App Analysis: Air Canada
This blog series focuses on the collection of device data by various popular mobile apps. Data is often collected in the name of advertising, error monitoring, fraud detection, and social media integration.
Air Canada's mobile app, which allows their customers to book and manage flights, tracks users with Glassbox Digital analytics. This enables Air Canada to determine device characteristics, collect precise location information, and take screenshots of the users' device.
Air Canada is the largest flight provider within Canada, setting a record of serving 48 million customers in 2017. Of these customers, approximately 1.7 million have registered an account within the Air Canada mobile app.
On August 28th, 2018, Air Canada posted a notice to their mobile app users, alerting them that "20,000 profiles may potentially have been improperly accessed" and that they would be asking all 1.7 million users to reset their password. In this notice Air Canada states that any credit card information that is stored is done so in compliance with security standards set by the Payment Card Industry (PCI).
Air Canada's description of user data stored by their mobile app
Glassbox Screenshots
The Glassbox tool captures many screenshots during a user's session on the Air Canada mobile app. Glassbox has accounted for the fact that user's may enter sensitive data into fields and allows businesses that use their tool to define obfuscating black boxes.
To do this properly requires a large amount of testing to assure that all sensitive fields have been covered appropriately under all circumstances. While Air Canada does configure a list of sensitive data fields which should be covered with a black boxes, many of the fields are still captured within session screenshots.
Air Canada screenshots showing both passwords and credit card information
Transparent black boxes
By attempting to implement the black boxes, Air Canada implicitly acknowledges that various fields within their app will contain sensitive data and that this data should not be captured in screenshots. This obfuscation of sensitive data is potentially done to ensure it is not stored within a database of screenshots.
However the configuration which Air Canada uses to specify placement of black boxes is not extensive enough and almost every black box used to cover sensitive data is captured in screenshots. Included below are two specific examples of poorly implemented obfuscation.
In the first example Air Canada attempts to block the collection of credit card information when a user associates a credit card with their account. Initially obfuscation is performed correctly with black boxes, however subsequent screenshots capture the revealed information. If these screenshots (which contain credit card information) are stored by Air Canada or shared with the third-party Glassbox, Air Canada could find themselves violating the standards set by the Payment Card Industry.
The second example shows the collection of passwords via screenshots. Air Canada attempts to cover the password form when logging in. However they do not obfuscate the initial setting of the password during account creation or resetting the password when forgotten. This finding is caveatted that I had to reveal the password using the show password functionality, but I would be fairly certain that any user who used this would have their password captured as a screenshot.
If this data is saved it would go against industry standards which state that a password should never be stored.
What users can do about it
I don't know why Air Canada takes screenshots of their users' activities. There is the potential that it could be used for quality assurance purposes or dispute resolution. Air Canada would be able to see when their app's user interface is broken or substantiate displayed flight prices when a user claims they saw a different price.
If any user feels uncomfortable with the data collected via screenshots by Air Canada they should attempt to block connections to glassbox.aircanada.ca. This should be possible through DNS settings within your home router.
Conclusion
Air Canada is unsuccessful in obfuscating credit card and password information. As a result, sensitive data is being captured as images and potentially stored. Although the data is not in text format, sensitive data stored as images can just as easily be harvested and leveraged if the database is ever compromised.
While there may be value in documenting user activity through screenshots, there is also a large amount of risk that the screenshots may capture sensitive data. Air Canada has attempted to mitigate this risk by configuring black boxes to cover sensitive fields. However this attempt has failed, potentially condemning a users sensitive data to residing in various screenshots stored by Air Canada.