Mac|Life

Uber’s special access

Apple-granted “entitlement” raises questions over Cupertino’s commitment to privacy

- By Rob Mead-Green

The ride-booking service reins in its app’s reach.

Ride-hailing service Uber has removed from the latest version of its iOS app a set of Apple-granted developer tools that potentially enabled it to record any user’s iPhone screen - including passwords and other personal data.

Will Strafach, security researcher and CEO at Sudo Security Group, made the discovery in October, arguing it was rare for Apple to give what he called “a private sensitive entitlement” to developers - with no other similar examples currently known to exist in the App Store.

Uber said in a statement that it was granted the entitlement by Apple to enable the Uber app for Apple Watch to display maps correctly. The company told tech site Gizmodo: “It was used for an older version of the Apple Watch app, specifically to run the heavy lifting of rendering apps on your phone and then sending the rendering to the Apple Watch app.” The company said the dependency had since been removed thanks to improvements in “Apple’s OS” (presumably watchOS) and that it has now removed the application programming interface (API) from its iOS codebase.

Strafach said the entitlement first appeared in Uber’s app in 2015, around the March launch of Apple Watch, when Apple demonstrated the ride-hailing abilities of the Watch version during a keynote. It’s believed that since developers were given just four months to get their apps ready for the launch of the Watch, Uber was given special access to the API.

One concerning aspect of the entitlement is that it could have enabled Uber to record almost anything on your iPhone screen, whether the Uber app was running or not. Security researcher Luca Todesco told Gizmodo: “Essentially it gives you full control over the frame buffer, which contains the colors of each pixel on your screen. So they can potentially draw or record the screen.”

There is no evidence to suggest that Uber ever used the entitlement for this purpose, but it does raise questions about Apple’s granting of the entitlement to Uber, a company that’s been mired in controversy.

Last August, Uber pulled a feature from its iPhone app that enabled it to track your location from the time you requested a ride up until five minutes after your trip ended, even when the app was running in the background. Uber said the app’s post-ride, five-minute tracking was never activated on iPhone, although when evidence emerged that in some cases the app was able to track a device for weeks after a trip, Uber blamed the way Apple had applied extensions in iOS’s Maps app.

It’s not the first time Uber has run into trouble. Early in 2015, Tim Cook reportedly threatened to have Uber’s app removed from the App Store after Apple learned that it was capturing the unique identifier (UUID) of iPhones even after its app was removed and the device wiped - something that developers aren’t allowed to do. Apple engineers also discovered that Uber had tried to hide its activities by placing a geofence around Cupertino. “Uber would then obfuscate its code from people within that geofenced area,” the New York Times reported last April, “essentially drawing a digital lasso around those who it wanted to keep in the dark.”

While Apple had stopped Uber from identifying devices using its app in 2015 – something Uber said it did to avoid fraud – it’s now offering a comparable service in iOS and tvOS. Called DeviceCheck, it enables developers to assign two bits of data and a timestamp to a device when an app is installed, with the code passed on to Apple. The aim is to crack down on suspicious activity, such as reinstalling a trial app to avoid paying for the full version, while also protecting your privacy by not including any identifying data.

Uber’s app was granted an unusual level of access to your screen by Apple.
