Uber's Android App Caught Reporting Data Back Without Permission

Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.

Xprivacy and rooted for the win..

[popoutman]

Makes me very happy that I have XPrivacy installed on my rooted S4 Active, and I now have a fine-grained security model with the ability to control what apps have access to what.

It was an eyeopener to see some apps that were misbehaving or just outright being illegal. My flashlight app now only controls the LED on the rear, and cannot see any of my private details - and they earned themselves a 1-star review..

Re:Why is Android allowing Uber to access the info

They took the safest OS there is and made a Frankenstein POS out of it to make it user friendly.

Or they (google) made android such that it was more easy to spy/track people. User-friendliness has nothing to do with tracking. Why do games need access to call logs, need to launched at android startup, need access to your contact list? None. Yet, 90% of the top-downloaded games in the play store need access to your private data. Google is evil since they allow this without doing anything about it.

Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.

Re:So, in essence, Uber's app is malware

I've switched to a prepaid $50 Nokia Lumina 520(paid for entirely in cash including the minutes). They can still interogate the people from my call logs to find out who the phone belongs to, or GPS track it to my house using Carrier IQ, but atleast I'm not spoonfeeding it to them. Since it's a windows phone, I only use it for wifi tethering my Google Voice number/Google Hangouts to the 4G LTE network.

I have Whatsapp on my old burner cell phone I use for international travel... Tons of stupid android apps. Terrible battery life!

I say this as an App developer: Google really needs to clean house. I know the permissions configuration while writing an app encourages asking for everything so the code will compile, but all the same: the Carriers cock-blocking Android updates for 6-15 months(so they can "lame it up" with their stupid skins that nobody wants) is a HUGE security problem and probably one of the reasons why BYOD is so dangerous to corporate networks if done incorrectly. The privacy issue with being unable to firewall your contacts list, SMS history, and Photos is a major problem. One solution would be for every phone to have two contacts lists, SMS logs, and Photo albums set where you have to specifically move your private data in to the "everyone can see this shit" section where the Apps can go nuts.

Another solution would be to force all apps to ex-filtrate data through a Google monitored intermediary. This could be done at the kernel level by Android forcing the issue via their API. All outbound network traffic could be MITMed Transparently to the App developers. Sort of a "Privacy IDS"/MITM which is encrypted between the App and Google, and Google/the App's back-end servers. Would it cause higher latency? Probably(but they could have a "Privacy Certified" alternative where the App has to have it's Source Code reviewed by Google before going through the "Play" app store). Fascist? Yup! Necessary? Seems so!

Google could just start banning developers from their store caught misbehaving but that doesn't really scale well.