Uber Removing Apple-Granted API That Could Have Let it Record a User’s iPhone Screen [Updated]

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Oct 5, 2017.

  1. Bacillus, Oct 6, 2017
    Last edited: Oct 6, 2017

    Bacillus macrumors 65816

    Joined:
    Jun 25, 2009
    #76
    In this case, the (continuous) screen capture/recording that was referred to reveals enough (password) info to make for a privacy breach of the highest order. With sandbox isolation in place or not.
     
  2. Chupa Chupa macrumors G5

    Joined:
    Jul 16, 2002
    #77
    I have read the complete original Gizmodo article and that is not the implication that is being made. The article rather implies that the API could be used to capture, plural, passwords and other personal information, i.e., not just information Uber already had on its servers or data bases because you can only use one password at a time, and most people don't have multiple Uber accounts like they might for Amazon or iTunes:

    Although the entitlement isn’t intended for this, the worry is that Uber—or a hacker who managed to break into Uber’s network—could silently monitor activity on an iPhone user’s screen, harvesting passwords and other personal information. “Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” explained Luca Todesco, a researcher and iPhone jailbreaker. “It can potentially steal passwords etc.”

    Further, even if Apple did intend to restrict the API to Uber's screens Apple is still complicit in issuing an API that clearly had these vulnerabilities given it was a one-off just for Uber.
     
  3. nburwell macrumors 68040

    Joined:
    May 6, 2008
    Location:
    PHL
    #78
    Couldn't agree more with this point. Another shady practice by Uber, but definitely disappointed in Apple too.

    I still have the Uber app installed on my phone, but it's Lyft all the way for me. I'll only book Uber if it looks like Lyft will take too long to get to where I'm at.
     
  4. brian3uk macrumors regular

    Joined:
    Sep 15, 2016
    Location:
    Orlando
    #79
    Apple was so desperate to make Apple Watch work that they did this; how disappointing. :(
     
  5. kdarling, Oct 6, 2017
    Last edited: Oct 6, 2017

    kdarling macrumors demi-god

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #80
    Implications != reality. When an article is full of weasel words like "potentially", watch out! It's exactly the same kind of clickbait that we see about Android "viruses".

    First off, you left out the most important sentence in the article:

    "Alternatively, it’s possible that Apple sandboxed the entitlement to prevent it from accessing data outside Uber’s app."

    If Apple did that... and it does seem likely that an iOS API would indeed be limited only to its own space, as Apple does that a lot... then all the other conjecture about looking at other apps is totally bogus and it's a non-story.

    ---

    As for the idea that someone could break into Uber's network and somehow get access to everyone's iPhone, well think about that.

    What they're implying is that someone could hack Uber's source code and put in some code in their app so it would record and send screens to a third party server... without anyone noticing the code had changed.

    Trouble is, companies like that use source control. So there'd be a record of a change, and the change would likely require a developer's password to commit.

    Secondly, if we're going to bring up scenarios like that, a similar kind of hack would apply to ANY iPhone app. Gosh, somebody could break into Wells Fargo's developer network and modify the banking app to send them our bank passwords. Ditto for keyboard apps.
     
  6. tooloud10 macrumors member

    Joined:
    Aug 14, 2012
    #81
    I'd be shocked if anyone could determine whether they were in a Lyft or Uber car based on how 'nice' the driver was.

    Hell, for that matter am I the only Lyft/Uber rider that doesn't even notice such things? I'm not looking for a new friend, I just need a quick ride.
    --- Post Merged, Oct 6, 2017 ---
    Nah, Uber is definitely 'fundamentally good' as compared to the taxi cab industry. You want to go back?

    The 'worst' Uber ride I ever had (I couldn't even name one) was better in every measurable way than any cab ride.
     
  7. kdarling macrumors demi-god

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #82
    If the API is sandboxed, the app could only capture screen info from itself.

    (Assuming Apple's smart enough that any of its own payment screens that Uber might link to are isolated.)
     
  8. tooloud10 macrumors member

    Joined:
    Aug 14, 2012
    #83
    Google doesn't spy on its users? What do you call that long-term feature where they would read all your Gmails so they could serve you up advertising?

    Literally every comparison I've ever seen places Apple higher than Google when it comes to privacy and security of its users' data.
     
  9. Chupa Chupa macrumors G5

    Joined:
    Jul 16, 2002
    #84
    "Alternatively." "possible." Now who is using "weasel words" to make their point?

    My point is that there seems to be a vulnerability baked into this API and either Apple didn't think it through or missed it. Obviously, all's well that ends well here. But if me and others are jumping to conclusions then Apple should set the record straight. From what Uber has admitted to something "potentially" harmful was baked into the API.
     
  10. kdarling, Oct 6, 2017
    Last edited: Oct 6, 2017

    kdarling macrumors demi-god

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #85
    Virtually every public mail server in the world already has a computer scanning through the info looking for spam.

    Remember the brouhaha when Apple's mail scanner started deleting mails that had the phrase "almost teenage" (or something similar), since it assumed that meant it was porn :rolleyes:
     
  11. tooloud10 macrumors member

    Joined:
    Aug 14, 2012
    #86
    It's almost like Gizmodo is holding a grudge against Apple for something.
    --- Post Merged, Oct 6, 2017 ---
    I hated that too, but it's in the past. Time to update your understanding of the issue.
     
