Uber Removing Apple-Granted API That Could Have Let it Record a User’s iPhone Screen [Updated]

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Oct 5, 2017.

  1. MacRumors macrumors bot


    Apr 12, 2001

    When the Apple Watch was first released, Apple gave Uber what's known as an "entitlement" to run a special API to improve performance of the Uber app on the wrist worn device.

    That entitlement made headlines today when security researchers told Gizmodo that Uber could have used it to record a user's iPhone screen even with the Uber app just running in the background.

    In a statement, Uber said the entitlement was used for an old version of the Apple Watch app and was provided to Uber because the original Apple Watch couldn't render maps.
    The entitlement is no longer necessary and Uber is planning to remove it from the iOS codebase, according to both the statement given to Gizmodo and a tweet from Uber head of security and privacy communications Melanie Ensign.

    According to security researcher Will Strafach, who first brought attention to the issue, Apple does not often give out entitlements. Strafach said he could find no other apps on the App Store that have the permissions that the Uber app has.

    Strafach says there is no evidence that Uber ever misused the entitlement, but it could have been utilized to monitor activity on an iPhone, recording passwords and other personal information. "Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," another security researcher, Luca Todesco, told Gizmodo.

    Uber says the app is no longer connected to anything in the company's current codebase, but users will likely be wary anyway as there have been other privacy concerns with the Uber app. There was a feature that allowed riders to be tracked for up to five minutes after a trip, and Apple CEO Tim Cook even went so far as to threaten to remove the app from the App Store after it was found to be secretly recording the UDID of iPhones to identify them even after the Uber app had been deleted.

    Update: An Uber spokesperson said that an update released on Friday removed the API.

    Article Link: Uber Removing Apple-Granted API That Could Have Let it Record a User's iPhone Screen [Updated]
  2. Z400Racer37 macrumors 6502a

    Feb 7, 2011
    This company is constantly involved in scandal. I don't know why Apple deals with it. They are dishonest, they have no integrity. Ban them.
  3. Mr Dobey macrumors 6502

    Aug 8, 2008
    first fingering printing now this. Uber's track record is the shadiest.
  4. JPack macrumors 68040


    Mar 27, 2017
    Put down the pitchforks. This is an Apple-granted entitlement.
  5. dogolaca macrumors newbie

    Sep 30, 2013
  6. CarlJ macrumors 68030


    Feb 23, 2004
    San Diego, CA, USA
    This particular story sounds plausible the way it is explained, but I have permanent distrust for Uber, given how many shady/slimy things they have done in the past. I don't trust them to be able to reform, ever, given their long record of going out of their way to treat people horribly. Best for Apple to withdraw the entitlement and continue keeping a wary eye on Uber.
  7. WannaGoMac macrumors 68020


    Feb 11, 2007
    Apple is the one that gave them this capability. I am more upset with Apple than Uber. Was anyone told Uber was recording all actions on the device thanks to Apple?

    Yet folks are upset with Uber??? Seems like Apple is in the wrong here...
  8. redgreenski macrumors regular

    Aug 17, 2017
    Disappointed with Apple. Uber on the other hand has been long replaced with Lyft.
  9. Hustler1337 macrumors 68000


    Dec 23, 2010
    London, UK
    If Apple is issuing the "entitlement", why aren't they also vetting its use? It's like a security guard giving a known thief the keys to some of the rooms in the building but not checking what he's been up to.
  10. Chupa Chupa macrumors G5

    Chupa Chupa

    Jul 16, 2002
    Well I think the pitchforks need to stay raised -- just pointed at Apple. One of the features Apple uses to sell it's devices is privacy. So how the h* did it not catch this before it gave it out to Uber -- apparently some time ago. Uber has made it's share of sketchy moves but this one is on Apple. It really needs to explain how this won't happen again.
  11. Bacillus, Oct 5, 2017
    Last edited: Oct 6, 2017

    Bacillus Suspended


    Jun 25, 2009
    Huh !!!!??
    Essentially, this backdoor could give any granted party access to anything any user does.
    Isn't that exactly the backdoor that Tim assured it doesn't exist in the Nat. Security services discussion ?
  12. zakarhino macrumors demi-god


    Sep 13, 2014
    Bay Area, CA.
    What the f*** Apple? Why are these APIs being enabled for 3rd part devs at all? And Uber of all people, scumbag company with alarming coding practices, not to mention the disgusting history of employee treatment.
  13. CarlJ, Oct 5, 2017
    Last edited: Oct 5, 2017

