As Apple releases iOS 12.1.4 to fix the FaceTime issue that basically turned iOS devices into listening posts, another major issue is emerging. A number of apps are effectively acting as key loggers, collecting every tap and swipe you make. And the apps can do this without requesting permission.
As well as fixing the known FaceTime issue, iOS 12.1.4 also fixes a previously unidentified vulnerability in the Live Photos feature of FaceTime. Systems that aren't updated will have this feature blocked.
A report at Techcrunch says the apps - many of which come from well-known companies - include “session replay” technology. Session replays let app developers record what happened on screen so they can follow up on errors. That sounds like a good idea, except that the apps haven't asked for permission, and the session replay tech can be embedded into any app.
The report points to Air Canada’s iPhone app, whose session replays were potentially exposing passport numbers and credit card data. Air Canada reported that its app had a data breach which exposed 20,000 profiles.
Many app developers use an analytics firm called Glassbox to capture this data. The company boasts Singapore Airlines and Expedia as well as a number of banks, insurers and retailers as customers. Incredibly, the company recently posted a blog article discussing privacy and digital risk management, but now finds itself embroiled in a privacy scandal.
Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it? This is no longer a hypothetical question, but a real possibility. This is Glassbox. Experience it for yourself: https://t.co/E3uXcr0Gjf pic.twitter.com/9cJ40xbSaI
— Glassbox (@GlassboxDigital) October 16, 2018
Privacy and security are incredibly important. For the most part, notwithstanding bugs like the FaceTime one exposed by a teenager, Apple does a good job of telling you when an app is accessing personal data such as location services or contact information. But this oversight is significant.
While all of the companies that Techcrunch spoke to said the data they collect is in accordance with their privacy policies, none of the apps explicitly said they collected on-screen activity in this way.