Slashdot Mirror


Uber's Android App Caught Reporting Data Back Without Permission

Zothecula writes: Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.

16 of 234 comments

  1. So, in essence, Uber's app is malware by Anonymous Coward · · Score: 5, Insightful

    How about Google does something about it? Like remove the app and take Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

    1. Re:So, in essence, Uber's app is malware by 0123456 · · Score: 5, Insightful

      Or, you know, actually give us actual app permissions control so we can prevent it from retrieving this information in the first place, rather than having to agree that Happy Fluffy Kitty Screensaver can send text messages and read all my contacts or not install it at all?

    2. Re:So, in essence, Uber's app is malware by gstoddart · · Score: 4, Insightful

      But, cynically, how would you even know?

      If they're collecting stuff against the app permissions, WTF would you trust them when they say "oh, sure, we've deleted your stuff".

      If they collected anything beyond what they had explicit permissions for, you have to assume everything else is a bloody lie.

      --
      Lost at C:>. Found at C.
    3. Re:So, in essence, Uber's app is malware by AJWM · · Score: 4, Insightful

      This -- although I don't even need your phone.

      These days smartphones might as well just be GPS house-arrest bracelets with better PR.

      --
      -- Alastair
  2. It DOES have permission by Anonymous Coward · · Score: 5, Insightful

    I just went to the google play store page for Uber, and checked the permissions the app requires. It includes:

    Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.

    So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.

    And in this, it is not alone. The majority of apps on the play store require all these permissions, and google will not give users explicit control over these permissions for two reasons:

    1) Users will break their own apps and then google will take the heat for it (you KNOW this will happen, a LOT)
    2) Vendors will hate the sandbox that users put them in, and google will take the heat for that (and lose a lot of free apps that represent a competitive advantage for google).

    I am not saying this is right, but this is a natural response to the incentives google faces.

    1. Re:It DOES have permission by Anonymous Coward · · Score: 5, Insightful

      There's a simple solution to this, and one that Apple has applied successfully to Uber - make it a condition to get into the store that you don't request permissions you don't need to do the app's job. Uber for iOS doesn't require access to all this stuff. I'd bet heavily that that's because Apple told them to go fuck themselves until they sorted it out.

    2. Re:It DOES have permission by gstoddart · · Score: 4, Insightful

      Google needs to get their shit together.

      Google's "shit" is collecting your personal information to use to sell advertising. So, from that perspective, it's mission accomplished.

      There aren't a whole lot of ways to reconcile how Google wants to make money from Android with a desire for user privacy.

      My best guess is Google has crippled the privacy to ensure that commercial interests trump privacy interests.

      Do you think they're going to provide an ability for users to kill off advertising in apps? Especially when Google profits from this?

      My guess is this "simplified" permissions model they rolled out this year was specifically designed to ensure better access for apps.

      --
      Lost at C:>. Found at C.
    3. Re:It DOES have permission by m.dillon · · Score: 4, Insightful

      No, in fact the vast majority of people who run an iOS app on an Apple device who see a permission request pop up that they don't like, say 'No', and the app continues to run just fine.

      Even better, the apps on iOS tend not to request absurd permissions in the first place because they know those pop-ups will annoy their customers enough to either say 'no' anyway or not use the app in the first place. It's a black blotch for an iOS app to request permissions that it does not need, and Apple customers call them on it in the reviews.

      Whereas with Android, everything is quiet and silent and people run apps without really understanding what data they are giving away, EVEN if they have read the manifest... so app writers can get away with almost anything and consumer privacy on Android is poorer for it.

      -Matt

  3. Re:Spoofing by digitalchinky · · Score: 5, Insightful

    You need root, XPosed and XPrivacy allow you to give bogus info to apps. The UI could use a little work but you get a deep level of control over app permissions. Alongside auto run manager and a firewall of some kind and you pretty much have a non-leaky, tame Android.

  4. Re:Why is Android allowing Uber to access the info by Russ1642 · · Score: 4, Insightful

    You either accept all permissions, without explanation, or you can't install the app. Android needs to give people the ability to deny individual permissions, without having to root your phone and install Cyanogenmod or the like.

  5. Re:It's a storage site by BarbaraHudson · · Score: 5, Insightful

    ... and it wants to be the Facebook of transportation. "We're collecting all this data to help us make your user experience better. Don't like it - use someone else. Oh wait - we actively sabotage the competition 'cuz we got $1.5 billion thrown at us by crazy investors."

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  6. Re:Why is Android allowing Uber to access the info by NatasRevol · · Score: 4, Insightful

    If this is your default answer, you're going to have a bad time.

    The problem is with the permissions model of Android. "allow access to make phone calls" also means can see all metadata.

    That's a big WTF right there.

    --
    There are two types of people in the world: Those who crave closure
  7. Re:Why is Android allowing Uber to access the info by taustin · · Score: 4, Insightful

    Google is evil since they allow this without doing anything about it.

    Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.

    Not really. Google actively wants this crap because they are an advertising company, and their entire business model depends on destroying all privacy everywhere (except for the privacy of their proprietary database of your private information). If they put in real security for privacy settings for other people's apps, then Google can't track you either.

  8. Re: XPosed and XPrivacy will lie for you! by Karlt1 · · Score: 5, Insightful

    And BTW, iPhone Apps are not any better about this stuff like phoning home and spying on you unless they are rooted and modified. It is just that the greater openness of Android platform versus iOS makes it easier to spot. But that also means that there are more and better countermeasures.

    iOS doesn't allow any app to have most of those permissions. Even in a case like Contacts (as of iOS 8), there is a new API that allows the user to select the contact within the app using an OS-provided picker and the app only has access to the contact the user chose.

    You can also turn off permissions granularly once an app is installed.

  9. Re:Why is Android allowing Uber to access the info by whoever57 · · Score: 4, Insightful

    Linux security doesn't isolate process disk data from each other, anybody can read any part of the disk under the same user, which in practice is all apps a user uses because they all run under the user's account.

    Apparently you are not familiar with SELinux.

    --
    The real "Libtards" are the Libertarians!
  10. Re:Explanation of Uber permissions... by bouldin · · Score: 5, Insightful

    Those are legitimate explanations for the app to need said access, but that's not what the article is about. The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.

    Sorry for yelling, but it's an important point.

    Also, there is no good reason to report back your data pertaining to malware.