Slashdot Mirror


Uber's Android App Caught Reporting Data Back Without Permission

Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.

13 of 234 comments

  1. So, in essence, Uber's app is malware by Anonymous Coward · · Score: 5, Insightful

    How about Google does something about it? Like remove the app and takes Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

    1. Re:So, in essence, Uber's app is malware by 0123456 · · Score: 5, Insightful

      Or, you know, actually give us actual app permissions control so we can prevent it from retrieving this information in the first place, rather than having to agree that Happy Fluffy Kitty Screensaver can send text messages and read all my contacts or not install it at all?

    2. Re:So, in essence, Uber's app is malware by jareth-0205 · · Score: 5, Informative

      How about Google does something about it? Like remove the app and takes Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.

      Worse than that, Google is an investor in Uber. They have put in $250 million; they should just go and demand that Uber stop fucking about.

    3. Re:So, in essence, Uber's app is malware by stoploss · · Score: 5, Informative

      You can do this with the cyanogenmod privacy manager. Of course, then you have to root your phone.

      Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close due to exceptions being thrown. XPrivacy lets me keep my privacy without app force closes. Anyway, the CM devs used to be adamant that they would never allow spoofing because it would interfere with app devs' data mining of user data. It's one of the reasons I parted ways with CM. Maybe they have changed their position, though.

      Besides, XPrivacy, while it requires root, does *not* require a whole custom ROM. Custom ROMs are passé compared to what the XPosed framework can do, and XPrivacy is an excellent example of an XPosed module.

    4. Re:So, in essence, Uber's app is malware by Anonymous Coward · · Score: 5, Interesting

      I've switched to a prepaid $50 Nokia Lumia 520 (paid for entirely in cash, including the minutes). They can still interrogate the people from my call logs to find out who the phone belongs to, or GPS track it to my house using Carrier IQ, but at least I'm not spoonfeeding it to them. Since it's a Windows phone, I only use it for wifi tethering my Google Voice number/Google Hangouts to the 4G LTE network.

      I have Whatsapp on my old burner cell phone I use for international travel... Tons of stupid android apps. Terrible battery life!

      I say this as an app developer: Google really needs to clean house. I know the permissions configuration while writing an app encourages asking for everything so the code will compile, but all the same: the carriers cock-blocking Android updates for 6-15 months (so they can "lame it up" with their stupid skins that nobody wants) is a HUGE security problem and probably one of the reasons why BYOD is so dangerous to corporate networks if done incorrectly. The privacy issue with being unable to firewall your contacts list, SMS history, and photos is a major problem. One solution would be for every phone to have two contacts lists, SMS logs, and photo albums, where you have to specifically move your private data into the "everyone can see this shit" section where the apps can go nuts.

      Another solution would be to force all apps to exfiltrate data through a Google-monitored intermediary. This could be done at the kernel level by Android forcing the issue via their API. All outbound network traffic could be MITMed transparently to the app developers. Sort of a "Privacy IDS"/MITM which is encrypted between the app and Google, and between Google and the app's back-end servers. Would it cause higher latency? Probably (but they could have a "Privacy Certified" alternative where the app has to have its source code reviewed by Google before going through the "Play" app store). Fascist? Yup! Necessary? Seems so!

      Google could just start banning developers from their store caught misbehaving but that doesn't really scale well.

  2. It DOES have permission by Anonymous Coward · · Score: 5, Insightful

    I just went to the Google Play Store page for Uber, and checked the permissions the app requires. It includes:

    Read your Contacts, take pictures, status and identity, modify system settings, read Google service configuration, and a host of others.

    So, based on this (admittedly limited) information, it doesn't seem to be bypassing Google security so much as utilizing the proper channels to claim superior access to the user's phone.

    And in this, it is not alone. The majority of apps on the Play Store require all these permissions, and Google will not give users explicit control over these permissions for two reasons:

    1) Users will break their own apps and then Google will take the heat for it (you KNOW this will happen, a LOT)
    2) Vendors will hate the sandbox that users put them in, and Google will take the heat for that (and lose a lot of free apps that represent a competitive advantage for Google).

    I am not saying this is right, but this is a natural response to the incentives Google faces.
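The comment above argues from the permissions a store listing declares, while the story is about data observed leaving the device. As an added example (not from this thread or from any real app), the script below parses a constructed AndroidManifest.xml, maps each declared permission to the category of user data it unlocks, and reconciles that against a constructed list of data categories seen in traffic, so the "it has permission" and "it has no permission" claims can be checked per category. The permission-to-category table and the sample manifest are assumptions built for the example.

```python
import xml.etree.ElementTree as ET

NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"

# Manifest permission -> user-data category it unlocks (the Play Store labels
# quoted above map onto these). Assumes Android 4.1+, where the call log has
# its own permission instead of riding on READ_CONTACTS.
DATA_GRANTED = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call_logs",
    "android.permission.READ_SMS": "sms_mms_logs",
    "android.permission.READ_PHONE_STATE": "device_identity",
    "android.permission.CAMERA": "camera",
    "android.permission.WRITE_SETTINGS": "system_settings",
    "com.google.android.providers.gsf.permission.READ_GSERVICES": "gservices_config",
}

# Constructed sample manifest (not any real app's): it declares the kinds of
# permissions listed in the comment, but nothing that reaches SMS or call logs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rideshare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """android:name of every <uses-permission> element in the manifest."""
    return [el.get(NAME_ATTR) for el in ET.fromstring(manifest_xml).iter("uses-permission")]

def granted_data(manifest_xml):
    """Data categories the declared permissions legitimately unlock."""
    return {DATA_GRANTED[p] for p in declared_permissions(manifest_xml) if p in DATA_GRANTED}

def reconcile(manifest_xml, observed):
    """Split categories seen leaving the device into those a declared
    permission accounts for and those no declared permission explains."""
    granted = granted_data(manifest_xml)
    return (sorted(c for c in observed if c in granted),
            sorted(c for c in observed if c not in granted))

if __name__ == "__main__":
    # Constructed observation standing in for what a traffic capture showed.
    covered, unexplained = reconcile(SAMPLE_MANIFEST, {"contacts", "call_logs", "sms_mms_logs"})
    print("explained by a declared permission:", covered)
    print("no declared permission explains:", unexplained)
```

Anything in the second list is either reached without a permission (the installed-app list needs none on Android of that era) or through some path the manifest does not account for, which is the question the researcher's claim turns on.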

    1. Re:It DOES have permission by Anonymous Coward · · Score: 5, Insightful

      There's a simple solution to this, and one that Apple has applied successfully to Uber - make it a condition to get into the store that you don't request permissions you don't need to do the app's job. Uber for iOS doesn't require access to all this stuff. I'd bet heavily that that's because Apple told them to go fuck themselves until they sorted it out.

  3. Xprivacy and rooted for the win.. by popoutman · · Score: 5, Interesting

    Makes me very happy that I have XPrivacy installed on my rooted S4 Active, and I now have a fine-grained security model with the ability to control what apps have access to what.

    It was an eye-opener to see some apps that were misbehaving or just outright being illegal. My flashlight app now only controls the LED on the rear, and cannot see any of my private details - and they earned themselves a 1-star review.

    --
    - This sig deliberately left blank. Nothing to see, move along.

  4. Re:Spoofing by digitalchinky · · Score: 5, Insightful

    You need root; XPosed and XPrivacy allow you to give bogus info to apps. The UI could use a little work, but you get a deep level of control over app permissions. Alongside an auto-run manager and a firewall of some kind, you pretty much have a non-leaky, tame Android.

  5. Incorrect analysis by Anonymous Coward · · Score: 5, Informative

    Incorrect analysis by the original blog. Please see this nextweb article which clarifies
    http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/

  6. Re:It's a storage site by BarbaraHudson · · Score: 5, Insightful

    ... and it wants to be the Facebook of transportation. "We're collecting all this data to help us make your user experience better. Don't like it - use someone else. Oh wait - we actively sabotage the competition 'cuz we got $1.5 billion thrown at us by crazy investors."

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

  7. Re: XPosed and XPrivacy will lie for you! by Karlt1 · · Score: 5, Insightful

    And BTW, iPhone apps are not any better about this stuff like phoning home and spying on you unless they are rooted and modified. It is just that the greater openness of the Android platform versus iOS makes it easier to spot. But that also means that there are more and better countermeasures.

    iOS doesn't allow any app to have most of those permissions. Even in a case like Contacts (as of iOS 8), there is a new API that allows the user to select the contact within the app using an OS-provided picker, and the app only has access to the contact the user chose.

    You can also turn off permissions granularly once an app is installed.

  8. Re:Explanation of Uber permissions... by bouldin · · Score: 5, Insightful

    Those are legitimate explanations for the app to need said access, but that's not what the article is about. The researcher found Uber was SENDING ALL OF THIS BACK TO UBER'S SERVERS.

    Sorry for yelling, but it's an important point.

    Also, there is no good reason to report back your data pertaining to malware.