Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Businesses IOS Operating Systems Privacy Security Software Apple

Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say (gizmodo.com) 91

To improve functionality between Uber's app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user's iPhone screen, even if Uber's app was only running in the background, security researchers told news outlet Gizmodo. From a report: After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app. The screen recording capability comes from what's called an "entitlement" -- a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn't common and would require Apple's explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn't find any other apps with the entitlement live on the App Store. "It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."
This discussion has been archived. No new comments can be posted.

Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say

Comments Filter:
  • Duh (Score:4, Insightful)

    by Aighearach ( 97333 ) on Thursday October 05, 2017 @05:48PM (#55318407)

    Apple users tolerate anything. Even things that protest/boycott over, they're willing to actually move up their purchase schedule when Apple responds to their demands by asking for more money.

    This is a well-trodden path.

    • by Tablizer ( 95088 )

      Oh, and Google, MS, etc. are careful? Yeah right.

      Anyhow, we don't know Apple's side of the story yet. Knowing Uber, they probably used "social engineering" to sneak stuff past the Apple iGuards.

      • Right, users of other brands have a much higher rate of switching to competing products when they report being very angry about the product.

        I used to use a wide range of google services, but after being forced to switch a few times when things got shut down, I use less and less of their services all the time, and I can be consistently relied on to not even try anything new they offer. No interest. And yet, I still do use gmail and couple other services.

        If you don't understand that there are differences in b

      • Anyhow, we don't know Apple's side of the story yet. Knowing Uber, they probably used "social engineering" to sneak stuff past the Apple iGuards.

        TFA contains a statement from Apple explaining that they intentionally granted this ability to to Uber app, and why.

  • by Anonymous Coward

    Sorry, but Uber's business model is pretty much end to end "be colossal assholes, claim regulations don't apply, and keep being assholes".

    Sorry, but this isn't a company I would ever trust or do business with.

    Claiming you're a magical pony who isn't covered by laws doesn't make it true.

    • Re:Assholes ... (Score:5, Insightful)

      by ShanghaiBill ( 739463 ) on Thursday October 05, 2017 @06:15PM (#55318541)

      Sorry, but Uber's business model is pretty much end to end "be colossal assholes ..."

      Of course. But the real issue is not that Uber is unethical (we already knew that) but that Apple gave them full access.

      If my landlord gave a burglar the key to my door, his behavior would be more noteworthy than the behavior of the burglar.

      • Re:Assholes ... (Score:5, Interesting)

        by currently_awake ( 1248758 ) on Thursday October 05, 2017 @07:12PM (#55318757)
        I consider the bigger issue that Apple can bypass your security settings at will, with no notification. I don't know how legal this is, but we can assume police and intelligence agencies are currently making use of this because Apple spent money to MAKE this feature.
        • by Dog-Cow ( 21281 )

          What is being bypassed is an OS limitation, not a setting the user chose. You can slither back under your rock now.

        • Re:Assholes ... (Score:5, Insightful)

          by thegarbz ( 1787294 ) on Friday October 06, 2017 @01:32AM (#55319775)

          bypass your security settings

          No you have this backwards. Apple owns the absolute control of your device. Any settings you have are gifted to you by them. They aren't bypassing your security, they simply aren't offering you security you want.

    • Uber is so evil, it didn't even occur to me to care about the affect on their users/accomplices.

      The real story has to be Apple giving them permission, because Apple is not obviously evil. Normally the complaint of Apple haters is merely that it is overpriced, and walled gardens are for snobs, and not everybody likes snobs. Snobs are often looked down on, but also often looked up to; they are not obviously evil. So to have this sort of snake inside the garden might turn out to be a big deal. Especially if th

  • by eepok ( 545733 ) on Thursday October 05, 2017 @05:53PM (#55318439) Homepage
    Apple tosses apps out of the app store for many reasons. Over the last 2-3 years, Uber's apps have shown to violate privacy and intentionally deceive regulators on a massive scale. Money aside (I know, that's asking a lot), how does Apple justify allowing them to continue to have an app in their app store?
    • how does Apple justify allowing them to continue to have an app in their app store?

      They're afraid of driving people to Android. At this point, Uber is so entrenched, that may happen. Now, that would be an excellent reason, if i were Apple, to push people to Lyft.

    • Pretty obviously because iPhone users want to be able to use Ubers.

      • Comment removed based on user account deletion
        • A website experience would be poor vs a native app.
          It would likely be lacking in features, as there are things you can't do with a web site. And it would prevent using the Apple Watch.

          iPhone users want the Uber app. And there's no reason to stop them. They had a good reason to use an entitlement at the time, and now they don't need it any more they'll be removing it.

        • by lerxstz ( 692089 )

          I looked into notifications for iPhone webapps somewhat recently, it is not *currently* possible. Sevice workers are in development [webkit.org] but not currently available.

    • Gee I wonder why? Could it be that Uber is a top 20 app for iOS? What makes you think Apple cares about your privacy? You don't think they are logging what you do?
  • by whoever57 ( 658626 ) on Thursday October 05, 2017 @05:56PM (#55318457) Journal

    There goes Apple's reputation for security.

    I expect that there was money involved.

    Apple cares about security, as long as there is no way to make money out of making you insecure.

