Many popular iPhone apps secretly record your screen without asking

By: Zack Whittaker

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

More: https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/

Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret

By: Jennifer Valentino, Natasha Singer, Michael H. Keller, Aaron Krolik

Dozens of companies use smartphone locations to help advertisers and even hedge funds. They say it’s anonymous, but the data shows how personal it is.

The millions of dots on the map trace highways, side streets and bike trails — each one following the path of an anonymous cellphone user.

One path tracks someone from a home outside Newark to a nearby Planned Parenthood, remaining there for more than an hour. Another represents a person who travels with the mayor of New York during the day and returns to Long Island at night.

Yet another leaves a house in upstate New York at 7 a.m. and travels to a middle school 14 miles away, staying until late afternoon each school day. Only one person makes that trip: Lisa Magrin, a 46-year-old math teacher. Her smartphone goes with her.

An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times. While Ms. Magrin’s identity was not disclosed in those records, The Times was able to easily connect her to that dot.

The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing.

More: https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Hacking Your Ride: Risks Posed by Automotive Smartphone Apps

By: Nick Holland

 

In the latest edition of the ISMG  Report, Asaf Ashkenazi of mobile security firm Inside

In the latest edition of the ISMG Security Report, Asaf Ashkenazi of mobile security firm Inside Secure discusses new threats to car security posed by certain smartphone apps.Automotive

In this report, you’ll hear (click on player beneath image to listen):

  • Ashkenazi discuss emerging threats to automotive security;
  • Saryu Nayyar of the security firm Gurucul explain how behavioral authentication can streamline customer onboarding;
  • Ryan Witt of Proofpoint discuss how “very attackable people” who are potential targets for hackers can be identified.

The ISMG Security Report appears on this and other ISMG websites on Fridays. Don’t miss the Nov. 9 and Nov. 16 editions, which respectively discuss cracking down on criminals’ use of encrypted communications and China’s economic espionage campaign.

More: https://www.bankinfosecurity.com/interviews/hacking-your-ride-risks-posed-by-automotive-smartphone-apps-i-4181