Uber app had “unprecedented” access to Apple user data, recorded user's screens
A security researcher has discovered that Uber's iPhone app was given unprecedented access to iOS user information, allowing the ride-hailing service to record a user’s screen without their knowledge, functionality that's supposed to be kept off-limits to anyone but Apple.
iPhone apps carry “entitlements”: rights embedded in an app’s code signature that unlock specific system capabilities. Most entitlements are available to any third-party developer; some, however, are reserved for Apple’s own software.
The researcher found that Uber’s app had been granted one of these reserved entitlements, labelled “com.apple.private.allow-explicit-graphics-priority”. The “com.apple.private” prefix marks an entitlement that is not available to external app developers.
It is thought that no apps besides Apple’s own have this level of access. The entitlement allows the Uber app to capture the device’s display pixel data without the user’s knowledge, and nothing in the app discloses it.
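The practical check a reader will want is how to tell whether an app on their own device carries a private entitlement. Entitlements live in the app binary’s code signature as a plain XML property list wrapped in a small blob (4-byte big-endian magic 0xfade7171, 4-byte big-endian total length, then the plist), which Apple’s FairPlay encryption of App Store binaries leaves readable. The script below is an added example, not code from the article or from Uber or the researcher; it scans raw Mach-O bytes for that blob, parses it, and flags any key with the “com.apple.private.” prefix. The binary it scans is constructed inline, and the entitlement keys in it other than the one named in the article are assumptions for the demo.

```python
import plistlib
import struct

# Magic of the embedded-entitlements blob in a Mach-O code signature
# (CSMAGIC_EMBEDDED_ENTITLEMENTS in Apple's cs_blobs.h). Layout: 4-byte
# big-endian magic, 4-byte big-endian length (header included), XML plist.
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171
PRIVATE_PREFIX = "com.apple.private."


def build_entitlements_blob(entitlements: dict) -> bytes:
    """Build a blob in the on-disk layout; used here only to construct the sample input."""
    payload = plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)
    return struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(payload)) + payload


def extract_entitlements(binary: bytes) -> list:
    """Scan raw Mach-O bytes for entitlement blobs (one per fat slice) and parse each."""
    results = []
    magic = struct.pack(">I", CSMAGIC_EMBEDDED_ENTITLEMENTS)
    pos = binary.find(magic)
    while pos != -1:
        if pos + 8 <= len(binary):
            (length,) = struct.unpack(">I", binary[pos + 4:pos + 8])
            payload = binary[pos + 8:pos + length]
            # Reject truncated or nonsensical lengths before parsing.
            if length >= 8 and len(payload) == length - 8:
                try:
                    results.append(plistlib.loads(payload))
                except Exception:
                    pass  # not a plist (e.g. a chance match on the magic): keep scanning
        pos = binary.find(magic, pos + 4)
    return results


def flag_private_entitlements(entitlements: dict) -> list:
    """Return the keys Apple reserves for its own apps, sorted."""
    return sorted(k for k in entitlements if k.startswith(PRIVATE_PREFIX))


def audit(binary: bytes) -> dict:
    """Merge all entitlement blobs found in a binary and flag the private ones."""
    merged = {}
    for ent in extract_entitlements(binary):
        merged.update(ent)
    return {"entitlements": merged, "private": flag_private_entitlements(merged)}


# Constructed sample binary: a Mach-O magic, padding standing in for the rest
# of the file, one entitlements blob, trailing padding. Only the
# allow-explicit-graphics-priority key comes from the article; the other
# keys and the team/bundle identifier are assumptions for the demo.
SAMPLE_ENTITLEMENTS = {
    "application-identifier": "TEAMID.com.example.rideapp",
    "aps-environment": "production",
    "com.apple.private.allow-explicit-graphics-priority": True,
}
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 60
    + build_entitlements_blob(SAMPLE_ENTITLEMENTS)
    + b"\x00" * 16
)

if __name__ == "__main__":
    report = audit(SAMPLE_BINARY)
    for key in sorted(report["entitlements"]):
        tag = "PRIVATE" if key in report["private"] else "public "
        print(f"{tag}  {key} = {report['entitlements'][key]!r}")
```

To run it against a real app, pass the bytes of the main executable inside the .app bundle (from a decrypted IPA or a jailbroken device) to `audit`; on a Mac, `codesign -d --entitlements :- /path/to/App.app` prints the same plist directly. Any key under the com.apple.private. prefix in a third-party app is exactly the kind of grant the article describes and warrants a closer look.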
An Uber spokesperson stated that the code was permitted by Apple and not currently in use. She said that it was simply a remnant from an earlier version of its app for the Apple Watch which enabled it to display maps on the screen: Uber was a launch app for the Apple Watch.
“Granting such a sensitive entitlement to a third party is unprecedented as far as I can tell; no other app developers have been able to convince Apple to grant them entitlements they’ve needed to let their apps utilise certain privileged system functionality,” Will Strafach, the security researcher who first identified the code, told Business Insider.
“I guess there is some kind of extremely special relationship there, considering Apple granted them exclusive access to a privileged IOKit API a little while after they were abusing other unrelated IOKit APIs in violation of the App Store rules,” he concluded.
Uber has clashed with Apple before: it was found to be using private Apple interfaces to track individual iPhones for up to five minutes after an Uber ride had ended, and Apple CEO Tim Cook reportedly threatened to remove Uber from the App Store in 2015.
The discovery could raise further questions about Uber’s already highly questionable business practices, which have led to the app being banned in many cities: recently, Transport for London decided not to renew its operating licence, citing a “lack of corporate responsibility”.
Uber is currently engaged in a high-profile legal battle with Waymo over the alleged theft of trade secrets from Google’s self-driving car project, facing legal action over its use of “Greyball” software, which allows it to evade law enforcement officers, and undergoing an internal investigation into its workplace culture, which has been described as aggressive and rife with sexual harassment.