Security News

iPhone apps record your taps

Avast Security News Team, 7 February 2019

If you’ve used these apps, your taps and swipes have been recorded and screenshots have been collected without your knowledge.

Mobile security expert The App Analyst published findings that the Air Canada app captures screenshots without user permission and forwards them to analytics firm Glassbox, which then inspired TechCrunch to investigate further into the issue. Together, TechCrunch and The App Analyst dug deeper into the Glassbox client roster and the nature of a commonly used yet unknown industry practice — session replays.

These are recordings of the user’s movements throughout the app, including button taps, swipes, and keystrokes. The reason for the recording is to observe the app’s ease-of-use, analyze the user’s joys and pains with the app, identify improvements and efficiencies, etc. In these session replays, certain fields of sensitive data are supposed to be masked. The App Analyst found this was not always true, such as in the case of the Air Canada app, where passport info and credit card numbers were exposed in session replays. Last August, Air Canada reported a data breach of 20,000 profiles. If hackers found their way into the session replay database, they would find access to volumes of unencrypted sensitive info.

Other iPhone apps using session replay analytics include Abercrombie & Fitch, Expedia, Hotels.com, and Singapore Airlines. None of these apps, including Air Canada, make any mention of session replays, taking screenshots, or recording user keystrokes in their privacy policies. When asked about its clandestine recordings, Air Canada, Abercrombie & Fitch, and Singapore Airlines each defended the practice as valuable to customer experience. Expedia and Hotels.com did not respond to questions about session replays.

“There can be good reasons for session replay analytics,” comments Luis Corrons, Avast security evangelist. “It allows those companies to see, for example, which of their options are most used, so they can then make them more accessible. However, doing that without even mentioning it is not right, and probably illegal in some countries. Extra security measures have to be taken in case sensitive information is involved in these recordings.”


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.

Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.