The source article at Gizmodo admits "it’s possible that Apple sandboxed the entitlement to prevent it from accessing data outside Uber’s app" which lets all the air out of the story if you ask me. How about we wait until Gizmodo get their sh** together before flying off the handle.
In this case, the (continuous) screen capture/recording that was referred to reveals enough (password) info to make for a privacy breach of the highest order. With sandbox isolation in place or not.
 
The conclusion that you and others are jumping to, is that Apple did NOT restrict the API to Uber's own screens (seems likely) and/or that they did NOT thoroughly vet the app itself (less likely).

That said, some of Apple's privacy policies have relied on voluntary compliance. Remember the button that turned off ad ID tracking? All it did was set a software flag to alert the developer that they shouldn't use it. It didn't actually hide the ID.

I have read the complete original Gizmodo article and that is not the implication that is being made. The article rather implies that the API could be used to capture, plural, passwords and other personal information, i.e., not just information Uber already had on its servers or databases because you can only use one password at a time, and most people don't have multiple Uber accounts like they might for Amazon or iTunes:

Although the entitlement isn’t intended for this, the worry is that Uber—or a hacker who managed to break into Uber’s network—could silently monitor activity on an iPhone user’s screen, harvesting passwords and other personal information. “Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” explained Luca Todesco, a researcher and iPhone jailbreaker. “It can potentially steal passwords etc.”

Further, even if Apple did intend to restrict the API to Uber's screens Apple is still complicit in issuing an API that clearly had these vulnerabilities given it was a one-off just for Uber.
 
Disappointed with Apple. Uber on the other hand has been long replaced with Lyft.

Couldn't agree more with this point. Another shady practice by Uber, but definitely disappointed in Apple too.

I still have the Uber app installed on my phone, but it's Lyft all the way for me. I'll only book Uber if it looks like Lyft will take too long to get to where I'm at.
 
Apple was so desperate to make Apple Watch work that they did this; how disappointing. :(
 
I have read the complete original Gizmodo article and that is not the implication that is being made.

Implications != reality. When an article is full of weasel words like "potentially", watch out! It's exactly the same kind of clickbait that we see about Android "viruses".

First off, you left out the most important sentence in the article:

"Alternatively, it’s possible that Apple sandboxed the entitlement to prevent it from accessing data outside Uber’s app."

If Apple did that... and it does seem likely that an iOS API would indeed be limited only to its own space, as Apple does that a lot... then all the other conjecture about looking at other apps is totally bogus and it's a non-story.

---

As for the idea that someone could break into Uber's network and somehow get access to everyone's iPhone, well think about that.

What they're implying is that someone could hack Uber's source code and put in some code in their app so it would record and send screens to a third party server... without anyone noticing the code had changed.

Trouble is, companies like that use source control. So there'd be a record of a change, and the change would likely require a developer's password to commit.

Secondly, if we're going to bring up scenarios like that, a similar kind of hack would apply to ANY iPhone app. Gosh, somebody could break into Wells Fargo's developer network and modify the banking app to send them our bank passwords. Ditto for keyboard apps.
 
I stick with Lyft the 2 or 3 times a year I need such a service because their drivers are nicer in general

I'd be shocked if anyone could determine whether they were in a Lyft or Uber car based on how 'nice' the driver was.

Hell, for that matter am I the only Lyft/Uber rider that doesn't even notice such things? I'm not looking for a new friend, I just need a quick ride.
---
But there was a time when it was politically correct to support Uber as they overturned the stodgy cab business. Just goes to show that not all new things are fundamentally good.

Nah, Uber is definitely 'fundamentally good' as compared to the taxi cab industry. You want to go back?

The 'worst' Uber ride I ever had (I couldn't even name one) was better in every measurable way than any cab ride.
 
In this case, the (continuous) screen capture/recording that was referred to reveals enough (password) info to make for a privacy breach of the highest order. With sandbox isolation in place or not.

If the API is sandboxed, the app could only capture screen info from itself.

(Assuming Apple's smart enough that any of its own payment screens that Uber might link to are isolated.)
 
