Uber Tried To Hide Its Secret IPhone Fingerprinting From Apple

theodp quotes today's New York Times profile of Uber CEO Travis Kalanick: For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple's engineers. The reason? So Apple would not find out that Uber had secretly been tracking iPhones even after its app had been deleted from the devices, violating Apple's privacy guidelines.
Uber told TechCrunch this afternoon that it still uses a form of this device fingerprinting, saying they need a way to identify those devices which committed fraud in the past -- especially in China, where Uber drivers used stolen iPhones to request dozens of rides from themselves to increase their pay rate. It's been modified to comply with Apple's rules, and "We absolutely do not track individual users or their location if they've deleted the app..." an Uber spokesperson said. "Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."

The article offers a longer biography of Kalanick, who dropped out of UCLA in 1998 to start a peer-to-peer music-sharing service named Scour. (The service eventually declared bankruptcy after being sued for $250 billion for alleged copyright infringement.) Desperately trying to save his next company, Kalanick "took the tax dollars from employee paychecks -- which are supposed to be withheld and sent to the Internal Revenue Service," according to the Times, "and reinvested the money into the start-up, even as friends and advisers warned him the action was potentially illegal." The money eventually reached the IRS as he "staved off bankruptcy for a second time by raising another round of funding." But the article ultimately argues that Kalanick's drive to win in life "has led to a pattern of risk-taking that has put his ride-hailing company on the brink of implosion."

Re: This article would have been nice two days ago

You don't already assume your smartphone is being fingerprinted and tracked?! That's the first thing anyone using such a device should assume.

FTFY

"has led to a pattern of risk-taking that has put his taxi company on the brink of implosion."

There. FTFY.

Re:FTFY

[Uberbah]

Yes, the horrors of having professional drivers who make a living wage, don't have to pay for maintenance on the cars they drive, and who carry hundreds of thousands in passenger insurance as opposed to the $25,000 you can count on from your Uber driver's All State policy. Horrors, I tell you!

Re:FTFY

[gsslay]

Being, in your estimation, above other taxi companies does not change the fact that Uber is still a taxi company. Uber have obvious interests in claiming they are not a taxi company. But if you provide a service like a taxi company, in vehicles like a taxi company, with drivers like a taxi company, charging a fare like a taxi company, then there's no denying you are a taxi company. The addition of an app doesn't change that.

Uber tries to hide just about everything

[turkeydance]

there must be a Clinton angle somewhere

Re:Uber tries to hide just about everything

[PolygamousRanchKid+]

. . . they are certainly doing extremely well at hiding their profit.

They simply remember your UDID

[ugen]

The *tracking* is based on Uber saving device UDID, so that they know who you are even if you later reinstall the app and use a different account. While Uber is evil in many ways, this UDID "tracking" is not what the article makes it appear - Uber certainly cannot "track" anyone in any way once their app has been removed.
In fact, I am not sure why go to such great lengths to obtain UDID when device MAC address is readily available (and must be for variety of software to work) and globally unique.
This also smacks of those scaremongering sites that start with a banner like "Your computer is broadcasting a unique IP address" and lead to hard sell of overpriced VPN service or bs apps to "hide your IP".

Re: They simply remember your UDID

[sphealey]

= = = eah the NY times article was scaremongering and partially wrong but the 'bad' thing Uber did here was break the Apple TOS which say developers should not be fingerprinting users devices.= = =

Who would have ever thought that a company founded on the principle [sic] of breaking the law in multiple jurisdictions would ignore and circumvent the terms and conditions, to which they agreed, of an entity with which they do business. Whodathunkait.

Re:They simply remember your UDID

[Gr8Apes]

I'm sure they do - this minute's MAC anyways. IIRC, they started randomizing MACs in iOS 9 to prevent wifi spots from tracking you as you moved about town.

Re:They simply remember your UDID

[santiago]

In fact, I am not sure why go to such great lengths to obtain UDID when device MAC address is readily available (and must be for variety of software to work) and globally unique.

MAC Address is no longer available since iOS 7. You can request it, but you'll get the same fake value of 02:00:00:00:00:00 on every iPhone. UDID is not available, either.

There's IDFV, the Identifier For Vendors, which is different for each vendor on the phone, and gets reset if you remove all the apps from that vendor on the phone. (That is, two apps from Google will see the same IDFV, but a different one from the one Facebook sees.)

