Uber Removing Apple-Granted API That Could Have Let it Record a User’s iPhone Screen [Updated]

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Oct 5, 2017.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    When the Apple Watch was first released, Apple gave Uber what's known as an "entitlement" to run a special API to improve performance of the Uber app on the wrist-worn device.

    That entitlement made headlines today when security researchers told Gizmodo that Uber could have used it to record a user's iPhone screen even with the Uber app just running in the background.

    In a statement, Uber said the entitlement was used for an old version of the Apple Watch app and was provided to Uber because the original Apple Watch couldn't render maps.
    The entitlement is no longer necessary and Uber is planning to remove it from the iOS codebase, according to both the statement given to Gizmodo and a tweet from Uber head of security and privacy communications Melanie Ensign.

    According to security researcher Will Strafach, who first brought attention to the issue, Apple does not often give out entitlements. Strafach said he could find no other apps on the App Store that have the permissions that the Uber app has.

    Strafach says there is no evidence that Uber ever misused the entitlement, but it could have been utilized to monitor activity on an iPhone, recording passwords and other personal information. "Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," another security researcher, Luca Todesco, told Gizmodo.

    Uber says the app is no longer connected to anything in the company's current codebase, but users will likely be wary anyway as there have been other privacy concerns with the Uber app. There was a feature that allowed riders to be tracked for up to five minutes after a trip, and Apple CEO Tim Cook even went so far as to threaten to remove the app from the App Store after it was found to be secretly recording the UDID of iPhones to identify them even after the Uber app had been deleted.

    Update: An Uber spokesperson said that an update released on Friday removed the API.

    Article Link: Uber Removing Apple-Granted API That Could Have Let it Record a User's iPhone Screen [Updated]
     
  2. Z400Racer37 macrumors 6502a

    Joined:
    Feb 7, 2011
    #2
    This company is constantly involved in scandal. I don't know why Apple deals with it. They are dishonest, they have no integrity. Ban them.
     
  3. Mr Dobey macrumors 6502

    Joined:
    Aug 8, 2008
    #3
    First fingerprinting, now this. Uber's track record is the shadiest.
     
  4. JPack macrumors 6502a

    JPack

    Joined:
    Mar 27, 2017
    #4
    Put down the pitchforks. This is an Apple-granted entitlement.
     
  5. dogolaca macrumors newbie

    Joined:
    Sep 30, 2013
  6. CarlJ macrumors 68020

    CarlJ

    Joined:
    Feb 23, 2004
    Location:
    San Diego, CA, USA
    #6
    This particular story sounds plausible the way it is explained, but I have permanent distrust for Uber, given how many shady/slimy things they have done in the past. I don't trust them to be able to reform, ever, given their long record of going out of their way to treat people horribly. Best for Apple to withdraw the entitlement and continue keeping a wary eye on Uber.
     
  7. WannaGoMac macrumors 68000

    Joined:
    Feb 11, 2007
    #7
    Apple is the one that gave them this capability. I am more upset with Apple than Uber. Was anyone told Uber was recording all actions on the device thanks to Apple?

    Yet folks are upset with Uber??? Seems like Apple is in the wrong here...
     
  8. redgreenski macrumors member

    Joined:
    Aug 17, 2017
    #8
    Disappointed with Apple. Uber on the other hand has been long replaced with Lyft.
     
  9. Hustler1337 macrumors 68000

    Hustler1337

    Joined:
    Dec 23, 2010
    Location:
    London, UK
    #9
    If Apple is issuing the "entitlement", why aren't they also vetting its use? It's like a security guard giving a known thief the keys to some of the rooms in the building but not checking what he's been up to.
     
  10. Chupa Chupa macrumors G5

    Chupa Chupa

    Joined:
    Jul 16, 2002
    #10
    Well I think the pitchforks need to stay raised -- just pointed at Apple. One of the features Apple uses to sell its devices is privacy. So how the h* did it not catch this before it gave it out to Uber -- apparently some time ago. Uber has made its share of sketchy moves but this one is on Apple. It really needs to explain how this won't happen again.
     
  11. Bacillus, Oct 5, 2017
    Last edited: Oct 6, 2017

    Bacillus macrumors 65816

    Bacillus

    Joined:
    Jun 25, 2009
    #11
    Huh !!!!??
    Essentially, this backdoor could give any granted party access to anything any user does.
    Isn't that exactly the backdoor that Tim assured it doesn't exist in the Nat. Security services discussion ?
     
  12. zakarhino macrumors 6502a

    zakarhino

    Joined:
    Sep 13, 2014
    Location:
    Bay Area, CA.
    #12
    What the f*** Apple? Why are these APIs being enabled for 3rd party devs at all? And Uber of all people, scumbag company with alarming coding practices, not to mention the disgusting history of employee treatment.
     
