Slashdot Mirror

← Back to Stories (view on slashdot.org)

Uber's Android App Caught Reporting Data Back Without Permission

Posted by timothy on from the distinguish-from-government dept.

Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.

21 of 234 comments (clear)

  1. So, in essence, Uber's app is malware by Anonymous Coward · · Score: 5, Insightful

    How about Google does something about it? Like remove the app and takes Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

    1. Re:So, in essence, Uber's app is malware by 0123456 · · Score: 5, Insightful

      Or, you know, actually give us actual app permissions control so we can prevent it from retrieving this information in the first place, rather than having to agree that Happy Fluffy Kitty Screensaver can send text messages and read all my contacts or not install it at all?

    2. Re:So, in essence, Uber's app is malware by Anonymous Coward · · Score: 3, Insightful

      What do you mean "have to agree"? In what sense do you "have" to? I've certainly never agreed (and in fact don't have Uber's app or other similar "ask for everything under the sun" apps), and have detected no one attempting to compel me to agree to anything I don't want to agree to.

      Have we lost any and all ability as a culture to say "no" to things that are obviously unreasonable? That's all you have to do. Look at the list of permissions, decide that's too much, and refuse to install the app. It's really not hard. I do it at least once a week. You can too.

      I swear, our culture has a 2 year old's mentality: "but i WAAAAAANT it!!!"

    3. Re:So, in essence, Uber's app is malware by gstoddart · · Score: 4, Insightful

      But, cynically, how would you even know?

      If they're collecting stuff against the app permissions, WTF would you trust them when they say "oh, sure, we've deleted your stuff".

      If they collected anything beyond what they had explicit permissions for, you have to assume everything else is a bloody lie.

      --
      Lost at C:>. Found at C.
    4. Re:So, in essence, Uber's app is malware by AJWM · · Score: 4, Insightful

      This -- although I don't even need your phone.

      These days smartphones might as well just be GPS house-arrest bracelets with better PR.

      --
      -- Alastair
  2. It DOES have permission by Anonymous Coward · · Score: 5, Insightful

    I just went to the google play store page for Uber, and checked the permissions the app requires. It includes:

    Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.

    So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.

    And in this, it is not alone. The majority of apps on the play store require all these permissions, and google will not give users explicit control over these permissions for two reasons:

    1) Users will break their own apps and then google will take the heat for it (you KNOW this will happen, a LOT)
    2) Vendors will hate the sandbox that users put them in, and google will take the heat for that (and lose a lot of free apps that represent a competitive advantage for google).

    I am not saying this is right, but this is a natural response to the incentives google faces.

    1. Re:It DOES have permission by Anonymous Coward · · Score: 5, Insightful

      There's a simple solution to this, and one that Apple has applied successfully to Uber - make it a condition to get into the store that you don't request permissions you don't need to do the app's job. Uber for iOS doesn't require access to all this stuff. I'd bet heavily that that's because Apple told them to go fuck themselves until they sorted it out.

    2. Re:It DOES have permission by Derek+Pomery · · Score: 3, Insightful

      Agreed. It's absurd how many apps require all these permissions to be installed.

      If you want the app, you agree to that.
      I still haven't upgraded Waze since their new "social" integration required a ton more privileges, mostly to phone private info. And this despite running XPrivacy - I just can't be bothered to go through the whitelisting for it, when current version works well enough. Ditto the updated Google Search app.

      It'd be nice if apps had a base set of privs then expanded sets that could be allowed on install or later by request to the system/user. Also it'd be nice if the privileges were a lot more restricted, like "Use Ad Service to show you ads" instead of "Use Internet"

      So, I installed a little Fisher Price Animals app for kid, and set XPrivacy to "ask" mode. On startup, XPrivacy popups popped up indicating the app wanted my Localisation, Phone Identity, Telephone (calling/numbers - probably just so the app could know when a call was coming in if a kid was playing, but still, the sort of broad category Android requires for something like that), Sensors, some Shell cpu thingy I couldn't be bothered to figure out, but that it seems to run just fine without, and, Shell lib calls for the animal sounds.
      But, yeah, you allow broad categories, some inoccuous, some just 'cause they want to know how many users they have or something, and, surprise!

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    3. Re:It DOES have permission by gstoddart · · Score: 4, Insightful

      Google needs to get their shit together.

      Google's "shit" is collecting your personal information to use to sell advertising. So, from that perspective, it's mission accomplished.

      There isn't a whole lot of ways to reconcile how Google wants to make money from Android, with a desire user privacy.

