Slashdot Mirror


Uber's Android App Caught Reporting Data Back Without Permission

Zothecula writes: Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.

9 of 234 comments

  1. Why is Android allowing Uber to access the info? by ShanghaiBill · · Score: 4, Informative

    If the app does not have permission to access these personal data, then why is Android giving it access? The solution to privacy is not trust, but robust security. No app should be able to access my call logs or other personal data unless I give explicit permission.

  2. Re:So, in essence, Uber's app is malware by Greyfox · · Score: 4, Informative

    You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone. Adding that functionality ought to be a no-brainer, but Google owns Youtube and Youtube just HAS to have access to your phone's camera for some reason. I'm guessing so they can watch you while you're masturbating.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  3. Re:So, in essence, Uber's app is malware by jareth-0205 · · Score: 5, Informative

    How about Google does something about it? Like remove the app and take Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

    Worse than that, Google is an investor of Uber. They have put in $250 million, they should just go and demand that Uber stop fucking about.

  4. Incorrect analysis by Anonymous Coward · · Score: 5, Informative

    Incorrect analysis by the original blog. Please see this nextweb article which clarifies
    http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/

    1. Re:Incorrect analysis by Anonymous Coward · · Score: 4, Informative

      Mod parent up. The summary and the article are complete lies. The summary/article is claiming the app was caught sending the data. Looking at the actual original blog post mentioned by the article, some person decompiled the Uber app code, and they found some suspiciously named functions that suggest the app might look up data it should not. They never claimed that the app actually sent any of their data, in fact they specifically say there may not be an issue. The parent's linked article actually shows some (limited) analysis done by someone who was actually intercepting device traffic, and there was nothing suspicious.
       
      A more accurate title would be "Uber app contains suspicious looking method names, more analysis needed"

  5. Re:It DOES have permission by Kingkaid · · Score: 4, Informative

    Agreed. I have the Windows app of Uber and its permissions are significantly more limited.

  6. Re:So, in essence, Uber's app is malware by stoploss · · Score: 5, Informative

    You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone.

    Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close due to exceptions being thrown. XPrivacy lets me keep my privacy without app force closes. Anyway, the CM devs used to be adamant that they would never allow spoofing because it would interfere with app devs data mining user data. It's one of the reasons I parted ways with CM. Maybe they have changed their position, though.

    Besides, XPrivacy, while it requires root, does *not* require a whole custom rom. Custom ROMs are passe compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.

  7. Re:Why is Android allowing Uber to access the info by oogoliegoogolie · · Score: 4, Informative

    Probably because Android has all-or-nothing, non-granular permissions where you have to grant the app access to everything it requests, or else it's 'no app for you!'
    If the app wants access to your contacts, accounts, phone history, photos, camera, messaging, mail, you give it access or you don't get to install it.

    It's a stupid, dumb, and poorly thought out implementation and Google should (?) know better.

  8. Think that's bad by goldcd · · Score: 4, Informative

    Have a look what Citrix Worx asks for (certifier of your phone, so you can look at your work email).

    Device & app history
      retrieve running apps
      read sensitive log data
    Mobile data settings
      change/intercept network settings and traffic
    Location
      precise location (GPS and network-based)
    Photos / Media / Files
      modify or delete the contents of your USB storage
      test access to protected storage
    Camera / Microphone
      record audio
    Wi-Fi connection information
      view Wi-Fi connections
    Device ID & call information
      read phone status and identity
    Other
      press keys and control buttons
      read frame buffer
      close other apps
      update component usage statistics
      force-stop other apps
      modify secure system settings
      view network connections
      connect and disconnect from Wi-Fi
      full network access
      run at startup
      read battery statistics
      control vibration
      close other apps
      set wallpaper
      install shortcuts
      uninstall shortcuts
      modify system settings
      pair with Bluetooth devices
      draw over other apps