The latest Uber app came under criticism for its invasive code.
Apple recently gave Uber permission to enable their developers to improve the Uber apps’ functionality for Apple Watch.
The improved functionality proved to be a covert espionage tool that can be used to track a user’s activities and location even when the app is not in use. The new capability, referred to as an entitlement, consists of specific code that enables the app developers to enhance the app’s interaction with Apple systems such as iCloud and Apple.
The invasive element of entitlement was discovered by a security researcher and CEO of Sudo Security Group, Will Strafach. According to Strafach, the entitlement also allowed the Uber app to covertly record iPhone screens. Strafach confirmed that Uber is the only third-party app to which Apple has granted entitlement.
In an interview, Strafach stated that no other app except Uber has been granted this level of private sensitive entitlement up until this point. Since this discovery, Apple has received criticism from various online security advocates, especially since Uber has a troubled past when it comes to privacy concerns.
Several security firms and users alike have voiced concern over the entitlement feature. One of the most prominent concerns is that the entitlement could allow Uber, or malicious hackers, to compromise or monitor a user’s device. The entitlement also has the potential to be used to gather sensitive information from users, such as passwords.
According to Luca Todesco, a security researcher, Apple expert, and jailbreaker, the entitlement gives full control over the framebuffer, which holds the color of every pixel on the screen. With that access, the holder can either draw to the screen or record it. This method could also enable hackers to steal passwords.
Uber has confirmed that they will remove the entitlement code from their iPhone app. An Uber spokesperson recently stated that currently the code is not connected to anything within the Uber database, and removing the code has already been approved to go into production.
According to the spokesperson, the API enabled maps to render on the phone in the background; the rendered maps were then sent to the Apple Watch. However, since updates to both iOS and the Uber app have removed that dependency, Uber has confirmed that it will remove the API.
I wonder why Uber (appears to?) have this entitlement. new option in dev portal somewhere? https://t.co/VbknpQTlxV
— Will Strafach (@chronic) October 3, 2017
The Uber spokesperson confirmed that the API was only in use for a short time before the updates became available. The API was essential so that the app could run memory-intensive renderings of maps on the iPhone and communicate them to the Apple Watch. The spokesperson emphasized that the API was never used for any other purpose and has been nonfunctional for quite some time. It was previously necessary because of the memory limitations of the Apple Watch, but updates have since addressed the issue, so Uber could remove the API code.