Apple threatens to BAN iOS apps that secretly record users' iPhone screens and gives developers just 24 hours to remove the code that allows it
Apple is cracking down on apps that record users' screens without their consent
Firm is giving developers 24 hours to delete the code or their app will be yanked
Expedia, Hollister and Hotels.com use analytics tools that record screen activity
Apple is cracking down on apps that secretly record your screen activity.
The Silicon Valley giant has told developers that they must remove code that lets them record how users are interacting with their phone, or their apps will be yanked from the App Store.
It comes after a TechCrunch investigation discovered that several major companies use an analytics tool that secretly records users' screens, often without their knowledge or consent.
The report found popular companies like Expedia, Hollister and Hotels.com were using an analytics tool to record screen activity in their apps.
However, they often fail to ask for user permission and don't disclose the shady activity in their privacy policies.
What's more, the analytics tool used by the companies is supposed to mask sensitive data, such as passport numbers and credit card numbers, but it failed to do so, according to TechCrunch.
Apple says this goes against its rules around user privacy.
'Protecting user privacy is paramount in the Apple ecosystem,' an Apple spokesperson told TechCrunch.
'Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging or otherwise making a record of user activity.
'We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,' they added.
Apple has reportedly begun reaching out to developers to inform them that they have to remove the screen recording code from their apps.
In some cases, developers were told they have less than 24 hours to remove the code, or their app would be yanked from the App Store.
One company that provides the analytics code, called Glassbox, claims it provides the code to customers so they can reduce app error rates, TechCrunch noted.
However, Glassbox doesn't require customers to mention they're using screen recording technology in their privacy policies.
In a statement to Engadget, Glassbox also reaffirmed that it tries to mask users' sensitive data in the screen recordings.
'Glassbox and its customers are not interested in "spying" on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective,' Glassbox told Engadget.
'This information helps companies better understand how consumers are using their services, and where and why they are struggling.
'...We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded -- just as contact centers inform users that their calls are being recorded,' the company added.
Glassbox also explained that the data it collects from consumers isn't shared with third parties and is 'highly secured and encrypted.'
The screen recording code is also available to Android app developers, TechCrunch said.
It's unclear, however, if Google will follow in the footsteps of Apple and ban any apps that use it.
What user data are screen-recording apps seeing?
A TechCrunch investigation revealed that many companies like Expedia, Hollister and Hotels.com are using a third-party analytics tool in their apps that lets them record users' screen activity.
App developers record the screen and play the recordings back to see what people did in the app, what they liked or disliked, or whether an error occurred.
This means that every tap, button push and keyboard entry is recorded, screenshotted and sent back to the app developers.
This means payment information or passport and visa details could potentially be viewed by third parties.
Not every app was leaking masked data, and companies like Expedia and Hotels.com were capturing the data but sending it back to a server on their own domain.