Slashdot Mirror


Uber's Android App Caught Reporting Data Back Without Permission

Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.

60 of 234 comments

  1. So, in essence, Uber's app is malware by Anonymous Coward · · Score: 5, Insightful

    How about Google does something about it? Like remove the app and takes Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

    1. Re:So, in essence, Uber's app is malware by 0123456 · · Score: 5, Insightful

      Or, you know, actually give us actual app permissions control so we can prevent it from retrieving this information in the first place, rather than having to agree that Happy Fluffy Kitty Screensaver can send text messages and read all my contacts or not install it at all?

    2. Re:So, in essence, Uber's app is malware by Greyfox · · Score: 4, Informative

      You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone. Adding that functionality ought to be a no-brainer, but Google owns Youtube and Youtube just HAS to have access to your phone's camera for some reason. I'm guessing so they can watch you while you're masturbating.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:So, in essence, Uber's app is malware by Tukz · · Score: 2

      If you think that's bad, don't look at what Facebook Messenger wants access to.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    4. Re:So, in essence, Uber's app is malware by Anonymous Coward · · Score: 3, Insightful

      What do you mean "have to agree"? In what sense do you "have" to? I've certainly never agreed (and in fact don't have Uber's app or other similar "ask for everything under the sun" apps), and have detected no one attempting to compel me to agree to anything I don't want to agree to.

      Have we lost any and all ability as a culture to say "no" to things that are obviously unreasonable? That's all you have to do. Look at the list of permissions, decide that's too much, and refuse to install the app. It's really not hard. I do it at least once a week. You can too.

      I swear, our culture has a 2 year old's mentality: "but i WAAAAAANT it!!!"

    5. Re:So, in essence, Uber's app is malware by jareth-0205 · · Score: 5, Informative

      How about Google does something about it? Like remove the app and takes Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

      Worse than that, Google is an investor of Uber. They have put in $250 million, they should just go and demand that Uber stop fucking about.

    6. Re:So, in essence, Uber's app is malware by SternisheFan · · Score: 2

      If you didn't use the app on one of your devices, you didn't agree to the terms and conditions. Out of sheer curiosity, I tried it for an hour, then uninstalled. Getting Uber to delete my personal info meant searching online for help, and writing emails. Uber did get back to me within a day or so and confirmed my info got deleted.

    7. Re:So, in essence, Uber's app is malware by stoploss · · Score: 5, Informative

      You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone.

      Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close due to exceptions being thrown. XPrivacy lets me keep my privacy without app force closes. Anyway, the CM devs used to be adamant that they would never allow spoofing because it would interfere with app devs data mining user data. It's one of the reasons I parted ways with CM. Maybe they have changed their position, though.

      Besides, XPrivacy, while it requires root, does *not* require a whole custom rom. Custom ROMs are passe compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.

    8. Re:So, in essence, Uber's app is malware by gstoddart · · Score: 2

      Not to worry ... Twitter wants in on that action.

      "To help build a more personal Twitter experience for you, we are collecting and occasionally updating the list of apps installed on your mobile device so we can deliver tailored content that you might be interested in," the company said.

      Yeah, no, thanks.

      Didn't want your app before. Don't want it now.

      This whole "free to use, but we get all your data" model of software is producing some pretty shitty stuff which is actively hostile to your privacy.

      The only way to win is to not even play. Sorry, but I don't need your app.

      --
      Lost at C:>. Found at C.
    9. Re:So, in essence, Uber's app is malware by TechyImmigrant · · Score: 2

      >Besides, XPrivacy, while it requires root, does *not* require a whole custom rom. Custom ROMs are passe compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.

      I don't XPect to like programs with an XTremely crappy habit of putting unnecessary Xs in front of words.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    10. Re:So, in essence, Uber's app is malware by gstoddart · · Score: 4, Insightful

      But, cynically, how would you even know?

      If they're collecting stuff against the app permissions, WTF would you trust them when they say "oh, sure, we've deleted your stuff".

      If they collected anything beyond what they had explicit permissions for, you have to assume everything else is a bloody lie.

      --
      Lost at C:>. Found at C.
    11. Re:So, in essence, Uber's app is malware by hankwang · · Score: 3, Informative

      "Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close"

      Well, they did. CM11 has a privacy manager that will allow you to block access to contacts and so on, without making apps crash. I have set it up such that it will notify me whenever an app tries to access contacts, sms, calendar, location and it is surprising how few suspicious popups I get. One weird thing: wifi related apps need location access in order to show access points. Makes some sense, but it took me a while to realize why those apps weren't working.

    12. Re:So, in essence, Uber's app is malware by AJWM · · Score: 4, Insightful

      This -- although I don't even need your phone.

      These days smartphones might as well just be GPS house-arrest bracelets with better PR.

      --
      -- Alastair
    13. Re:So, in essence, Uber's app is malware by Anonymous Coward · · Score: 5, Interesting

      I've switched to a prepaid $50 Nokia Lumina 520 (paid for entirely in cash including the minutes). They can still interrogate the people from my call logs to find out who the phone belongs to, or GPS track it to my house using Carrier IQ, but at least I'm not spoonfeeding it to them. Since it's a windows phone, I only use it for wifi tethering my Google Voice number/Google Hangouts to the 4G LTE network.

      I have Whatsapp on my old burner cell phone I use for international travel... Tons of stupid android apps. Terrible battery life!

      I say this as an App developer: Google really needs to clean house. I know the permissions configuration while writing an app encourages asking for everything so the code will compile, but all the same: the Carriers cock-blocking Android updates for 6-15 months (so they can "lame it up" with their stupid skins that nobody wants) is a HUGE security problem and probably one of the reasons why BYOD is so dangerous to corporate networks if done incorrectly. The privacy issue with being unable to firewall your contacts list, SMS history, and Photos is a major problem. One solution would be for every phone to have two contacts lists, SMS logs, and Photo albums set where you have to specifically move your private data in to the "everyone can see this shit" section where the Apps can go nuts.

      Another solution would be to force all apps to ex-filtrate data through a Google monitored intermediary. This could be done at the kernel level by Android forcing the issue via their API. All outbound network traffic could be MITMed Transparently to the App developers. Sort of a "Privacy IDS"/MITM which is encrypted between the App and Google, and Google/the App's back-end servers. Would it cause higher latency? Probably (but they could have a "Privacy Certified" alternative where the App has to have its Source Code reviewed by Google before going through the "Play" app store). Fascist? Yup! Necessary? Seems so!

      Google could just start banning developers from their store caught misbehaving but that doesn't really scale well.

    14. Re:So, in essence, Uber's app is malware by runningduck · · Score: 2

      More to the point, why is it even possible for a third party app to access this much information?

      --
      -rd
    15. Re:So, in essence, Uber's app is malware by Wootery · · Score: 2

      The usual excuse is but what if we confuse someone!?

      Mozilla, too, are a fan of this sort of reasoning.

    16. Re:So, in essence, Uber's app is malware by kaladorn · · Score: 2

      There are permissions viewers, but you may also find permission managers. I have one installed but my phone is charging.

      Not sure if the app has been borked by updates since the last time I went and used it to revoke some permissions after installation. It may have been. Google has tampered a bunch with security settings.

      I usually go adjust the permissions after installation but before first execution.

      Ultimately, people should light a fire under Google to force app publishers to only request perms they really need and to allow users to disable any perms they don't like (and encourage app devs to not make that break their app - modular enable-able/disable-able app functionality please!). Of course, that may be hard. If they still can't do a f***ing table of contents in Google Docs with page numbers, there isn't much hope they can get this right or will pay attention to massive outcry. In some ways, Google is a metric pantload of nerds doing nerd things and ignoring anyone that might actually use their apps. Microsoft, for all its flaws, was often more customer responsive than Google has been. Just sayin'.

      --
      -- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
  2. Why is Android allowing Uber to access the info? by ShanghaiBill · · Score: 4, Informative

    If the app does not have permission to access these personal data, then why is Android giving it access? The solution to privacy is not trust, but robust security. No app should be able to access my call logs or other personal data unless I give explicit permission.

  3. Spoofing by korbulon · · Score: 4, Funny

    Tangentially, does anyone know of a procedure on Android which enables you to spoof your personal data and activity (at least as far as apps are concerned)?

    Example: your name is Dorothy and you're in Kansas clicking your red ruby slippers together, but all apps see you as Toto, living down in Africa, blessing the rains.

    1. Re:Spoofing by Billhead · · Score: 3, Insightful

      I haven't tried it yet but I think the Xposed module XPrivacy can do that.

    2. Re:Spoofing by digitalchinky · · Score: 5, Insightful

      You need root, XPosed and XPrivacy allow you to give bogus info to apps. The UI could use a little work but you get a deep level of control over app permissions. Alongside auto run manager and a firewall of some kind and you pretty much have a non-leaky tame android.

  4. Twitter snooping into your medicine cabinet, too by theodp · · Score: 2, Informative
  5. It DOES have permission by Anonymous Coward · · Score: 5, Insightful

    I just went to the google play store page for Uber, and checked the permissions the app requires. It includes:

    Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.

    So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.

    And in this, it is not alone. The majority of apps on the play store require all these permissions, and google will not give users explicit control over these permissions for two reasons:

    1) Users will break their own apps and then google will take the heat for it (you KNOW this will happen, a LOT)
    2) Vendors will hate the sandbox that users put them in, and google will take the heat for that (and lose a lot of free apps that represent a competitive advantage for google).

    I am not saying this is right, but this is a natural response to the incentives google faces.

    1. Re:It DOES have permission by Anonymous Coward · · Score: 5, Insightful

      There's a simple solution to this, and one that Apple has applied successfully to Uber - make it a condition to get into the store that you don't request permissions you don't need to do the app's job. Uber for iOS doesn't require access to all this stuff. I'd bet heavily that that's because Apple told them to go fuck themselves until they sorted it out.

    2. Re:It DOES have permission by Derek+Pomery · · Score: 3, Insightful

      Agreed. It's absurd how many apps require all these permissions to be installed.

      If you want the app, you agree to that.
      I still haven't upgraded Waze since their new "social" integration required a ton more privileges, mostly to phone private info. And this despite running XPrivacy - I just can't be bothered to go through the whitelisting for it, when current version works well enough. Ditto the updated Google Search app.

      It'd be nice if apps had a base set of privs then expanded sets that could be allowed on install or later by request to the system/user. Also it'd be nice if the privileges were a lot more restricted, like "Use Ad Service to show you ads" instead of "Use Internet"

      So, I installed a little Fisher Price Animals app for kid, and set XPrivacy to "ask" mode. On startup, XPrivacy popups popped up indicating the app wanted my Localisation, Phone Identity, Telephone (calling/numbers - probably just so the app could know when a call was coming in if a kid was playing, but still, the sort of broad category Android requires for something like that), Sensors, some Shell cpu thingy I couldn't be bothered to figure out, but that it seems to run just fine without, and, Shell lib calls for the animal sounds.
      But, yeah, you allow broad categories, some innocuous, some just 'cause they want to know how many users they have or something, and, surprise!

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    3. Re:It DOES have permission by WaffleMonster · · Score: 2

      I just went to the google play store page for Uber, and checked the permissions the app requires. It includes:

      Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.

      So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.

      What I don't understand is the SMS claim. Is Uber exploiting a vulnerability to get SMS data or do these other permissions somehow grant some kind of access to SMS as well?

      There is a whole group of SMS privileges and according to the app store not a single one is being claimed... so what gives?

    4. Re:It DOES have permission by Kingkaid · · Score: 4, Informative

      Agreed. I have the windows app of Uber and its permissions are significantly more limited.

    5. Re:It DOES have permission by gstoddart · · Score: 4, Insightful

      Google needs to get their shit together.

      Google's "shit" is collecting your personal information to use to sell advertising. So, from that perspective, it's mission accomplished.

      There isn't a whole lot of ways to reconcile how Google wants to make money from Android, with a desire for user privacy.

      My best guess is Google has crippled the privacy to ensure that commercial interests trump privacy interests.

      Do you think they're going to provide an ability for users to kill off advertising in apps? Especially when Google profits from this?

      My guess is this "simplified" permissions model they rolled out this year was specifically designed to ensure better access for apps.

      --
      Lost at C:>. Found at C.
    6. Re:It DOES have permission by AJWM · · Score: 2

      Most people can tell that Happy Fluffy Kitty Screensaver doesn't really need to send SMS messages, know your location, or access the Internet.

      Why does a phone even need a screensaver?

      --
      -- Alastair
    7. Re:It DOES have permission by m.dillon · · Score: 4, Insightful

      No, in fact the vast majority of people who run an IOS app on an Apple device who see a permission request pop up that they don't like, say 'No', and the app continues to run just fine.

      Even better, the apps on IOS tend not to request absurd permissions in the first place because they know those pop-ups will annoy their customers enough to either say 'no' anyway or not use the app in the first place. It's a black blotch for an IOS app to request permissions that it does not need, and Apple customers call them on it in the reviews.

      Whereas with android, everything is quiet and silent and people run apps without really understanding what data they are giving away, EVEN if they have read the manifest... so app writers can get away with almost anything and consumer privacy on android is poorer for it.

      -Matt

  6. Xprivacy and rooted for the win.. by popoutman · · Score: 5, Interesting
    Makes me very happy that I have XPrivacy installed on my rooted S4 Active, and I now have a fine-grained security model with the ability to control what apps have access to what.

    It was an eyeopener to see some apps that were misbehaving or just outright being illegal. My flashlight app now only controls the LED on the rear, and cannot see any of my private details - and they earned themselves a 1-star review..

    --
    - This sig deliberately left blank. Nothing to see, move along.
  7. Re:Why is Android allowing Uber to access the info by ShanghaiBill · · Score: 2

    Nobody knows about permissions. People just press "Accept".

    Then why does the summary say otherwise? According to the summary, the app is accessing data which it explicitly doesn't have permission to do.

  8. Re:Why is Android allowing Uber to access the info by 0123456 · · Score: 2, Insightful

    OK, so I want to use their taxi service, but their app demands permissions it obviously doesn't need. Android gives me an option of installing it or not installing it.

    Now what do you suggest I do?

    Android's permission model is completely broken. It's the Windows of the modern world.

  9. Re:Why is Android allowing Uber to access the info by Russ1642 · · Score: 4, Insightful

    You either accept all permissions, without explanation, or you can't install the app. Android needs to give people the ability to deny individual permissions, without having to root your phone and install Cyanogenmod or the like.

  10. Re:Why is Android allowing Uber to access the info by gstoddart · · Score: 2

    Your options are:

    1) Uninstall it, get on with your life.
    2) Decide this is so important you don't care about your privacy
    3) Root your device and install something which gives you granular control.

    From what I've been able to ascertain, rooting my first gen Nexus 7 is hit and miss, and I've not yet decided to take that step.

    Me, I've mostly decided I need fewer apps, run my tablet in airplane mode most of the time, and would rather use a web browser than most apps.

    As you said, Android's permission model is completely broken. Which means I've mostly decided I don't trust what it's telling me.

    --
    Lost at C:>. Found at C.
  11. Re:Why is Android allowing Uber to access the info by Anonymous Coward · · Score: 3, Interesting

    They took the safest OS there is and made a Frankenstein POS out of it to make it user friendly.

    Or they (google) made android such that it was more easy to spy/track people. User-friendliness has nothing to do with tracking. Why do games need access to call logs, need to be launched at android startup, need access to your contact list? None. Yet, 90% of the top-downloaded games in the play store need access to your private data. Google is evil since they allow this without doing anything about it.

    Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.

  12. Re:Why is Android allowing Uber to access the info by Anonymous Coward · · Score: 2, Informative

    Don't install it.

    You'll be okay. There are other ways to get a taxi. I promise.

  13. Re:It's a storage site by ISoldat53 · · Score: 2

    Turn off your sarcasm filter.

  14. Incorrect analysis by Anonymous Coward · · Score: 5, Informative

    Incorrect analysis by the original blog. Please see this nextweb article which clarifies
    http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/

    1. Re:Incorrect analysis by Anonymous Coward · · Score: 4, Informative

      Mod parent up. The summary and the article are complete lies. The summary/article is claiming the app was caught sending the data. Looking at the actual original blog post mentioned by the article, some person decompiled the uber app code, and they found some suspiciously named functions that suggest the app might look up data it should not. They never claimed that the app actually sent any of their data, in fact they specifically say there may not be an issue. The parent's linked article actually shows some (limited) analysis done by someone who was actually intercepting device traffic, and there was nothing suspicious.
       
      A more accurate title would be "Uber app contains suspicious looking method names, more analysis needed"

    2. Re:Incorrect analysis by shutdown+-p+now · · Score: 2

      "Suspicious" is an understatement. Here's the offending code:

      public void run()
            {
              Looper.prepare();
              InAuthManager.getInstance().updateLogConfig(this.val$URL, this.val$acctGUID);
              InAuthManager.getInstance().sendAccountsLog(this.val$transID);
              InAuthManager.getInstance().sendAppActivityLog(this.val$transID);
              InAuthManager.getInstance().sendAppDataUsageLog(this.val$transID);
              InAuthManager.getInstance().sendAppInstallLog(this.val$transID);
              InAuthManager.getInstance().sendBatteryLog(this.val$transID);
              InAuthManager.getInstance().sendDeviceInfoLog(this.val$transID, true);
              InAuthManager.getInstance().sendGPSLog(this.val$transID, true);
              InAuthManager.getInstance().sendMMSLog(this.val$transID);
              InAuthManager.getInstance().sendNetDataLog(this.val$transID);
              InAuthManager.getInstance().sendPhoneCallLog(this.val$transID);
              InAuthManager.getInstance().sendSMSLog(this.val$transID);
              InAuthManager.getInstance().sendTelephonyInfoLog(this.val$transID, true);
              InAuthManager.getInstance().sendWifiConnectionLog(this.val$transID);
              InAuthManager.getInstance().sendWifiNeighborsLog(this.val$transID);
            }
          });

      I don't know about you, but Occam's Razor here clearly indicates that they are data mining. The fact that a guy with a packet sniffer didn't see it on the wire doesn't really prove anything, unless he specifically did whatever action is necessary to cause the above snippet of code to run, which it doesn't sound like what he did.
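      The disagreement between this post and WaffleMonster's earlier one (the decompiled method names suggest SMS, MMS and call-log reads, yet the store listing claims no SMS permission) is exactly the kind of thing a static triage step can settle before anyone reaches for a packet sniffer. The script below is an added example, not code from the thread or from Uber: it reads a constructed manifest (not Uber's real one), maps the method names from the snippet above to the permissions each would need under the assumed 2014 Android permission model, and reports which capabilities have no backing permission, meaning the call would either throw a SecurityException or never run at all.

```python
"""Static triage: which capabilities implied by method names found in decompiled
code are NOT backed by any <uses-permission> the manifest declares?

Constructed example for this discussion.  SAMPLE_MANIFEST is NOT Uber's real
manifest, and REQUIRED is an assumed mapping from method name to the Android
permission(s) that data source needed in 2014, not something taken from
Uber's code.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest mirroring the permission *categories* the Play Store
# listing quoted in the thread names (contacts, camera, phone state/identity,
# system settings, Wi-Fi, location, accounts).  Deliberately no SMS, MMS or
# call-log permission, to reproduce the mismatch being argued about.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rideapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

# Assumed mapping: method name from the decompiled snippet -> permission(s) the
# data its name suggests would require.  An empty set means the data was
# readable with no permission at all in 2014 (installed packages, battery).
REQUIRED = {
    "sendAccountsLog":       {"android.permission.GET_ACCOUNTS"},
    "sendAppInstallLog":     set(),
    "sendBatteryLog":        set(),
    "sendDeviceInfoLog":     {"android.permission.READ_PHONE_STATE"},
    "sendGPSLog":            {"android.permission.ACCESS_FINE_LOCATION"},
    "sendMMSLog":            {"android.permission.READ_SMS"},   # MMS provider is guarded by READ_SMS
    "sendPhoneCallLog":      {"android.permission.READ_CALL_LOG"},
    "sendSMSLog":            {"android.permission.READ_SMS"},
    "sendTelephonyInfoLog":  {"android.permission.READ_PHONE_STATE"},
    "sendWifiConnectionLog": {"android.permission.ACCESS_WIFI_STATE"},
    "sendWifiNeighborsLog":  {"android.permission.ACCESS_WIFI_STATE"},
}

# The "whole group of SMS privileges" WaffleMonster refers to.
SMS_GROUP = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}


def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def unbacked_capabilities(manifest_xml, method_names):
    """Return {method: missing permissions} for each method whose assumed data
    source is not covered by the manifest.  Methods absent from REQUIRED are
    skipped: we cannot say what they read."""
    declared = declared_permissions(manifest_xml)
    report = {}
    for name in method_names:
        needed = REQUIRED.get(name)
        if needed is None:
            continue
        missing = needed - declared
        if missing:
            report[name] = missing
    return report


def claims_sms_group(manifest_xml):
    """True if the manifest declares any permission from the SMS group."""
    return bool(SMS_GROUP & declared_permissions(manifest_xml))


if __name__ == "__main__":
    for method, missing in sorted(unbacked_capabilities(SAMPLE_MANIFEST, REQUIRED).items()):
        print(f"{method}: no backing permission for {sorted(missing)}")
    print("SMS group claimed:", claims_sms_group(SAMPLE_MANIFEST))
```

      Against the constructed manifest the three unbacked methods are the SMS, MMS and call-log ones, which is consistent with both positions in the thread: the code exists, but on this manifest it could not read that data without crashing, so only a runtime trace can show whether it ever executes.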

  15. Re:Summary by The+MAZZTer · · Score: 2

    A redditor suggested that Uber was using a third-party library and the functions found may never be called at all. But looking into if they were ever actually used or not would get in the way of a good old fashioned witch hunt!

  16. Re:Have you ever used Android? by Anonymous Coward · · Score: 2, Informative

    Yes you are correct, however what are you supposed to do?

    It's all or nothing with Android. It's not like you can exchange your phone for a different platform that has better permissions if you decide it's too much.

    Google should change the way it works.

  17. Re:It's a storage site by BarbaraHudson · · Score: 5, Insightful

    ... and it wants to be the Facebook of transportation. "We're collecting all this data to help us make your user experience better. Don't like it - use someone else. Oh wait - we actively sabotage the competition 'cuz we got $1.5 billion thrown at us by crazy investors."

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  18. Re:Why is Android allowing Uber to access the info by NatasRevol · · Score: 4, Insightful

    If this is your default answer, you're going to have a bad time.

    The problem is with the permissions model of Android. "allow access to make phone calls" also means can see all metadata.

    That's a big WTF right there.

    --
    There are two types of people in the world: Those who crave closure
  19. Explanation of Uber permissions... by SternisheFan · · Score: 2, Informative
    Location: Uber needs to know where you are so you can get picked up. Surprise!

    Contacts: For splitting fares with friends, inviting friends to use Uber

    Phone: To call your Uber driver or for them to call you

    Camera/Microphone: Uber has a function that lets you take a photo of your credit card for scanning

    Wi-Fi Connection: Checks if you have internet and attempts to use the WiFi name to help determine your location

    Device ID and Call Information: Allows access to your phone number and a unique ID for your device

    Identity: Allows Android users to sign in and pay with one tap (using the Google Sign-In and Google Wallet services)

    Photos/Media/Files: Uber says this is to “save data and cache mapping vectors.”

    http://thenextweb.com/apps/201...

    1. Re:Explanation of Uber permissions... by bouldin · · Score: 5, Insightful

      Those are legitimate explanations for the app to need said access, but that's not what the article is about. The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.

      Sorry for yelling, but it's an important point.

      Also, there is no good reason to report back your data pertaining to malware.

    2. Re:Explanation of Uber permissions... by Old+Man+Kensey · · Score: 2

      The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.

      Sorry for yelling, but it's an important point.

      NO HE DID NOT.

      Sorry for yelling, but it's an important point.

      Go back and read the original GironSec blog post where he even acknowledges explicitly what he (inexcusably, IMHO) failed to do -- that others did after him and surprise! found nothing especially amiss -- before he wrote an inflammatory blog post based on supposition, conjecture and ignorance of context.

      --
      -- Old Man Kensey
    3. Re:Explanation of Uber permissions... by shutdown+-p+now · · Score: 2

      And a little bit of decompiled code like:

      public void run()
            {
              Looper.prepare();
              InAuthManager.getInstance().updateLogConfig(this.val$URL, this.val$acctGUID);
              InAuthManager.getInstance().sendAccountsLog(this.val$transID);
              InAuthManager.getInstance().sendAppActivityLog(this.val$transID);
              InAuthManager.getInstance().sendAppDataUsageLog(this.val$transID);
              InAuthManager.getInstance().sendAppInstallLog(this.val$transID);
              InAuthManager.getInstance().sendBatteryLog(this.val$transID);
              InAuthManager.getInstance().sendDeviceInfoLog(this.val$transID, true);
              InAuthManager.getInstance().sendGPSLog(this.val$transID, true);
              InAuthManager.getInstance().sendMMSLog(this.val$transID);
              InAuthManager.getInstance().sendNetDataLog(this.val$transID);
              InAuthManager.getInstance().sendPhoneCallLog(this.val$transID);
              InAuthManager.getInstance().sendSMSLog(this.val$transID);
              InAuthManager.getInstance().sendTelephonyInfoLog(this.val$transID, true);
              InAuthManager.getInstance().sendWifiConnectionLog(this.val$transID);
              InAuthManager.getInstance().sendWifiNeighborsLog(this.val$transID);
            }
          });

    4. Re:Explanation of Uber permissions... by bouldin · · Score: 2

      NO HE DID NOT. Sorry for yelling, but it's an important point.

      Yep, I didn't see the NextWeb response until after my post.

      I capitalized that phrase because the poster I was responding to (like many other posters) was confusing accessing data with sending data back to Uber servers. I wanted to draw attention to that distinction.

      Go back and read the original GironSec blog post where he even acknowledges explicitly what he (inexcusably, IMHO) failed to do -- that others did after him and surprise! found nothing especially amiss -- before he wrote an inflammatory blog post based on supposition, conjecture and ignorance of context.

      I re-read the blog post. I guess you mean in the comments section, where someone posts a link to the NextWeb article, GironSec responds:

      I found code that might be used to spy. I didn't say they did. Hidden features. Thanks for linking.

      I don't see that GironSec supposed or assumed anything. The Gizmag blog post did, though.

      GironSec did establish that:

      • The Uber app includes a roottools library that can detect and use root access.
      • The Uber app includes a semi-weaponized library that is marketed as anti-fraud protection for mobile banking

      The next step would be to look through Uber's code and see where it calls these libraries and what triggers the calls. Regardless, this is worthy of security news (and is legitimate research). Uber is not marketed as an anti-fraud, anti-malware tool, and AFAIK it does not advertise extra features on rooted phones.

  20. CyanogenMod by brunes69 · · Score: 3, Insightful

    CyanogenMod and many other ROMs let you control this stuff. I have never found an app that broke due to the CyanogenMod privacy manager. I can't see how it would break because all it does is mock dummy responses for all of these things.

  21. Re:Why is Android allowing Uber to access the info by oogoliegoogolie · · Score: 4, Informative

    Probably because Android has all-or-nothing, non-granular permissions where you have to grant the app access to everything it requests, or else it's 'no app for you!'
    If the app wants access to your contacts, accounts, phone history, photos, camera, messaging, mail, you give it access or you don't get to install it.

    It's a stupid, dumb, and poorly thought out implementation and Google should (?) know better.

  22. Re:Why is Android allowing Uber to access the info by jareth-0205 · · Score: 2

    Google didn't create Android, they backed it and later bought it. The original developers thought users were too dumb to use Linux, so they dumbed it down by stripping the security out of it to make it user friendly.

    I don't really understand how this is 'true'. Linux security doesn't isolate process disk data from each other; anybody can read any part of the disk under the same user, which in practice is all apps a user uses because they all run under the user's account. Android has a far *better* security model in this respect because it puts different applications in different users, so they can't get at each other. Also, permissions for system information are far more granular in Android than plain Linux: in Linux you just look at /proc, whereas Android has to actually get types of permissions for sensitive data.

  23. Re:Why is Android allowing Uber to access the info by taustin · · Score: 4, Insightful

    Google is evil since they allow this without doing anything about it.

    Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.

    Not really. Google actively wants this crap because they are an advertising company, and their entire business model depends on destroying all privacy everywhere (except for the privacy of their proprietary database of your private information). If they put in real security for privacy settings for other people's apps, then Google can't track you either.

  24. Re: XPosed and XPrivacy will lie for you! by Karlt1 · · Score: 5, Insightful

    And BTW, iPhone apps are not any better about this stuff like phoning home and spying on you unless they are rooted and modified. It is just that the greater openness of the Android platform versus iOS makes it easier to spot. But that also means that there are more and better countermeasures.

    iOS doesn't allow any app to have most of those permissions. Even in a case like Contacts (as of iOS 8), there is a new API that allows the user to select the contact within the app using an OS-provided picker, and the app only has access to the contact the user chose.

    You can also turn off permissions granularly once an app is installed.

  25. Think that's bad by goldcd · · Score: 4, Informative

    Have a look at what Citrix Worx asks for (certifier of your phone, so you can look at your work email).

    Device & app history
      • retrieve running apps
      • read sensitive log data
    Mobile data settings
      • change/intercept network settings and traffic
    Location
      • precise location (GPS and network-based)
    Photos / Media / Files
      • modify or delete the contents of your USB storage
      • test access to protected storage
    Camera / Microphone
      • record audio
    Wi-Fi connection information
      • view Wi-Fi connections
    Device ID & call information
      • read phone status and identity
    Other
      • press keys and control buttons
      • read frame buffer
      • close other apps
      • update component usage statistics
      • force-stop other apps
      • modify secure system settings
      • view network connections
      • connect and disconnect from Wi-Fi
      • full network access
      • run at startup
      • read battery statistics
      • control vibration
      • close other apps
      • set wallpaper
      • install shortcuts
      • uninstall shortcuts
      • modify system settings
      • pair with Bluetooth devices
      • draw over other apps

    1. Re:Think that's bad by adolf · · Score: 3, Informative

      That, actually, doesn't look all too onerous for such a product.

      Of course I want my fancy remote-everything program to be able to manage the network, see the status of the network, use the network, vibrate, pair with devices, manage shortcuts (shortcut to email on the homescreen?), change settings (so that the remote apps can, you know, do their thing), draw on top (notifications), take pictures, use a microphone, use the camera, access files (do you like attachments with your email?) and read phone status and identity (it knows you're on the phone, just like every other app that handles audio).

      I don't know why it needs precise location, but sheesh. At least it's not like Pandora, which is just a bloody streaming music player:

        • find accounts on the device
        • read your contacts
        • add or modify calendar events and send email to guests without owners' knowledge
        • test access to protected storage
        • modify or delete the contents of your USB storage
        • view Wi-Fi connections
        • read phone status and identity
        • receive data from Internet
        • install shortcuts
        • run at startup
        • full network access
        • pair with Bluetooth devices
        • connect and disconnect from Wi-Fi
        • change network connectivity
        • access Bluetooth settings
        • view network connections
        • prevent device from sleeping

  26. Re:Why is Android allowing Uber to access the info by whoever57 · · Score: 4, Insightful

    Linux security doesn't isolate process disk data from each other, anybody can read any part of the disk under the same user, which in practice is all apps a user use because they all run under the user's account.

    Apparently you are not familiar with SELinux.

    --
    The real "Libtards" are the Libertarians!

  27. Re:It's a storage site by SternisheFan · · Score: 2

    I just deleted my Uber app and will use Lyft going forward

    Uber will keep your information in their system until you specifically request for your info to be deleted. The only way to do this (that I found) is by digging into their website for the correct email address.

  28. Re:Why is Android allowing Uber to access the info by rtb61 · · Score: 2

    Easy, start screaming at Google to pull its bloody finger out and make a much needed modification to permissions to differentiate between unlimited permissions and user-confirmed permissions every time a request is made, plus the opportunity to change this on the fly. Add in logs for access, that the user can readily confirm in order to change permissions if they don't like them. Send them emails, blog nasty things about them and stop installing apps until changes are made.

    --
    Chaos - everything, everywhere, everywhen