Slashdot Mirror


Uber's Android App Caught Reporting Data Back Without Permission

Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.


  1. So, in essence, Uber's app is malware by Anonymous Coward · · Score: 5, Insightful

    How about Google does something about it? Like remove the app and take Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

    1. Re:So, in essence, Uber's app is malware by 0123456 · · Score: 5, Insightful

      Or, you know, actually give us actual app permissions control so we can prevent it from retrieving this information in the first place, rather than having to agree that Happy Fluffy Kitty Screensaver can send text messages and read all my contacts or not install it at all?

    2. Re:So, in essence, Uber's app is malware by Greyfox · · Score: 4, Informative

      You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone. Adding that functionality ought to be a no-brainer, but Google owns Youtube and Youtube just HAS to have access to your phone's camera for some reason. I'm guessing so they can watch you while you're masturbating.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:So, in essence, Uber's app is malware by Anonymous Coward · · Score: 3, Insightful

      What do you mean "have to agree"? In what sense do you "have" to? I've certainly never agreed (and in fact don't have Uber's app or other similar "ask for everything under the sun" apps), and have detected no one attempting to compel me to agree to anything I don't want to agree to.

      Have we lost any and all ability as a culture to say "no" to things that are obviously unreasonable? That's all you have to do. Look at the list of permissions, decide that's too much, and refuse to install the app. It's really not hard. I do it at least once a week. You can too.

      I swear, our culture has a 2 year old's mentality: "but i WAAAAAANT it!!!"

    4. Re:So, in essence, Uber's app is malware by jareth-0205 · · Score: 5, Informative

      How about Google does something about it? Like remove the app and take Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

      Worse than that, Google is an investor of Uber. They have put in $250 million, they should just go and demand that Uber stop fucking about.

    5. Re:So, in essence, Uber's app is malware by stoploss · · Score: 5, Informative

      You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone.

      Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close due to exceptions being thrown. XPrivacy lets me keep my privacy without app force closes. Anyway, the CM devs used to be adamant that they would never allow spoofing because it would interfere with app devs data mining user data. It's one of the reasons I parted ways with CM. Maybe they have changed their position, though.

      Besides, XPrivacy, while it requires root, does *not* require a whole custom rom. Custom ROMs are passe compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.

    6. Re:So, in essence, Uber's app is malware by gstoddart · · Score: 4, Insightful

      But, cynically, how would you even know?

      If they're collecting stuff against the app permissions, WTF would you trust them when they say "oh, sure, we've deleted your stuff".

      If they collected anything beyond what they had explicit permissions for, you have to assume everything else is a bloody lie.

      --
      Lost at C:>. Found at C.

    7. Re:So, in essence, Uber's app is malware by hankwang · · Score: 3, Informative

      "Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close"

      Well, they did. CM11 has a privacy manager that will allow you to block access to contacts and so on, without making apps crash. I have set it up such that it will notify me whenever an app tries to access contacts, sms, calendar, location and it is surprising how few suspicious popups I get. One weird thing: wifi related apps need location access in order to show access points. Makes some sense, but it took me a while to realize why those apps weren't working.

    8. Re:So, in essence, Uber's app is malware by AJWM · · Score: 4, Insightful

      This -- although I don't even need your phone.

      These days smartphones might as well just be GPS house-arrest bracelets with better PR.

      --
      -- Alastair

    9. Re:So, in essence, Uber's app is malware by Anonymous Coward · · Score: 5, Interesting

      I've switched to a prepaid $50 Nokia Lumia 520 (paid for entirely in cash including the minutes). They can still interrogate the people from my call logs to find out who the phone belongs to, or GPS track it to my house using Carrier IQ, but at least I'm not spoonfeeding it to them. Since it's a Windows phone, I only use it for wifi tethering my Google Voice number/Google Hangouts to the 4G LTE network.

      I have Whatsapp on my old burner cell phone I use for international travel... Tons of stupid android apps. Terrible battery life!

      I say this as an App developer: Google really needs to clean house. I know the permissions configuration while writing an app encourages asking for everything so the code will compile, but all the same: the Carriers cock-blocking Android updates for 6-15 months (so they can "lame it up" with their stupid skins that nobody wants) is a HUGE security problem and probably one of the reasons why BYOD is so dangerous to corporate networks if done incorrectly. The privacy issue with being unable to firewall your contacts list, SMS history, and Photos is a major problem. One solution would be for every phone to have two contacts lists, SMS logs, and Photo albums set where you have to specifically move your private data in to the "everyone can see this shit" section where the Apps can go nuts.

