It was recently discovered that the ride-hailing company Uber had an undocumented capability in its iPhone app. Many people should find this alarming, to say the least. The capability came in the form of an iOS "entitlement," a permission embedded in an app's code signature, and it let the Uber app read whatever was on an iPhone's screen.
The entitlement feature was discovered by Will Strafach, the chief executive of Sudo Security Group. At the time, he commented that it was “very unusual.” But unusual is an understatement considering how Uber was able to do this. According to security researchers like Strafach, Apple actually granted Uber the special permission to do it. Consumers and industry professionals are shocked by this, especially considering Uber’s past transgressions. More on that later.
A Sense of Entitlement
What the community of mobile security experts is saying about the entitlement is that it gives Uber (or any attacker who can compromise the app) read access to an iPhone's framebuffer. The framebuffer is the region of memory that holds the pixels currently being drawn to the display, so reading it amounts to taking a screenshot of whatever is on screen, no matter which app drew it. What Uber (or an attacker) could do is copy every pixel of the phone's screen. Worse, the capability reportedly worked even while the Uber app was in the background rather than on screen. Isn't it scary that Uber was able to obtain this information from people's iPhones without ever having physical access to them?
Apple granted Uber the entitlement back in 2015 to improve its app on the Apple Watch (reportedly to render maps on the original watch, which could not do so on its own). However, according to Strafach, no other third-party developer is known to have been granted a permission like this. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this," said the mobile security expert.
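The practical check that follows from this story is to inspect an app's entitlements yourself rather than trusting the App Store review. Below is an added example (not code from the original article, and not Uber's or Apple's code) that parses an entitlements plist and flags any key in Apple's reserved `com.apple.private.` namespace, which is what separates an ordinary App Store binary from one carrying a capability like the one described above. The sample plist is constructed for the example, the key `com.apple.private.example-screen-capture` is invented and is not the real Uber entitlement, and the `codesign` helper assumes macOS with a decrypted app bundle on disk.

```python
"""Audit an iOS app's entitlements for private (Apple-internal) keys.

Added example, not code from the original article or from Uber/Apple.
On macOS the entitlements of a decrypted .app bundle can be dumped with
`codesign -d --entitlements :- /path/to/App.app`; the colon prefix strips
the binary blob header so plain XML is printed. The sample below is a
constructed plist standing in for that output.
"""
import plistlib
import subprocess
from typing import Any, Dict, List

# Constructed sample: a fictitious ride-hailing app with one private entitlement.
# The key com.apple.private.example-screen-capture is invented for this example.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>application-identifier</key>
  <string>ABCDE12345.com.example.rideapp</string>
  <key>aps-environment</key>
  <string>production</string>
  <key>com.apple.developer.associated-domains</key>
  <array>
    <string>applinks:example.com</string>
  </array>
  <key>keychain-access-groups</key>
  <array>
    <string>ABCDE12345.com.example.rideapp</string>
  </array>
  <key>com.apple.private.example-screen-capture</key>
  <true/>
  <key>get-task-allow</key>
  <false/>
</dict>
</plist>
"""

# Apple reserves this namespace for its own apps and daemons; a third-party
# App Store binary carrying one of these keys is exactly the anomaly the
# article describes.
PRIVATE_PREFIX = "com.apple.private."

# Namespaces and bare keys that Apple documents for third-party developers.
DOCUMENTED_PREFIXES = ("com.apple.developer.", "com.apple.security.")
DOCUMENTED_KEYS = {
    "application-identifier",
    "aps-environment",
    "beta-reports-active",
    "get-task-allow",
    "keychain-access-groups",
}


def parse_entitlements(xml: bytes) -> Dict[str, Any]:
    """Parse an XML entitlements plist into a dict; reject non-dict plists."""
    parsed = plistlib.loads(xml)
    if not isinstance(parsed, dict):
        raise ValueError("entitlements plist must be a dict at the top level")
    return parsed


def classify_key(key: str) -> str:
    """Return 'private', 'documented' or 'unknown' for one entitlement key."""
    if key.startswith(PRIVATE_PREFIX):
        return "private"
    if key in DOCUMENTED_KEYS or key.startswith(DOCUMENTED_PREFIXES):
        return "documented"
    return "unknown"


def audit_entitlements(xml: bytes) -> Dict[str, List[str]]:
    """Group every key by classification; 'private' and 'unknown' deserve review."""
    report: Dict[str, List[str]] = {"private": [], "documented": [], "unknown": []}
    for key in sorted(parse_entitlements(xml)):
        report[classify_key(key)].append(key)
    return report


def dump_app_entitlements(app_path: str) -> bytes:
    """macOS only: dump a bundle's entitlements as XML via codesign (assumed available)."""
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Run against the constructed sample; swap in dump_app_entitlements(path) on macOS.
    report = audit_entitlements(SAMPLE_ENTITLEMENTS)
    for bucket in ("private", "unknown", "documented"):
        for key in report[bucket]:
            print(f"{bucket:10} {key}")
```

Anything in the `private` bucket should not be signed into a third-party app at all; anything in `unknown` is worth a look too, since the documented list above is deliberately short and a real audit would extend it from Apple's entitlement reference.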
Uber reported that it has disabled the tool and will soon remove it, and that it will not appear in any later update. While this affects only iPhones, all Uber users, and smartphone owners generally, should be concerned. This is, after all, a major privacy issue that should make anyone worried about their online and physical security.
Uber Heaven and Uber Hell—and the Grey Area In Between
This isn’t Uber’s first shady rodeo. The company has been in a world of trouble before. A couple of years ago, the company was caught tracking its customers without their permission. It did so through an internal tool called “God View,” later renamed “Heaven,” which dates all the way back to 2011. Uber used it to track not just riders but celebrities, politicians, and even people that Uber employees knew personally. God View was also used to spy on Uber's own drivers to make sure they weren’t driving for competitors (including its biggest nemesis, Lyft).
“Greyball” was another tool that Uber used. According to the company, Greyball helped them identify riders who violated their terms of service. This includes individuals who either threatened or harmed drivers, skipped payment, or didn’t show up. Once identified, Uber would deny services to those hailers. However, it was discovered that Uber also used this tool to avoid officials who were checking up on the company. It’s known that officials have conducted secret sting operations to make sure that Uber was complying with transportation and operation rules.
More recently, Uber made headlines again with yet another intrusive software program. This one was called “Hell,” and it interfered with rival Lyft’s operations, allegedly illegally. Like God View, it was also used to see whether Uber's own drivers were “double apping,” that is, driving for both app-based ride-sharing companies, and it led to yet another federal investigation. Yet somehow Uber is still able to stay in business, and Apple is helping it.
You have to wonder, why would Apple, a company known for cracking down on app store violators, continue to do business with Uber? Even more so, why grant them special permissions like the “entitlement” tool?
An Uber Plague
Uber has a long history of internal and external issues beyond its software spying problems. It has been accused of not protecting customers’ data, of age discrimination, and of retaliating against whistleblowers. The company is and has been under numerous federal investigations and faces multiple lawsuits, including one brought by Waymo, Google’s self-driving car company.
They’ve also had sexual harassment suits filed against them. For example, one female employee reported being harassed by her manager. Then, there’s the constant battle with the Taxi and Limousine Commission. Uber wants the right to operate in the same manner, but without the rules and regulations that cab drivers must adhere to.
Additionally, there are the hundreds of offenses committed by and against their drivers. This includes robberies, sexual assaults, accidents, hit and runs, and other violent acts—all of which have led to scrutiny over their vetting processes.
That vetting process came under intense scrutiny after Jason Dalton was arrested for a shooting spree in Kalamazoo, Michigan. Dalton killed six people and wounded two others while “on duty” for Uber. According to the investigation, Dalton kept picking up fares during the roughly seven-hour manhunt. Though Dalton had no criminal record, there had been numerous complaints about his driving before his terrible crime.
As for ordinary, non-malicious incidents such as car accidents, many have argued that Uber should be held responsible for some of them. The company requires drivers to acknowledge a new pick-up opportunity within 15 seconds of being notified. Drivers claim that if they fail to respond enough times, they can be cut off from the platform.
The National Transportation Safety Board criticized Uber’s policy of cutting off those who don’t respond in a timely manner. Fifteen seconds, no matter who you are, is a tight window of opportunity. This practice is a hazard to anyone on the road because it can distract a driver and cause an accident.
Uber Isn’t Alone in the Spy Game
Of course, plenty of other companies have similar problems, which is not surprising. What is disturbing is how Uber continues to abuse its riders’ privacy with its app tools. Other companies have done it, sure, but not as often and not with the intent Uber has shown.
Just this past summer, Snapchat rolled out a new feature that let users show their physical location. Called Snap Map, the new program allowed users’ selected friends to track them when using the app. It was supposed to be used to help friends become more connected. While many users were more than happy with the feature, not all of them have realized just how dangerous it could be.
In the lowest privacy setting, a Snapchat user’s location is broadcast to every single friend on their list whenever the app is opened. This could pose a danger when some of those “friends” are only casual acquaintances. The feature opens the door to stalkers and bullies, something few users thought about when they first tried it. That hasn’t deterred Snapchat fans who enjoy seeing their buddies’ icons on the map and vice versa. Most users know, or are learning, that they can set the app to “Ghost Mode,” which hides their location.
What’s Next for Uber?
No one really knows what’s next for the ride-hailing company. They have claimed that some of the things they’ve done were to protect their riders and drivers or to enhance their company’s service. The “truthiness” of it all is still in question and the future of the Uber-Apple relationship remains to be seen.
One more thing: Bloomberg reported the other day that Uber may have been using another secret program, called “Surfcam,” to gather information on its Asian rival Grab. It is not yet clear where the data-scraping program was getting its information from or whether it was illegal. Data scraping isn’t necessarily a crime; it’s more common than people realize. But how Uber gathered and used the information will determine the outcome of this issue.
So far it’s not looking good for the company, but who knows? Apple doesn’t seem to have too much of a problem with their practice, so why should anyone else?
Interested to see how other companies are spying on you and gathering your information? Check out our recent blog: The Secret Spy-Ring of Data Brokers.