An Update with Apple’s response can be found at the end of the article.

The Smartphone is the most personal device ever. From the most intimate of conversations and images, and Shopping and holidays, to work, Bank and tax information, the whole of life on the small devices can be found in many users. Even scarier is the idea that Apps record everything that happens on the device.

But this is precisely, according to the Portal “Techcrunch”. Thus a number of Apps, store every input, every Wipe, and every Tipper. Even large providers like Expedia, Abercrombie & Fitch, or to use these services, and diligently recording what is happening in the respective Apps. “Imagine, your website or mobile App, you could see exactly what your users are doing in real time and why they do it. This is not only hypothetically possible, but truly feasible,” tweeted about the provider Glassbox.

behind “Session Replay”

The technology is called “Session Replay”, and is also used on many websites (learn more here). Actually, it serves a comprehensible purpose: The accurate analysis of the use of allows the providers to optimize the websites and Apps as they are the users actually needed. Also errors and problems can be theoretically faster.

The big Problem here is that non-informed users are usually about the snooping. According to “Techcrunch” was found in none of the examined offers in the terms and conditions of a note that the Session Replays are used and the usage data are sent to the Server the App operator or the analysis company.

Secret information in plain text

it is not present, the recording process itself is as safe as the operator. Although Glassbox emphasized that only information is recorded in the App itself – so no calls, Chats, or other activities from other Apps and also sensitive data such as credit cards-would be blacked out information. In practice, Techcrunch found “” but cases in which the went wrong.

As the App of the Airline Air Canada failed, of all people, to blacken the entries in the credit card field. The App transferred, therefore, clearly readable credit card information of the user to the Server of Glassbox – without the customer learned something. In many other Apps, the masking of the data have failed, writes “Techcrunch”, such valuable information like credit card details, however, were not transferred. Can occur it all: The Session-Replay-provider Mixpanel had sent in the past to a series of phrases from a password and user name through the network, as Wired reported.

From the user’s point of view, is the lack of transparency annoying. The App provider does not inform the customer that their data will be recorded and sent, a way to switch the function off. The provider has to communicate the function as little “tech crunchs” evaluation of a simple reason: “you know how creepy it all is.”

Update 8. February 2019, 9:46: Apple responds

Apple has responded to the report and the developer of the Apps via E-Mail, written, reports “Techcrunch”. You will be prompted to inform the user about the spy or remove the feature entirely – otherwise, the out throw from the App Store threat. Apple gave the developers less than a day time, an updated Version of the Apps for review by Apple to submit.

sources: Techcrunch, Wired, Twitter