Uber Faces Negative Reactions After Update Introduces Background GPS Tracking

[Rigby]

If an app is force-quit then it won't receive background notifications.

This is not correct in all cases. Apps that receive APNS notifications will be launched in the background, even if you have "force quit" them (i.e. swipe up in the task switcher). You can easily test this using e.g. a 3rd party email app with push support such as Protonmail.

According to Apple, this also seems to be the case for at least some location notifications:

https://developer.apple.com/library...n.html#//apple_ref/doc/uid/TP40007072-CH4-SW7

"In most cases, the system does not relaunch apps after they are force quit by the user. One exception is location apps, which in iOS 8 and later are relaunched after being force quit by the user."

 

[ubereverywhere]

That's absolutely false. iOS apps that aren't running can be silently launched in the background in response to notifications that the app has subscribed to (like "my location has changed").

Clearly we have different views on what it means for an app to be running or not. It's 0 or 1 for me man. How are you proving me false by saying that an app can transmit data if it is launched in the background (IE: running)? lol. That's just proving me true.

 

[cmaier]

This is not correct. Apps that receive APNS notifications will be launched in the background, even if you have "force quit" them (i.e. swipe up in the task switcher). You can easily test this using e.g. a 3rd party email app with push support such as Protonmail.

According to the SDK documentation:
However, the system does not automatically launch your app if the user has force-quit it. In that situation, the user must relaunch your app or restart the device before the system attempts to launch your app automatically again.

 

[Timothy Leo Crowley]

Because its not up to you. You are the user, and quite frankly, you don't have a clue what is best for the App or the service. User's like you will ignore all of the factual detail and will just fauxrage over some talking point, about which you know absolutely nothing.

In this case, another word for user is Customer, without which there is no service. Trust me, business that doesn't listen to it's customers will wither and die.

 

[cmaier]

That said, it looks like this behavior changed in recent versions of the OS, and it WILL relaunch if the app is tracking location. Trying to track down a clear answer in the docs - they contradict each other.
[doublepost=1481333760][/doublepost]

Clearly we have different views on what it means for an app to be running or not. It's 0 or 1 for me man. How are you proving me false by saying that an app can transmit data if it is launched in the background (IE: running)? lol. That's just proving me true.

the issue is if you never launched the app in the first place. Most people would say it is not running. Yet if it can be launched without the user's knowledge and without displaying any UI, and still transmit GPS data, that would be something relevant to this conversation, since many people think you can stop the app from doing that without disabling location services for the app.

 

[Rigby]

Have you ever ran Wireshark or any pcap tool? You can 100% see the IPs making the requests. Only the data is encrypted.

"Only" the data? That's precisely what the previous poster claimed you could see. But go ahead, explain how you can determine if the Uber app transmits location information without being able to decrypt the data.

You said I'm wrong that they can't send data if the app's not running and back it up by saying they can while running in the background? lol. It's either running or not.

You are playing word games. An app that has been closed can be triggered to run in the background without the user knowing it.

Based on what they said they were using it for it's not. In fact, there's really no reason for them to even use "Always" authorization if what they are saying they are doing is true because they can get the same exact data with "In Use" auth until the user terminates the app.

This is false. The "While Using" option prevents apps that are not in the foreground from accessing location information.

 

[ubereverywhere]

"Only" the data? That's precisely what the previous poster claimed you could see. But go ahead, explain how you can determine if the Uber app transmits location information without being able to decrypt the data.

But you can SEE the data. He never said you could READ the data...lol He said you could see exactly what server is requesting it and where it's being sent to, which is entirely true whether encrypted or not. Regardless whether you can read the data, you'd still be able to see it, where it's going to/from, and over what period of time. Certainly more than enough information to determine if they are doing anything for more than 5 minutes or not. If you want a real simple explanation on how you'd read SSL requests from your device, use SSL proxying, which acts as a basic MITM attack. I've used it extensively for reverse engineering APIs behind SSL, and with programs like Charles, it's a breeze to do for any lay person.

You are playing word games. An app that has been closed can be triggered to run in the background without the user knowing it.

I'm really not though. Show me any app that can run in the background without the user knowing it or one that can send data without running. If Apple allowed such functionality, the AppStore would be flooded with spyware. I actually made such an app once using private APIs, hid the app icon, and looped silent audio to keep it running in the background. Only ran on jailbroken devices and some guy wanted it to spy on his kids and make it lock out their screen with a big red button to call him while blasting an alarm if they didn't answer a call from him. Worked pretty good, but there was no way it was getting in the AppStore.

