Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say (gizmodo.com)
To improve functionality between Uber's app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user's iPhone screen, even if Uber's app was only running in the background, security researchers told news outlet Gizmodo. From a report: After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app. The screen recording capability comes from what's called an "entitlement" -- a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn't common and would require Apple's explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn't find any other apps with the entitlement live on the App Store. "It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."
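The story turns on the difference between a permission the user is asked for at runtime and an entitlement baked into the app's code signature, which the user never sees. The practical check is to dump an app's entitlements and look for any that only Apple can grant. On macOS the plist comes out of `codesign -d --entitlements :- <binary>` (newer releases also take `--xml`); the script below, which is an added example and not code from the article, from Uber or from Apple, takes such a plist and separates Apple-granted private entitlements from the ordinary self-declared ones. The entitlement key names in the sample are constructed for illustration, including `com.apple.private.example-screen-capture`, and are not the entitlement the researchers found.

```python
import plistlib
from typing import Dict, List

# Constructed sample of what `codesign -d --entitlements :- <binary>` prints for
# an app holding one Apple-granted private entitlement next to ordinary ones.
# The key names are illustrative only and are not Uber's actual entitlements.
SAMPLE_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.rideapp</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.associated-domains</key>
    <array><string>applinks:example.com</string></array>
    <key>com.apple.private.example-screen-capture</key>
    <true/>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
"""

# Keys under this prefix are not self-declarable; Apple must grant them individually.
PRIVATE_PREFIXES = ("com.apple.private.",)

# Routinely self-declared entitlements that a reviewer expects to see in any app.
ORDINARY_KEYS = {
    "application-identifier",
    "aps-environment",
    "get-task-allow",
    "keychain-access-groups",
    "com.apple.developer.associated-domains",
    "com.apple.developer.team-identifier",
}


def parse_entitlements(blob: bytes) -> Dict[str, object]:
    """Parse an entitlements plist (XML or binary form) into a dict."""
    data = plistlib.loads(blob)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must be a dictionary at the top level")
    return data


def classify(entitlements: Dict[str, object]) -> Dict[str, List[str]]:
    """Bucket keys into private (Apple-granted), ordinary, other, plus warnings.

    'other' collects keys that are neither private nor on the ordinary list, which
    is where developer-program-gated capabilities land and deserve a manual look.
    """
    report: Dict[str, List[str]] = {"private": [], "ordinary": [], "other": [], "warnings": []}
    for key in sorted(entitlements):
        if key.startswith(PRIVATE_PREFIXES):
            report["private"].append(key)
        elif key in ORDINARY_KEYS:
            report["ordinary"].append(key)
        else:
            report["other"].append(key)
    # A shipping build with get-task-allow=true can be attached to by a debugger,
    # which is a separate red flag from any private entitlement.
    if entitlements.get("get-task-allow") is True:
        report["warnings"].append("get-task-allow is true: binary is debuggable")
    return report


def audit(blob: bytes) -> Dict[str, List[str]]:
    """Parse and classify in one step; returns the report dict."""
    return classify(parse_entitlements(blob))


if __name__ == "__main__":
    for bucket, keys in audit(SAMPLE_ENTITLEMENTS_XML).items():
        print(f"{bucket}: {keys}")
```

Anything in the `private` bucket is, by construction, something the developer could not have declared on their own, which is exactly the question the researchers were asking about the Uber app. The check is a first pass, not proof of misuse: holding an entitlement and exercising it are different things, and only disassembly or runtime tracing shows whether the capability is actually called.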
Duh (Score:4, Insightful)
Apple users tolerate anything. Even things that they protest/boycott over, they're willing to actually move up their purchase schedule when Apple responds to their demands by asking for more money.
This is a well-trodden path.
Re: (Score:1)
Oh, and Google, MS, etc. are careful? Yeah right.
Anyhow, we don't know Apple's side of the story yet. Knowing Uber, they probably used "social engineering" to sneak stuff past the Apple iGuards.
Re: (Score:2)
Right, users of other brands have a much higher rate of switching to competing products when they report being very angry about the product.
I used to use a wide range of google services, but after being forced to switch a few times when things got shut down, I use less and less of their services all the time, and I can be consistently relied on to not even try anything new they offer. No interest. And yet, I still do use gmail and couple other services.
If you don't understand that there are differences in b
Re: (Score:2)
Anyhow, we don't know Apple's side of the story yet. Knowing Uber, they probably used "social engineering" to sneak stuff past the Apple iGuards.
TFA contains a statement from Apple explaining that they intentionally granted this ability to the Uber app, and why.
Re: (Score:1)
There are dozens of keyboard alternatives on the Android App marketplace. I use the Hacker's Keyboard, which gives me cursor keys and all the control-alt-esc key sequences, on my Asus Android tablet.
The default Android keyboards from Google or Samsung are deplorable.
Does Apple even allow third party keyboards on iOS? It's been so long since I used iOS on anything.
Re: Duh (Score:1)
But if the 3rd party doesn't log keystrokes back to Apple it doesn't get approved.
Assholes ... (Score:1)
Sorry, but Uber's business model is pretty much end to end "be colossal assholes, claim regulations don't apply, and keep being assholes".
Sorry, but this isn't a company I would ever trust or do business with.
Claiming you're a magical pony who isn't covered by laws doesn't make it true.
Re:Assholes ... (Score:5, Insightful)
Sorry, but Uber's business model is pretty much end to end "be colossal assholes ..."
Of course. But the real issue is not that Uber is unethical (we already knew that) but that Apple gave them full access.
If my landlord gave a burglar the key to my door, his behavior would be more noteworthy than the behavior of the burglar.
Re: (Score:1)
What is being bypassed is an OS limitation, not a setting the user chose. You can slither back under your rock now.
Re:Assholes ... (Score:5, Insightful)
bypass your security settings
No you have this backwards. Apple owns the absolute control of your device. Any settings you have are gifted to you by them. They aren't bypassing your security, they simply aren't offering you security you want.
Re: (Score:2)
Uber is so evil, it didn't even occur to me to care about the affect on their users/accomplices.
The real story has to be Apple giving them permission, because Apple is not obviously evil. Normally the complaint of Apple haters is merely that it is overpriced, and walled gardens are for snobs, and not everybody likes snobs. Snobs are often looked down on, but also often looked up to; they are not obviously evil. So to have this sort of snake inside the garden might turn out to be a big deal. Especially if th
Where's the limit with Uber on iOS? (Score:5, Insightful)
Re: (Score:2)
They're afraid of driving people to Android. At this point, Uber is so entrenched, that may happen. Now, that would be an excellent reason, if I were Apple, to push people to Lyft.
Re: (Score:2)
Pretty obviously because iPhone users want to be able to use Ubers.
Re: (Score:2)
A website experience would be poor vs a native app.
It would likely be lacking in features, as there are things you can't do with a web site. And it would prevent using the Apple Watch.
iPhone users want the Uber app. And there's no reason to stop them. They had a good reason to use an entitlement at the time, and now they don't need it any more they'll be removing it.
Re: (Score:1)
I looked into notifications for iPhone webapps somewhat recently, it is not *currently* possible. Service workers are in development [webkit.org] but not currently available.
There goes Apple's reputation for security. (Score:3)
There goes Apple's reputation for security.
I expect that there was money involved.
Apple cares about security, as long as there is no way to make money out of making you insecure.
The only real remedy for this is if Apple pushed out an iOS update that took away the ability for these hidden privileges to exist, but likely they won't because probably the main other user of them is Apple itself.
Re: (Score:2)
Privacy and security are related. Privacy is a subset of security.
Re: (Score:2)
posting to undo moderation error
Re: (Score:2, Interesting)
Oh fuck off Nancy. Are you seriously going to thrash Apple, when Google has been letting Android and its apps use you like a bitch for the past decade?
I love how the blinders are up whenever horrible fucking practices are used by open source and Android developers, and suddenly you're outraged at Apple for what is probably a fuck up by an employee who didn't know better.
Fuck this place and its users. What a bunch of narcissistic losers.
Re: (Score:1)
Are you angry? Why shoot the messenger? Apple and/or Uber are at fault here.
I know, I know. Apple is "your team" and it's a rivalry match.
Seriously, grow up.
Re: (Score:2)
Are you seriously going to thrash Apple, when Google has been letting Android and its apps use you like a bitch for the past decade?
Why not?
If you're doing something wrong, whether or not others are just as bad or worse in no way excuses your actions.
Re: (Score:2)
They really don't -- all they are about is the perception of being secure ('you won't need antivirus on an apple'), but when you get right down to it they have been dragging their feet fixing known vulnerabilities in MacOS for years, and their software always scores poorly during pwn2own-style events.
Bad engineering practices (Score:3)
It's sort of impressive how many times Uber apps have been found to contain questionable abilities that Uber claims they stopped using some time ago.
For the sake of argument, let's assume that they are being truthful when they say these things. My response is: get your engineering house in order.
Leaving dead code in your software is a terrible practice for a number of reasons. Don't wait until someone discovers it's there before you remove it. Remove it as soon as you stop using it.
Re:Bad engineering practices (Score:4, Insightful)
> For the sake of argument, let's assume that they are being truthful when they say these things. My response is: get your engineering house in order.
It should be: demand that Apple remove Uber permanently from the app store. It doesn't matter if they stopped using, or never used, their backdoor exploit code (this is like the third one I think?), to actually do backdoor exploits. The mere fact that they designed it, developed it, and deployed it, means that they are actively evil from head to toe. The guy writing the screenlogger wasn't writing it because he never thought it would be used, his manager didn't ask for him to write it with the assumption that it would just be there *for no reason*, etc. The mere fact that they deployed it PERIOD means that they should be kicked right the hell out the door.
Re: (Score:2)
Again, I'm giving Uber the benefit of the doubt for rhetorical purposes (I actually think that Uber is essentially a criminal organization who needs to be put out of business, but I'm setting that aside for the moment).
Uber didn't say they put this in for no reason. The reason that they gave for implementing this is entirely plausible and, if that's all it was ever used for, hard to take exception with.
Re: (Score:2)
It's sort of impressive how many times Uber apps have been found to contain questionable abilities that Uber claims they stopped using some time ago.
It's even more impressive that Apple hasn't booted them from the store because of this. Most other developers will be shown the door if Apple doesn't like the exact amount of grovelling they do to keep them from getting banned.
Re: This is real bad (Score:5, Informative)
It's not as bad as it sounds.
There was no way for the original Apple Watch to get maps on the phone. Apple allowed Uber to use a system function to take screen recordings from the phone to send to the watch so it could show maps.
Apple specially vetted the source code and inspected it with every update to make sure it was only taking and sending shots of the map from the Uber app.
Basically you are already trusting apple for an enormous amount of things, this is just one more thing, you are trusting apple to sufficiently police the rare entitlements.
However I agree it's seedy, and the app should need to request permission to record the screen just like for other access permissions. Apple seem to deliberately have done this on the down low.
Re: (Score:1)
If Apple vetted the code then how come Uber was able to collect screenshots even when it was not running? It should have informed the user about the permission. I don't blindly trust Apple. I trust Apple that it will make right decisions and in this case, it failed me.
Re: (Score:2)
You don't know what you are talking about. iOS does not list permissions. You are thinking of Android.
Re: (Score:2)
It didn't take screenshots when not running.
But the app had iOS's permission to do it.
Apple vetted the code to make sure they didn't.
As others have said, this whole thing seems shady and unpleasant, but it doesn't look like this privilege was abused (though I'd rather they never had it in the first place).
Re: (Score:2)
Because having permission to do something and actually doing it are two different things.
True, but from a security point of view, you must assume that if an app has permission to do something, it is doing it.
Re: (Score:2)
And Apple did. But I'm talking about the end user, not the vendor.
Re: (Score:1)
This incident has shaken my faith in Apple. Thankfully, I am not a victim as I don't use Uber.
Not a victim of the announced leak, but what about the unannounced/undiscovered ones?
Curious how they convinced Apple? (Score:1)
It's called money, dumbass.
Whatcha mean 'secret'? (Score:2)
Re: (Score:2)
You are confusing iOS and Android. On iOS you don't accept permissions when installing an app, you accept them as app requests them during runtime.
Unfortunately these "entitlement" permissions cannot be controlled by the user.
"Smart" just means "treacherous" (Score:2, Interesting)
Re: (Score:2)
Feature phones, or landlines.
Re: "Smart" just means "treacherous" (Score:2)
As software developers, we don't build OSes and programming languages to sell. We build them to use, to provide services we (or others) sell. We are like scientists performing experiments and sharing the results with our colleagues to advance the craft. And like scientists, if you're not sharing your work, you're really not part of the community; you fundamentally fail to understand what it is to be a part of a knowledge work community and industry.
Re: (Score:2)
Nobody became rich by working for free or on free software.
Lots of people don't have "get rich" as their goal.
Re: (Score:2)
There's a reason why some of us only use free software on free operating systems, and this kind of abuse is a perfect example of what happens when you trust proprietary software on a closed operating system. If you use a so-called "smart" device, you are a patsy, a mark, a willing victim. Stop hurting yourself.
No offense intended here, but there is no free software phone on the market. None of the carriers would even consider approving it.
Re: (Score:2)
TFA covers this: apple gave the Uber app special privileges not available to other apps.
Uber = Evil (Score:2)
The more I learn about Uber, the more obvious it becomes that they're a shit-filled cesspool without a shred of ethics or morality.
I was already pretty down on them, but this firmly cements my resolve to never EVER use them and to bad mouth them at every possible opportunity. Shitbags with a logo, that's all they are.
Nothing special on Android (Score:2)
Screen recording is fully supported and available [android.com] to any app. Note however that the system will ask you nicely if you want to allow a particular app to start capturing screen and this prompt can not be suppressed by the app. The user has a checkbox to allow the same app to do it silently in future. I don't know if Apple allows such access without user warning.
Maps on your wrist (Score:1)
This is an interesting story and it's plausible that Uber would abuse this privilege if they could get away with that. But, if they couldn't, it may just be a story about how capable iOS and the App Store review team are.
web interface (Score:2)