Slashdot Mirror


Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say (gizmodo.com)

To improve functionality between Uber's app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user's iPhone screen, even if Uber's app was only running in the background, security researchers told news outlet Gizmodo. From a report: After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app. The screen recording capability comes from what's called an "entitlement" -- a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn't common and would require Apple's explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn't find any other apps with the entitlement live on the App Store. "It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."

1 of 91 comments

  1. Re: This is real bad by Anonymous Coward · Score: 5, Informative

    It's not as bad as it sounds.

    There was no way for the original Apple Watch to get maps on the phone. Apple allowed Uber to use a system function to take screen recordings from the phone to send to the watch so it could show maps.

    Apple specially vetted the source code and inspected it with every update to make sure it was only taking and sending shots of the map from the Uber app.

    Basically you are already trusting Apple for an enormous amount of things; this is just one more thing: you are trusting Apple to sufficiently police the rare entitlements.

    However I agree it's seedy, and the app should need to request permission to record the screen just like for other access permissions. Apple seem to deliberately have done this on the down low.