
iPhone apps are recording your on-screen activity



Many popular iPhone apps from airlines, clothing stores and travel sites may be viewing your on-screen activity without you knowing.

An investigation has revealed that this data is sent back to app developers to help improve their services. 

Major companies, including Expedia, Hollister and Air Canada, are monitoring what you do in their apps, including every click, tap and swipe.


Many popular iPhone apps from airlines, clothing stores and travel sites may be viewing your on-screen activity without you knowing. The sensitive data is supposed to be sufficiently masked, or blacked out (left), to protect it but the masking 'didn't always stick' (right), according to one security expert


The investigation, by Zack Whittaker for TechCrunch, found several popular iPhone apps use Glassbox, a customer experience analytics firm, which lets developers embed ‘session replay’ technology into their apps. 

The company recently tweeted: ‘Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?’ 

App developers record the screen and play the recordings back to see what people did in the app, what they liked or disliked, and whether an error occurred.

This means that every tap, button push and keyboard entry is recorded, screenshotted and sent back to the app developers. 

One expert fears that data from these session replays may not be sufficiently masked to protect sensitive data.

This means payment information or passport and visa details could potentially be viewed by third parties.


The App Analyst, a mobile expert who writes about apps on his blog, claims that Air Canada did not properly mask its session replays.

He suggests this may be the reason for Air Canada’s iPhone app data breach which exposed 20,000 profiles in August 2018.

‘This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,’ the App Analyst told TechCrunch. 

The App Analyst looked at a sample of apps that Glassbox listed on its website as customers and ‘success stories’. 

Using Charles Proxy, a tool used to intercept the data sent from Glassbox, the researcher was able to examine data being transmitted from devices.  


The App Analyst found that some apps were not masking the data properly. 

He also found that none of them said they were recording the user’s activity or that they were sending it to another company’s servers.

‘Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,’ he said.

Not every app was leaking masked data, and companies like Expedia and Hotels.com were capturing the data but sending it back to a server on their own domain.
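An audit of the kind described above, as an added example that is not from the article or the researcher: it scans a constructed proxy capture for Luhn-valid card numbers in outgoing analytics payloads and marks whether each destination is a third-party host. The hosts, field names and `FIRST_PARTY` set are assumptions, and it covers text payloads only, not screenshots.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of intercepted requests; hosts and field names are made up.
CAPTURE = [
    {"url": "https://replay.analytics-vendor.example/v1/events",
     "body": json.dumps({"field": "card", "text": "4111 1111 1111 1111"})},
    {"url": "https://replay.analytics-vendor.example/v1/events",
     "body": json.dumps({"field": "card", "text": "**** **** **** ****"})},
    {"url": "https://telemetry.shop.example/v1/events",
     "body": json.dumps({"field": "query", "text": "order 1234567890123456"})},
    {"url": "https://telemetry.shop.example/v1/events",
     "body": json.dumps({"field": "card", "text": "5555-5555-5555-4444"})},
]
FIRST_PARTY = {"shop.example"}  # assumption: the app owner's own domains

# 13 to 19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_first_party(host):
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def audit(capture):
    """Return one finding per request whose body carries an unmasked card number."""
    findings = []
    for n, entry in enumerate(capture):
        host = urlparse(entry["url"]).hostname or ""
        cards = [re.sub(r"\D", "", m.group()) for m in CANDIDATE.finditer(entry["body"])]
        cards = [c for c in cards if luhn_ok(c)]
        if cards:
            findings.append({"entry": n, "host": host,
                             "third_party": not is_first_party(host),
                             "pan_last4": [c[-4:] for c in cards]})  # never log the full number
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```
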


MailOnline has contacted Glassbox for comment but had not received a response at the time of publication.

The company told TechCrunch that it doesn’t require its customers to mention its usage in their privacy policy.

‘Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,’ the spokesperson said. 

‘When the system keyboard covers part of the native app, Glassbox does not have access to it.’ 

HOW CAN YOU PROTECT YOUR INFORMATION ONLINE?

Because hackers are becoming more creative, security experts are warning that consumers need to take all possible measures to protect their identities (file photo)


  1. Make your authentication process two-pronged whenever possible. You should choose this option on websites that offer it because when an identity-specific action is required on top of entering your password and username, it becomes significantly harder for fraudsters to access your information.
  2. Secure your phone. Avoiding public Wi-Fi and installing a screen lock are simple steps that can hinder hackers. Some fraudsters have begun to immediately discount secure phones altogether. Installing anti-malware can also be beneficial.
  3. Subscribe to alerts. A number of institutions that provide financial services, credit card issuers included, offer customers the chance to be notified when they detect suspicious activity. Turn those notifications on to stay informed about credit card activity linked to your account.
  4. Be careful when issuing transactions online. Again, some institutions offer notifications to help with this, which will alert you when your card is used online. It might also be helpful to institute limits on amounts that can be spent with your card online. 


Susan E. Lopez