      Another solution would be to force all apps to exfiltrate data through a Google monitored intermediary. This could be done at the kernel level by Android forcing the issue via their API. All outbound network traffic could be MITMed Transparently to the App developers. Sort of a "Privacy IDS"/MITM which is encrypted between the App and Google, and Google/the App's back-end servers. Would it cause higher latency? Probably (but they could have a "Privacy Certified" alternative where the App has to have its Source Code reviewed by Google before going through the "Play" app store). Fascist? Yup! Necessary? Seems so!

      Google could just start banning developers from their store caught misbehaving but that doesn't really scale well.

  2. Why is Android allowing Uber to access the info? by ShanghaiBill · · Score: 4, Informative

    If the app does not have permission to access these personal data, then why is Android giving it access? The solution to privacy is not trust, but robust security. No app should be able to access my call logs or other personal data unless I give explicit permission.

  3. Spoofing by korbulon · · Score: 4, Funny

    Tangentially, does anyone know of a procedure on Android which enables you to spoof your personal data and activity (at least as far as apps are concerned)?

    Example: your name is Dorothy and you're in Kansas clicking your red ruby slippers together, but all apps see you as Toto, living down in Africa, blessing the rains.

    1. Re:Spoofing by Billhead · · Score: 3, Insightful

      I haven't tried it yet but I think the Xposed module XPrivacy can do that.

    2. Re:Spoofing by digitalchinky · · Score: 5, Insightful

      You need root, XPosed and XPrivacy allow you to give bogus info to apps. The UI could use a little work but you get a deep level of control over app permissions. Alongside auto run manager and a firewall of some kind and you pretty much have a non-leaky tame android.

  4. It DOES have permission by Anonymous Coward · · Score: 5, Insightful

    I just went to the google play store page for Uber, and checked the permissions the app requires. It includes:

    Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.

    So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.

    And in this, it is not alone. The majority of apps on the play store require all these permissions, and google will not give users explicit control over these permissions for two reasons:

    1) Users will break their own apps and then google will take the heat for it (you KNOW this will happen, a LOT)
    2) Vendors will hate the sandbox that users put them in, and google will take the heat for that (and lose a lot of free apps that represent a competitive advantage for google).

    I am not saying this is right, but this is a natural response to the incentives google faces.

    1. Re:It DOES have permission by Anonymous Coward · · Score: 5, Insightful

      There's a simple solution to this, and one that Apple has applied successfully to Uber - make it a condition to get into the store that you don't request permissions you don't need to do the app's job. Uber for iOS doesn't require access to all this stuff. I'd bet heavily that that's because Apple told them to go fuck themselves until they sorted it out.

    2. Re:It DOES have permission by Derek+Pomery · · Score: 3, Insightful

      Agreed. It's absurd how many apps require all these permissions to be installed.

      If you want the app, you agree to that.
      I still haven't upgraded Waze since their new "social" integration required a ton more privileges, mostly to phone private info. And this despite running XPrivacy - I just can't be bothered to go through the whitelisting for it, when current version works well enough. Ditto the updated Google Search app.

      It'd be nice if apps had a base set of privs then expanded sets that could be allowed on install or later by request to the system/user. Also it'd be nice if the privileges were a lot more restricted, like "Use Ad Service to show you ads" instead of "Use Internet"

      So, I installed a little Fisher Price Animals app for kid, and set XPrivacy to "ask" mode. On startup, XPrivacy popups popped up indicating the app wanted my Localisation, Phone Identity, Telephone (calling/numbers - probably just so the app could know when a call was coming in if a kid was playing, but still, the sort of broad category Android requires for something like that), Sensors, some Shell cpu thingy I couldn't be bothered to figure out, but that it seems to run just fine without, and, Shell lib calls for the animal sounds.
      But, yeah, you allow broad categories, some innocuous, some just 'cause they want to know how many users they have or something, and, surprise!

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.