Google doesn't. No more so than Apple does but keep the fountain of misinformation flowing

Google doesn't spy on its users? What do you call that long-term feature where they would read all your Gmails so they could serve you up advertising?

Literally every comparison I've ever seen places Apple higher than Google when it comes to privacy and security of its users' data.
 
Implications != reality. When an article is full of weasel words like "potentially", watch out! It's exactly the same kind of clickbait that we see about Android "viruses".

First off, you left out the most important sentence in the article:

"Alternatively, it’s possible that Apple sandboxed the entitlement to prevent it from accessing data outside Uber’s app."

"Alternatively." "possible." Now who is using "weasel words" to make their point?

My point is that there seems to be a vulnerability baked into this API and either Apple didn't think it through or missed it. Obviously, all's well that ends well here. But if me and others are jumping to conclusions then Apple should set the record straight. From what Uber has admitted to something "potentially" harmful was baked into the API.
 
Google doesn't spy on its users? What do you call that long-term feature where they would read all your Gmails so they could serve you up advertising?

Virtually every public mail server in the world already has a computer scanning through the info looking for spam.

Remember the brouhaha when Apple's mail scanner started deleting mails that had the phrase "almost teenage" (or something similar), since it assumed that meant it was porn :rolleyes:
 
Gizmodo trying to make headlines. *yawn

It's almost like Gizmodo is holding a grudge against Apple for something.
---
I *hate* that location services can only be set to 'never' or 'always' for Uber app

HOW ABOUT 'while using' and allow no exceptions, Apple? Since an app with this functionality by no means always has to be running especially while not in use. 'Always' is super shady and not what I'm trying to do nor for battery life purposes

I hated that too, but it's in the past. Time to update your understanding of the issue.
 
My point is that there seems to be a vulnerability baked into this API and either Apple didn't think it through or missed it.

Your point has no evidence to support it yet.

All that's happened so far is typical internet clickbaiting. I mean, get real. The assumption that it's not sandboxed is a pretty big one.

Hey, I'm not a fan of the way Apple uses its customers' gullibility to claim privacy is always a top priority, but I'd be really surprised if they let Uber have a wide open screen capture API.

Obviously, all's well that ends well here. But if me and others are jumping to conclusions then Apple should set the record straight.

Yes, they should. I'd rather a third party actually analyze the code, though.

From what Uber has admitted to something "potentially" harmful was baked into the API.

Where did Uber say that?

What they've said is that it was only in one old version of the app, before Apple created an alternative method.
 
It's almost like Gizmodo is holding a grudge against Apple for something.

I hated that too, but it's in the past. Time to update your understanding of the issue.

That sounds incredibly arrogant "update my understanding"

Do elaborate by what you mean please

How could Apple not dictate "while using" instead of "always"?

Why is that a blasphemous point to bring up? Since Apple sets the rules and guidelines for their App Store and apps and is one of two only viable mobile OS platforms

You may not care about your privacy or battery life concerns personally but others may.

Uber has 2.5 stars on App Store by the way. I'm supposed to trust everything a shady company does? Hmm
 
That sounds incredibly arrogant "update my understanding"

Do elaborate by what you mean

How could Apple not dictate "while using"

Why is that a blasphemous point to bring up? Since Apple sets the rules and is one of two only viable mobile OS platforms

It's not arrogant to point out that your current understanding of how the "While using..." privacy feature of iOS currently works is incorrect as it pertains to the Uber app.
 
It's not arrogant to point out that your current understanding of how the "While using..." privacy feature of iOS currently works is incorrect as it pertains to the Uber app.

Then again please do elaborate.
On how perfect this 2.5 star app is in implementation and execution



Edit-

Also I'm not arguing it's ALWAYS running 24/7 your battery would last an hour

I'm arguing ALWAYS permission gives them permission ALWAYS

And from a company with a bunch of scandals on their hands and a low quality app, I would prefer a while using
 
Then again please do elaborate.
On how perfect this 2.5 star app is in implementation and execution

What is there to elaborate on? It's incorrect to say that "location services can only be set to 'never' or 'always' for Uber app".