This is false. The "While Using" option prevents apps that are not in the foreground from accessing location information.

Nope. All you have to do is register background services for location data and background app refresh and it can use location data while running in the background with "In Use" auth. The API docs are just confusing because it says "In USe" auth is only for foreground, but you need to research and read further to see that it actually allows background services, just not by default. Just look at Google Maps. It'll even put a nice blue bar at the top of the screen to let the user know it's using location services in the background. As I said previously, this is actually the way Apple currently recommends monitoring location data in the background with "In Use" auth.

 

[C DM]

An app that has been closed can be triggered to run in the background without the user knowing it.

That's rather bad if Apple changed to allow for something like that.

 

[E.Lizardo]

I love it when uber agents/employees jump into the discussion to tell paying customers why they are a bunch of crybabies.

Yes they seem completely unbiased!
[doublepost=1481348629][/doublepost]

If you were a driver wanting to rob or do something illegal to a rider... would you do it on camera in the car, or wait until you get your money and finish the official drive, then do it? Anyone smart would consider the second option...

If uber thinks that a big problem I'll just stick with the old fashioned yellow cab.thank you very much.
[doublepost=1481349482][/doublepost]

How can they know you were kidnapped juts by tracking your location?
Imagine this, you got off the uber and walked a bit then someone shows you a gun and ask them to walk in front of them, how can uber possibly know something going on?

What no one seems willing to say is this: Uber is afraid a driver will murder/rape/assault/rob a customer and want to be able to prove the driver was not at the scene if"anything happens"so they can hopefully avoid a lawsuit. Also they probably hope the knowlege that they are both being tracked will deter all their serial killer drivers.

 

[Rigby]

That's rather bad if Apple changed to allow for something like that.

I gave an example where this can happen in an earlier post. I think this has been around since iOS 8. Below's a bit more detail on what happens in this case. You can prevent this from happening by setting the location permissions to "While Using" (if the app allows it) or turning off Background App Refresh for the app. There are a few other scenarios where terminated apps can be automatically relaunched in the background as well.

https://developer.apple.com/library...ionAwarenessPG/CoreLocation/CoreLocation.html

"If you leave the significant-change location service running and your iOS app is subsequently suspended or terminated, the service automatically wakes up your app when new location data arrives. At wake-up time, the app is put into the background and you are given a small amount of time (around 10 seconds) to manually restart location services and process the location data."

 

[C DM]

I gave an example where this can happen in an earlier post. I think this has been around since iOS 8. Below's a bit more detail on what happens in this case. You can prevent this from happening by setting the location permissions to "While Using" (if the app allows it) or turning off Background App Refresh for the app. There are a few other scenarios where terminated apps can be automatically relaunched in the background as well.

https://developer.apple.com/library...ionAwarenessPG/CoreLocation/CoreLocation.html

"If you leave the significant-change location service running and your iOS app is subsequently suspended or terminated, the service automatically wakes up your app when new location data arrives. At wake-up time, the app is put into the background and you are given a small amount of time (around 10 seconds) to manually restart location services and process the location data."

So with background refresh disabled (and the app closed or never started to begin with) it won't start the app then?

 

[Rigby]

So with background refresh disabled (and the app closed or never started to begin with) it won't start the app then?

Yes, I think so.

 

[C DM]

Yes, I think so.

Well, at least it sounds like there's still a way to keep the app closed (and not starting up on its own) then.

 

[Rigby]

Well, at least it sounds like there's still a way to keep the app closed (and not starting up on its own) then.

My solution is safer: I deleted Uber's app from my phone. There are good alternatives in my area. We shouldn't be forced to find workarounds to prevent apps from collecting sensitive personal information against our will.

 

[makr]

correct.

hence i force-quite Facebook (background battery hog) and Uber (privacy invader) when not in use.

Thanks for explaining. How about the app called Dark Sky, it's an app lets me know if it's gonna rain in the next few minutes. Even if I turn it off (double click, swipe up) I still get notification. How that works?

 

[C DM]

Thanks for explaining. How about the app called Dark Sky, it's an app lets me know if it's gonna rain in the next few minutes. Even if I turn it off (double click, swipe up) I still get notification. How that works?

Notifications come in via push using Apple Push Notificaiton Service. Apps don't have to be running for notifications related to those apps to come in.