mobile software

Many popular iPhone apps secretly record your screen without asking

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allow developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play the recordings back to see how their users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data, but none of the apps we examined said they were recording a user’s screen — let alone sending the recordings back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers isn’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

Without analyzing the data for each app, it’s impossible to know whether an app is recording your screen as you use it. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either.

We asked all of the companies to point us to exactly where in their privacy policies they permit each app to capture what a user does on their phone.

Only Abercrombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” Abercrombie’s privacy policy, which the spokesperson pointed to, makes no mention of session replays; neither does its sister brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policies.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Powered by WPeMatico

Samsung fakes test photo by using a stock DSLR image

Samsung’s Malaysian arm has some explaining to do. The company, in an effort to show off the Galaxy A8 Star’s amazing photo retouching abilities, used a cleverly shot portrait, modified it and then ostensibly passed it off as one taken by the A8.

The trouble began when Serbian photographer Dunja Djudjic noticed someone had bought one of her photos from a service called EyeEm that supplies pictures to Getty Images, a renowned photo reseller. Djudjic, curious as to the buyer, did a quick reverse search and found her image — adulterated to within an inch of its life — on Samsung’s Malaysian product page.

Djudjic, for her part, was a good sport.

My first reaction was to burst out into laughter. Just look at the Photoshop job they did on my face and hair! I’ve always liked my natural hair color (even though it’s turning gray black and white), but I guess the creator of this franken-image prefers reddish tones. Except in the eyes though, where they removed all of the blood vessels.

Whoever created this image, they also cut me out of the original background and pasted me onto a random photo of a park. I mean, the original photo was taken at f/2.0 if I remember well, and they needed the “before” and “after” – a photo with a sharp background, and another one where the almighty “portrait mode” blurred it out. So Samsung’s Photoshop master resolved it by using a different background.

This move follows a decision by Huawei to pull the same stunt with a demo photo in August.

To be fair, Samsung warned us this would happen. “The contents within the screen are simulated images and are for demonstration purposes only,” they write in the fine print, way at the bottom of the page. Luckily for Djudjic, Samsung paid her for her photo.

Google Fit gets a redesign, adds Heart Points and coaching

Google Fit is getting a major update today. The company’s activity tracking app has been around for a few years now but until today, it pretty much worked and looked the same as on the day it launched. Today’s redesign is quite a departure from that old look and feel, though, and it also introduces quite a few new features that help take the service in a new direction.

The most obvious new feature in the new version is that instead of only focusing on active minutes (or ‘Move Minutes’ as they are called now), Google has now introduced the concept of Heart Points. With this, you don’t just score points for moving, the app will also reward you for activities that actually get your heart beating a bit faster. Google Fit will give you one point for every minute of moderate activity and double points for more intense activities (think running or kickboxing). You won’t be able to buy anything with those points, but you’re more likely to live longer, so there’s that.

Like before, Google Fit will automatically track your activities thanks to the sensors in your phone or Wear OS watch. You can always manually add activities, too, or use apps like Strava, Runkeeper, Endomondo and MyFitnessPal to get credit for the workouts you track with them.

What’s also new in this update is actionable coaching, something that was sorely missing from the old version. It remains to be seen how useful this new feature is in day-to-day use, but the idea here is to give you feedback on how active you’ve been throughout the week and help you stay motivated.

What I’m actually the most excited about, though, is the new look and feel. Based on the screenshots Google has shared so far, the app now provides you with far more details at a glance, without having to dig into timelines (which weren’t all that usable in the old version to begin with).

The new version is now rolling out to Android and Wear OS users.

Rapchat raises $1.6 million to help you make and share your def jams

The first thing to understand about media-sharing app Rapchat is that co-founder Seth Miller is not a rapper and his other co-founder, Pat Gibson, is. Together they created Rapchat, a service for making and sharing raps, and the conjunction of rapper and nerd seems to be really taking off.

Since we last looked at the app in 2016 (you can see Tito’s review below), a lot has changed. The team has raised $1.6 million in funding from investors out of Oakland and the Midwest. Their app, which is sort of a musical.ly for rap, is a top 50 music app on iOS and Android and hit 100 million listens since launch. In short, their little social network/sharing platform is a “millionaire in the making, boss of [its] team, bringin home the bacon.”

The pair’s rap bona fides are genuine. Gibson has opened or performed with Big Sean, Wiz Khalifa and Machine Gun Kelly, and he’s sold beats to MTV. “My music has garnered over 20M+ plays across YouTube, SoundCloud and more,” he wrote me, boasting in the semi-churlish manner of a rapper with a “beef.” Miller, on the other hand, likes to freestyle.

“I grew up loving to freestyle with friends at OU and I noticed lots of other millennials did this too (even if most suck lol) … at any party at 3am – there would always be a group of people in the corner freestyling,” he said. “At the same time Snapchat was blowing up on campus and just thought you should be able to do the same exact thing for rap.”

Gibson, on the other hand, saw it as a serious tool to help him with his music.

“I spent a lot of time, energy and resources making music,” he said. “I was producing the beats, writing the songs, recording/mixing the vocals, mastering the project, then distributing & promoting the music all by myself. With Rapchat, there’s a library of 1,000+ beats from top producers, an instant recording studio in your pocket, and the network to distribute your music worldwide and be discovered…. all from a free app. Rapchat is disrupting the creation, collaboration, distribution, & discovery of music via mobile.”

“We have a much bigger but also more active community than any other music creation app,” said Miller.

While it’s clear the world needs another sharing platform like it needs a hole in the head, thanks to a rabid fan base and a great idea, the team has ensured that Rapchat is not, as they say, wicka-wicka-whack. That, in the end, is all that matters.

Snapchat adds GIF stickers via Giphy, plus new Friends and Discover screen tabs

Snapchat is bringing one of the best recent features of Instagram Stories to its own app, with the ability to add GIF stickers from Giphy to your posts. This is a notable reversal of the typical pattern we’ve seen of Instagram cloning Snapchat features, but it’s a good one for users since GIF stickers for Stories are basically the greatest thing ever invented on social media. The…

Samsung’s Bixby assistant is now available for Galaxy S8 owners worldwide

Samsung’s Bixby voice assistant is now global after it expanded into over 200 countries today.
Bixby is Samsung’s answer to Apple’s Siri, Amazon’s Alexa and other virtual assistants. It got off to a bumpy start when it didn’t ship with the launch of the Galaxy S8, Samsung’s top-of-the-range device for this year, in March. Samsung rolled out a…

Samsung’s Bixby assistant finally comes to the Galaxy S8 and S8+ in the US

After much delay, Samsung has begun rolling out its Bixby smart assistant to users in the U.S. The company said today that an update will allow owners of the Galaxy S8 and S8+ to gain voice capabilities for the service.

You can now use Signal for encrypted video calls

(Photo: Jaap Arriens/NurPhoto via Getty Images) Open Whisper Systems, creator of encrypted communication platform Signal, released an update today as an open beta to enable encrypted video calling. The app previously offered fully end-to-end encrypted chat and voice calling, but the addition of video will make it even easier to convey information without compromising security. The update also promises to improve the existing, somewhat…

Instagram testing multi-photo album posts

Sometimes when you’re looking at your Instagram selects and you can’t quite decide between a few options, or when you want to post something from your trip but also don’t want to overwhelm your followers with a bunch of different pictures in a row, you feel keenly the absence of the ability to post a gallery as a single update. Especially if you’ve seen ads that feature…