I'm waiting..

What sense does it make to demand that I elaborate on something and say "I'm waiting" in the same post? You got impatient for my answer before you even asked me to elaborate?
 
What is there to elaborate on? It's incorrect to say that "location services can only be set to 'never' or 'always' for Uber app".



What sense does it make to demand that I elaborate on something and "I'm waiting" in the same post? You got impatient for my answer before you even asked me to elaborate?

In settings location services there are two toggles for location. Never or ALWAYS

Some have while using or never. Or some with all 3.
Uber used to have all 3. Read my above post edit for previous post.
 
In settings location services there are two toggles for location. Never or ALWAYS

Some have while using or never. Or some with all 3.
Uber used to have all 3. Read my above post edit for previous post.

Who's being arrogant here? I'm very simply pointing out the huge flaw in your argument and instead of listening, you edit your post and imply that surely I must not actually understand your argument. You're incorrect that the only privacy options for the iOS Uber app are "always" or "never".

There are currently three options, including "while using..." I'm not sure that any developers even have the option to not include the "while using..." function at this point.
 
Who's being arrogant here? I'm very simply pointing out the huge flaw in your argument and instead of listening, you edit your post and imply that surely I must not actually understand your argument. You're incorrect that the only privacy options for the iOS Uber app are "always" or "never".

There are currently three options, including "while using..." I'm not sure that any developers even have the option to not include the "while using..." function at this point.

https://imgur.com/a/bxMCz

You're looking at it wrong

Finally an update addressed it!

I don't update Uber every time a new build comes out and live on bleeding edge of poop software

"Update your understanding" is still quite rude and rather aggressive. And you are wrong in saying developers can't do ALWAYS or never. They did. I showed you a screen grab
 
Why TF did Apple allow this?

Massive breach of privacy - I hope Apple get sued for it! They have no right to allow anyone to spy on us.

Hello and Welcome to the Internet! Useful rules include:

* Don't assume that what you think you read, really meant what you think it did.

In this case, if you read very carefully (especially the source links), you'll see that no one has claimed the app version that included the API could actually spy on other apps.

Instead, they conjectured that if the API wasn't sandboxed, then maybe it could. And then someone threw in some really far-fetched scenarios that sounded scary.
 
Hello and Welcome to the Internet! Useful rules include:

* Don't assume that what you think you read, really meant what you think it did.

In this case, if you read very carefully (especially the source links), you'll see that no one has claimed the app version that included the API could actually spy on other apps.

Instead, they conjectured that if the API wasn't sandboxed, then maybe it could. And then someone threw in some really far-fetched scenarios that sounded scary.

Not maybe it could. It could.

It's not far fetched they wanna keep tabs on where every one is for data analytics etc

Uber again has a shady track record too.

So I would not at all say far fetched

Giving them the benefit of the doubt is as unfounded as being incredibly suspicious they aren't doing some shady practice that you can't exactly pinpoint or prove just yet or hasn't come out just yet

It's a double standard
 
I looked at the Gizmodo article. Here's where I stopped reading...

"Alternatively, it’s possible that Apple sandboxed the entitlement to prevent it from accessing data outside Uber’s app."

That Apple built in safeguards to prevent abuse is exactly the first thing I thought of. Shame nobody else wants to find out that part before getting all fired up.

But that’s taking the fun out of the bashing :-( .
 
Apple is the one that gave them this capability. I am more upset with Apple than Uber. Was anyone told Uber was recording all actions on the device thanks to Apple?
The researcher pointed out what was possible, not that Uber was actually doing it. In fact he went on to say that there was no evidence that Uber ever attempted to use the API in this way. No reason to freak out. :rolleyes:
 
The researcher pointed out what was possible, not that Uber was actually doing it. In fact he went on to say that there was no evidence that Uber ever attempted to use the API in this way. No reason to freak out. :rolleyes:
Like it is possible that regularly, Uber treats women like gentlemen ?
 