  13. CarlJ, Oct 5, 2017
    Last edited: Oct 5, 2017

    CarlJ macrumors 68020

    CarlJ

    Joined:
    Feb 23, 2004
    Location:
    San Diego, CA, USA
    #13
    We haven't heard Apple's side of this. It's entirely possible that Apple has carefully monitored the Uber app to ensure it doesn't use the entitlement for shady purposes. I suspect it has gotten considerable attention from Apple since Uber and its app were found to be actively trying to dodge Apple's vetting process. It sounds like you're making the assumption that Apple was asleep at the wheel. I don't know that that is the case. Do you have evidence otherwise?
    --- Post Merged, Oct 5, 2017 ---
    Has anyone shown that Uber was, indeed, recording all actions on the device? Or are you just assuming that? What I got from the article was that their app had a grant of special permissions that could have been used to do that, not that they actually did it.
    --- Post Merged, Oct 5, 2017 ---
    Where have you read authoritative statements that Apple wasn't vetting its use?

    To be clear, I don't like Uber, I think they've done horrible things. But it seems like a lot of people are reading "could have used this API to..." and conveniently ignoring the "could have" and treating this as proof that they did use the API in the way proposed by the security researchers. I've seen no evidence that warrants this leap to judgement. Unless you just really like pitchforks. There's enough things to get upset about that Uber has done. No need to get upset at hypotheticals, unless/until they are proved true.
     
  14. Tech198 macrumors G4

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
    #14

    Bugger you Uber..!! so if Uber could still identify you even after the app was deleted, what does that say about anything else then? Not saying it would happen, but if Uber did it, then why not others?
     
  15. miniyou64 macrumors 6502

    miniyou64

    Joined:
    Jul 8, 2008
    #15
    This reflects much more poorly on the ever “security conscious” Apple than it does on Uber.
     
  16. jdillings macrumors 65816

    Joined:
    Jun 21, 2015
    #16
    Apple is in the news lately for all the wrong reasons...every day it's a new security issue. Maybe it's time Timmy spent more time on security than emoji.
     
  17. whizstachio macrumors newbie

    Joined:
    Jul 26, 2016
    #17
    --- Post Merged, Oct 5, 2017 ---
    I no longer trust Apple
     
  18. TheIntruder macrumors 6502a

    TheIntruder

    Joined:
    Jul 2, 2008
    #18
    $$$$

    Apple's "commitment" to user privacy only goes as far as not impacting its business.

    Uber's surreptitious and deceptive actions in going so far as to actively conceal its violation of Apple's guidelines (not to mention Project Greyball) were as much as any principled leader would have needed to flick the app from the store.

    That would have happened with any lesser developer. But, Uber's market position, and potential user backlash was too much for Cook to do anything but let them off with a scolding. Money > principle.

    Don't fall for the hype. Ultimately, nobody has your own interests at heart except you. Certainly not these multi-$B corporations.
     
  19. antiprotest macrumors 65816

    antiprotest

    Joined:
    Apr 19, 2010
    #19
    NO. We should pick up ten times the pitchforks and direct them at both Apple and Uber for something like this.
     
  20. Bacillus, Oct 5, 2017
    Last edited: Oct 5, 2017

    Bacillus macrumors 65816

    Bacillus

    Joined:
    Jun 25, 2009
    #20
    Pffeuww, feeling sooooo comfortable now that Uber didn't misuse the privAPI to follow us.
    Like an intruder in my house saying he was only checking my safety.
    A flavor of privacy that only Apple could facilitate...
     
  21. imran5720 macrumors regular

    imran5720

    Joined:
    Dec 21, 2013
    #21
    So much talk about privacy and yet we find this...
     
  22. mw360, Oct 5, 2017
    Last edited: Oct 5, 2017

    mw360 macrumors 65816

    mw360

    Joined:
    Aug 15, 2010
    #22
    I looked at the Gizmodo article. Here's where I stopped reading...

    "Alternatively, it’s possible that Apple sandboxed the entitlement to prevent it from accessing data outside Uber’s app."

    That Apple built in safeguards to prevent abuse is exactly the first thing I thought of. Shame nobody else wants to find out that part before getting all fired up.
     
  23. cmwade77 macrumors 6502a

    Joined:
    Nov 18, 2008
    #23
    I stick with Lyft the 2 or 3 times a year I need such a service because their drivers are nicer in general, but then add in all of these issues and you really do want to stick with Lyft or other competitors to Uber.
     
  24. antiprotest macrumors 65816

    antiprotest

    Joined:
    Apr 19, 2010
    #24
    Right, this is almost a backdoor. Or a side window at least. Shame on Apple.
     
  25. SeattleMoose macrumors 65816

    Joined:
    Jul 17, 2009
    Location:
    Der Wald
    #25
    Don't worry. Uber is 100% safe. And Google doesn't spy on its users.
     
