Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm.
In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”
“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added.
It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity.
Even though sensitive data is supposed to be masked, some data — like passport numbers and credit card numbers — was leaking.
Glassbox is a cross-platform analytics tool that specializes in session replay technology. It allows companies to integrate its screen recording technology into their apps to replay how a user interacts with the apps. Glassbox says it provides the technology, among many reasons, to help reduce app error rates. But the company “doesn’t enforce its customers” to mention that they use Glassbox’s screen recording tools in their privacy policies.
But Apple expressly forbids apps that covertly collect data without a user’s permission.
TechCrunch began hearing on Thursday that app developers had already been notified that their apps had fallen afoul of Apple’s rules. One app developer was told by Apple to remove code that recorded app activities, citing the company’s app store guidelines.
“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” Apple said in the email.
Apple gave the developer less than a day to remove the code and resubmit their app or the app would be removed from the app store, the email said.
When asked if Glassbox was aware of the app store removals, a spokesperson for Glassbox said that “the communication with Apple is through our customers.”
Glassbox is also available to Android app developers. Google did not immediately comment if it would also ban the screen recording code. Google Play also expressly prohibits apps from secretly collecting device usage. “Apps must not hide or cloak tracking behavior or attempt to mislead users about such functionality,” the developer rules state. We’ll update if and when we hear back.
It’s the latest privacy debacle that has forced Apple to wade in to protect its customers after apps were caught misbehaving.
Last week, TechCrunch reported that Apple banned Facebook’s “research” app that the social media giant paid teenagers to collect all of their data.
It followed another investigation by TechCrunch that revealed Facebook misused its Apple-issued enterprise developer certificate to build and provide apps for consumers outside Apple’s App Store. Apple temporarily revoked Facebook’s enterprise developer certificate, knocking all of the company’s internal iOS apps offline for close to a day.