
App Analysis: Air Canada - tolien
http://theappanalyst.com/aircanada.html
======
nemothekid
This is fun. Does this potentially mean that there are analytics firms out there
with tons of "screenshots" containing easily demasked credit card info, probably
sitting somewhere in an S3 bucket? That's a new attack vector I've never
thought about.

~~~
theappanalyst
Exactly! Glad someone is catching my point. The issue is that people go to
the ends of the earth to protect databases of credit card information; I doubt
the same can be said for a database of screenshots containing equivalent info.

Another big issue I see is I may trust company X with my data but I as a
consumer wouldn’t know I’m actually sharing my data with company Y and I think
that is something users should be aware of.

~~~
Vrpe
It will just end up like the GDPR in terms of user response. There will be yet
another new annoying popup with mandatory darkened background asking you to
accept the analytics or leave the site.

Most people will not actually read any of it, and hit OK without giving it
much thought. I feel as if we are just waiting for something bad to happen
before we take action in restricting this big data analytics trend.

It seems to be a trend, we are passive until the problem smacks us in the face
and then we grudgingly work on solving it slowly.

------
rdiddly
This writeup has a nice, calm, "Your house is on fire" quality about it that I
find refreshing.

~~~
theappanalyst
Thanks, I try not to be overly sensationalist about my topics and just display
the facts. Thanks for giving it a read :)

~~~
rdiddly
Absolutely - not sure why all these mini-emperors-of-Rome insist on downvoting
a legitimate compliment, but to have a piece of security writing that

1) reveals a significant security issue

2) ...without the usual overblown signals to the effect of how important it is
(it usually isn't) and "hey, pay attention to me"

...is refreshing, no other word for it. And if it were done more often that
way in the mainstream, there would be no need for a clickbait headline arms
race.

------
avip
Good writeup. There's absolutely no way this is not a PCI-DSS violation.

------
minimaxir
What’s the data advantage of _taking and sending a screenshot of the app_
instead of just sending user events (e.g. field filled, field selected, form
submitted)?

A screenshot literally unstructures the data.

~~~
swanson
It's not for data, but for catching visual bugs.

~~~
minimaxir
The website for Glassbox ([https://www.glassboxdigital.com/solution/customer-experience-analytics/](https://www.glassboxdigital.com/solution/customer-experience-analytics/))
pitches the capture feature as "Watch visitors' struggles for
yourself to improve your website’s customer experience."

IMO that seems inefficient. You could do the same at scale with the right
implementation of events.

~~~
escape_goat
"Watch visitors' struggles for yourself" brought dark patterns to mind
immediately.

~~~
aasasd
It's actually a normal and proper way to improve usability if done right, i.e.
in a study where you set tasks for users and watch what they're doing and where
they have problems. Jakob Nielsen has been doing this for decades.

Not sure if looking at users' screenshots is anywhere near as useful.

------
whoisjuan
[https://www.smartlook.com](https://www.smartlook.com)

[https://www.appsee.com/](https://www.appsee.com/)

[https://uxcam.com/](https://uxcam.com/)

[https://userx.pro/](https://userx.pro/)

That's just a small sample of services that allow you to record the user's
screen or take screenshots. App session replay software has existed for
years, and of course it captures everything that is going on in the app,
including checkouts and profile data (unless you flag those screens in the SDK
implementation).

Like someone already pointed out, that video or image will likely be stored
somewhere (an S3 bucket or some static storage). I think anyone who is
implementing these types of SDKs in their app needs to do their due diligence
and not push sensitive data to these third parties.

~~~
oliveshell
Just checked out userx.pro, and wow: a site that claims to help improve user
experience yet hijacks the ‘back’ button. The mind boggles.

“Improved retention,” indeed.

~~~
igorbiv
Hi! Could you tell us on which page of the website you found the back-button
hijack? We don't actually have one. If it really happened, we'll fix this bug ASAP.

~~~
oliveshell
Oops, I only just now saw this reply!

It was the homepage, when I followed the link to it. I was hasty in assuming
it was intentional, and I’m glad to hear that’s not the case.

I suspect it’s a bug, possibly caused by my use of an ad blocker. (I’m
accustomed to sites malfunctioning in certain ways when the blocker is turned
on, but I’d never seen it cause me to be unable to use “back” to leave.)

If it helps, it happened in Safari on iOS 12.1.4. The content blocker I’m
using is ‘1Blocker X’ from the iOS App Store.

------
kslfkkdkdndnn
We need more analyses like this, calling out businesses that violate their
users' trust.

------
eastbayjake
This write-up doesn't actually state where these unobfuscated images came
from, so it's not clear to me where (or whether) there are actually
unobfuscated images in Air Canada's system. Tools like Glassbox usually mark
PII fields with CSS classes to blur/redact fields when the screenshots are
taken. It looks like the author may have found password and credit card fields
without these CSS classes and manually recreated what the unobfuscated fields
would look like with dummy data, but it's also possible to configure these
tools to not log entire pages or directories -- this is how payment pages are
usually configured, with screenshotting completely disabled.

If the (anonymous) author simply mocked up what these screenshots _might_ look
like if they were saved, that's pretty misleading.

~~~
theappanalyst
Author here. These are not mockups, and if you watch the linked video you can
see me replay the session I captured using an HTTPS proxy. Hope that clears
things up, thanks for your interest!

~~~
lifeisstillgood
I had a similar question - I would recommend making that clear on an edit of
the post

But thanks for this - I had no idea such things were prevalent ... now I
wonder if I should surf with a proxy on to see what's being sent ...

~~~
z3t4
It's very sobering. But much harder now when everything is on HTTPS.

------
amolgupta
I was once forced to integrate one such product in our app. We did mask what
we thought was the sensitive information. Within days of release, the app was
removed from the Play Store for a privacy violation. We had to remove the SDK to
get back in business. So Google does use tools to detect such stuff, and this
was early 2017.

------
trhway
"Peekaboo" PCI compliance level.

------
franzwong
I love the idea of this web site. But it is not so convincing when it is not
HTTPS. (ok, I expected downvote)

~~~
theappanalyst
Haha very true, I was never expecting this to get much traction... will update
with the proper pki asap, thanks :)

~~~
grumpy-cowboy
Add an RSS feed please ;)

------
polote
I was in charge of building this kind of product for another analytics
company. This technology is called session replay, and it is used for many use
cases, like UX improvement, support, bug detection, ...

Most vendors record keyboard inputs and thus can record passwords as well as
credit card information; there was an affair about it a few years ago [1]. To
avoid this issue, most vendors provide a way to not record that
information. It requires manual tagging of the website on the elements that
contain critical content.

But many session replay vendors have many clients, and don't force or
don't verify that all the critical information is masked. This is not GDPR
compliant, because when the GDPR applies you need the consent of the user to
record their PII, and you are not even allowed to record information like
passwords, sexual orientation or credit cards even if you have the consent.

Two things:

- Nowadays on the web most payment pages are not hosted on the
client website, so those analytics tools are not included (but we still have
many websites that don't use a third party for that).
- This data is not (most
of the time) recorded in a structured way: the data of inputs is recorded as some
element of an HTML document, and thus it is not super easy to extract the information
at scale.

[1] [https://freedom-to-tinker.com/2018/02/26/no-boundaries-for-credentials-password-leaks-to-mixpanel-and-session-replay-companies/](https://freedom-to-tinker.com/2018/02/26/no-boundaries-for-credentials-password-leaks-to-mixpanel-and-session-replay-companies/)
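
The masking mechanism described in this comment and in eastbayjake's comment above (sensitive elements tagged with a CSS class or attribute, payment pages excluded entirely, everything else serialized into the replay store) can be sketched in a few dozen lines. The following is an added example written for this thread, not the code of Glassbox, Smartlook or any other vendor; the tag names `replay-mask` and `data-replay-mask`, the page shape and the sample values are all assumptions constructed for the illustration. It deliberately includes the failure mode the thread is about: a field the site forgot to tag is stored in the clear.

```javascript
// Added illustration of session-replay DOM snapshotting with element masking.
// Not any vendor's real code; MASK_CLASS, MASK_ATTR and the page model are
// assumptions for the example.

const MASK_CLASS = "replay-mask";      // assumed CSS class used to tag sensitive elements
const MASK_ATTR = "data-replay-mask";  // assumed attribute alternative to the class
const ALWAYS_MASK_TYPES = new Set(["password"]); // masked even when the site forgot the tag

// A node is a plain object standing in for a DOM element:
// { tag, attrs, value?, text?, children? }
function hasMaskTag(node) {
  const classes = (node.attrs.class || "").split(/\s+/);
  return classes.includes(MASK_CLASS) || MASK_ATTR in node.attrs;
}

function maskValue(v) {
  return "*".repeat(String(v).length);
}

// Recursively copy the tree the way a replay SDK would serialize it.
// `inherited` is true once any ancestor carried the mask tag, so a whole
// tagged container is masked, not only the tagged element itself.
function snapshotNode(node, inherited = false) {
  const masked = inherited || hasMaskTag(node);
  const out = { tag: node.tag, attrs: { ...node.attrs } };
  if (node.value !== undefined) {
    const type = node.attrs.type || "text";
    out.value = masked || ALWAYS_MASK_TYPES.has(type) ? maskValue(node.value) : node.value;
  }
  if (node.text !== undefined) {
    out.text = masked ? maskValue(node.text) : node.text;
  }
  out.children = (node.children || []).map((c) => snapshotNode(c, masked));
  return out;
}

// Page-level exclusion: payment or account pages are often not captured at all.
function isBlockedPath(path, blockedPrefixes) {
  return blockedPrefixes.some((p) => path === p || path.startsWith(p + "/"));
}

function capturePage(page, blockedPrefixes = []) {
  if (isBlockedPath(page.path, blockedPrefixes)) return null;
  return snapshotNode(page.root);
}

// Flatten every input name/value the stored snapshot would hold, i.e. what
// anyone with access to the replay store could read back.
function storedInputValues(snap, acc = {}) {
  if (!snap) return acc;
  if (snap.tag === "input" && snap.attrs.name) acc[snap.attrs.name] = snap.value;
  for (const c of snap.children) storedInputValues(c, acc);
  return acc;
}

// Constructed sample page: the card number is tagged, the CVV was forgotten,
// the password is caught by its input type. All values are fake test data.
const checkoutPage = {
  path: "/checkout",
  root: {
    tag: "form", attrs: { id: "pay" },
    children: [
      { tag: "input", attrs: { name: "email", type: "email" }, value: "alice@example.com" },
      { tag: "input", attrs: { name: "card", type: "text", class: "cc-field replay-mask" }, value: "4111111111111111" },
      { tag: "input", attrs: { name: "cvv", type: "text" }, value: "123" },
      { tag: "input", attrs: { name: "password", type: "password" }, value: "hunter2" },
      { tag: "div", attrs: { "data-replay-mask": "" }, children: [
        { tag: "span", attrs: {}, text: "Alice Example" },
      ] },
    ],
  },
};

// Element-level masking alone: the untagged CVV is stored in the clear.
console.log(storedInputValues(capturePage(checkoutPage)));
// Page-level exclusion: nothing from /checkout reaches the replay store.
console.log(capturePage(checkoutPage, ["/checkout"]));
```

Running it shows why the comment's two mitigations are not equivalent: with element tagging only, `card` and `password` come out as asterisks but `cvv` is stored verbatim because nobody tagged it, whereas excluding the `/checkout` path drops the whole page. A review of such an integration should therefore check both the tag coverage of every sensitive field and the page exclusion list, rather than trusting the SDK defaults.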

~~~
codetrotter
> you are not even allowed to record information like passwords, sexual
> orientation or credit cards even if you have the consent

Wait, why can’t a website record my sexual orientation with my consent?

How will dating sites work then? Or is there a difference between asking about
sexual orientation and asking me about what gender I would like to see / what
I am looking for? If there is a difference then what’s the point of not
allowing sexual orientation to be stored? From a practical point of view, the
question phrased as what I am interested in / looking for gives about the
same information, doesn't it?

~~~
polote
It is the difference between personal data and sensitive data. I'm not an expert
on the subject, but in this article ([https://gdpr-info.eu/art-9-gdpr/](https://gdpr-info.eu/art-9-gdpr/)) they say

> Paragraph 1 shall not apply if one of the following applies: the data
> subject has given explicit consent to the processing of those personal data
> for one or more specified purposes

But I was talking about third parties that collect information, not the website
itself. I was only working on the third-party side, so I don't know what websites are
allowed to do.

~~~
codetrotter
> But I was talking about third parties that collect information, not the
> website itself. I was only working on the third-party side, so I don't know what
> websites are allowed to do.

Ah, I see.

------
mileszim
Great read! Thanks for investigating this kind of thing, it's beyond useful.

------
mr_toad
Glassdoor claim to be able to screenshot web browsers as well. I didn’t know
that was possible.

~~~
asudosandwich
On iOS, apps can open a modal Safari webview instance within the app.

Can apps screenshot what's displayed in Safari in that case?

~~~
saagarjha
No, there is no way to screenshot SFSafariViewController because it's rendered
out-of-process in a way that no identifying information is conveyed to the
host app. You can try this yourself: you'll see that your screenshot contains
a blank navigation bar and toolbar, but nothing else.

