Apps That Record Your Screen are Normal

Editorial

A report from TechCrunch is making the rounds, saying that apps secretly record your screen without telling you. Here’s why that’s not a big deal.


Analytics

Popular apps from airlines, travel sites, carriers, banks, etc., all record your screen. Let’s get one thing out of the way first: Because iOS apps are sandboxed, they are unable to record what you do in other parts of your iPhone. An app can only record the screen within that app.

[Image: data obfuscation. Sometimes covering up data didn’t “stick.” Credit: The App Analyst via TechCrunch]

I reached out to an iOS developer on Reddit. He/she had made a comment explaining the situation, but didn’t want their real name associated with their Reddit username. Nevertheless, the developer perspective is valuable:

They are not recording your screen in the sense you are thinking. Most analytics frameworks are recording your taps and swipes INSIDE, and ONLY INSIDE the app itself. They can’t record anything outside of that app.

Some frameworks like Appsee can indeed send recordings of the apps. It does obfuscate any views with secure text entries, but if you have any custom components for that, you have to make sure you are setting up the obfuscation yourself.

There are two sides you can view this from: as a developer and product manager, tools like Appsee, Firebase Analytics, etc., provide incredible value for A/B testing, for seeing how your users interact with the app, to see which features are worth maintaining and what can be dropped. For users, yeah, it’s obtrusive, but this should be very well specified in the ToS of your app.

Chances are, you have one or more apps that perform this kind of analytics. And in the very worst case, someone is using a remote logging platform to log virtually everything you are typing in the app, and if it’s cloud hosted then maybe it is vulnerable to hacking and that will suck for everyone. So your best bet is using something like Charles Proxy to see what your apps are doing, if you truly care.

Something else: no one is using this to make money out of you (except the people who sell the platforms/frameworks themselves; this market is huge, and all these tools are very expensive past their free tiers). Advertisers really don’t care about where you tap on an app unless it’s ads, and in said case you are dealing with something else.

Privacy Policies

Essentially, certain things wouldn’t be possible without recording the screen, like A/B testing. Developers and designers need to know how their users are interacting with their product so they can improve it.


Now, there are a couple of issues. First, screen recording isn’t mentioned in privacy policies, only the word “analytics.” I think the concept of a privacy policy needs to be overhauled, with less lawyer-speak. Write them in plain language explaining what you’re doing with people’s information.

The second issue is sensitive information like passwords and credit card data. The App Analyst told TechCrunch that data was “mostly obfuscated” but that email addresses and postal codes were visible in some cases. We have no idea whether data is properly obfuscated or not. And we don’t know whether the data—any user data—is properly encrypted. My guess is no.
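One way to check the masking question on your own device, following the developer’s suggestion above to watch app traffic through a proxy. This is an added example, not code from the article or from any analytics vendor: it assumes the proxy session was exported as a HAR file, and the hosts and values in the sample capture are constructed. It inspects text in request bodies only, so it will not see data that leaks as pixels in an uploaded screenshot or video.

```python
import re
from urllib.parse import urlsplit

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# JSON fields whose values should never leave the device unmasked.
FIELD = re.compile(r'"(password|postal_code|zip)"\s*:\s*"([^"]+)"', re.I)

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_har(har):
    """Return (host, [kinds]) for each request body carrying unmasked data."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        body = req.get("postData", {}).get("text", "")  # GETs have no body
        kinds = set()
        if EMAIL.search(body):
            kinds.add("email")
        for m in CARD.finditer(body):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                kinds.add("card_number")
        for m in FIELD.finditer(body):
            if set(m.group(2)) - set("*•"):  # something other than mask chars
                kinds.add(m.group(1).lower())
        if kinds:
            findings.append((urlsplit(req["url"]).hostname, sorted(kinds)))
    return findings

# Constructed sample capture; hosts and values are made up for illustration.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://replay.analytics.example/v1/events",
                 "postData": {"text": '{"email": "jane@example.com", '
                                      '"password": "********", "postal_code": "94107"}'}}},
    {"request": {"method": "GET", "url": "https://api.airline.example/seats"}},
    {"request": {"method": "POST", "url": "https://logs.vendor.example/ingest",
                 "postData": {"text": "card=4111 1111 1111 1111&step=pay"}}},
]}}

if __name__ == "__main__":
    for host, kinds in scan_har(SAMPLE_HAR):
        print(f"{host}: unmasked {', '.join(kinds)}")
```

On a real capture, load the export with `json.load()` and pass the result to `scan_har()`; a masked password field is not reported, while the email, postal code and card number in the sample are.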

So there are definitely real concerns about this, but it’s not a scandal, and screen recording isn’t an abuse of iOS.


John Kheit

I don’t get the big deal here either. Now if they were screen recording things OUTSIDE the app in question, that would be horrendous. But if the recording is only limited to within the app, well, the app still gets all the data you give it anyway. So I just don’t see what the outrage is over, as it’s clear, you are supplying data to that app regardless. Seems a bit tempest in a teapot if the recording is truly limited to just the single app from which the recording code is embedded. Now if it turns out some…