Slashdot Mirror

← Back to Stories (view on slashdot.org)

Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say (gizmodo.com)

Posted by msmash on from the stranger-things dept.

To improve functionality between Uber's app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user's iPhone screen, even if Uber's app was only running in the background, security researchers told news outlet Gizmodo. From a report: After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app. The screen recording capability comes from what's called an "entitlement" -- a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn't common and would require Apple's explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn't find any other apps with the entitlement live on the App Store. "It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."

7 of 91 comments (clear)

  1. Duh by Aighearach · · Score: 3, Insightful

    Apple users tolerate anything. Even things that protest/boycott over, they're willing to actually move up their purchase schedule when Apple responds to their demands by asking for more money.

    This is a well-trodden path.

  2. Where's the limit with Uber on iOS? by eepok · · Score: 4, Insightful

    Apple tosses apps out of the app store for many reasons. Over the last 2-3 years, Uber's apps have shown to violate privacy and intentionally deceive regulators on a massive scale. Money aside (I know, that's asking a lot), how does Apple justify allowing them to continue to have an app in their app store?

  3. Re: This is real bad by Anonymous Coward · · Score: 5, Informative

    It's not as bad as it sounds.

    There was no way for the original apple watch to get maps on the phone. Apple allowed Uber to use a system function to take a screen recordings from the phone to send to the watch so it could show maps.

    Apple specially vetted the code source and inspected it with every update to make sure it was only taking and sending shots of map from Uber app.

    Basically you are already trusting apple for an enormous amount of things, this is just one more thing, you are trusting apple to sufficiently police the rare entitlements.

    However I agree it's seedy, and the app should need to request permission to record the screen just like for other access permissions. Apple seem to deliberately have done this on the down low.

  4. Re:Bad engineering practices by cfalcon · · Score: 3, Insightful

    > For the sake of argument, let's assume that they are being truthful when they say these things. My response is: get your engineering house in order.

    It should be: demand that Apple remove Uber permanently from the app store. It doesn't matter if they stopped using, or never used, their backdoor exploit code (this is like the third one I think?), to actually do backdoor exploits. The mere fact that they designed it, developed it, and deployed it, means that they are actively evil from head to toe. The guy writing the screenlogger wasn't writing it because he never thought it would be used, his manager didn't ask for him to write it with the assumption that it would just be there *for no reason*, etc. The mere fact that they deployed it PERIOD means that they should be kicked right the hell out the door.

  5. Re:Assholes ... by ShanghaiBill · · Score: 5, Insightful

    Sorry, but Uber's business model is pretty much end to end "be colossal assholes ..."

    Of course. But the real issue is not that Uber is unethical (we already knew that) but that Apple gave them full access.

    If my landlord gave a burglar the key to my door, his behavior would be more noteworthy than the behavior of the burglar.

  6. Re:Assholes ... by currently_awake · · Score: 4, Interesting

    I consider the bigger issue that Apple can bypass your security settings at will, with no notification. I don't know how legal this is, but we can assume police and intelligence agencies are currently making use of this because Apple spent money to MAKE this feature.

  7. Re:Assholes ... by thegarbz · · Score: 4, Insightful

    bypass your security settings

    No you have this backwards. Apple owns the absolute control of your device. Any settings you have are gifted to you by them. They aren't bypassing your security, they simply aren't offering you security you want.