open and honest about it, make a popup appear as soon as you enter the site asking 'This site will track your mouse movements so we can improve our customer experience. Do you wish to continue, YES/NO'.

That is all that is needed, let the viewers/customer make the decision if they want their movements tracked and data collected. Do not allow a business to arbitrarily make that decision for us.

It’s not much better if my banking app discloses that they will track my actions and I have no choice but to accept this if I want to continue using said app for lack of a better alternative.

I would rather Apple just make the decision for me and unilaterally ban all apps across the board from doing this altogether. Make the tough decision for me so that I don’t have to.
 
Egencia and Air Canada app updates came through. "Bug fixes and performance improvements", they say. I get that saying "We stopped watching your screen while you type" could be bad for PR, but personally I'd be more confident that the version I now have installed is safe.

Glassbox and its customers are not interested in "spying" on consumers.
Our customers aren't interested in spying on the women's shower, so I'm not sure what all the fuss is about with the cameras we installed...
 
Hah, you have no idea who you’re talking to. I’m a full stack web designer and developer specializing in UI/UX. I already know this. Recording users screens is lazy and I would never do this with live users, and ESPECIALLY wouldn’t try to hide it. No way our lawyers would ever sign off on that and more than that I would never do it because it’s morally wrong. We do testing with users locally by either direct observation or recordings, but the users consent and are usually compensated with a gift card or something. As you said there are a lot of good analytics toolkits out there, but I don’t employ most of it on my sites because it’s creepy. I rely on my good instincts as a designer along with some A/B testing and observation to develop most of my comps. Many designers are too lazy and take this easy way out. The difference is that I respect my users.

Out of the box, most OTS analytics tracking software is pretty primitive without full setup. They at the very minimum collect how long a person has been on a page/screen.

It’s usually up to the integrator to fire custom events to convey the “screen recording” suite of data points.

There is no difference between using an OTS product vs rolling your own. Most companies will do variations of this because it’s a data driven approach to IA/UX and is what justifies a design decision.

If a IA/designer suggested a certain path based on their instincts and just a focus group (which ultimately may not even be your audience), they are playing with fire which is what most companies will not risk. You need to collect data from the actual product beyond A/B tests, focus groups, and instincts for informed decisions.
 
It’s not much better if my banking app discloses that they will track my actions and I have no choice but to accept this if I want to continue using said app for lack of a better alternative.

I would rather Apple just make the decision for me and unilaterally ban all apps across the board from doing this altogether. Make the tough decision for me so that I don’t have to.

Maybe one day Apple will become a financial institution, a government, a hospital, an employer, a restaurant, and a house.

That way you are completely safe from the world.
 
Lots of sneaky stuff going on, Apple seems to be trying to clean it up, hope they are not doing the same.

Problem is that Apple is saying disclose or remove. Well for many of us who have become dependent on certain apps, those app developers will just disclose and most people will click accept.

Apple should have been on this years ago.
Quite frankly there are many iOS users who choose Apple products mostly because of their stance on privacy and security. I'm sure Apple would like to keep their reputation in that area.
 
Looks like the Locked Garden is actually becoming a High Security Prison.....I prefer us not to be like China!!!!!!! :rolleyes::rolleyes::rolleyes:

Apple let me have control of an actual file manager and some freakin mouse support on my expensive iPad Please and if I feel like using a screen recorder on any app I please...let me....I sure do on my android devices.
 
Hah, you have no idea who you’re talking to. I’m a full stack web designer and developer specializing in UI/UX. I already know this. Recording users screens is lazy and I would never do this with live users, and ESPECIALLY wouldn’t try to hide it. No way our lawyers would ever sign off on that and more than that I would never do it because it’s morally wrong. We do testing with users locally by either direct observation or recordings, but the users consent and are usually compensated with a gift card or something. As you said there are a lot of good analytics toolkits out there, but I don’t employ most of it on my sites because it’s creepy. I rely on my good instincts as a designer along with some A/B testing and observation to develop most of my comps. Many designers are too lazy and take this easy way out. The difference is that I respect my users.

Again, these tools are not literally “recording screens”, and they can’t see “anything” you do on your device like you previously stated. These are browser based or mobile based UI tools that generally leverage js to capture UI events. There is nothing morally wrong with correlating button clicks, or specific paths with conversion %, for example. Now, if companies deploying these tools are not adequately masking NPPI data, that’s a legitimate compliance problem.
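
The masking point raised in the post above can be enforced at capture time, before any event reaches a replay buffer. The sketch below is an added example and not part of the thread or any vendor's SDK; the event shape, field names and function names are assumptions made for illustration.

```javascript
// Added example: capture-time masking for session-replay UI events.
// The event shape and every name below are assumptions, not a vendor API.
const MASK = "[masked]";
// Deny by default: only fields named here may have their text recorded.
const RECORDABLE_FIELDS = new Set(["search", "language"]);
const SENSITIVE_INPUT_TYPES = new Set(["password", "email", "tel"]);

// Luhn checksum over a string of digits (used by payment card numbers).
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// True when text holds a 13-19 digit run (spaces/dashes allowed) passing Luhn.
function containsCardNumber(text) {
  const runs = String(text).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((run) => luhnValid(run.replace(/\D/g, "")));
}

// Returns a new, reduced event; the raw event never reaches the replay buffer.
function sanitizeEvent(evt) {
  const out = {
    type: evt.type,
    t: evt.t,
    target: { tag: evt.target.tag, name: evt.target.name },
  };
  switch (evt.type) {
    case "click":
      out.x = evt.x;
      out.y = evt.y;
      return out;
    case "keydown":
      return out; // record that a key was pressed, never which key
    case "input": {
      const recordable =
        RECORDABLE_FIELDS.has(evt.target.name) &&
        !SENSITIVE_INPUT_TYPES.has(evt.target.inputType) &&
        !containsCardNumber(evt.value);
      out.value = recordable ? evt.value : MASK;
      return out;
    }
    default:
      return null; // unknown event types are dropped, not passed through
  }
}

function sanitizeSession(events) {
  return events.map(sanitizeEvent).filter((e) => e !== null);
}

// Constructed sample session (4111... is the widely used test card number).
const SAMPLE_EVENTS = [
  { type: "input", t: 1, target: { tag: "input", name: "search", inputType: "text" }, value: "YYZ to LHR" },
  { type: "input", t: 2, target: { tag: "input", name: "password", inputType: "password" }, value: "hunter2" },
  { type: "input", t: 3, target: { tag: "input", name: "cc-number", inputType: "text" }, value: "4111 1111 1111 1111" },
  { type: "input", t: 4, target: { tag: "input", name: "search", inputType: "text" }, value: "4111 1111 1111 1111" },
  { type: "keydown", t: 5, target: { tag: "input", name: "search", inputType: "text" }, key: "a" },
  { type: "click", t: 6, target: { tag: "button", name: "book" }, x: 120, y: 48 },
  { type: "clipboard", t: 7, target: { tag: "input", name: "search" }, value: "pasted text" },
];
```

The fourth sample event shows why a field allowlist alone is not enough: a card number typed into an otherwise recordable search box is still masked by the content check.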
 