
kdarling

macrumors P6
Not maybe it could. It could.

Only if not sandboxed. Something that open would be a very unusual API for Apple.

Giving them the benefit of the doubt is as unfounded as being incredibly suspicious they aren't doing some shady practice that you can't exactly pinpoint or prove just yet or hasn't come out just yet

Oh I'm not giving Uber the benefit of the doubt. They have too much history otherwise.

I'm giving Apple the benefit of the doubt.
 

thadoggfather

macrumors P6
Oct 1, 2007
15,539
16,253
Only if not sandboxed. Something that open would be a very unusual API for Apple.



Oh I'm not giving Uber the benefit of the doubt. They have too much history otherwise.

I'm giving Apple the benefit of the doubt.

It's tough to though, considering they allowed them to do it, and as mentioned it's a prominent high profile app and service

I could understand a more indie lesser known app slipping through the cracks

But this one is stranger than usual IMO
 

tooloud10

macrumors 6502
Aug 14, 2012
466
766
https://imgur.com/a/bxMCz

You're looking at it wrong

Finally an update addressed it!

So...like I've been saying the whole time?

I don't update uber every time a new build comes out and live on bleeding edge of poop software

"Update your understanding" is still quite rude and rather aggressive.

And deflection ("it's not my fault, I don't update so can't be expected to know how it works") and condescension ("I've been proven wrong, but I'm still going to talk down to you") isn't rude and aggressive?

And you are wrong in saying developers can't do ALWAYS or never. They did. I showed you a screen grab

Hoo boy, here we go again. I'm just gonna say it, bro--developers can't do always or never anymore, and posting a screen cap of an old version of the Uber app running on an old version of iOS doesn't change that. It may have worked that way in the past, but it does not now.

Is it more palatable to you if I suggest that you're basing your arguments on outdated information?
 

kdarling

macrumors P6
It's tough to though, considering they allowed them to do it, and as mentioned it's a prominent high profile app and service

Allowed them to do WHAT, is the question.

If they only allowed them to grab a map screen within their own iPhone app, so they could send the image to their Watch app, then there is no security problem.

If, on the other hand (and this is a big IF), Apple gave Uber the ability to grab any screen, then there'll be hell to pay and Apple's privacy rep will suffer. But most of us don't believe this scenario.

I could understand a more indie lesser known app slipping through the cracks

There was no slipping through cracks here. It was a deliberate aid to a big name app developer, while other developers struggled without the same help at the time.
 

ke-iron

macrumors 68000
Aug 14, 2014
1,536
1,020
I’m not sure why a lot of people are bashing Apple here. Sure mistakes were made, but if Uber is the one actively using exploits for malicious intent, then they are the one to be mad at. Apple didn’t intentionally put out bad software. Uber intentionally uses exploits when they see loopholes.

If I were Apple I would impose a hefty fine and a promise never to use found exploits to their advantage again, or simply a ban from the AppStore for life. Choose.

Uber already has a huge strike against them. I don’t think Apple will wait till strike 3 to boot them. The next time they are found stealing customer info or tracking them, they will be banned.
 

Wildkraut

Suspended
Nov 8, 2015
3,583
7,673
Germany
Well, Apple fired Scott Forstall for not saying sorry, because of simple Apple Maps issues.
Now I want to see heads rolling for this privacy fiasco, a simple pub "Sorry" won’t help.
My trust got shaken up... :/
 

SpinThis!

macrumors 6502
Jan 30, 2007
480
135
Inside the Machine (Green Bay, WI)
If, on the other hand (and this is a big IF), Apple gave Uber the ability to grab any screen, then there'll be hell to pay and Apple's privacy rep will suffer. But most of us don't believe this scenario.

Well that's exactly what this is looking like.

com.apple.private.allow-explicit-graphics-priority

Allows apps to record the frame buffer. Jailbreak apps have used this, for example, to record in the background. So yeah this is pretty serious stuff.

However, the security researcher also admits there's no evidence that Uber even did use this nefariously. So unless he's got evidence the app was phoning home and sending frame buffer data secretly, why even mention this? That should be pretty easy to verify. Screenshots are also pretty large, you'd think sending a huge dump, someone would have noticed by now. Uber would also have to know exactly when to start recording too.

The worst part of this is there's going to be more headlines about this and every anti-Apple fanboy is going to rake them over the coals for a supposed gaffe for a "secure" company.
 

kdarling

macrumors P6
Well that's exactly what this is looking like.

com.apple.private.allow-explicit-graphics-priority

Allows apps to record the frame buffer. Jailbreak apps have used this, for example, to record in the background. So yeah this is pretty serious stuff.

Thank you. If so, and if Apple did not modify the API to sandbox it, then that removes half of my giving Apple the benefit of the doubt, and lends some support to those I've been debating with.

(To the reader: access to third party apps reading the display frame buffer was removed in iOS 9 in Fall 2015, with the above entitlement used to lock it down to Apple's own use only. After that, only jailbroken phones could use it. However, apparently Uber's regular store app was also given access by Apple.)

So, if not sandboxed, then public trust would rely greatly on a belief that Apple thoroughly vetted the Uber app, to make sure it did not have any code using that API, that could run in the background. I would think and hope that to be the case.

The worst part of this is there's going to be more headlines about this and every anti-Apple fanboy is going to rake them over the coals for a supposed gaffe for a "secure" company.

They're not the ones to worry about, as they already don't believe in Apple's privacy claims.

The big PR problem would be from all those iOS fans who had trusted Apple to always take the path of highest security.
 
Last edited:
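
As an added example (not code from this thread, from Apple or from Uber): a defender-side check that lists Apple-private entitlements found in an app's entitlements plist, using the entitlement key quoted above. The sample plist, its bundle and team identifiers and the function names are constructed for illustration, and treating every `com.apple.private.` key as worth review is this example's assumption.

```python
import plistlib

# Prefix of entitlements reserved for Apple's own software (assumption of this
# example: any key under it in a third-party app deserves review).
PRIVATE_PREFIX = "com.apple.private."

# Constructed sample: an entitlements plist as it might be extracted from an
# app's code signature. Bundle and team identifiers are placeholders; only the
# private entitlement key is taken from the thread.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID0000.com.example.rideapp</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.private.allow-explicit-graphics-priority</key>
    <true/>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
"""

def private_entitlements(plist_bytes):
    """Return {key: value} for every granted entitlement under com.apple.private."""
    entitlements = plistlib.loads(plist_bytes)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must have a dict at top level")
    flagged = {}
    for key, value in entitlements.items():
        # A boolean entitlement set to false is present but not granted.
        if key.startswith(PRIVATE_PREFIX) and value is not False:
            flagged[key] = value
    return flagged

def audit(apps):
    """Map app name -> sorted list of private entitlement keys it holds."""
    report = {}
    for name, plist_bytes in apps.items():
        found = private_entitlements(plist_bytes)
        if found:
            report[name] = sorted(found)
    return report

if __name__ == "__main__":
    for app, keys in audit({"RideApp (constructed)": SAMPLE_ENTITLEMENTS}).items():
        print(app, "->", ", ".join(keys))
```

A flagged key only shows that the capability was granted, which is the distinction the posts above draw between having the entitlement and using it.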

SpinThis!

macrumors 6502
Jan 30, 2007
480
135
Inside the Machine (Green Bay, WI)
if Apple did not modify the API to sandbox it, then that removes half of my giving Apple the benefit of the doubt, and lends some support to those I've been debating with.

Well, that's exactly what we don't know—was this sandboxed? I'm guessing, it probably was.

Also, most researchers also hack on jailbroken devices so there's going to be differences there. App Store apps also can't necessarily run in background so even if Uber had access, they couldn't do anything with it. You'd want to be able to stealthily record on demand. Since iOS 9, Apple has also blocked sysctl that let apps read what other processes were running. So any articles that make claims about "spying" on Lyft drivers if they had the app installed are bogus.

If Uber were really spying/recording users, the app would have to:

a) run in the background for an extended period of time (not that easy to do)
b) record the screen (which is a pretty intensive process)
c) save that data in its own app space (that could get big quickly)
d) compress the data somehow (so it takes less time to transmit)
e) send that data off somewhere (again, seems unlikely)

If you don't do e), everything else is really moot. I'd imagine it'd be pretty easy to see how much data Uber would be transmitting. Also Uber is not Google NOR the NSA: I don't think they could even handle every piece of data that would even come in.

So, let's say Uber WAS really doing this. There's really 2 sides to security: is it feasible and is it practical? It certainly SEEMS technically possible to phone home and record users' screens.

However practically speaking, it would likely not really be all that feasible. Uber is super shady. But not shady enough to get around most iOS and networking limitations.
 

stevekr

macrumors newbie
Nov 14, 2014
19
17
Agree. This needs to be established. And without including this statement, the current article can be called inflammatory in nature. Look at how the people are riled up. It would be nice for Apple to clarify on the kind of "entitlements" it gives to developers and make a statement on this particular entitlement.

Also, passwords COULD NOT have been stolen as long as they were starred-out, since they could be deduced only by analyzing screen captures. So if people have not checked the "show password" box, the possibility of passwords leaking doesn't exist.
If they could screen capture passwords that were starred couldn't they also see the letters and numbers entered on the keyboard as you typed your password?
 

Phonephreak

macrumors 6502a
Aug 24, 2017
572
530
Here and there
We haven't heard Apple's side of this. It's entirely possible that Apple has carefully monitored the Uber app to ensure it doesn't use the entitlement for shady purposes. I suspect it has gotten considerable attention from Apple since Uber and its app were found to be actively trying to dodge Apple's vetting process. It sounds like you're making the assumption that Apple was asleep at the wheel. I don't know that that is the case. Do you have evidence otherwise?
Has anyone shown that Uber was, indeed, recording all actions on the device? Or are you just assuming that? What I got from the article was that their app had a grant of special permissions that could have been used to do that, not that they actually did it.
Where have you read authoritative statements that Apple wasn't vetting its use?

To be clear, I don't like Uber, I think they've done horrible things. But it seems like a lot of people are reading "could have used this API to..." and conveniently ignoring the "could have" and treating this as proof that they did use the API in the way proposed by the security researchers. I've seen no evidence that warrants this leap to judgement. Unless you just really like pitchforks. There's enough things to get upset about that Uber has done. No need to get upset at hypotheticals, unless/until they are proved true.
Apple publicly states that user privacy is one of their primary concerns. Then things like this come to the public eye. I love Apple's product and appreciate their privacy platform. Not saying Apple is guilty of anything here, but it is ironic.
 

Bacillus

Suspended
Jun 25, 2009
2,681
2,200
OMG and ignorant me was soo assured by Yahoo that only a few accounts got hacked.
Which turned out to be a near billion (after some particular example of the retain-the-badnews-until-thejoesixpackpublic-is-busy-with-itself-again tactics)
So I will go and sleep well tonight, until the moment that all Uber customers were hacked - which might be sooner or later
 