Uber Removing Apple-Granted API That Could Have Let it Record a User’s iPhone Screen [Updated]

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Oct 5, 2017.

  1. kdarling macrumors demi-god

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #101
    Only if not sandboxed. Something that open would be a very unusual API for Apple.

    Oh I'm not giving Uber the benefit of the doubt. They have too much history otherwise.

    I'm giving Apple the benefit of the doubt.
     
  2. thadoggfather macrumors 604

    Joined:
    Oct 1, 2007
    #102
    It's tough to tho considering they allowed them to do it, and as mentioned it's a prominent high profile app and service

    I could understand a more indie lesser known app slipping through the cracks

    But this one is stranger than usual IMO
     
  3. tooloud10 macrumors member

    Joined:
    Aug 14, 2012
    #103
    So...like I've been saying the whole time?

    And deflection ("it's not my fault, I don't update so can't be expected to know how it works") and condescension ("I've been proven wrong, but I'm still going to talk down to you") isn't rude and aggressive?

    Hoo boy, here we go again. I'm just gonna say it, bro--developers can't do always or never anymore, and posting a screen cap of an old version of the Uber app running on an old version of iOS doesn't change that. It may have worked that way in the past, but it does not now.

    Is it more palatable to you if I suggest that you're basing your arguments on outdated information?
     
  4. kdarling macrumors demi-god

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #104
    Allowed them to do WHAT, is the question.

    If they only allowed them to grab a map screen within their own iPhone app, so they could send the image to their Watch app, then there is no security problem.

    If, on the other hand (and this is a big IF), Apple gave Uber the ability to grab any screen, then there'll be hell to pay and Apple's privacy rep will suffer. But most of us don't believe this scenario.

    There was no slipping through cracks here. It was a deliberate aid to a big name app developer, while other developers struggled without the same help at the time.
     
  5. SeaFox macrumors 68020

    Joined:
    Jul 22, 2003
    Location:
    Somewhere Else
    #105
    Like your life... by using their app/service.
     
  6. sdz macrumors 6502

    Joined:
    May 28, 2014
    Location:
    Europe/Germany
  7. ke-iron macrumors 6502a

    Joined:
    Aug 14, 2014
    #107
    I’m not sure why a lot of people are bashing Apple here. Sure mistakes were made, but if Uber is the one actively using exploits for malicious intent, then they are the one to be mad at. Apple didn’t intentionally put out bad software. Uber intentionally uses exploits when they see loopholes.

    If I were Apple I would impose a hefty fine and a promise never to use found exploits to their advantage again, or simply a ban from the AppStore for life. Choose.

    Uber already has a huge strike against them. I don’t think Apple will wait till strike 3 to boot them. The next time they are found stealing customer info or tracking them, they will be banned.
     
  8. Wildkraut macrumors 6502

    Joined:
    Nov 8, 2015
    Location:
    Germany
    #108
    Well, Apple fired Scott Forstall for not saying sorry, because of simple Apple Maps issues.
    Now I want to see heads rolling for this privacy fiasco, a simple pub "Sorry" won’t help.
    My trust got shaken up... :/
     
  9. SpinThis!, Oct 6, 2017
    Last edited: Oct 6, 2017

    SpinThis! macrumors 6502

    Joined:
    Jan 30, 2007
    Location:
    Inside the Machine (Green Bay, WI)
    #109
    Well that's exactly what this is looking like.

    com.apple.private.allow-explicit-graphics-priority

    Allows apps to record the frame buffer. Jailbreak apps have used this, for example, to record in the background. So yeh this is pretty serious stuff.

    However, the security researcher also admits there's no evidence that Uber even did use this nefariously. So unless he's got evidence the app was phoning home and sending frame buffer data secretly, why even mention this? That should be pretty easy to verify. Screenshots are also pretty large, you'd think sending a huge dump, someone would have noticed by now. Uber would also have to know exactly when to start recording too.

    The worst part of this is there's going to be more headlines about this and every anti-Apple fanboy is going to rake them over the coals for a supposed gaffe for a "secure" company.
     
  10. kdarling, Oct 6, 2017
    Last edited: Oct 7, 2017

    kdarling macrumors demi-god

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 46 years ago
    #110
    Thank you. If so, and if Apple did not modify the API to sandbox it, then that removes half of my giving Apple the benefit of the doubt, and lends some support to those I've been debating with.

    (To the reader: access to third party apps reading the display frame buffer was removed in iOS 9 in Fall 2015, with the above entitlement used to lock it down to Apple's own use only. After that, only jailbroken phones could use it. However, apparently Uber's regular store app was also given access by Apple.)

    So, if not sandboxed, then public trust would rely greatly on a belief that Apple thoroughly vetted the Uber app, to make sure it did not have any code using that API, that could run in the background. I would think and hope that to be the case.

    They're not the ones to worry about, as they already don't believe in Apple's privacy claims.

    The big PR problem would be from all those iOS fans who had trusted Apple to always take the path of highest security.
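
Added example, not part of the original thread or any poster's code: a reviewer-side audit of an app's entitlements plist (the XML that `codesign -d --entitlements :- <App>.app` prints) that flags granted entitlements in the `com.apple.private.` namespace, including the one named in post #109. The sample plist and its team and bundle identifiers are constructed, and treating the whole `com.apple.private.` prefix as Apple-only is an assumption.

```python
import plistlib
import xml.parsers.expat

PRIVATE_PREFIX = "com.apple.private."  # assumption: prefix marks Apple-only entitlements
WATCHLIST = {"com.apple.private.allow-explicit-graphics-priority"}  # named in post #109

# Constructed sample input; identifiers are placeholders, not taken from any real app.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>application-identifier</key><string>TEAMID0000.com.example.rides</string>
  <key>aps-environment</key><string>production</string>
  <key>com.apple.private.allow-explicit-graphics-priority</key><true/>
  <key>com.apple.security.application-groups</key>
  <array><string>group.com.example.rides</string></array>
</dict>
</plist>
"""

def parse_entitlements(blob):
    """Parse an entitlements plist; reject anything that is not a dictionary."""
    try:
        data = plistlib.loads(blob)
    except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError) as exc:
        raise ValueError(f"unreadable entitlements plist: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("entitlements plist root must be a dict")
    return data

def is_granted(value):
    """A key set to false or to an empty collection grants nothing."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (list, dict, str, bytes)):
        return len(value) > 0
    return value is not None

def audit(blob):
    """Return (key, reasons) for every granted entitlement a reviewer should look at."""
    findings = []
    for key, value in sorted(parse_entitlements(blob).items()):
        reasons = []
        if key.startswith(PRIVATE_PREFIX):
            reasons.append("apple-private namespace")
        if key in WATCHLIST:
            reasons.append("named in thread")
        if reasons and is_granted(value):
            findings.append((key, reasons))
    return findings

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_ENTITLEMENTS):
        print(f"REVIEW {key}: {', '.join(reasons)}")
```

A key that is present but set to `false` is not reported, so the output lists only entitlements the signature actually grants.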
     
  11. SpinThis!, Oct 7, 2017
    Last edited: Oct 7, 2017

    SpinThis! macrumors 6502

    Joined:
    Jan 30, 2007
    Location:
    Inside the Machine (Green Bay, WI)
    #111
    Well, that's exactly what we don't know—was this sandboxed? I'm guessing, it probably was.

    Also, most researchers hack on jailbroken devices so there's going to be differences there. App Store apps also can't necessarily run in background so even if Uber had access, they couldn't do anything with it. You'd want to be able to stealthily record on demand. Since iOS 9, Apple has also blocked sysctl that let apps read what other processes were running. So any articles that make claims about "spying" on Lyft drivers if they had the app installed are bogus.

    If Uber were really spying/recording users, the app would have to:

    a) run in the background for an extended period of time (not that easy to do)
    b) record the screen (which is a pretty intensive process)
    c) save that data in its own app space (that could get big quickly)
    d) compress the data somehow (so it takes less time to transmit)
    e) send that data off somewhere (again, seems unlikely)

    If you don't do e), everything else is really moot. I'd imagine it'd be pretty easy to see how much data Uber would be transmitting. Also Uber is not Google NOR the NSA: I don't think they could even handle every piece of data that would even come in.

    So, let's say Uber WAS really doing this. There's really 2 sides to security: is it feasible and is it practical? It certainly SEEMS technically possible to phone home and record users' screens.

    However practically speaking, it would likely not really be all that feasible. Uber is super shady. But not shady enough to get around most iOS and networking limitations.
     
  12. stevekr macrumors newbie

    Joined:
    Nov 14, 2014
    #112
    If they could screen capture passwords that were starred couldn't they also see the letters and numbers entered on the keyboard as you typed your password?
     
  13. Phonephreak macrumors regular

    Joined:
    Aug 24, 2017
    Location:
    Here and there
    #113
    Apple publicly states that user privacy is one of their primary concerns. Then things like this come to the public eye. I love Apple's product and appreciate their privacy platform. Not saying Apple is guilty of anything here, but it is ironic.
     
  14. Bacillus macrumors 65816

    Joined:
    Jun 25, 2009
    #114
    OMG and ignorant me was soo assured by Yahoo that only a few accounts got hacked.
    Which turned out to be a near billion (after some particular example of the retain-the-badnews-until-thejoesixpackpublic-is-busy-with-itself-again tactics)
    So I will go and sleep well tonight, until the moment that all Uber customers were hacked - which might be sooner or later
     
