Fable about Burger King and user data. Developer Comments

Hi, Habr! We are e-Legion, the developer of the Burger King mobile app. We are writing this post to reassure everyone who is worried about their bank card details, and explain how and why data is collected from users' screens.

Characters:

Burger King is the owner of the application that chose the AppSee analytics system for work.
')
e-Legion is an application developer who received the keys from the AppSee SDK from Burger King and integrated it into the application.

Appsee is an analytical service that collects statistical data, transmits and stores them in a safe form, but nevertheless it is under suspicion.

fennikami - as he said about himself: 18 years old, probably bearded, picks up various applications in his spare time

Outraged users - 3 million people who are indignant that their bank card details can fall into the hands of intruders.

PROLOGUE

July 11 appeared on Pikabu, and July 12 was duplicated on the Habré post , in which the user fennikami examines the traffic data of the mobile application Burger King and concludes that he is being followed: recording video from the screen when he enters his bank card data, and then transmit this information to third parties.

This information angered the users of the application and excited the media. Dozens of publications with headlines about the theft of personal data and hundreds of letters addressed to Burger King with a request to comment on what was written in the post.

ACT I. Where Appsee records the user's screen and transmits the recording to Burger King

All applications are tested during development and if bugs are found in them, then testers write bug reports for developers. The developers correct all these errors and the testers re-check the application for these errors.

Some errors may not be noticed at the testing stage, and some cannot be foreseen, and errors occur already in users, for example, the application crashes. Then analytics comes to the rescue. After all, users will not write us bug reports, and thanks to the analytics system, Burger King will see errors, and we will be able to fix them so that your application runs stably.

In the Burger King mobile app, one of the most famous Appsee statistics collection and analysis services is used. Statistics are collected solely for the purpose of analyzing the quality of the application, identifying and eliminating possible errors, emergency situations and the like. As in any statistics, mass indicators are important here. Any private confidential user data in this regard is of no interest and is not collected.

One of the important features of Appsee statistics is recording video from the screen while the application is running. This allows us to provide technical support for the application at a significantly higher quality level, to detect and eliminate various shortcomings.

User concerns about collecting statistics and especially recording video is understandable. Let's take a look at how this happens and what data will eventually end up in the analytics system.

1. About 10% of users who are selected randomly record and transmit video.
2. Video is recorded and transmitted only when there is a Wi-Fi connection and it is never performed via mobile networks. www.appsee.com/tutorials/recording-settings
3. Video recording is conducted with extremely low quality to ensure a low load on device resources and data transmission channels.
4. When recording video, all data entry fields, passwords and images from the camera are automatically hidden. In analytics, they are visible as black rectangles.

Screenshot from the Appsee control panel. The input fields are closed with black rectangles.

ACT II. Where we see how the data is hidden and parse screenshots from Pikabu

Appsee, as a very large company on the market, strictly adheres to all existing laws on working with personal and other user data. In particular, the European GDPR requirements, which are much stricter even Russian.

The Appsee SDK automatically recognizes and hides all data entry fields, passwords and images from the camera. This can be seen on the screen of the very same fennikami - the author of the post on Pikabu. Two lines that say that all the fields are hidden on the client itself when recording video:


Screenshot fennikami from a post on Pikabu

Data hiding is automatically registered in the application code. And the Appsee SDK works in such a way that the hiding of fields with personal data occurs before the records leave the mobile device. Let's see this.

Act III. Where do we compare entries on the phone and in the analytics system

Video still in the phone

Thanks for the video norver , which checked what data is really sent to the Appsee server in his post

Video came to Appsee

Video recorded from the Appsee control panel

Act IV. Where we sum up and reward Fennikami for curiosity

Your data is safe because:

• Hiding personal data when recording video for analytics is written in the application code. Data is hidden before leaving the mobile device.
• Burger King, e-Legion and Appsee do not have access to user banking data. This data is not recorded, stored or transmitted to third parties.
• Burger King receives only the name, email and phone of the user in accordance with the User Agreement: burgerking.ru/legal_for_app
• Recording video from screens helps to collect statistics in order to improve the performance of the application.
• Appsee strictly adheres to all existing laws on working with personal data of users. This is spelled out in their policies: www.appsee.com/legal/privacypolicy
• Data transfer to the Appsee analytics service occurs only via Wi-Fi and does not consume mobile traffic.

The author of the article under the nickname fennikami want to express respect for the curiosity of the data requests / responses. Still, do not be alarmed before you learn all the features of a library or SDK.

We will teach this - we give you free training at the e-Legion Academy . Choose a specialty and write to sv@e-legion.com to access the curriculum.