    The only real remedy for this is if Apple pushed out an IOS update that took away the ability for these hidden privileges to exist, but likely they won't because probably the main other user of them is Apple itself.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Oh fuck off Nancy. Are you seriously going to thrash Apple, when Google has been letting Android and its apps use you like a bitch for the past decade?

      I love how the blinders are up whenever horrible fucking practices are used by open source and Android developers, and suddenly you're outraged at Apple for what is probably a fuck up by an employee who didn't know better.

      Fuck this place and its users. What a bunch of narcissistic losers.

      • Are you angry? Why shoot the messenger? Apple and/or Uber are at fault here.

        I know, I know. Apple is "your team" and it's a rivalry match.

        Seriously, grow up.

      • Are you seriously going to thrash Apple, when Google has been letting Android and its apps use you like a bitch for the past decade?

        Why not?

        If you're doing something wrong, whether or not others are just as bad or worse in no way excuses your actions.

    • by xlsior ( 524145 )
      Apple cares about security,

      They really don't -- all they are about is the perception of being secure ('you won't need antivirus on an apple'), but when you get right down to it they have been dragging their feet fixing known vulnerabilities in MacOS for years, and their software always scores poorly during pwn2own-style events.
  • by JohnFen ( 1641097 ) on Thursday October 05, 2017 @05:58PM (#55318469)

    It's sortof impressive how many times Uber apps have been found to contain questionable abilities that Uber claims they stopped using some time ago.

    For the sake of argument, let's assume that they are being truthful when they say these things. My response is: get your engineering house in order.

    Leaving dead code in your software is a terrible practice for a number of reasons. Don't wait until someone discover it's there before you remove it. Remove it as soon as you stop using it.

    • by cfalcon ( 779563 ) on Thursday October 05, 2017 @06:14PM (#55318539)

      > For the sake of argument, let's assume that they are being truthful when they say these things. My response is: get your engineering house in order.

      It should be: demand that Apple remove Uber permanently from the app store. It doesn't matter if they stopped using, or never used, their backdoor exploit code (this is like the third one I think?), to actually do backdoor exploits. The mere fact that they designed it, developed it, and deployed it, means that they are actively evil from head to toe. The guy writing the screenlogger wasn't writing it because he never thought it would be used, his manager didn't ask for him to write it with the assumption that it would just be there *for no reason*, etc. The mere fact that they deployed it PERIOD means that they should be kicked right the hell out the door.

      • Again, I'm giving Uber the benefit of the doubt for rhetorical purposes (I actually think that Uber is essentially a criminal organization who needs to be put out of business, but I'm setting that aside for the moment).

        Uber didn't say they put this in for no reason. The reason that they gave for implementing this is entirely plausible and, if that's all it was ever used for, hard to take exception with.

    • It's sortof impressive how many times Uber apps have been found to contain questionable abilities that Uber claims they stopped using some time ago.

      It's even more impressive that Apple hasn't booted them from the store because of this. Most other developers will be shown the door if Apple doesn't like the exact amount of grovelling they do to keep them from getting banned.

  • It's called money, dumbass.

  • Did no one read the permissions list the app asks for? Its really long... there is no reason for most of it, so why are people now shocked that it was nefarious? It even lists "modify or delete your storage contents" for Jobs sake.
    • by Anonymous Coward

      You are confusing iOS and Android. On iOS you don't accept permissions when installing an app, you accept them as app requests them during runtime.
      Unfortunately these "entitlement" permissions cannot be controlled by user.

  • There's a reason why some of us only use free software on free operating systems, and this kind of abuse is a perfect example of what happens when you trust proprietary software on a closed operating system. If you use a so-called "smart" device, you are a patsy, a mark, a willing victim. Stop hurting yourself.
    • A smart phone is a tool. Use it correctly and it's fine, not to mention incredibly helpful.
    • by Arkham ( 10779 )

      There's a reason why some of us only use free software on free operating systems, and this kind of abuse is a perfect example of what happens when you trust proprietary software on a closed operating system. If you use a so-called "smart" device, you are a patsy, a mark, a willing victim. Stop hurting yourself.

      No offense intended here, but there is no free software phone on the market. None of the carriers would even consider approving it.

  • The more I learn about Uber, the more obvious it becomes that they're a shit-filled cesspool without a shred of ethics or morality.

    I was already pretty down on them, but this firmly cements my resolve to never EVER use them and to bad mouth them at every possible opportunity. Shitbags with a logo, that's all they are.

  • Screen recording is fully supported and available [android.com] to any app. Note however that the system will ask you nicely if you want to allow a particular app to start capturing screen and this prompt can not be suppressed by the app. The user has a checkbox to allow the same app to do it silently in future. I don't know if Apple allows such access without user warning.

  • By using this technique, the app was able to display a map on the watch screen. This allows you to keep your phone in your pocket when youâ(TM)re out in dark, possibly unfamiliar streets at night. There are security implications of that too.

    This is an interesting story and itâ(TM)s plausible that Uber would abuse this privilege if they could get away with that. But, if they couldnâ(TM)t, it may just be a story about how capable iOS and the App Stire review team are.
  • This is why I don't download apps where an existing web interface that will do the job. I object to using Uber tho, so I don't even know whether you can use the service thru a web app. But so many other companies have perfectly serviceable web sites that you can use instead of an app, why let them even further thru the door and into your phone.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...