
Uber Tried To Hide Its Secret iPhone Fingerprinting From Apple (cnbc.com)

theodp quotes today's New York Times profile of Uber CEO Travis Kalanick: For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple's engineers. The reason? So Apple would not find out that Uber had secretly been tracking iPhones even after its app had been deleted from the devices, violating Apple's privacy guidelines.
Uber told TechCrunch this afternoon that it still uses a form of this device fingerprinting, saying they need a way to identify those devices which committed fraud in the past -- especially in China, where Uber drivers used stolen iPhones to request dozens of rides from themselves to increase their pay rate. It's been modified to comply with Apple's rules, and "We absolutely do not track individual users or their location if they've deleted the app..." an Uber spokesperson said. "Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."

The article offers a longer biography of Kalanick, who dropped out of UCLA in 1998 to start a peer-to-peer music-sharing service named Scour. (The service eventually declared bankruptcy after being sued for $250 billion for alleged copyright infringement.) Desperately trying to save his next company, Kalanick "took the tax dollars from employee paychecks -- which are supposed to be withheld and sent to the Internal Revenue Service," according to the Times, "and reinvested the money into the start-up, even as friends and advisers warned him the action was potentially illegal." The money eventually reached the IRS as he "staved off bankruptcy for a second time by raising another round of funding." But the article ultimately argues that Kalanick's drive to win in life "has led to a pattern of risk-taking that has put his ride-hailing company on the brink of implosion."
  • I was checking price on an Uber and installed the app for the first time. I ended up using a regular car service because the price differential wasn't enough to overcome the "who knows who is coming to pick me up" issue. So now my phone is fingerprinted, great.

    • by Anonymous Coward

      You don't already assume your smartphone is being fingerprinted and tracked?! That's the first thing anyone using such a device should assume.

      • assume your smartphone is being fingerprinted and tracked

        It's totally wrong. I do not think Uber should be allowed a free pass just because you say we should assume everybody else is doing it. Anybody who does this is wrong. It's wrong and Uber is wrong.

        Uber stepped in it and you want me to think: "oh well. that's the way life is".

        Uber is trying to enter my city. If they do, I will not use their service because their app is intentionally broken. I will advise people I know not to use Uber until they answer to how they will fix this and remove all the silent track

    • by rtb61 ( 674572 ) on Sunday April 23, 2017 @06:44PM (#54289067) Homepage

      Worried about what they are seeing you do, then let them see a whole bunch of stuff you do not do, why try to stem the flow of your privacy when you can deluge them with a flood http://www.cs.nyu.edu/trackmen... [nyu.edu] and https://adnauseam.io/ [adnauseam.io]. I am also thinking email games might be interesting to flood every possible channel with useless information, even all the spy vs spy stuff. Say an email game where one side plots to assassinate the president of Ameriganislav and the other plays as agents, trading emails with plots and encryption for the other side to break, one side plotting the assassination and the other side trying to foil the plot, a game to punish the professionally paranoid illegally spying on everyone with a flood of suggestive data to poison spy data bases, the game run from a web site.

      So as many ways as possible to generate false data at many, many multiples of real data generated. A personal profile made totally meaningless and as a bonus the more you generate the more they must spend to store it. Double their data storage bill, triple it, how about increasing storage requirements hundreds of times over. Think of all the time, you are not on the internet but your computer could be, generating volumes of false empty data, hundreds of thousands of web visits you never went to, hundreds of thousands of searches you never did, emails you never sent, your computer and software flooding marketers with empty data they have to pay to store.

    • Yeah, it's too bad, there is a first-time Uber promo code that is worth about $20 that you can google for, but the app won't accept it now that you've already registered. They probably remember a hashed version of your phone number, credit card number, and the id of your phone.

      There is probably still the $50 promo code from Lyft, but unlike Uber's promo code, the Lyft promo code can only be used $5 at a time (in other words, you have to use it 10 times if you want to use it all). The Uber code, on the other

  • by Anonymous Coward

    The Uber CEO needs to go. He's what's keeping Uber from being great.

    • by hey! ( 33014 )

      Well, Larry Ellison is a bastard. So was Steve Jobs. Being a bastard surely doesn't make you successful, but it probably helps sometimes. I'm guessing the trick is knowing when not to be yourself.

    • Uber's CEO was replaced a couple of weeks ago. This is old news.

      This particular incident was actually in 2015.

      • by Anonymous Coward

        Uber's CEO was replaced a couple of weeks ago.

        Kalanick named himself as his replacement. You had to read the stories really carefully.

    • Re:CEO needs to go (Score:5, Insightful)

      by jandersen ( 462034 ) on Monday April 24, 2017 @05:12AM (#54290779)

      The Uber CEO needs to go. He's what's keeping Uber from being great.

      From what I hear about Uber, it seems they in so many ways act and think like criminals, but manage to keep just on the legal side of the law. Mostly. That said, though, they are just an extreme example of all the worst aspects of capitalism: the underhandedness, the ethos that says 'if we can get away with it, it must be OK', the lack of genuine care and consideration for their employees, customers and society, the sense of entitlement to take what they want no matter what.

      It is really sad, I think - there is a good kind of capitalism, where a clever, hardworking man or woman can grow a business from little more than their own abilities and determination, but the whole concept gets a grubby taint from the likes of Uber.

      • by Bongo ( 13261 )

        The Uber CEO needs to go. He's what's keeping Uber from being great.

        From what I hear about Uber, it seems they in so many ways act and think like criminals, but manage to keep just on the legal side of the law. Mostly. That said, though, they are just an extreme example of all the worst aspects of capitalism: the underhandedness, the ethos that says 'if we can get away with it, it must be OK', the lack of genuine care and consideration for their employees, customers and society, the sense of entitlement to take what they want no matter what.

        It is really sad, I think - there is a good kind of capitalism, where a clever, hardworking man or woman can grow a business from little more than their own abilities and determination, but the whole concept gets a grubby taint from the likes of Uber.

        Well said.

        And in future people may more often look to work for their sense of purpose in life, the place where they can build their character and compassion along with building their career. So "play fair" will be all the more important.

  • FTFY (Score:4, Funny)

    by Anonymous Coward on Sunday April 23, 2017 @06:11PM (#54288961)

    "has led to a pattern of risk-taking that has put his taxi company on the brink of implosion."

    There. FTFY.

    • Re: (Score:2, Insightful)

      by KiloByte ( 825081 )

      taxi company

      There. FTFY.

      Nope. Uber is very scummy, but still worlds above any taxi company. Those bastards need to die.

      • Re:FTFY (Score:5, Insightful)

        by Uberbah ( 647458 ) on Monday April 24, 2017 @12:12AM (#54290131)

        Yes, the horrors of having professional drivers who make a living wage, don't have to pay for maintenance on the cars they drive, and who carry hundreds of thousands in passenger insurance as opposed to the $25,000 you can count on from your Uber driver's All State policy. Horrors, I tell you!

        • What $25k All State policy? You mean the one that doesn't cover commercial activities and so won't pay out?

        • No traditional taxi I've ever been in had a driver to whom the term "professional" could even loosely apply. They've tried to physically steal my credit card, thrown a fit when I don't pay cash, are often unlicensed, and drive recklessly like they picked the wrong week to start amphetamines. At an airport one is compelled to take the first in line, whether they are legitimate or not. On the street, they routinely ignore hails. My Uber/Lyft experiences have varied, but none have even come close to the na
          • by Uberbah ( 647458 )

            You could have said "I have anecdotes and suffer from confirmation bias" and made the same point with fewer words. Efficiency man, efficiency...

      • Re:FTFY (Score:4, Insightful)

        by gsslay ( 807818 ) on Monday April 24, 2017 @06:21AM (#54290903)
        Being, in your estimation, above other taxi companies does not change the fact that Uber is still a taxi company. Uber have obvious interests in claiming they are not a taxi company. But if you provide a service like a taxi company, in vehicles like a taxi company, with drivers like a taxi company, charging a fare like a taxi company, then there's no denying you are a taxi company. The addition of an app doesn't change that.
  • by turkeydance ( 1266624 ) on Sunday April 23, 2017 @06:19PM (#54288977)
    there must be a Clinton angle somewhere
  • by ugen ( 93902 ) on Sunday April 23, 2017 @06:26PM (#54288997)

    The *tracking* is based on Uber saving device UDID, so that they know who you are even if you later reinstall the app and use a different account. While Uber is evil in many ways, this UDID "tracking" is not what the article makes it appear - Uber certainly cannot "track" anyone in any way once their app has been removed.
    In fact, I am not sure why go to such great lengths to obtain UDID when device MAC address is readily available (and must be for variety of software to work) and globally unique.
    This also smacks of those scaremongering sites that start with a banner like "Your computer is broadcasting a unique IP address" and lead to hard sell of overpriced VPN service or bs apps to "hide your IP".

    • by Anonymous Coward

      And if you install the app on a used/resold device?

    • Does iOS make the actual MAC address readily available to the application layer?

      Knowing Apple I would have thought the MAC address would be abstracted, with iOS providing apps access to the TCP/IP stack a lot closer to the top. I haven't programmed an iOS app though so I wouldn't know for sure.

      • by Gr8Apes ( 679165 )
        I'm sure they do - this minute's MAC anyways. IIRC, they started randomizing MACs in iOS 9 to prevent wifi spots from tracking you as you moved about town.
        • OK, the randomised MAC is what's presented to a wifi hotspot: a layer 2 device which definitely won't work without a MAC address to send traffic to.

          Assuming the randomised MAC is also being sent to layer 7 / the application layer of actual apps on your phone, it's not the hardware MAC address of the phone and isn't traceable is it?

        • by ugen ( 93902 )

          They randomize only the MAC address that is used on beacon frames. Once connection is established, the MAC address is the actual permanent address of the device. Users would not be able to use most WiFi hotspots that authenticate them based on the device MAC, if it changed every time.

          • No points to upmod, but thanks for that bit of info. That makes much more sense to me. The first thing that occurred to me was the small chance that MACs would conflict, although I guess there could be ways to avoid that in theory.
      • by ugen ( 93902 )

        Yes, they do. It's a basic Unix API, and it must be present because plenty of things need it to work.

        • The "basic UNIX API" in iOS returns 00:00:00:00:00:00 for non-system apps. iOS has a kernel-level sandbox that lets them do cool things like prevent lowly app developers from circumventing user data protection policies.
      • Does iOS make the actual MAC address readily available to the application layer?

        You can read it here [apple.com] on the "Deprecated APIs" section.

        In iOS 7 and later, if you ask for the MAC address of an iOS device, the system returns the value 02:00:00:00:00:00. If you need to identify the device, use the identifierForVendor property of UIDevice instead. (Apps that need an identifier for their own advertising purposes should consider using the advertisingIdentifier property of ASIdentifierManager instead.)

    • Yeah the NY Times article was scaremongering and partially wrong but the 'bad' thing Uber did here was break the Apple TOS which say developers should not be fingerprinting users' devices.

      You're supposed to be able to install an app, uninstall it and then the next time you install the same app the company has no idea it is a second installation.

      Apple have tried to give each app a new unique udid, unlike the old days of iOS where everyone read the same UDID

      • by sphealey ( 2855 ) on Sunday April 23, 2017 @07:08PM (#54289165)

        = = = Yeah the NY Times article was scaremongering and partially wrong but the 'bad' thing Uber did here was break the Apple TOS which say developers should not be fingerprinting users' devices. = = =

        Who would have ever thought that a company founded on the principle [sic] of breaking the law in multiple jurisdictions would ignore and circumvent the terms and conditions, to which they agreed, of an entity with which they do business. Whodathunkait.

        • >Who would have ever thought that a company founded on the principle [sic] of breaking the law in multiple jurisdictions would ignore and circumvent the terms and conditions, to which they agreed, of an entity with which they do business. Whodathunkait.

          They're adding functionality that Apple refuses to do. If you cheat in a Steam game, your device and account get banned. On iOS, apparently, you just uninstall and reinstall and then you can fraudulently order cars all over again.

          Might violate the Apple TO

          • by Motherfucking Shit ( 636021 ) on Sunday April 23, 2017 @10:47PM (#54289887) Journal

            They're adding functionality that Apple refuses to do.

            Apple refuses to do it for a valid reason, and I see Apple as the ethical winners here. If Uber is experiencing a high rate of fraud, that's a business process problem that needs to be addressed within Uber's own internal systems. Considering Uber can afford a "competitive intelligence" team that buys and crunches data about Lyft, and they can afford to develop "Greyball" deception tools to evade law enforcement, they should also be able to afford a couple of employees to build some better fraud detection into their signup process. A little less offense and a little more defense might be a rewarding strategy.

            Thousands of other companies conduct business via iOS apps without resorting to breaking the rules. Uber is showing once again that they don't give a fuck about the rules, and that puts them squarely outside of the "ethical right."

          • by tlhIngan ( 30335 )

            They're adding functionality that Apple refuses to do. If you cheat in a Steam game, your device and account get banned. On iOS, apparently, you just uninstall and reinstall and then you can fraudulently order cars all over again.

            Actually Apple had that ability. They removed it in iOS7 because developers were abusing it for... tracking purposes. They were sending the device unique IDs to advertisers and giving advertisers a per-device view into everything - location information (if allowed), system informat

      • by Gr8Apes ( 679165 )
        Per the randomizing MAC comment, I was under the impression you could no longer access the real UDID from an app since iOS 9
    • by santiago ( 42242 ) on Sunday April 23, 2017 @09:38PM (#54289647)

      In fact, I am not sure why go to such great lengths to obtain UDID when device MAC address is readily available (and must be for variety of software to work) and globally unique.

      MAC Address is no longer available since iOS 7. You can request it, but you'll get the same fake value of 02:00:00:00:00:00 on every iPhone. UDID is not available, either.

      There's IDFV, the Identifier For Vendors, which is different for each vendor on the phone, and gets reset if you remove all the apps from that vendor on the phone. (That is, two apps from Google will see the same IDFV, but a different one from the one Facebook sees.)

      Then there's IDFA, the Identifier for Advertisers, which the user can reset at any time via system settings, and which Apple will reject your app for if they catch you using it for anything other than ad-tracking.

      The end result is that there is no longer any stable cross-app identifier that survives app uninstalls and user attempts to avoid tracking, by explicit design.

      • Then there's IDFA, the Identifier for Advertisers, which the user can reset at any time via system settings, and which Apple will reject your app for if they catch you using it for anything other than ad-tracking.

        And every time I submit an app, they threaten me personally with all kinds of nastiness if the app does anything with the IDFA that it shouldn't. I'd say they take this seriously. And I'd say that if I worked for Uber (which I probably wouldn't), I would _not_ be the one submitting apps.

      • by ugen ( 93902 )

        This is not correct - getifaddrs() is available and works. As a case in point, an app I am familiar with that is still used on current versions of iOS (though no longer in appstore) is able to get MAC address on current devices.

        • All bets are off if it's not on the App Store anymore. I've seen getifaddrs() return data structures with blanked out MAC addresses on iOS devices. The sandbox enforced at the kernel level probably hooks the system calls that are being used for any network interface data. Way easier than making patches for each type of network stack API in iOS.
    • And for many years now, long before 2005, Apple removed the ability to request the UDID of a phone, and didn't allow anyone on the app store who would try to identify your iPhone. So very clearly against the app store rules. And they knew that, so this wouldn't happen if the app was run near Cupertino, where presumably the testers were located who checked for this.

      There is a new thing - a device specific identifier for a vendor. That is a unique code identifying your phone _to one application_. And this
    • Some posts really make me wish Slashdot had a "-1 factually incorrect" moderation. As a professional developer in iOS I can tell you that Uber's app is most definitely not saving the device UDID. For years, app developers were using the system-provided Unique Device Identifier (UDID) to track individual users, even though the identifier is really supposed to permanently relate to the device and isn't a good way to track a user who may sell or give away that device. Since iOS 6, Apple started removing any s
    • I am not sure why go to such great lengths to obtain UDID when device MAC address is readily available (and must be for variety of software to work) and globally unique.

      MAC addresses are easy to change, and don't actually have to be globally unique. That may be why they don't want to use them -- too easy to bypass that sort of check.

      MAC addresses only have to be unique at layer 2 of the OSI model (essentially, this means they only have to be unique on your local ethernet or wifi network). You and I can have the exact same MAC on our devices without causing any problem at all as long as we don't both directly connect to the same LAN at the same time.
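
An added example, not part of the thread and not Uber's or Apple's code: the comments above report that iOS hands apps a fixed placeholder MAC and that MAC addresses need not be globally unique, so a fraud check keyed on MAC has to reject such values before linking accounts. The function names, account labels and sample addresses below are constructed for illustration.

```python
import re
from collections import defaultdict

# Placeholder values quoted in the thread: the one Apple's deprecated-API note
# gives for iOS 7 and later, and the all-zero value one commenter reports.
PLACEHOLDER_MACS = {"02:00:00:00:00:00", "00:00:00:00:00:00"}
_MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")


def normalize_mac(text):
    """Lower-case and use ':' separators; return None if not a 48-bit MAC."""
    mac = text.strip().lower().replace("-", ":")
    return mac if _MAC_RE.fullmatch(mac) else None


def classify_mac(text):
    """Return 'malformed', 'placeholder', 'group', 'local' or 'universal'."""
    mac = normalize_mac(text)
    if mac is None:
        return "malformed"
    if mac in PLACEHOLDER_MACS:
        return "placeholder"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        return "group"      # I/G bit set: multicast or broadcast, not a station
    if first_octet & 0x02:
        return "local"      # U/L bit set: locally administered, set in software
    return "universal"      # vendor-assigned; still changeable, so weak evidence


def link_accounts_by_mac(reports):
    """Group accounts by MAC, keeping only universal addresses.

    Returns (linked, discarded): linked maps MAC -> set of accounts,
    discarded maps the rejection reason -> list of accounts.
    """
    linked = defaultdict(set)
    discarded = defaultdict(list)
    for account, mac_text in reports:
        kind = classify_mac(mac_text)
        if kind == "universal":
            linked[normalize_mac(mac_text)].add(account)
        else:
            discarded[kind].append(account)
    return dict(linked), dict(discarded)


# Constructed sample reports (account label, MAC string sent by the client).
SAMPLE_REPORTS = [
    ("acct-1", "02:00:00:00:00:00"),
    ("acct-2", "02:00:00:00:00:00"),
    ("acct-3", "00:00:00:00:00:00"),
    ("acct-4", "00:11:22:AA:BB:CC"),
    ("acct-5", "00-11-22-aa-bb-cc"),
    ("acct-6", "da:a1:19:00:11:22"),
    ("acct-7", "not-a-mac"),
]

if __name__ == "__main__":
    linked, discarded = link_accounts_by_mac(SAMPLE_REPORTS)
    print("linked:", linked)
    print("discarded:", discarded)
```

Without the placeholder check, acct-1 and acct-2 would be treated as the same device even though every sandboxed iOS app reports that value.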

  • by Anonymous Coward

    A taxi company, whose business model is entirely based on breaking laws, violate the rules of another company. Is anyone surprised?

    Next up: Drug traffickers speed and run red lights.

    • by Xenx ( 2211586 )
      I get that it happens often enough. However, generally speaking, isn't that a terrible idea? Last thing they would want is to draw attention.
    • by EzInKy ( 115248 )

      Next up: Drug traffickers speed and run red lights.

      Only if they are stupid or want to get caught.

  • example (Score:4, Interesting)

    by Tom ( 822 ) on Monday April 24, 2017 @12:37AM (#54290195) Homepage Journal

    Uber is actually a good example of what's going wrong with the world: They are openly criminal and it works. It's Al Capone all over again. Everyone knows what they are doing, but they're too slippery to be nailed.

    Same with the tax evasion of multinational corporations, wars based on invented bullshit, election frauds done almost openly (like in Turkey), and so on.

    Minority Report may have been on to something: The legal system working after the fact, and with a delay often measured in years, does not deter criminals. If you can take over a country, or become a billionaire, the threat that ten years from now they might file charges which your $1000/h lawyers will then simply drag through the courts for twenty years - well, that is not a very threatening thing especially for people trained to think primarily about next quarter.

  • Red Swoosh is just Bittorrent with its own, private trackers.

    $19M was a really low price. Akamai got a great deal on that technology.