    CarlJ macrumors 68030


    Feb 23, 2004
    San Diego, CA, USA
    We haven't heard Apple's side of this. It's entirely possible that Apple has carefully monitored the Uber app to ensure it doesn't use the entitlement for shady purposes. I suspect it has gotten considerable attention from Apple since Uber and its app were found to be actively trying to dodge Apple's vetting process. It sounds like you're making the assumption that Apple was asleep at the wheel. I don't know that that is the case. Do you have evidence otherwise?
    --- Post Merged, Oct 5, 2017 ---
    Has anyone shown that Uber was, indeed, recording all actions on the device? Or are you just assuming that? What I got from the article was that their app had a grant of special permissions that could have been used to do that, not that they actually did it.
    --- Post Merged, Oct 5, 2017 ---
    Where have you read authoritative statements that Apple wasn't vetting its use?

    To be clear, I don't like Uber, I think they've done horrible things. But it seems like a lot of people are reading "could have used this API to..." and conveniently ignoring the "could have" and treating this as proof that they did use the API in the way proposed by the security researchers. I've seen no evidence that warrants this leap to judgement. Unless you just really like pitchforks. There's enough things to get upset about that Uber has done. No need to get upset at hypotheticals, unless/until they are proved true.
  14. Tech198 macrumors G5

    Mar 21, 2011
    Australia, Perth

    Bugger you Uber..!! so if Uber could still identify you even after the app was deleted, what does that say about anything else then? Not saying it would happen, but if Uber did it, then why not others?
  15. miniyou64 macrumors 6502


    Jul 8, 2008
    This reflects much more poorly on the ever “security conscious” Apple than it does on Uber.
  16. jdillings macrumors 68000

    Jun 21, 2015
    Apple is in the news lately for all the wrong reasons...every day it's a new security issue. Maybe it's time Timmy spent more time on security than emoji.
  17. whizstachio macrumors newbie

    Jul 26, 2016
    --- Post Merged, Oct 5, 2017 ---
    I no longer trust Apple
  18. TheIntruder macrumors 6502a


    Jul 2, 2008

    Apple "commitment" to the user privacy only goes as far as not impacting its business.

    Uber's surreptitious and deceptive actions in going so far as to actively conceal its violation of Apple's guidelines (not to mention Project Greyball) was as much as any principled leader would have needed to flick the app from the store.

    That would have happened with any lesser developer. But, Uber's market position, and potential user backlash was too much for Cook to do anything but let them off with a scolding. Money > principle.

    Don't fall for the hype. Ultimately, nobody has your own interests as heart except you. Certainly not these multi-$B corporations.
  19. antiprotest macrumors 65816


    Apr 19, 2010
    NO. We should pick up ten times the pitchforks and direct them at both Apple and Uber for something like this.
  20. Bacillus, Oct 5, 2017
    Last edited: Oct 5, 2017

    Bacillus Suspended


    Jun 25, 2009
    Pffeuww, feeling sooooo comfortable now that Uber didn't misuse the privAPI to follow us.
    Like an intruder in my house saying he was only checking my safety.
    A flavor of privacy that only Apple could facilitate...
  21. imran5720 macrumors regular


    Dec 21, 2013
    So much talk about privacy and yet we find this...
  22. mw360, Oct 5, 2017
    Last edited: Oct 5, 2017

    mw360 macrumors 65816


    Aug 15, 2010
    I looked at the Gizmodo article. Here's where I stopped reading...

    "Alternatively, it’s possible that Apple sandboxed the entitlement to prevent it from accessing data outside Uber’s app."

    That Apple built in safeguards to prevent abuse is exactly the first thing I though of. Shame nobody else wants to find out that part before getting all fired up.
  23. cmwade77 macrumors 65816

    Nov 18, 2008
    I stick with Lyft the 2 or 3 times a year I need such a service because their drivers are nicer in general, but then add in all of these issues and you really do want to stick with Lyft or other competitors to Uber.
  24. antiprotest macrumors 65816


    Apr 19, 2010
    Right, this is almost a backdoor. Or a side window at least. Shame on Apple.
  25. SeattleMoose macrumors 68000

    Jul 17, 2009
    Der Wald
    Don't worry. Uber is 100% safe. And Google doesn't spy on it's users.

Share This Page