The Uber app for iPhone enjoyed an ‘exclusive’ permission to read iPhone screens even when the app was running in the background, according to a cyber security expert.
The Uber app could read iPhone screens and collect detail about user activities on their iPhones for a limited time.
According to Will Strafach, the CEO of Sudo Security Group, the Uber app’s ability to read iPhone screens even when running in the background was facilitated by a permission that Apple granted to Uber and, he added, to no other app on the Apple App Store.
“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature. Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this,” he told Gizmodo.
Why did Uber require the permission?
According to Uber, the permission was needed so that its app could handle user locations on the earliest Apple Watch models, which could not do so on their own because of those devices’ memory limitations. Apple later fixed the memory limitations through watchOS updates.
“It enabled the app to run the memory-intensive rendering of maps on the iPhone & then send the image to the Watch app. It was never used for any other purpose and has been non-functional in our code for quite some time.
“The memory limitation of Apple Watch was fixed by subsequent updates in the OS (operating system) and we’ve issued an update to our app to remove the (software) completely,” said an Uber spokesman.
Why was the permission granted by Apple?
Earlier this year, it came to light that in 2015 Apple almost kicked Uber out of the App Store after it learnt that the ride-hailing service had bypassed Apple’s device identification rules to keep tracking iPhones even after users deleted the company’s app.
To hide its efforts, Uber decided to geofence Apple’s headquarters in Cupertino, California to prevent Apple’s engineers from finding out about the exploit. This led Tim Cook to serve an ultimatum to then-Uber CEO Travis Kalanick to either cease and desist or the app would be kicked out of the Apple App Store.
Considering such a colourful history between the two firms, it seems strange that Apple would grant Uber a permission which it didn’t to any other app on its App Store.
An Uber spokesman’s clarification now suggests that Apple granted the permission so that the company’s app could run on the first-generation Apple Watch despite the device’s memory limitations.
“Apple gave us this permission years ago because Apple Watch couldn’t handle our maps rendering. It’s not connected to anything in our current codebase,” the spokesman said. Uber added that the software is no longer in use because of subsequent updates to the Apple Watch and is now being removed from the App Store.
Were iPhone users impacted?
According to Luca Todesco, a researcher and iPhone jailbreaker, the permission obtained by Uber could enable it to harvest personal information as well as passwords from iPhones. “Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” he told Gizmodo.
However, Strafach said that he found no evidence of the software being used by Uber in any malicious manner. He added that third-party app developers were given only four months to slim down their apps before the launch of the first Apple Watch, and that Apple could have granted the permission to help Uber run its app smoothly on the watch.
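Strafach’s point is that the capability came from a private Apple entitlement baked into the app’s code signature rather than from ordinary app code, so the defender’s check is to inspect an app’s signed entitlements. The script below is an added example, not code from the article or from Uber’s app: it parses an entitlements plist (what `codesign -d --entitlements :- Example.app` prints, replaced here by a constructed sample with a made-up key) and flags any key in Apple’s private `com.apple.private.` namespace, which third-party apps are not normally granted.

```python
import plistlib

# Constructed sample of an app's entitlements plist (NOT Uber's real
# entitlements): two ordinary public keys plus one made-up key in the
# com.apple.private.* namespace that only Apple can grant.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.rideshare</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.private.example-screen-access</key>
    <true/>
</dict>
</plist>
"""

# Apple's private entitlement namespace; App Store apps normally hold none.
PRIVATE_PREFIX = "com.apple.private."


def private_entitlements(plist_bytes):
    """Parse an entitlements plist (XML or binary) and return {key: value}
    for every entitlement in Apple's private namespace."""
    entitlements = plistlib.loads(plist_bytes)
    return {k: v for k, v in entitlements.items() if k.startswith(PRIVATE_PREFIX)}


def audit(plist_bytes):
    """One human-readable finding per private entitlement, or a clean verdict."""
    found = private_entitlements(plist_bytes)
    if not found:
        return ["no private entitlements"]
    return [f"PRIVATE ENTITLEMENT: {k} = {v!r}" for k, v in sorted(found.items())]


if __name__ == "__main__":
    for line in audit(SAMPLE_ENTITLEMENTS):
        print(line)
```

A hit is not proof of abuse, as Strafach notes above, but it is exactly the kind of exception a mobile app review should have to explain.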