Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store. It’s the latest privacy debacle that has forced Apple to wade in to protect its customers after apps were caught misbehaving. Last week it was a student finding a Group FaceTime bug and discovering that Facebook and Google were improperly using an iPhone tool to track the web-browsing habits of teenagers.
An investigation by TechCrunch has revealed that major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. They found that none of the apps tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity.
Even though sensitive data is supposed to be masked, some data — like passport numbers and credit card numbers — was leaking.
Glassbox is a cross-platform analytics tool that specializes in session replay technology. It allows companies to integrate its screen recording technology into their apps to replay how a user interacts with the apps. Glassbox says it provides the technology, among many reasons, to help reduce app error rates. But the company "doesn’t enforce its customers" to mention that they use Glassbox’s screen recording tools in their privacy policies.
But Apple expressly forbids apps that covertly collect data without a user’s permission.
TechCrunch began hearing on Thursday that app developers had already been notified by Apple that their apps had fallen afoul of Apple’s rules. One app developer was told by Apple to remove code that recorded app activities, citing the company’s app store guidelines.
Apple's email to the developers read: "Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity." You can read the full TechCrunch report here.
The entire smartphone industry is abusing its customers like guinea pigs. Yesterday we learned that 250 bounty hunters and related businesses had access to location data on the T-Mobile, AT&T, and Sprint networks.
One bail bond firm reportedly used the phone location service more than 18,000 times, with others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard.
The news shows how widely available Americans’ sensitive location data was to bounty hunters. This ease-of-access dramatically increased the risk of abuse.
"This scandal keeps getting worse. Carriers assured customers location tracking abuses were isolated incidents. Now it appears that hundreds of people could track our phones, and they were doing it for years before anyone at the wireless companies took action," Oregon Senator Ron Wyden said in an emailed statement after being presented with Motherboard’s findings. "That’s more than an oversight—that’s flagrant, wilful disregard for the safety and security of Americans."
Eva Galperin, director of cybersecurity at the campaign group the Electronic Frontier Foundation, told Motherboard in an email that "The scale of this abuse is outrageous." You can read the rest of this report from Motherboard here.
It was reported yesterday that three of the Senate’s biggest privacy advocates are sending letters to Facebook, Google, and Apple executives Thursday, following a recent TechCrunch report that Facebook used an iOS and Android app to monitor the phones of users as young as 13 years old. The app, called Research and sometimes referred to as Project Atlas, gave Facebook complete visibility into users' app activity, web searches, encrypted data, and even private messages.
Senators Richard Blumenthal (D-Connecticut), Ed Markey (D-Massachusetts), and Josh Hawley (R-Missouri) want more information from Facebook CEO Mark Zuckerberg, Apple CEO Tim Cook, and Google’s senior vice president of platforms, Hiroshi Lockheimer, about the origins of the app and the information it collected, particularly from minors. For more on this, read the full Wired report here.
The letter sent to Apple's CEO by the Senators begins by stating:
"We write concerned about reports that Facebook is collecting highly-sensitive data on teenagers, including their web browsing, phone use, communications, and locations, all to profile their behavior without adequate disclosure, consent, or oversight. These reports fit with longstanding concerns that Facebook has used its products to deeply intrude into personal privacy. Additionally, the scope of the research and the use of the Onavo Protect app raises questions about Facebook's use of personal data to engage in potentially anti-competitive behavior. As Apple is responsible for the App Store and the iOS operating systems, we request information on your policies regarding the monitoring of teens and Apple's response to the Facebook research program."
The letter later states that "Given the sensitivity and seriousness of any intrusions into the privacy of teens, we respectfully request a written response to the following questions by March 1, 2019:
- Does the collection of browsing histories, communications content, or app usage from a user's device violate the App Store terms of service? Please explain. Why did Apple consider it important to update its terms of service in June 2018 to ban the collection of data about other apps?
- If Apple finds that an application has bypassed its app review process and is operating in a manner intrusive to user privacy, what remedies does it maintain to protect users, such as disabling or removing problematic apps? Will Apple pursue any such remedies with respect to the Project Atlas app?
- When was the Project Atlas app made available to iPhone users and on how many devices was the app installed?
- Does Apple plan to allow the Project Atlas app on its devices in the future?
- How does Apple plan to address the Screenwise Monitor app's bypass of its app review process?
- Has Apple conducted an assessment to determine whether Google and Facebook have bypassed the App Store approval process using enterprise certificates for any other non-internal apps?
- In light of recent invasions of children's and teens' privacy, including those described above, would Apple support federal legislation to create new privacy safeguards for children and teens online?"
In the end, TechCrunch has done us all a great service by exposing these many loopholes in security. While we'd all like to think that we're nearing the end of these discoveries, the threats will continue, and hopefully more investigative work will be done to keep us all informed.
For now, it's deeply disturbing that internet companies have gone out of their way to find ways to sell user data that allows cybercrime to hurt millions of citizens around the world each year. While we were taught not to trust the government as Big Brother, Silicon Valley has made that a joke. We now look to government to put new laws in place with teeth and to fine companies like Facebook with meaningful punishment on multiple levels.
While Apple is trying its best to preserve iPhone user data, the last week has shown us that the problem is too big even for Apple to stay on top of.