Slashdot Mirror

← Back to Stories (view on slashdot.org)

Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say (gizmodo.com)

Posted by msmash on from the stranger-things dept.

To improve functionality between Uber's app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user's iPhone screen, even if Uber's app was only running in the background, security researchers told news outlet Gizmodo. From a report: After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app. The screen recording capability comes from what's called an "entitlement" -- a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn't common and would require Apple's explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn't find any other apps with the entitlement live on the App Store. "It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."

51 of 91 comments (clear)

  1. Duh by Aighearach · · Score: 3, Insightful

    Apple users tolerate anything. Even things that protest/boycott over, they're willing to actually move up their purchase schedule when Apple responds to their demands by asking for more money.

    This is a well-trodden path.

    1. Re:Duh by Tablizer · · Score: 1

      Oh, and Google, MS, etc. are careful? Yeah right.

      Anyhow, we don't know Apple's side of the story yet. Knowing Uber, they probably used "social engineering" to sneak stuff past the Apple iGuards.

      --
      Table-ized A.I.
    2. Re:Duh by Aighearach · · Score: 1

      Right, users of other brands have a much higher rate of switching to competing products when they report being very angry about the product.

      I used to use a wide range of google services, but after being forced to switch a few times when things got shut down, I use less and less of their services all the time, and I can be consistently relied on to not even try anything new they offer. No interest. And yet, I still do use gmail and couple other services.

      If you don't understand that there are differences in brand loyalty from one brand to the next, and that that often impacts the user experience, they do have books about that stuff. Spoiler: it doesn't end well for the consumer if the brand owner realizes they are excessively loyal.

    3. Re:Duh by Bing+Tsher+E · · Score: 1

      There are dozens of keyboard alternatives on the Android App marketplace. I use the Hacker's Keyboard, which gives me cursor keys and all the control-alt-esc key sequences, on my Asus Android tablet.

      The default Android keyboards from Google or Samsung are deplorable.

      Does Apple even allow third party keyboards on iOS? It's been so long since I used iOS on anything.

    4. Re: Duh by Anonymous Coward · · Score: 1

      But if the 3rd party doesn't log keystrokes back to Apple it doesn't get approved.

    5. Re:Duh by JohnFen · · Score: 1

      Anyhow, we don't know Apple's side of the story yet. Knowing Uber, they probably used "social engineering" to sneak stuff past the Apple iGuards.

      TFA contains a statement from Apple explaining that they intentionally granted this ability to to Uber app, and why.

  2. Assholes ... by Anonymous Coward · · Score: 1

    Sorry, but Uber's business model is pretty much end to end "be colossal assholes, claim regulations don't apply, and keep being assholes".

    Sorry, but this isn't a company I would ever trust or do business with.

    Claiming you're a magical pony who isn't covered by laws doesn't make it true.

    1. Re:Assholes ... by ShanghaiBill · · Score: 5, Insightful

      Sorry, but Uber's business model is pretty much end to end "be colossal assholes ..."

      Of course. But the real issue is not that Uber is unethical (we already knew that) but that Apple gave them full access.

      If my landlord gave a burglar the key to my door, his behavior would be more noteworthy than the behavior of the burglar.

    2. Re:Assholes ... by Aighearach · · Score: 1

      Uber is so evil, it didn't even occur to me to care about the affect on their users/accomplices.

      The real story has to be Apple giving them permission, because Apple is not obviously evil. Normally the complaint of Apple haters is merely that it is overpriced, and walled gardens are for snobs, and not everybody likes snobs. Snobs are often looked down on, but also often looked up to; they are not obviously evil. So to have this sort of snake inside the garden might turn out to be a big deal. Especially if there are others.

    3. Re:Assholes ... by currently_awake · · Score: 4, Interesting

      I consider the bigger issue that Apple can bypass your security settings at will, with no notification. I don't know how legal this is, but we can assume police and intelligence agencies are currently making use of this because Apple spent money to MAKE this feature.

    4. Re:Assholes ... by thegarbz · · Score: 4, Insightful

      bypass your security settings

      No you have this backwards. Apple owns the absolute control of your device. Any settings you have are gifted to you by them. They aren't bypassing your security, they simply aren't offering you security you want.