Then there's IDFA, the Identifier for Advertisers, which the user can reset at any time via system settings, and which Apple will reject your app for if they catch you using it for anything other than ad-tracking.

The end result is that there is no longer any stable cross-app identifier that survives app uninstalls and user attempts to avoid tracking, by explicit design.

Re: They simply remember your UDID

[Motherfucking+Shit]

They're adding functionality that Apple refuses to do.

Apple refuses to do it for a valid reason, and I see Apple as the ethical winners here. If Uber is experiencing a high rate of fraud, that's a business process problem that needs to be addressed within Uber's own internal systems. Considering Uber can afford a "competitive intelligence" team that buys and crunches data about Lyft, and they can afford to develop "Greyball" deception tools to evade law enforcement, they should also be able to afford a couple of employees to build some better fraud detection into their signup process. A little less offense and a little more defense might be a rewarding strategy.

Thousands of other companies conduct business via iOS apps without resorting to breaking the rules. Uber is showing once again that they don't give a fuck about the rules, and that puts them squarely outside of the "ethical right."

Re: They simply remember your UDID

[tlhIngan]

They're adding functionality that Apple refuses to do. If you cheat in a Steam game, your device and account gets banned. On iOS, apparently, you just uninstall and reinstall and then you can fraudlently order cars all over again.

Actually Apple had that ability. The removed it in iOS7 because developers were abusing it for... tracking purposes. They were sending the device unique IDs to advertisers and giving advertisers a per-device view into everything - location information (if allowed), system information, etc.

Apple removed the ability to get that information because it was abused - they now present different forms of unique IDs to apps for various purposes. They have an advertising ID, resettable on user's command and a few others. It is no longer possible to track an individual device because users privacy was being compromised.

So it's not likely it's coming back - developers have shown they cannot be trusted with it.

And if Steam can ban an email and user from their network, so can Uber. Of course, I'm presuming you need an Uber account in order to hail a taxi from them, because they need to charge your credit card for the trip, then there are plenty of ways to track that. Unless a freshly installed Uber only needs a credit card, but I'm sure Uber can track those as well.

And if Uber is using iTunes account balances, then they easy way is to just stop doing that.

Re:They simply remember your UDID

[Lord_Jeremy]

Some posts really make me wish Slashdot had a "-1 factually incorrect" moderation. As a professional developer in iOS I can tell you that Uber's app is most definitely not saving the device UDID. For years, app developers were using the system-provided Unique Device Identifier (UDID) to track individual users, even though the identifier is really supposed to permanently relate to the device and isn't a good way to track a user who may sell or give away that device. Since iOS 6, Apple starting removing any software access to unique hardware identifiers such as UDID and MAC address by apps published on the App Store. Higher level APIs that would return said identifiers either provide randomized data that is specific to each app sandbox or are explicitly forbidden from use. Lower level APIs, such as network driver stuff will return 00:00:00:00:00:00 for MAC address and the like.

Occasionally, an app developer has found a new way to identify specific hardware models and Apple patches it. While Uber may have figured out another identifier or pattern of identifiers that happens to remain unique to a piece of hardware over its lifetime, I promise you they are not simply "saving device UDID."

Re:They simply remember your UDID

[Lord_Jeremy]

The "basic UNIX API" in iOS returns 00:00:00:00:00:00 for non-system apps. iOS has a kernel-level sandbox that lets them do cool things like prevent lowly app developers from circumventing user data protection policies.

Re:They simply remember your UDID

[parkinglot777]

Does iOS make the actual MAC address readily available to the application layer?

You can read it here on the "Deprecated APIs" section.

In iOS 7 and later, if you ask for the MAC address of an iOS device, the system returns the value 02:00:00:00:00:00. If you need to identify the device, use the identifierForVendor property of UIDevice instead. (Apps that need an identifier for their own advertising purposes should consider using the advertisingIdentifier property of ASIdentifierManager instead.)

Re:This article would have been nice two days ago

[rtb61]

Worried about what they are seeing you do, then let them see a whole bunch of stuff you do not do, why try to steam the flow of your privacy when you can deluge them with a flood http://www.cs.nyu.edu/trackmen... and https://adnauseam.io/. I am also thinking email games might be interesting to floor every possible channel with useless information, even all the spy vs spy stuff. Say an email game where one side plots to assassinate the president of Ameriganislav and the other plays as agents, trading emails with plots and encryption for the other side break, when side plotting the assasination and the other side trying to foil the plot a game to punish the professionally paranoid illegally spying on everyone with a flood of suggestive data to poison spy data bases, the game run from a web site.

