A recent advancement in crash reporting SDKs enables developers to record in-app screens, so that they know the exact state of an app before it crashes. This opens the door to new exploits in enterprise mobile environments, as third parties are increasingly recording mobile screens for debugging purposes and sending the recordings back to external servers.
Poor developer practices may lead to unintended recording of sensitive data
User information and sensitive fields, such as passwords and credit card numbers, are recorded from users’ mobile screens by these SDKs unless developers proactively flag them during app development, as the developer guidelines from Appsee and Testfairy instruct. Unfortunately, there has already been a privacy incident in which user zip code information was recorded and sent back to servers without the users’ acknowledgment.
Prevalence of Mobile Apps with Screen Recording Capabilities on Enterprise Devices
Appthority found that several apps with this screen-capturing ability can also open corporate documents, as shown in the following table. This increases the risk of corporate documents being leaked to third parties over which enterprises can’t exercise control.
| | No. of Apps with AppSee SDK | No. of Apps with TestFairy SDK |
|---|---|---|
| Can Open MS Word | | |
| Can Open MS Excel | | |
| Can Open MS PowerPoint | | |
| Can Open PDF | | |
Top 5 Apps with Access to Corporate Documents and Screen Recording Ability
| Application Name | Package Name | File hash |
|---|---|---|
| Speechify- #1 Natural Voices | com.cliffweitzman.speechifyMobile2 | e0f83bd2c32675e5fb2ca3d02aeb5f75 |
| Speechify: Text to Speech OCR | com.cliffweitzman.speechifyMobile2 | 77140786310e7eef3b7a04d9859c533f |
Enterprise visibility into apps with access to corporate data
In addition to the above apps, which combine access to corporate documents with screen recording capability, enterprise security teams should pay extra attention to apps of this type that have access to other corporate data, such as address books and calendar information.
We encourage developers using debugging tools to follow best practices in order to keep their users’ privacy safe. Companies that record user behavior should do their best to use private clouds, use corporate Single Sign-On to access online services, hide sensitive data at the SDK level, and, most importantly, include a clear statement in their terms of service explaining to users how data is handled and how to request deletion of their information.
Appthority customers can use a combination of these Threat Indicators to identify risky behaviors in managed public and private apps:
- Capture Screenshots
- Uses AppSee SDK
- Uses TestFairy SDK
Non-compliant apps should be removed from the enterprise mobile environment to avoid the risk of corporate data leakage.
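As an added illustration (not Appthority's own tooling) of combining the "Uses AppSee SDK" / "Uses TestFairy SDK" indicators with the document-access check from the table above, the following script scores a single Android app from two artifacts a security team can extract offline: the decoded AndroidManifest.xml (e.g. from apktool) and the list of class names in its dex files. The SDK package prefixes `com.appsee.` and `com.testfairy.` are assumptions based on the vendors' public package names, and the sample manifest and class list are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Class-name prefixes the two SDKs ship under (assumption: their public package
# names; a vendor that repackages or obfuscates would need different prefixes).
SDK_PREFIXES = {"AppSee": "com.appsee.", "TestFairy": "com.testfairy."}

# MIME types a document-viewing intent filter would register for.
DOCUMENT_MIME_TYPES = {
    "application/pdf": "PDF",
    "application/msword": "MS Word",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": "MS Word",
    "application/vnd.ms-excel": "MS Excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet": "MS Excel",
    "application/vnd.ms-powerpoint": "MS PowerPoint",
    "application/vnd.openxmlformats-officedocument.presentationml.presentation": "MS PowerPoint",
}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def sdks_in_classes(class_names):
    """Recording SDKs whose classes appear in the app's dex class list."""
    return {sdk for sdk, prefix in SDK_PREFIXES.items()
            if any(name.startswith(prefix) for name in class_names)}

def document_types_in_manifest(manifest_xml):
    """Document families the (decoded) manifest registers intent filters for."""
    root = ET.fromstring(manifest_xml)
    return {DOCUMENT_MIME_TYPES[m] for m in
            (d.get(ANDROID_NS + "mimeType") for d in root.iter("data"))
            if m in DOCUMENT_MIME_TYPES}

def assess(class_names, manifest_xml):
    """Combine both indicators: flag an app that records screens and opens documents."""
    sdks, docs = sdks_in_classes(class_names), document_types_in_manifest(manifest_xml)
    return {"recording_sdks": sorted(sdks), "document_types": sorted(docs),
            "flag": bool(sdks and docs)}

# Constructed sample input: a hypothetical viewer app bundling the Appsee SDK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.docviewer"><application>
  <activity android:name=".ViewerActivity"><intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <data android:mimeType="application/pdf"/>
    <data android:mimeType="application/msword"/>
  </intent-filter></activity></application></manifest>"""
SAMPLE_CLASSES = ["com.example.docviewer.ViewerActivity", "com.appsee.Appsee", "okhttp3.OkHttpClient"]

if __name__ == "__main__":
    print(assess(SAMPLE_CLASSES, SAMPLE_MANIFEST))
```

The "Capture Screenshots" indicator is not derivable from these two artifacts alone; it would need a scan of the dex code for screenshot APIs, which this example does not attempt.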