  3. Where's the limit with Uber on iOS? by eepok · · Score: 4, Insightful

    Apple tosses apps out of the app store for many reasons. Over the last 2-3 years, Uber's apps have shown to violate privacy and intentionally deceive regulators on a massive scale. Money aside (I know, that's asking a lot), how does Apple justify allowing them to continue to have an app in their app store?

    1. Re:Where's the limit with Uber on iOS? by Actually,+I+do+RTFA · · Score: 1

      how does Apple justify allowing them to continue to have an app in their app store?

      They're afraid of driving people to Android. At this point, Uber is so entrenched, that may happen. Now, that would be an excellent reason, if i were Apple, to push people to Lyft.

      --
      Your ad here. Ask me how!
    2. Re:Where's the limit with Uber on iOS? by BasilBrush · · Score: 1

      Pretty obviously because iPhone users want to be able to use Ubers.

    3. Re:Where's the limit with Uber on iOS? by squiggleslash · · Score: 1

      And Uber wants iPhone users to be its customers. I'd assume Uber has a mobile website by now, so if they can make that pinnable and assuming iPhone webapps allow notifications (I don't have an iPhone, so can't comment), there's no good reason for Uber to need a native app for iPhones.

      I don't think banning Uber from the App Store would have a significant impact on Apple. It would be more serious for Uber, effectively another highly publicized attack on its honesty, and a reduction in exposure.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:Where's the limit with Uber on iOS? by 110010001000 · · Score: 1

      Gee I wonder why? Could it be that Uber is a top 20 app for iOS? What makes you think Apple cares about your privacy? You don't think they are logging what you do?

    5. Re:Where's the limit with Uber on iOS? by BasilBrush · · Score: 1

      A website experience would be poor vs a native app.
      It would likely be lacking in features, as there are things you can't do with a web site. And it would prevent using the Apple Watch.

      iPhone users want the Uber app. And there's no reason to stop them. They had a good reason to use an entitlement at the time, and now they don't need it any more they'll be removing it.

    6. Re:Where's the limit with Uber on iOS? by lerxstz · · Score: 1

      I looked into notifications for iPhone webapps somewhat recently, it is not *currently* possible. Sevice workers are in development but not currently available.

      --
      I chose to end my comments, not with a rim shot, but a long decaying F#7sus4
  4. There goes Apple's reputation for security. by whoever57 · · Score: 2

    There goes Apple's reputation for security.

    I expect that there was money involved.

    Apple cares about security, as long as there is no way to make money out of making you insecure.

    The only real remedy for this is if Apple pushed out an IOS update that took away the ability for these hidden privileges to exist, but likely they won't because probably the main other user of them is Apple itself.

    --
    The real "Libtards" are the Libertarians!
    1. Re:There goes Apple's reputation for security. by JohnFen · · Score: 1

      Privacy and security are related. Privacy is a subset of security.

    2. Re:There goes Apple's reputation for security. by Anonymous Coward · · Score: 2, Interesting

      Oh fuck off Nancy. Are you seriously going to thrash Apple, when Google has been letting Android and its apps use you like a bitch for the past decade?

      I love how the blinders are up whenever horrible fucking practices are used by open source and Android developers, and suddenly you're outraged at Apple for what is probably a fuck up by an employee who didn't know better.

      Fuck this place and its users. What a bunch of narcissistic losers.

    3. Re:There goes Apple's reputation for security. by xlsior · · Score: 1

      Apple cares about security,

      They really don't -- all they are about is the perception of being secure ('you won't need antivirus on an apple'), but when you get right down to it they have been dragging their feet fixing known vulnerabilities in MacOS for years, and their software always scores poorly during pwn2own-style events.

    4. Re:There goes Apple's reputation for security. by Bing+Tsher+E · · Score: 1

      Are you angry? Why shoot the messenger? Apple and/or Uber are at fault here.

      I know, I know. Apple is "your team" and it's a rivalry match.

      Seriously, grow up.