    3. Re:It DOES have permission by Kingkaid · · Score: 4, Informative

      Agreed. I have the windows app of Uber and its permissions are significantly more limited.

    4. Re:It DOES have permission by gstoddart · · Score: 4, Insightful

      Google needs to get their shit together.

      Google's "shit" is collecting your personal information to use to sell advertising. So, from that perspective, it's mission accomplished.

      There aren't a whole lot of ways to reconcile how Google wants to make money from Android with a desire for user privacy.

      My best guess is Google has crippled the privacy to ensure that commercial interests trump privacy interests.

      Do you think they're going to provide an ability for users to kill off advertising in apps? Especially when Google profits from this?

      My guess is this "simplified" permissions model they rolled out this year was specifically designed to ensure better access for apps.

      --
      Lost at C:>. Found at C.

    5. Re:It DOES have permission by m.dillon · · Score: 4, Insightful

      No, in fact the vast majority of people who run an iOS app on an Apple device who see a permission request pop up that they don't like, say 'No', and the app continues to run just fine.

      Even better, the apps on iOS tend not to request absurd permissions in the first place because they know those pop-ups will annoy their customers enough to either say 'no' anyway or not use the app in the first place. It's a black blotch for an iOS app to request permissions that it does not need, and Apple customers call them on it in the reviews.

      Whereas with android, everything is quiet and silent and people run apps without really understanding what data they are giving away, EVEN if they have read the manifest... so app writers can get away with almost anything and consumer privacy on android is poorer for it.

      -Matt

  5. Xprivacy and rooted for the win.. by popoutman · · Score: 5, Interesting

    Makes me very happy that I have XPrivacy installed on my rooted S4 Active, and I now have a fine-grained security model with the ability to control what apps have access to what.

    It was an eyeopener to see some apps that were misbehaving or just outright being illegal. My flashlight app now only controls the LED on the rear, and cannot see any of my private details - and they earned themselves a 1-star review..

    --
    - This sig deliberately left blank. Nothing to see, move along.

  6. Re:Why is Android allowing Uber to access the info by Russ1642 · · Score: 4, Insightful

    You either accept all permissions, without explanation, or you can't install the app. Android needs to give people the ability to deny individual permissions, without having to root your phone and install Cyanogenmod or the like.

  7. Re:Why is Android allowing Uber to access the info by Anonymous Coward · · Score: 3, Interesting

    They took the safest OS there is and made a Frankenstein POS out of it to make it user friendly.

    Or they (google) made android such that it was more easy to spy/track people. User-friendliness has nothing to do with tracking. Why do games need access to call logs, need to be launched at android startup, need access to your contact list? None. Yet, 90% of the top-downloaded games in the play store need access to your private data. Google is evil since they allow this without doing anything about it.

    Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.

  8. Incorrect analysis by Anonymous Coward · · Score: 5, Informative

    Incorrect analysis by the original blog. Please see this nextweb article which clarifies
    http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/

    1. Re:Incorrect analysis by Anonymous Coward · · Score: 4, Informative

      Mod parent up. The summary and the article are complete lies. The summary/article is claiming the app was caught sending the data. Looking at the actual original blog post mentioned by the article, some person decompiled the uber app code, and they found some suspiciously named functions that suggest the app might look up data it should not. They never claimed that the app actually sent any of their data, in fact they specifically say there may not be an issue. The parent's linked article actually shows some (limited) analysis done by someone who was actually intercepting device traffic, and there was nothing suspicious.
       
      A more accurate title would be "Uber app contains suspicious looking method names, more analysis needed"

  9. Re:It's a storage site by BarbaraHudson · · Score: 5, Insightful

    ... and it wants to be the Facebook of transportation. "We're collecting all this data to help us make your user experience better. Don't like it - use someone else. Oh wait - we actively sabotage the competition 'cuz we got $1.5 billion thrown at us by crazy investors."

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

  10. Re:Why is Android allowing Uber to access the info by NatasRevol · · Score: 4, Insightful

    If this is your default answer, you're going to have a bad time.

    The problem is with the permissions model of Android. "allow access to make phone calls" also means can see all metadata.

    That's a big WTF right there.

    --
    There are two types of people in the world: Those who crave closure

  11. CyanogenMod by brunes69 · · Score: 3, Insightful

    CyanogenMod and many other ROMs let you control this stuff. I have never found an app that broke due to the CyanogenMod privacy manager. I can't see how it would break because all it does is mock dummy responses for all of these things.

