Session Replay Technology Leads to App Store Removals

February 12, 2019

Session replay technology provides developers with valuable insight into drop-offs, bugs and other in-app activity. However, many apps have not been disclosing that this information is being collected, or for what purpose. As a result, apps across the store were given a sudden 24-hour notice to remove their session replay SDK, obtain explicit permission from the user to allow recording, or be removed from the store.

What Happened

A TechCrunch report revealed that popular apps used session replay technology to record users’ screens while the apps were in use, without first obtaining permission. The session replay SDK came from third-party customer experience analytics firms, and essentially records or screenshots the app as it’s open to send back to the developer.

There are two issues with this: first, the data was not always properly masked, potentially revealing sensitive user information. Second, the users were not informed that they were being recorded – there was no notification requesting permission, and very few privacy policies even mentioned screen recording. Those that did include it in the policy still had to update to gain explicit user permission or be removed.

Shortly after this information came out, Apple swept the store to determine which apps were using session replay technology. Any that it found were notified that they had 24 hours to tell users they were being recorded or remove the SDK. Those that failed to do so within the time frame would be removed from the store.

Apple’s notification told developers:

“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

Session Replay

The intention of session replay technology is to see how users interact with an app, particularly for identifying bugs or other errors. This can quickly turn risky if the apps require users to enter sensitive information, such as credit card numbers or password information. If the app properly masks the data, the risk is minimized, but that is not always the case.

In one instance, the Air Canada app failed to mask the information properly. This could leave the data vulnerable to being intercepted and stolen, especially in the wake of a recent Air Canada data breach. That jeopardizes important user data, such as credit card numbers or passport information.

Some of the apps sent the data back to the third party’s servers, while others sent it back to their own data servers. Either way, there is no guarantee that the data is properly protected or hidden.

Privacy Policy

Apple requires that apps include a privacy policy that is accessible and includes information on data sharing, such as analytics tools. Specifically, in section 5.1.1 of the App Store Guidelines:

“Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) — such as analytics tools, advertising networks and third party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data — will provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines.”

Additionally, there are further guidelines for the user permissions an app needs to collect data:

“Apps that collect user or usage data must secure user consent for the collection. Paid functionality must not be dependent on or require a user to grant access to this data. Apps must also provide the customer with an easily accessible and understandable way to withdraw consent. Ensure your purpose strings clearly and completely describe your use of the data.”

Apple released a statement, saying:

“Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary.”

In the case of apps being targeted for removal, many neither included a disclosure in their privacy policy nor obtained user permission. That’s a clear violation of the App Store Guidelines and a cause for removal. Those that included information in their privacy policies still had to update or face removal, since users did not grant them access.

ASO & What Developers Can Do

It should go without saying that being removed from the App Store is disastrous for an app’s optimization. Not only does removal prevent an app from being found or downloaded at all, but the impact remains even after it’s restored.

If an app is removed, it loses all its keyword indexation and rankings. Putting it back on the store later will require re-indexing for targeted keywords – the app must begin the process of building its rankings up all over again, which takes time. The setback would be immense.

Apps that were at risk of removal have already been informed and should have updated by now. If they have not yet, they will have been removed.

The best way to avoid removal for a similar situation is to be upfront with users. If you are going to use session replay SDKs to record their usage, make it clear in the privacy policy and receive permission from users first. Even if the purpose is just to help resolve any issues that may arise and improve the user experience, users still have the right to know if their behavior is being recorded.
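The following Swift sketch is an added example, not code from the original article or from any session replay vendor. It shows the three requirements the guidelines quoted above impose on an app that records sessions: recording starts only after explicit, stored, revocable consent; a visible indicator is shown while recording is on; and secure or payment fields are masked before capture. The `SessionReplaySDK` protocol is a hypothetical stand-in for a real vendor API, and `UserDefaults` is assumed as the consent store.

```swift
import UIKit

// Hypothetical minimal interface of a session replay SDK (assumption, not a real vendor API).
protocol SessionReplaySDK {
    func start()
    func stop()
    func maskView(_ view: UIView)   // exclude this view's pixels from every capture
}

/// Stored, revocable consent. Default is "not granted": nothing is recorded until the user opts in.
enum ReplayConsent {
    private static let key = "sessionReplayConsent"   // assumed storage key
    static var granted: Bool {
        get { UserDefaults.standard.bool(forKey: key) }
        set { UserDefaults.standard.set(newValue, forKey: key) }
    }
}

final class ReplayController {
    private let sdk: SessionReplaySDK
    private let indicator = UILabel()   // persistent on-screen "recording" badge

    init(sdk: SessionReplaySDK) { self.sdk = sdk }

    /// Asks once, with a purpose string that says what is recorded and why; stores the answer.
    func requestConsent(from host: UIViewController, then completion: @escaping () -> Void) {
        let alert = UIAlertController(title: "Record screen for diagnostics?",
            message: "We record screen activity to find bugs. Passwords and card numbers are hidden. You can turn this off in Settings.",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Don't Allow", style: .cancel) { _ in completion() })
        alert.addAction(UIAlertAction(title: "Allow", style: .default) { _ in
            ReplayConsent.granted = true; completion()
        })
        host.present(alert, animated: true)
    }

    /// Only starts the recorder after consent exists, and always shows the indicator first.
    func startIfConsented(in window: UIWindow) {
        guard ReplayConsent.granted else { return }
        indicator.text = "● Session recording on"
        indicator.sizeToFit()
        indicator.frame.origin = CGPoint(x: 16, y: window.safeAreaInsets.top)
        window.addSubview(indicator)
        sdk.start()
    }

    /// Wired to a settings toggle: withdrawing consent stops recording immediately.
    func withdrawConsent() {
        ReplayConsent.granted = false
        sdk.stop()
        indicator.removeFromSuperview()
    }

    /// Masks password-style and card-number fields anywhere in the view tree before capture.
    func maskSensitiveViews(in root: UIView) {
        for view in root.subviews {
            if let field = view as? UITextField,
               field.isSecureTextEntry || field.textContentType == .creditCardNumber {
                sdk.maskView(field)
            }
            maskSensitiveViews(in: view)
        }
    }
}
```

Call `maskSensitiveViews` whenever a screen that takes payment or login input appears, not only at launch, since fields created later are otherwise captured unmasked.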

This is more than just a matter of following guidelines – it’s a matter of transparency, safety and user trust. Users lose faith in an app when they learn it’s been collecting information on them without permission – this gets reflected in uninstallations and negative ratings/reviews, both of which can have negative impact on an app’s rankings within the store.

If your app used a session replay SDK, you should have received a notification with the 24-hour notice on Friday night and updated accordingly by now. It’s important to monitor messages from Apple in case there are other drastic changes like this; anyone who decided to wait to address it after the weekend will have had their app taken down by then. If your app does not use a session replay SDK, this serves as an important lesson for following guidelines closely and safeguarding user privacy.

Want more information regarding App Store Optimization? Contact Gummicube and we’ll help get your strategy started.