    5. Re:There goes Apple's reputation for security. by Aussie · · Score: 1

      posting to undo moderation error

    6. Re:There goes Apple's reputation for security. by JohnFen · · Score: 1

      Are you seriously going to thrash Apple, when Google has been letting Android and its apps use you like a bitch for the past decade?

      Why not?

      If you're doing something wrong, whether or not others are just as bad or worse in no way excuses your actions.

  5. Bad engineering practices by JohnFen · · Score: 2

    It's sortof impressive how many times Uber apps have been found to contain questionable abilities that Uber claims they stopped using some time ago.

    For the sake of argument, let's assume that they are being truthful when they say these things. My response is: get your engineering house in order.

    Leaving dead code in your software is a terrible practice for a number of reasons. Don't wait until someone discover it's there before you remove it. Remove it as soon as you stop using it.

    1. Re:Bad engineering practices by cfalcon · · Score: 3, Insightful

      > For the sake of argument, let's assume that they are being truthful when they say these things. My response is: get your engineering house in order.

      It should be: demand that Apple remove Uber permanently from the app store. It doesn't matter if they stopped using, or never used, their backdoor exploit code (this is like the third one I think?), to actually do backdoor exploits. The mere fact that they designed it, developed it, and deployed it, means that they are actively evil from head to toe. The guy writing the screenlogger wasn't writing it because he never thought it would be used, his manager didn't ask for him to write it with the assumption that it would just be there *for no reason*, etc. The mere fact that they deployed it PERIOD means that they should be kicked right the hell out the door.

    2. Re:Bad engineering practices by JohnFen · · Score: 1

      Again, I'm giving Uber the benefit of the doubt for rhetorical purposes (I actually think that Uber is essentially a criminal organization who needs to be put out of business, but I'm setting that aside for the moment).

      Uber didn't say they put this in for no reason. The reason that they gave for implementing this is entirely plausible and, if that's all it was ever used for, hard to take exception with.

    3. Re:Bad engineering practices by thegarbz · · Score: 1

      It's sortof impressive how many times Uber apps have been found to contain questionable abilities that Uber claims they stopped using some time ago.

      It's even more impressive that Apple hasn't booted them from the store because of this. Most other developers will be shown the door if Apple doesn't like the exact amount of grovelling they do to keep them from getting banned.

  6. Re: This is real bad by Anonymous Coward · · Score: 5, Informative

    It's not as bad as it sounds.

    There was no way for the original apple watch to get maps on the phone. Apple allowed Uber to use a system function to take a screen recordings from the phone to send to the watch so it could show maps.

    Apple specially vetted the code source and inspected it with every update to make sure it was only taking and sending shots of map from Uber app.

    Basically you are already trusting apple for an enormous amount of things, this is just one more thing, you are trusting apple to sufficiently police the rare entitlements.

    However I agree it's seedy, and the app should need to request permission to record the screen just like for other access permissions. Apple seem to deliberately have done this on the down low.

  7. Curious how they convinced Apple? by redshirt · · Score: 1

    It's called money, dumbass.

  8. Re: This is real bad by Anonymous Coward · · Score: 1

    If Apple vetted the code then how come Uber was able to collect screenshots even when it was not running? It should have informed the user about the permission. I don't blindly trust Apple. I trust Apple that it will make right decisions and in this case, it failed me.

  9. Whatcha mean 'secret'? by Kenja · · Score: 1

    Did no one read the permissions list the app asks for? Its really long... there is no reason for most of it, so why are people now shocked that it was nefarious? It even lists "modify or delete your storage contents" for Jobs sake.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Whatcha mean 'secret'? by Anonymous Coward · · Score: 2

      You are confusing iOS and Android. On iOS you don't accept permissions when installing an app, you accept them as app requests them during runtime.
      Unfortunately these "entitlement" permissions cannot be controlled by user.

  10. Re: This is real bad by Kenja · · Score: 1

    It did inform users, there are three pages of app permissions. The Uber app has more or less full control over your phone.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  11. Re:This is real bad by Anonymous Coward · · Score: 1

    This incident has shaken my faith in Apple. Thankfully, I am not a victim as I don't use Uber.

