Apple Issues Ultimatum to Developers Who Use Screen Spying Technology

Following a report earlier this week that many prominent iPhone apps were found to be secretly recording users’ screen activity without their knowledge or consent, Apple is now contacting the offending developers, demanding that they either fully inform users of what they’re doing or remove the feature altogether.

In an email statement to TechCrunch, an Apple spokesperson emphasized the company’s stance on protecting user privacy and how apps that record a user’s activity without their consent are in blatant violation of Apple’s App Store policies.

Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.

Apple

The email goes on to add that Apple has notified developers involved, emphasizing that they are in violation of “these strict privacy terms and guidelines,” and that the company will “take immediate action if necessary” — presumably by removing the offending apps from the App Store.

An investigation by TechCrunch revealed earlier this week that a surprising list of travel, shopping, and banking apps from large companies like Air Canada, Expedia, Hollister, and Hotels.com were using a third-party analytics tool, Glassbox, to surreptitiously record every user interaction inside their apps — every tap, every swipe, and every piece of data typed in.

None of these apps asked for user permission, or even disclosed in their privacy policies that they were doing this — multiple and flagrant violations of Apple’s App Store Review Guidelines, which state in various ways in Section 5.1, Privacy, that privacy policies “must clearly and explicitly” identify any data that’s collected by an app, how it’s collected, and how it’s used, must secure user consent for the collection of data, and must only collect data that is “relevant to the core functionality of the app” and “required to accomplish the relevant task.”

Further, Apple also places the onus on app developers to ensure that any third-party analytics services or advertising networks also “provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines.” So while Glassbox itself doesn’t require its clients to mention the use of its technology in their privacy policies, Apple most certainly does require this of its developers, and also holds developers accountable for ensuring that services like Glassbox are in compliance with Apple’s policies before incorporating them into their apps.

To make matters worse, the TechCrunch investigation also revealed that even though sensitive data — such as credit card and passport numbers — is supposed to be masked, this did not work the way it was supposed to, resulting in screen recordings that were inadvertently collecting this data and storing it on the participating companies’ servers in unencrypted form, making it easily available to hackers, and especially raising concerns considering that at least one of the companies involved, Air Canada, also recently confirmed a major data breach.

In emails to developers obtained by TechCrunch, Apple cited its App Store Review Guidelines, giving developers less than a day to remove the offending code and resubmit their apps to the App Store. Failing to do so would result in the removal of their apps from the App Store, the emails said.

“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

Apple, in an email to developers

When asked for a comment, a spokesperson for Glassbox basically washed its hands of the issue, simply stating that “the communication with Apple is through our customers.”

While it’s still an open question as to how these apps passed the original App Store Review process, the most likely explanation is a combination of Glassbox’s technology being buried deeply inside the apps, and therefore hard to detect, along with a certain degree of credibility added by the high profile of the companies publishing the apps in question. It’s also important to note that Glassbox only conducted screen recording within the apps themselves, and therefore wouldn’t have raised the kind of flags that occur when apps are attempting to access external data such as contacts or photos.

While Apple’s ultimatum presumably applies to all of the developers that are using this technology, it’s also unclear exactly how Apple has identified the offending developers. It’s a safe bet that Apple is addressing all of the apps that have been highlighted in recent reports, but with over two billion apps currently on the App Store, and a variety of Glassbox-like technologies in use, it seems like it will be a more difficult task for Apple to weed out every bad actor.