
Report: Apple demands companies obtain consent before recording users’ app sessions

Apple has reportedly issued an ultimatum to companies that rely on "session replay" tools to track the way users interact with their iPhone apps: disclose the practice and seek explicit consent for it, or be removed from the app store.

Apple's mandate comes after a TechCrunch report last Wednesday revealed that Air Canada, Hollister, Expedia, Singapore Airlines, Abercrombie & Fitch, and other brands have been using code that records users' screens as they interact with their apps, allowing the companies to view these sessions later to evaluate the overall experience. None of the apps evaluated for the report sought permission for, or even referenced, this activity.

"Your app uses analytics software to collect and send user or device data to a third party without the user's consent," says an email Apple sent to companies using the session replay technology developed by customer experience firm Glassbox. "Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," the email continues, according to TechCrunch, in a follow-up to its original report.

App developers were reportedly given less than a day to comply by removing the controversial code and resubmitting their apps.

According to the exposé, at least one company using Glassbox, Air Canada, failed to properly mask its session replays. Consequently, sensitive customer information such as credit card data and password numbers was not properly redacted, and thus was visible to employees reviewing the recorded user sessions.

Glassbox's technology also works with Android versions of apps; however, Google did not immediately respond to TechCrunch's request for comment.

Other companies offering similar mobile experience technologies include Appsee and UXCam.

"Glassbox and its customers are not interested in 'spying' on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective," said Glassbox in an official statement provided to SC Media. "We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded, just as contact centers inform users that their calls are being recorded."

Furthermore, Glassbox said that in order to address global privacy concerns, it "plans to implement development changes and improve the user opt-in methodologies contained within the Glassbox solution and work with Glassbox customers to configure the same within their user subscription processes. In addition, Glassbox intends to increase the contractual compliance accountability of its clients by requiring its customers to certify compliance on a semi-regular basis or risk suspension/termination."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
