Published: Mon, October 09, 2017
Research | By Jennifer Evans

Uber app can silently record iPhone screens, researcher finds

Uber told ZDNet that the ability was only intended for a very specific Apple Watch application, in which maps could render in the background on your iPhone and then be pushed to your Apple Watch. This may have led to passwords and other sensitive information getting stolen by a hacker or the brand itself.

A group of security researchers has told Gizmodo that Uber's iOS app is capable of recording data from a user's screen. "I guess there is some kind of extremely special relationship there, considering Apple granted them exclusive access to a privileged IOKit API a little while after they were abusing other unrelated IOKit APIs in violation of the App Store rules (with no repercussions at all)". Apple had even contemplated removing Uber from the App Store due to alleged violations of users' privacy, making the move even more weird.

His assertions appeared to be confirmed by Uber, whose head of security and privacy communications, Melanie Ensign, replied that it was used to show maps on iPhones and Apple Watches but that it was no longer being used. According to Strafach, Uber is the only third-party app to be provided the entitlement by Apple. "So they can potentially draw or record the screen", said security researcher Luca Todesco, who is also an Apple expert and a jailbreaker. However, the tool can be used to silently monitor iPhone users' activities and more, even when the app isn't being used.

After digging around in the code of Uber's app, Strafach discovered it used an entitlement called "com.apple.private.allow-explicit-graphics-priority".

After dealing with past controversies in which it followed passengers through a "God View" and tracked users who deleted its app from their phone, Uber now has another surveillance mishap on its hands, though the company says this one was unintentional.

Now, do we blame Apple for not taking the permission away? "This dependency was removed with previous improvements to Apple's OS & our app".

Despite suspicion, this special access permission was issued before the release of iOS 11. Gizmodo asked Apple about why the entitlement was granted but had not heard back at time of writing.

"You should know this API isn't connected to anything in our current codebase, meaning it's non-functional and there's no existing feature using it", said the spokesperson in an emailed statement. Kevin Lynch, Apple's VP of technology, demoed Uber's Watch app onstage, showing how a rider could request a vehicle and track its progress on a map, just as the app would work on the iPhone.
