Wednesday, November 25 2020

Air Canada iOS App Secretly Records Your Screen, Does Not Encrypt Passwords or Credit Cards



TechCrunch reports that many iPhone apps secretly capture your screen without your permission, including Air Canada's popular iOS app.


The revelations come from mobile expert The App Analyst, who found many apps that implement a "session replay" technology from the customer experience analytics firm Glassbox. Companies use Glassbox to record user sessions so that developers can see how an app is used and get feedback about changes and errors. The problem? Every tap and keyboard press is captured, and sensitive information is sent unencrypted to developers.

Air Canada iPhone App found to expose user information in plain view

The App Analyst discovered that the Air Canada iPhone app "was not properly masking the session replays when they were sent, revealing passport numbers and credit card data in each replay session," writes TechCrunch.

"This allows Air Canada employees – and anyone else able to access the screenshot database – to see unencrypted credit card and password information," TechCrunch was told.

Below is a video example of the Air Canada iPhone app in action, showing unencrypted information in screenshots. The black boxes that are meant to mask customer data are not being applied correctly:

The App Analyst says: "If a user feels uncomfortable with the data collected through screenshots by Air Canada, they should try to block connections to glassbox.aircanada.ca. This should be possible through DNS settings within your home router."

Air Canada has about 1.7 million customers registered with the Air Canada mobile app. This security lapse means that if the company's servers are compromised, the screenshots could expose tons of user data.
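One way to check captured session-replay traffic for the masking failure described above, as an added example that is not from the original article, Glassbox or Air Canada. The event schema, the field names and the sample values are assumptions constructed for illustration.

```python
import re

# Field names treated as sensitive; this list is an assumption for the example.
SENSITIVE_FIELDS = {"password", "card_number", "cvv", "passport_number"}
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers
MASK_RE = re.compile(r"^[*•X]*$")  # value fully replaced by mask characters

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_event(event: dict) -> list[str]:
    """Return findings for one captured replay event (hypothetical schema)."""
    findings = []
    field, value = event.get("field", ""), str(event.get("value", ""))
    if field in SENSITIVE_FIELDS and value and not MASK_RE.match(value):
        findings.append(f"{field}: sensitive field sent unmasked")
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(f"{field}: Luhn-valid card number in value")
    return findings

def audit_session(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, omitting clean events."""
    report = {i: audit_event(e) for i, e in enumerate(events)}
    return {i: f for i, f in report.items() if f}

# Constructed sample capture; 4111 1111 1111 1111 is a well-known test number.
SAMPLE = [
    {"field": "first_name", "value": "Alex"},
    {"field": "password", "value": "********"},
    {"field": "password", "value": "hunter2"},
    {"field": "card_number", "value": "4111 1111 1111 1111"},
    {"field": "notes", "value": "booking ref 1234567890123"},
]

if __name__ == "__main__":
    for idx, found in audit_session(SAMPLE).items():
        print(idx, found)
```

Run against decoded replay payloads in a pre-release test build, any non-empty report means the masking rules are not covering a sensitive field.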

In August, Air Canada warned that 20,000 mobile user profiles "may have been improperly accessible" and asked all 1.7 million users to reset their passwords.

TechCrunch says "in Air Canada's case, we couldn't see a single line in its iOS terms or privacy policy suggesting that the iPhone app is sending screen data back to the airline."

Air Canada and Glassbox announced a partnership back in the fall of 2017 to use the latter's analytics platform in the airline's mobile app.

We have reached out to Air Canada for comment and will update this post when we hear back.

