If you are using popular travel apps to make flight or hotel bookings, check-ins and reservations, you should probably know that the apps could be sending back screenshots and video grabs of your iPhone’s screen to the company for their internal use. While this could be a possible fair practice from many app-based companies to improvise on their services to their customers, the practice could put the user into vulnerable space by exposing his or her crucial data to a MITM attacker.
According to an investigation done by TechCrunch, session replay technology is abusing the iOS norms. The report from TC states that popular travel apps such as airline, hotels and retail, are secretly recording screens from iPhone users without their consent. The practice, known as session replaying, involves a third-party firm (Glassbox) which embeds its technology into the app.
Glassbox’s software records every action taken on the app by the user and also grabs screenshots along the way. What spelled worse was that apps such as Air Canada, and a few other travel websites, were also recording sensitive data fields such as passport numbers, credit card details and other financial and personal information.
‘None of the most widely used travel or retail apps that TC could find that employed Glassbox’s technology disclose this in a privacy policy or similar public-facing document’, said TechCrunch. TC also mentioned that none of them seem like they have received consent from the user.
Apps mentioned in the investigation include Air Canada, Abercrombie & Fitch and its Hollister subsidiary, Expedia, Hotels.com, and Singapore Airlines, among others.
TechCrunch based its report on information unearthed first by the App Analyst, a mobile security blog.
‘While this would appear to be a common practice in the mobile app industry, what makes it especially worrisome is that the App Analyst discovered that Air Canada in particular was not properly masking its session replay files when they were sent from a mobile device to the company’s servers, meaning they’re vulnerable to a man-in-the-middle attack or other similar interception technique,’ reported TC.
TechCrunch also suggests that there could also be a number of other iOS and Android apps that use session replays in such a way that leaves the information recorded through the app vulnerable to a hacker or other malicious third party.
