A message from Glassbox CTO and co-founder Yaron Gueta – Part 1
Glassbox is not a social media tool. The purpose of Glassbox is to make your digital journey friendlier and more efficient. Have you ever tried to book a flight using a travel agency’s mobile app, only to have the app fight back? How frustrating is it? Did you ever wish that someone from the travel company could truly feel your frustration? I wished for it and did something about it; I founded Glassbox.
Several articles have recently been published regarding Glassbox and security, and I’ve noticed a lot of confusion on the topic. Glassbox considers security and privacy its top priorities, and in fact includes security features above and beyond any competitive solution, so I would like to explain the truth behind the stories.
Security cannot be explained with slogans and catchy titles, so from this point and on, you need to be a geek (my favorite audience :)) to understand the details.
First of all, when Glassbox customers read the blog post at The App Analyst, they naturally became concerned that Glassbox had suffered a data breach. I would like to strongly emphasize that the incident described does not relate to any data breach. No customer data was ever compromised.
The App Analyst used a common mechanism called “man in the middle” to gain access to its own traffic. This means that the entire article describes techniques used for watching your own data while it’s being streamed between the mobile device and the server, including background data that is not related to Glassbox. Any sensitive data is visible to the user, but again, this data only relates to the user’s own traffic. As this methodology can only be performed by the user that owns the device, it is not a real security concern. For example, it would only take me two minutes to record my own traffic on TechCrunch’s credit card page by just using Fiddler and a “man in the middle” approach.
How does this relate to Glassbox:
Glassbox records the entire mobile session, including all user actions. In cases when our clients would like to hide data from the recording, it can be masked. The masking configuration is very flexible and can hide any elements that need to be excluded. The article mentioned this mechanism as well, as you can see below on the left side:
The left side shows a masked screen and the right side displays an additional CC screen that was not configured to be masked.
When Air Canada noticed this issue, it was quickly determined that masking had not been applied correctly to hide these fields. It was also determined that any sniffing activity done by The App Analyst was conducted outside of the Air Canada network and outside of the Glassbox platform. It is important to mention again that there was no data breach, and no customer data was ever compromised. I would like to emphasize that Air Canada is using Glassbox on premise; the data referenced here was sent to Air Canada’s data center and never left their premise.
The other main topic of discussion in the recent news articles involves a “user consent message.” Until now, Glassbox has not been involved in user consent messages because every company has its own policies based on geolocation, vertical sector and more. It made sense to let our customers decide how to deal with these consent messages.
This is now going to change. We are now taking ownership and responsibility alongside our customers to make sure that end users are made fully aware that their sessions are being recorded for quality and compliance purposes — just as callers to a contact center are informed that their calls are being recorded. We are also trying to get guidance from Apple to make sure we are complying with all App Store policies, but to date they have not responded.
Furthermore, in order to prevent the recording of credit card numbers and passwords, as well as ‘man in the middle’ mechanisms, Glassbox is implementing the following protections:
- We will encrypt the streaming data on top of the SSL encryption. This will prevent “man in the middle” attackers from decrypting Glassbox data even when the SSL data is decrypted.
- Glassbox will automatically identify and mask all credit card numbers and passwords, no configuration necessary. Furthermore, it will no longer be possible to send credit card data as part of the session recording.
- We will continue to push our clients to use “Certificate Pinning” that can be configured on the SDK side to prevent “man in the middle” sniffing.
In my next blog post, I will elaborate in greater depth on Glassbox’s security measures and why it’s being used by the most secure organizations worldwide.
Learn how digital experience analytics can support your data privacy efforts