"Protecting user privacy is paramount in the Apple ecosystem", an Apple spokesperson told TechCrunch. Confirming in an email to the publication, Apple has stated that they notified the developers that are in violation of these strict privacy terms and guidelines and should take immediate action if necessary. But none of the apps they examined made it clear that they were recording a user's screen or that they were relaying those recordings to each company or to Glassbox's cloud. "The move comes after a TechCrunch report showed that many apps do not disclose such activity to users at all, and some sensitive user data has been compromised through screen recordings". "Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging or otherwise making a record of user activity", it said.
The investigation alleges that the apps go much further than the data collection and monetization people have come to expect.
According to reports by TechCrunch and the App Analyst, iOS applications from the likes of Air Canada, Abercrombie and Fitch, Singapore Airlines, Expedia, and Hotels.com have used "session replay" technology from data analytics company Glassbox to record user's screens while using their apps.
But that doesn't seem to be the case with the apps TechCrunch and the App Analyst looked at: "Not every app was leaking masked data; none of the apps we examined said they were recording a user's screen - let alone sending them back to each company or directly to Glassbox's cloud". The company is accused of having recorded passport numbers and credit card information. The session replays were potentially exposing passport numbers and credit card data in each replay session. Failure to do so would merit removal from the App Store.
One particular app belonging to Air Canada had suffered a major data breach, when it was discovered the airline carrier was not masking its consumer data properly whenever the Glassbox program sent details from mobile devices to its client's servers. If any of Glassbox's customers are not correctly masking data, it could be problematic, The App Analyst told TechCrunch.
Tech Crunch noted that neither Expedia nor Hotels.com or even Air Canada mentioned recording screens in their policy.
Most companies will say, when asked, that they're only using your data to improve your experience.
UPDATE: Feb. 8, 2019, 9:41 a.m. CET "Glassbox and its customers are not interested in "spying" on consumers".
The screen recording code is also available to Android app developers, TechCrunch said. In addition, Glassbox said the data they capture is "highly secured, encrypted, and exclusively belongs to the customers" the company supports. It can even record text you type into that app.