Yesterday, a report detailed how certain apps used session replay frameworks to monitor user interactions. Now, Apple is cracking down on that practice, saying apps must remove such code or face being kicked out of the App Store.
According to TechCrunch, Apple is notifying developers who use session replay frameworks that they must remove the code because of privacy concerns. In a statement, an Apple spokesperson said that protecting privacy is “paramount in the Apple ecosystem.”
“Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.
“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added.
In an email sent to affected developers, Apple says that apps must “request explicit user consent” before logging or recording any user activity:
“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”
Developers affected by this crackdown told TechCrunch that Apple is giving them “less than a day to remove the code and resubmit their app.” If the developers fail to comply with this request, their app will be removed from the App Store.
An investigation from TechCrunch yesterday explored how prominent apps like Expedia and Hotels.com were using “customer experience analytics firms” to effectively record user screens. The goal of such frameworks is to see how a user interacts with apps and when they lose interest. In some cases, however, apps were not properly masking sensitive information, making things like credit card information and passwords viewable to all employees.
Notably, Apple’s statement today doesn’t explicitly ban these practices. Instead, it says that apps must request user consent and “provide a clear visual indication” of recording and logging.