Uber's Android App Caught Reporting Data Back Without Permission
Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.
If the app does not have permission to access these personal data, then why is Android giving it access? The solution to privacy is not trust, but robust security. No app should be able to access my call logs or other personal data unless I give explicit permission.
Privacy backlash as Twitter starts to snoop on EVERY app users have on their phone
You can do this with the CyanogenMod privacy manager. Of course, then you have to root your phone. Adding that functionality ought to be a no-brainer, but Google owns YouTube and YouTube just HAS to have access to your phone's camera for some reason. I'm guessing so they can watch you while you're masturbating.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
How about Google does something about it? Like remove the app and take Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.
Worse than that, Google is an investor in Uber. They have put in $250 million, they should just go and demand that Uber stop fucking about.
Don't install it.
You'll be okay. There are other ways to get a taxi. I promise.
Incorrect analysis by the original blog. Please see this nextweb article which clarifies
http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/
Yes you are correct, however what are you supposed to do?
It's all or nothing with Android. It's not like you can exchange your phone for a different platform that has better permissions if you decide it's too much.
Google should change the way it works.
Agreed. I have the Windows app of Uber and its permissions are significantly more limited.
You can do this with the CyanogenMod privacy manager. Of course, then you have to root your phone.
Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close due to exceptions being thrown. XPrivacy lets me keep my privacy without app force closes. Anyway, the CM devs used to be adamant that they would never allow spoofing because it would interfere with app devs data mining user data. It's one of the reasons I parted ways with CM. Maybe they have changed their position, though.
Besides, XPrivacy, while it requires root, does *not* require a whole custom rom. Custom ROMs are passe compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.
Contacts: For splitting fares with friends, inviting friends to use Uber
Phone: To call your Uber driver or for them to call you
Camera/Microphone: Uber has a function that lets you take a photo of your credit card for scanning
Wi-Fi Connection: Checks if you have internet and attempts to use the WiFi name to help determine your location
Device ID and Call Information: Allows access to your phone number and a unique ID for your device
Identity: Allows Android users to sign in and pay with one tap (using the Google Sign-In and Google Wallet services)
Photos/Media/Files: Uber says this is to “save data and cache mapping vectors.”
http://thenextweb.com/apps/201...
Probably because Android has all-or-nothing, non-granular permissions where you have to grant the app access to everything it requests, or else it's 'no app for you!'
If the app wants access to your contacts, accounts, phone history, photos, camera, messaging, mail, you give it access or you don't get to install it.
It's a stupid, dumb, and poorly thought out implementation and Google should (?) know better.
"Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close"
Well, they did. CM11 has a privacy manager that will allow you to block access to contacts and so on, without making apps crash. I have set it up such that it will notify me whenever an app tries to access contacts, sms, calendar, location and it is surprising how few suspicious popups I get. One weird thing: wifi related apps need location access in order to show access points. Makes some sense, but it took me a while to realize why those apps weren't working.
Have a look what Citrix Worx asks for (certifier of your phone, so you can look at your work email).
Device & app history
retrieve running apps
read sensitive log data
Mobile data settings
change/intercept network settings and traffic
Location
precise location (GPS and network-based)
Photos / Media / Files
modify or delete the contents of your USB storage
test access to protected storage
Camera / Microphone
record audio
Wi-Fi connection information
view Wi-Fi connections
Device ID & call information
read phone status and identity
Other
press keys and control buttons
read frame buffer
close other apps
update component usage statistics
force-stop other apps
modify secure system settings
view network connections
connect and disconnect from Wi-Fi
full network access
run at startup
read battery statistics
control vibration
close other apps
set wallpaper
install shortcuts
uninstall shortcuts
modify system settings
pair with Bluetooth devices
draw over other apps