So as many way as possible to generate false data at many, many mutliples of real data generated. A personal profile made totally meaningness and as a bonus the more you generate the more they must spend to store it. Double their data storage bill, triple it, how about increasing storage requirements hundreds of times over. Think of all the time, you are not on there internet but your computer could be, generating volumes of false empty data, hundreds of thousands of web visits you never went to, hundred of thousands of searches you never did, emails you never sent, your computer and software flooding marketers with empty data they have to pay to store.

Re:I still LOVE Uber

[quantaman]

I'm glad that the vigilance of the media compels Uber to work harder to be a scrupulous and ethical company, but the series of critical stories seems a bit like a negative campaign or mob mentality dog-piling, without noting how Uber continues to improve the lives of millions (by increasing the efficiency of people traveling between places, and improving rider experience (with driver ratings, and full routes and driver info indicated in receipts, and tracking drivers for accurate pick-up estimation), reducing drunk-driving rates because of truly convenient service).

I feel like the overwhelmingly positive aspects of Uber are not often part of the commentary, and so these revelations often seems to be considered without a reasonable sense of overall perspective.

I'm sure there's some level of astroturfing going on, after all Uber does have enemies, but I think there's also a lot of fire to go with this smoke.

The thing to realize with Uber is that their business is built on breaking the law, specifically Taxi regulations. Now you can make defences for their strategy and the unethical nature of taxi regs, but when your business is built around breaking rules it gets baked into your company's DNA.

Uber is going to keep committing ethical missteps because it's a company that's learned that breaking rules is fine as long as the reward exceeds the penalty.

Re:I still LOVE Uber

[quantaman]

breaking rules is fine as long as the reward exceeds the penalty.

The word you're looking for is 'capitalism'.

I guess so, though I think the real issue is that business people basically think of these laws the same way a hockey player thinks about the rules of hockey. Sure, you're not supposed to hook another player, but you're going to end up hooking sometimes because that's how the game goes, and sometimes even if you're caught the reward is big enough that it's considered a "good penalty". In this context people like Kalanick are basically hockey pests, people who succeed by their ability to skirt as close to the edge of the rules as possible.

Or perhaps they think about things like fraud, false advertising, and ripping off employees the way we think of traffic violations. You're not supposed to speed, but everyone does it to some extent.

I'm not sure what has to be done to make politicians and companies take law-breaking companies seriously, but it doesn't seem to be happening.

example

[Tom]

Uber is actually a good example of what's going wrong with the world: They are openly criminal and it works. It's Al Capone all over again. Everyone knows what they are doing, but they're too slippery to be nailed.

Same with the tax evasion of multinational cooperation, wars based on invented bullshit, election frauds done almost openly (like in Turkey), and so on.

Minority Report may have been on to something: The legal system working after the fact, and with a delay often measured in years, does not deter criminals. If you can take over a country, or become a billionaire, the threat that ten years from now they might file charges which your $1000/h lawyers will then simply drag through the courts for twenty years - well, that is not a very threatening thing especially for people trained to think primarily about next quarter.

Re:CEO needs to go

[jandersen]

The Uber CEO needs to go. He's what's keeping Uber from being great.

From what I hear about Uber, it seems they in so many ways act and think like criminals, but manage to keep just on the legal side of the law. Mostly. That said, though, they are just an extreme example of all the worst aspects of capitalism: the underhandedness, the ethos that says 'if we can get away with it, it must be OK', the lack of genuine care and consideration for their employees, customers and society, the sense of entitlement take what they want no matter what.

It is really sad, I think - there is a good kind of capitalism, where a clever, hardworking man or woman can grow a business from little more than their own abilities and determination, but the whole concept gets a grubby taint from the likes of Uber.

Re:Still better than taking the bus!

[Chrisq]

Is this Fox News or Info Wars? No, so no it isn't Trump. p.s. The fact that this site has text on it should have given it away as well.

It's Mike Pence. He's worked out that Slashdot is the one part of the internet where he can guarantee he won't end up talking to a woman.