      My best guess is Google has crippled the privacy to ensure that commercial interests trump privacy interests.

      Do you think they're going to provide an ability for users to kill off advertising in apps? Especially when Google profits from this?

      My guess is this "simplified" permissions model they rolled out this year was specifically designed to ensure better access for apps.

      --
      Lost at C:>. Found at C.
    4. Re:It DOES have permission by m.dillon · · Score: 4, Insightful

      No, in fact the vast majority of people who run an IOS app on an Apple device who see a permission request pop up that they don't like, say 'No', and the app continues to run just fine.

      Even better, the apps on IOS tend not to request absurd permissions in the first place because they know those pop-ups will annoy their customers enough to either say 'no' anyway or not use the app in the first place. Its a black blotch for an IOS app to request permissions that it does not need, and Apple customers call them on it in the reviews.

      Whereas with android, everything is quiet and silent and people run apps without really understanding what data they are giving away, EVEN if they have read the manifest... so app writers can get away with almost anything and consumer privacy on android is poorer for it.

      -Matt

  3. Re:Spoofing by Billhead · · Score: 3, Insightful

    I haven't tried it yet but I think the Xposed module XPrivacy module can do that.

  4. Re:Why is Android allowing Uber to access the info by 0123456 · · Score: 2, Insightful

    OK, so I want to use their taxi service, but their app demands permissions it obviously doesn't need. Android gives me an option of installing it or not installing it.

    Now what do you suggest I do?

    Android's permission model is completely broken. It's the Windows of the modern world.

  5. Re:Spoofing by digitalchinky · · Score: 5, Insightful

    You need root, XPosed and XPrivacy allow you to give bogus info to apps. The UI could use a little work but you get a deep level of control over app permissions. Along side auto run manager and a firewall of some kind and you pretty much have a non leaky tame android.

  6. Re:Why is Android allowing Uber to access the info by Russ1642 · · Score: 4, Insightful

    You either accept all permissions, without explanation, or you can't install the app. Android needs to give people the ability to deny individual permissions, without having to root your phone and install Cyanogenmod or the like.

  7. Re:It's a storage site by BarbaraHudson · · Score: 5, Insightful

    ... and it wants to be the Facebook of transportation. "We're collecting all this data to help us make your user experience better. Don't like it - use someone else. Oh wait - we actively sabotage the competition 'cuz we got $1.5 billion thrown at us by crazy investors."

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  8. Re:Why is Android allowing Uber to access the info by NatasRevol · · Score: 4, Insightful

    If this is your default answer, you're going to have a bad time.

    The problem is with the permissions model of Android. "allow access to make phone calls" also means can see all metadata.

    That's a big WTF right there.

    --
    There are two types of people in the world: Those who crave closure
  9. CyanogenMod by brunes69 · · Score: 3, Insightful

    CyanogenMod and many other ROMs let you control this stuff. I have never found an app that broke due to the CyanogenMod privacy manager. I can't see how it would break because all it does is mock dummy responses for all of these things.

  10. Re:Why is Android allowing Uber to access the info by taustin · · Score: 4, Insightful

    Google is evil since they allow this without doing anything about it.

    Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.

    Not really. Google actively wants this crap because they are an advertising company, and their entire business model depends on destroying all privacy everywhere (except for the privacy of their proprietary database of your private information). If they put in real security for privacy settings for other people's apps, then Google can't track you either.

  11. Re: XPosed and XPrivacy will lie for you! by Karlt1 · · Score: 5, Insightful

    And BTW, iPhone Apps are not any better about this stuff like phoning home and spying on you unless they are rooted and modified. It is just that the greater openness of Android platform ersus iOS makes it easier to spot. But that also means that there are more and better countermeasures.

    IOS doesn't allow any app to have most of those permissions. Even in case like Contacts (as of iOS 8), there is a new API that allows the user to select the contact within the app using an OS provided picker and the app only has access to the contact the user chose.

    You can also turn off permissions granularly once an app is installed.

  12. Re:Why is Android allowing Uber to access the info by whoever57 · · Score: 4, Insightful

    Linux security doesn't isolate process disk data from each other, anybody can read any part of the disk under the same user, which in practice is all apps a user use because they all run under the user's account.

    Apparently you are not familiar with SELinux.

    --
    The real "Libtards" are the Libertarians!
  13. Re:Explanation of Uber permissions... by bouldin · · Score: 5, Insightful

    Those are legitimate explanations for the app to need said access, but that's not what the article is about. The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.

    Sorry for yelling, but it's an important point.

    Also, there is no good reason to report back your data pertaining to malware.