2017-10-05
Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen, Researchers Say (gizmodo.com)
To improve functionality between Uber's app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user's iPhone screen, even if Uber's app was only running in the background, security researchers told news outlet Gizmodo. From a report: After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app. The screen recording capability comes from what's called an "entitlement" -- a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn't common and would require Apple's explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn't find any other apps with the entitlement live on the App Store. "It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach said. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."
Apple users tolerate anything. Even for things they protest or boycott over, they're willing to actually move up their purchase schedule when Apple responds to their demands by asking for more money.
This is a well-trodden path.
Oh, and Google, MS, etc. are careful? Yeah right.
Anyhow, we don't know Apple's side of the story yet. Knowing Uber, they probably used "social engineering" to sneak stuff past the Apple iGuards.
Right, users of other brands have a much higher rate of switching to competing products when they report being very angry about the product.
I used to use a wide range of Google services, but after being forced to switch a few times when things got shut down, I use less and less of their services all the time, and I can be consistently relied on to not even try anything new they offer. No interest. And yet, I still do use Gmail and a couple of other services.
If you don't understand that there are differences in b
Sorry, but Uber's business model is pretty much end to end "be colossal assholes, claim regulations don't apply, and keep being assholes".
Sorry, but this isn't a company I would ever trust or do business with.
Claiming you're a magical pony who isn't covered by laws doesn't make it true.
> Sorry, but Uber's business model is pretty much end to end "be colossal assholes
> ...
Of course. But the real issue is not that Uber is unethical (we already knew that) but that Apple gave them full access.
If my landlord gave a burglar the key to my door, his behavior would be more noteworthy than the behavior of the burglar.
There goes Apple's reputation for security.
I expect that there was money involved.
Apple cares about security, as long as there is no way to make money out of making you insecure.
The only real remedy for this is if Apple pushed out an iOS update that took away the ability for these hidden privileges to exist, but likely they won't, because probably the main other user of them is Apple itself.
Privacy and security are related. Privacy is a subset of security.
It's sort of impressive how many times Uber apps have been found to contain questionable abilities that Uber claims they stopped using some time ago.
For the sake of argument, let's assume that they are being truthful when they say these things. My response is: get your engineering house in order.
Leaving dead code in your software is a terrible practice for a number of reasons. Don't wait until someone discovers it's there before you remove it. Remove it as soon as you stop using it.
> For the sake of argument, let's assume that they are being truthful when they say these things. My response is: get your engineering house in order.
It should be: demand that Apple remove Uber permanently from the App Store. It doesn't matter if they stopped using, or never used, their backdoor exploit code (this is like the third one, I think?) to actually do backdoor exploits. The mere fact that they designed it, developed it, and deployed it means that they are actively evil from head to toe. Th
Again, I'm giving Uber the benefit of the doubt for rhetorical purposes (I actually think that Uber is essentially a criminal organization who needs to be put out of business, but I'm setting that aside for the moment).
Uber didn't say they put this in for no reason. The reason that they gave for implementing this is entirely plausible and, if that's all it was ever used for, hard to take exception with.
It's not as bad as it sounds.
There was no way for the original Apple Watch to get maps on the phone. Apple allowed Uber to use a system function to take screen recordings from the phone to send to the watch so it could show maps.
Apple specially vetted the source code and inspected it with every update to make sure it was only taking and sending shots of the map from the Uber app.
Basically you are already trusting apple for an enormous amount of things, this is just one more thing, you are trusting apple to suffic
If Apple vetted the code, then how come Uber was able to collect screenshots even when it was not running? It should have informed the user about the permission. I don't blindly trust Apple. I trust Apple to make the right decisions, and in this case it failed me.
It's called money, dumbass.