    Not a victim of the announced leak, but what about the unannounced/undiscovered ones?

  12. "Smart" just means "treacherous" by jabberw0k · · Score: 1, Interesting

    There's a reason why some of us only use free software on free operating systems, and this kind of abuse is a perfect example of what happens when you trust proprietary software on a closed operating system. If you use a so-called "smart" device, you are a patsy, a mark, a willing victim. Stop hurting yourself.

    1. Re:"Smart" just means "treacherous" by Nostalgia4Infinity · · Score: 1

      A smart phone is a tool. Use it correctly and it's fine, not to mention incredibly helpful.

    2. Re: "Smart" just means "treacherous" by reanjr · · Score: 1

      As software developers, we don't build OSes and programming languages to sell. We build them to use, to provide services we (or others) sell. We are like scientists performing experiments and sharing the results with our colleagues to advance the craft. And like scientists, if you're not sharing your work, you're really not part of the community; you fundamamentally fail to understand what it is to be a part of a knowledge work community and industry.

    3. Re:"Smart" just means "treacherous" by Arkham · · Score: 1

      There's a reason why some of us only use free software on free operating systems, and this kind of abuse is a perfect example of what happens when you trust proprietary software on a closed operating system. If you use a so-called "smart" device, you are a patsy, a mark, a willing victim. Stop hurting yourself.

      No offense intended here, but there is no free software phone on the market. None of the carriers would even consider approving it.

      --
      - Vincit qui patitur.
    4. Re:"Smart" just means "treacherous" by JohnFen · · Score: 1

      Feature phones, or landlines.

    5. Re:"Smart" just means "treacherous" by JohnFen · · Score: 1

      Nobody became rich by working for free or on free software.

      Lots of people don't have "get rich" as their goal.

  13. Re: This is real bad by bug_hunter · · Score: 1

    It didn't take screenshots when not running.
    But the app had iOS's permission to do it.

    Apple vetted the code to make sure they didn't.

    As other's have said, this whole thing seems shady and unpleasant, but it doesn't look like this privilege was abused (though I'd rather they never had it in the first place).

    --
    It's turtles all the way down.
  14. Uber = Evil by JustAnotherOldGuy · · Score: 1

    The more I learn about Uber, the more obvious it becomes that they're a shit-filled cesspool without a shred of ethics or morality.

    I was already pretty down on them, but this firmly cements my resolve to never EVER use them and to bad mouth them at every possible opportunity. Shitbags with a logo, that's all they are.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  15. Re: This is real bad by BasilBrush · · Score: 1

    You don't know what you are taking about. iOS does not list permissions. You are thinking of Android.

  16. Nothing special on Android by iamacat · · Score: 1

    Screen recording is fully supported and available to any app. Note however that the system will ask you nicely if you want to allow a particular app to start capturing screen and this prompt can not be suppressed by the app. The user has a checkbox to allow the same app to do it silently in future. I don't know if Apple allows such access without user warning.

  17. Maps on your wrist by izzo+nizzo · · Score: 1

    By using this technique, the app was able to display a map on the watch screen. This allows you to keep your phone in your pocket when youâ(TM)re out in dark, possibly unfamiliar streets at night. There are security implications of that too.

    This is an interesting story and itâ(TM)s plausible that Uber would abuse this privilege if they could get away with that. But, if they couldnâ(TM)t, it may just be a story about how capable iOS and the App Stire review team are.

  18. web interface by Kreplock · · Score: 1

    This is why I don't download apps where an existing web interface that will do the job. I object to using Uber tho, so I don't even know whether you can use the service thru a web app. But so many other companies have perfectly serviceable web sites that you can use instead of an app, why let them even further thru the door and into your phone.

  19. Re: This is real bad by JohnFen · · Score: 1

    Because have permission to and actually doing it are two different things.

    True, but from a security point of view, you must assume that if an app has permission to do something, it is doing it.

  20. Re: Shenanigans by JohnFen · · Score: 1

    TFA covers this: apple gave the Uber app special privileges not available to other apps.

  21. Re: This is real bad by JohnFen · · Score: 1

    And Apple did. But I'm talking about the end user, not the vendor.