  12. kdarling, Oct 6, 2017
    Last edited: Oct 6, 2017

    kdarling macrumors demi-god

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #87
    Your point has no evidence to support it yet.

    All that's happened so far is typical internet clickbaiting. I mean, get real. The assumption that it's not sandboxed is a pretty big one.

    Hey, I'm not a fan of the way Apple uses its customer's gullibility to claim privacy is always a top priority, but I'd be really surprised if they let Uber have a wide open screen capture API.

    Yes, they should. I'd rather a third party actually analyze the code, though.

    Where did Uber say that?

    What they've said is that it was only in one old version of the app, before Apple created an alternative method.
     
  13. thadoggfather macrumors 604

    Joined:
    Oct 1, 2007
    #88
    That sounds incredibly arrogant "update my understanding"

    Do elaborate by what you mean please

    How could apple not dictate "while using" instead of "always"?

    Why is that a blasphemous point to bring up? Since apple sets the rules and guidelines for their App Store and apps and is one of two only viable mobile OS platforms

    You may not care about your privacy or battery life concerns personally but others may.

    Uber has 2.5 stars on App Store by the way. I'm supposed to trust everything a shady company does? Hmm
     
  14. tooloud10 macrumors member

    Joined:
    Aug 14, 2012
    #89
    It's not arrogant to point out that your current understanding of how the "While using..." privacy feature of iOS currently works is incorrect as it pertains to the Uber app.
     
  15. thadoggfather macrumors 604

    Joined:
    Oct 1, 2007
    #90
    Then again please do elaborate.
    On how perfect this 2.5 star app is in implementation and execution



    Edit-

    Also I'm not arguing it's ALWAYS running 24/7 your battery would last an hour

    I'm arguing ALWAYS permission gives them permission ALWAYS

    And from a company with a bunch of scandals on their hands and a low quality app, I would prefer a while using
     
  16. tooloud10 macrumors member

    Joined:
    Aug 14, 2012
    #91
    What is there to elaborate on? It's incorrect to say that "location services can only be set to 'never' or 'always' for Uber app".

    What sense does it make to demand that I elaborate on something and say "I'm waiting" in the same post? You got impatient for my answer before you even asked me to elaborate?
     
  17. thadoggfather macrumors 604

    Joined:
    Oct 1, 2007
    #92
    In settings location services there are two toggles for location. Never or ALWAYS

    Some have while using or never. Or some with all 3.
    Uber used to have all 3. Read my above post edit for previous post.
     
  18. tooloud10 macrumors member

    Joined:
    Aug 14, 2012
    #93
    Who's being arrogant here? I'm very simply pointing out the huge flaw in your argument and instead of listening, you edit your post and imply that surely I must not actually understand your argument. You're incorrect that the only privacy options for the iOS Uber app are "always" or "never".

    There are currently three options, including "while using..." I'm not sure that any developers even have the option to not include the "while using..." function at this point.
     
  19. thadoggfather macrumors 604

    Joined:
    Oct 1, 2007
    #94
    https://imgur.com/a/bxMCz

    You're looking at it wrong

    Finally an update addressed it!

    I don't update uber every time a new build comes out and live on bleeding edge of poop software

    "Update your understanding" is still quite rude and rather aggressive. And you are wrong in saying developers can't do ALWAYS or never. They did. I showed you a screen grab
     
  20. iBrooker macrumors 6502

    Joined:
    Nov 20, 2016
    Location:
    Wales
    #95
    Why TF did Apple allow this?

    Massive breach of privacy - I hope Apple get sued for it! They have no right to allow anyone to spy on us.
     
  21. kdarling macrumors demi-god

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #96
    Hello and Welcome to the Internet! Useful rules include:

    * Don't assume that what you think you read, really meant what you think it did.

    In this case, if you read very carefully (especially the source links), you'll see that no one has claimed the app version that included the API could actually spy on other apps.

    Instead, they conjectured that if the API wasn't sandboxed, then maybe it could. And then someone threw in some really far-fetched scenarios that sounded scary.
     
  22. thadoggfather macrumors 604

    Joined:
    Oct 1, 2007
    #97
    Not maybe it could. It could.

    It's not far fetched they wanna keep tabs on where every one is for data analytics etc

    Uber again has a shady track record too.

    So I would not at all say far fetched

    Giving them the benefit of the doubt is as unfounded as being incredibly suspicious they aren't doing some shady practice that you can't exactly pinpoint or prove just yet or hasn't come out just yet

    It's a double standard
     
  23. Leguna24 macrumors member

    Joined:
    Jun 29, 2017
    Location:
    Hamilton
    #98
    But that’s taking the fun out of the bashing :-( .
     
  24. gweedo macrumors member

    Joined:
    Jul 23, 2002
    Location:
    TX
    #99
    The researcher pointed out what was possible not that uber was actually doing it. In fact he went on to say that there was no evidence that uber ever attempted to use the API in this way. No reason to freak out. :rolleyes:
     
  25. Bacillus macrumors 65816

    Joined:
    Jun 25, 2009
    #100
    Like it is possible that regularly, Uber treats women like gentlemen?
     
