Media Coverage Archive

Download.com [CNET] | BY Tom McNamara
Wednesday | August 29, 2018

App developers might take screenshots of your device’s screen without notifying you.

In the wake of the discovery that some Android and iOS crash analysis apps may be transmitting personal data without your knowledge, mobile research firm Appthority has issued a report on Appsee and Testfairy, indicating that thousands of apps on the App Store and Google Play Store use these two crash analyzer services to fix bugs.

Appsee has by far the larger presence, showing up in about 4,000 apps on iOS and 1,300 apps on Android, versus Testfairy appearing in about 200 Android apps and 175 iOS apps.

It should be noted, however, that neither Testfairy nor Appsee is deliberately exposing sensitive user data. Instead, the problem emerges from how the app developer uses the crash analysis service. Appsee provides guidelines on how to protect user information, but these are not universally followed.

As researchers at UC Santa Barbara learned last month, food delivery app GoPuff was inadvertently sending users’ ZIP codes to Appsee as part of the crash analysis process. A representative for Appsee said that it deleted all recordings that GoPuff had sent, and it disabled the tracking mechanisms that the delivery startup was using to collect data for Appsee.

Why would this be a big deal?

The main issue is twofold. For one, Appsee and Testfairy work in part by taking screenshots of the user’s display, which can expose you to privacy issues. As a rule, mobile apps do not prohibit screenshots from being taken. Encrypted text messengers like Signal are one of the few major exceptions.

Two, the developers using Appsee and Testfairy to analyze app crashes may not clearly state in their privacy policies that screenshots and other potentially private data are being recorded and analyzed and possibly sent to a third party for further inspection.

In addition to the screenshot issue, Appthority also points out that dozens of mobile apps which make use of Appsee and Testfairy can also open PDFs and Microsoft Office files — spreadsheets, presentations, memos, and other documents. It uncovered 142 Appsee-partnered apps that were capable of opening a PDF, though Appthority does not identify them by name.

Granted, the iOS App Store claims over 2 million apps in its catalog, and the Google Play Store counts even more. Therefore, only a small percentage of apps are known to use Appsee or Testfairy.

That said, if you’re using sensitive or personally identifiable data in any of your apps, you may want to take a closer look at their privacy policies and ask questions if you detect any ambiguities.

In desktop operating systems, automated crash data transmission rarely includes screenshots or other data that could include personally identifiable information, and the user customarily has full control over how or even if that data is sent, and full awareness that crash data is being recorded or transmitted. So if you need to work on sensitive documents or other files, you may want to stick to a Windows, MacOS, or Linux PC.

The takeaways
  • Services such as Appsee and Testfairy, which are used to analyze crashes in your mobile apps, may be recording and transmitting personal information because of misuse of their analysis tools.
  • People working with sensitive documents or communications may want to consider using a desktop operating system for these tasks instead, where crash analysis tools are customarily under much tighter control.

Read the original article on Download.com here.