Uber may have been secretly recording your iPhone screen, even when the app is closed. Will Strafach, a New York-based security researcher, discovered that the taxi hailing app had received a special permission from Apple to access the screen-recording feature. The company, however, rejected the security breach fears, stating the code was installed to improve the experience on Apple Watch version of the app.
It is worth understanding that Apple gives “entitlements”, a code to developers for enabling access to key features of an iPhone. Access to the screen-recording feature, however, is not available to all developers. Strafach claims that no other third-party apps except Uber had this special privilege. The permission is known as “com.apple.private.allow-explicit-graphics-priority” and allows developers to access and alter parts iPhone’s memory that contains data on pixel and display.
I wonder why Uber (appears to?) have this entitlement. new option in dev portal somewhere? https://t.co/VbknpQTlxV
— Will Strafach (@chronic) 3 October 2017
Strafach told Hindustan Times that the code was not limited by location. This essentially means the app had same access to users’ devices in India as well. For now, there is no concrete evidence that Uber actually took advantage of this access. He further said, “It looks like Uber was the only app allowed to do this.”
“My surprise was in the fact that this entitlement was granted to help them work around a performance issue and I am not yet clear if Apple had a security review to make sure they fully understood what new access they granted to Uber,” Strafach added.
Uber, in the meanwhile, said that it has now removed the API (application program interface) from the app.
“It’s not connected to anything else in our current codebase and the diff [sic] to remove it is already being pushed into production. This API would allow maps to render on your phone in the background and then be sent to your Apple Watch,” an Uber spokesperson is quoted as saying by Cnet.
“Subsequent updates to Apple Watch and our app removed this dependency, so we’re removing the API completely,” added the spokesperson.
Even though Uber claims it hasn’t been accessing users’ sensitive data, such features could put users’ security at high risk. Luca Todesco, a security expert, told Zdnet that it was tantamount to giving keylogging ability to apps. Once it is breached, any hacker could get access to users’ iPhone screens.
“This move by Uber and Apple has opened up its users to a massive privacy risk. Even if Uber doesn’t have any ulterior motive and the special ‘entitlement’ is only for rendering the maps, malicious hackers if gain access to the internal controls in Uber could spy on users at mass,” said Ankush Johar, Director at HumanFirewall.io, a cyber security company.
“Millions of users use the application on Apple’s iOS and this access could be exploited gravely if in wrong hands. If a state-sponsored hacker gains access to this feature, it could give a spying agency whether governmental or private, complete access to the targets daily activities including precise location, complete conversations on even the most encrypted channels and all secure passwords that the target is using,” he added.
What makes the new revelation more serious is Uber’s poor record on maintaining user privacy. The company was earlier this year found using software to track location of drivers of rival company, Lyft, in the US. The software, known as Hell, allowed Uber to gather information including location, rides availability and even drivers’ record on whether they previously worked with Uber, reported TheInformation.
In April this year, Apple CEO Tim Cook had warned Uber for violating Apple’s guidelines. He even threatened to remove the app from the Apple App Store altogether. Uber was reportedly caught tracking iPhones even after the app was removed from the device.
It’s surprising that despite Uber’s dismal record on users’ privacy, Apple allowed the company to have the special treatment. Apple is yet to respond to the report.
Share This Post