  12. Re:Why is Android allowing Uber to access the info by oogoliegoogolie · · Score: 4, Informative

    Probably because android has all-or-nothing, non-granular permissions where you have to grant the app access to everything it requests, or else it's 'no app for you!'
    If the app wants access to your contacts, accounts, phone history, photos, camera, messaging, mail, you give it access or you don't get to install it.

    It's a stupid, dumb, and poorly thought out implementation and google should (?) know better.

  13. Re:Why is Android allowing Uber to access the info by taustin · · Score: 4, Insightful

    Google is evil since they allow this without doing anything about it.

    Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.

    Not really. Google actively wants this crap because they are an advertising company, and their entire business model depends on destroying all privacy everywhere (except for the privacy of their proprietary database of your private information). If they put in real security for privacy settings for other people's apps, then Google can't track you either.

  14. Re: XPosed and XPrivacy will lie for you! by Karlt1 · · Score: 5, Insightful

    And BTW, iPhone Apps are not any better about this stuff like phoning home and spying on you unless they are rooted and modified. It is just that the greater openness of Android platform versus iOS makes it easier to spot. But that also means that there are more and better countermeasures.

    iOS doesn't allow any app to have most of those permissions. Even in a case like Contacts (as of iOS 8), there is a new API that allows the user to select the contact within the app using an OS provided picker and the app only has access to the contact the user chose.

    You can also turn off permissions granularly once an app is installed.

  15. Think that's bad by goldcd · · Score: 4, Informative

    Have a look what Citrix Worx asks for (certifier of your phone, so you can look at your work email).

    Device & app history
    retrieve running apps
    read sensitive log data
    Mobile data settings
    change/intercept network settings and traffic
    Location
    precise location (GPS and network-based)
    Photos / Media / Files
    modify or delete the contents of your USB storage
    test access to protected storage
    Camera / Microphone
    record audio
    Wi-Fi connection information
    view Wi-Fi connections
    Device ID & call information
    read phone status and identity
    Other
    press keys and control buttons
    read frame buffer
    close other apps
    update component usage statistics
    force-stop other apps
    modify secure system settings
    view network connections
    connect and disconnect from Wi-Fi
    full network access
    run at startup
    read battery statistics
    control vibration
    close other apps
    set wallpaper
    install shortcuts
    uninstall shortcuts
    modify system settings
    pair with Bluetooth devices
    draw over other apps

    1. Re:Think that's bad by adolf · · Score: 3, Informative

      That, actually, doesn't look all too onerous for such a product.

      Of course I want my fancy remote-everything program to be able to manage the network, see the status of the network, use the network, vibrate, pair with devices, manage shortcuts (shortcut to email on the homescreen?), change settings (so that the remote apps can, you know, do their thing), draw on top (notifications), take pictures, use a microphone, use the camera, access files (do you like attachments with your email?) and read phone status and identity (it knows you're on the phone, just like every other app that handles audio).

      I don't know why it needs precise location, but sheesh. At least it's not like Pandora, which is just a bloody streaming music player:

              find accounts on the device
              read your contacts
              add or modify calendar events and send email to guests without owners' knowledge
              test access to protected storage
              modify or delete the contents of your USB storage
              view Wi-Fi connections
              read phone status and identity
              receive data from Internet
              install shortcuts
              run at startup
              full network access
              pair with Bluetooth devices
              connect and disconnect from Wi-Fi
              change network connectivity
              access Bluetooth settings
              view network connections
              prevent device from sleeping

  16. Re:Why is Android allowing Uber to access the info by whoever57 · · Score: 4, Insightful

    Linux security doesn't isolate process disk data from each other, anybody can read any part of the disk under the same user, which in practice is all apps a user use because they all run under the user's account.

    Apparently you are not familiar with SELinux.

    --
    The real "Libtards" are the Libertarians!

  17. Re:Explanation of Uber permissions... by bouldin · · Score: 5, Insightful

    Those are legitimate explanations for the app to need said access, but that's not what the article is about. The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.

    Sorry for yelling, but it's an important point.

    Also, there is no good reason to report back your data pertaining to malware.