Uber’s seemingly endless quest to know (and potentially control) everything it could about the users of the company’s app, turns out to have had some help from Apple.
In an unprecedented move, Apple appears to have granted the ride-hailing company’s app the ability to access iOS devices’ frame buffer directly, which included the ability to see what was showing on the device’s screen. The capability was announced on Twitter by security researcher Will Strafach.
According to Strafach, the Uber app is the only instance he’s found during searches of thousands of apps that allows this. Despite its security and privacy implications, this capability was disclosed by neither Uber nor Apple. However, this is hardly the first time Uber has been found to violate its customers’ privacy and or pushed the boundaries of legality in the way its app works.
Uber, for example, had been prevented from tracking its customers even when they’re not using the app only because iOS 11 mandates the choice to allow location services only when the app is running, which is supposed to be the default condition.
However, even with that, I’ve noticed that the Uber app sometimes seems to quietly get switched to always allowing such location services once I’ve invoked the Uber app, until I specifically go and switch it back off.
But it’s not just me. Uber also went to the extent of tracking the location of law enforcement and regulatory officials, and then providing them with a fake app that ensured they couldn’t flag down a ride with an Uber driver.
Uber also reportedly found a way to track drivers working for its competitor Lyft. This pushing of the limits and other reports of bad behavior may have come home to roost as the city of London has announced that Uber’s license to operate will not be renewed because of such activities.
In this case the access to the frame buffer was due to the inability of the Apple Watch to render maps needed by the Uber app when displaying the location of an Uber ride. Because the Watch couldn’t do the rendering on its own, the Uber app would render the map on the iOS device and send the result to the phone, already rendered.
For this to happen, Apple had to give permission for such an action, which Apple calls an “entitlement.” This means that the specific app has the ability to invoke a function that’s normally restricted for use by Apple itself. Normally, Apple doesn’t allow this and when the company finds that app developers have used its private entitlements, it will remove the app from the App Store.
The reason the entitlement was allowed in this case is because Apple wanted to use the Uber app in its demonstration of the first Apple Watch in an on-stage presentation, and the only way to make it all work was to allow the entitlement.
According to reported statements from Uber, the use of the entitlement became unnecessary with subsequent updates to WatchOS and with new versions of the Apple Watch. However, the entitlement remained. Now, Uber says it has removed the capability from its app.
“This API has already been removed with an update now available in the App Store,” said Uber spokesperson Melanie Ensign in an email to eWEEK. “It was only used for short period of time with the 8.2 version of our Apple Watch app. It enabled the app to run memory-intensive renderings of Uber maps on the iPhone and then send the image to the Watch app. It was never used for any other purpose and has been nonfunctional for quite some time.”
At this point, there’s no indication that Uber used the entitlement for anything other than rendering maps on the original WatchOS version. However the fact that the capability was there, and continued to be available even with the latest versions of iOS, means that anyone with access to Uber’s network could have used the ability to see any screen where the Uber app was installed.
More disturbingly, the ability to see and record the frame buffer gives an attacker an effective keylogger since the frame buffer has access to login credentials. It’s not clear if such a capability might have been available to well-written software, but if it had been, then you had the beginning of a Trojan for iOS—something Apple has repeatedly said is not possible.
At this point, it’s not clear that there’s much you can do other than remove the Uber app from your iOS devices and even then it may not do much good. Uber has been accused in the past of finding ways to track devices even after the app is gone and even tracking devices even after the device was wiped clean and restarted as a new device.
In one case, Apple CEO Tim Cook reportedly summoned former Uber CEO Travis Kalanick to Apple HQ, where he was told that Uber would be banned from the App Store if he kept retained the ability to track iPhones even after they had been wiped.
The problem now is that Uber has created a huge security hole in iOS devices with Apple’s assistance. So the next question has to be, will Apple do anything to prevent Uber from using it? It would be interesting to hear about that, but so far Apple hasn’t responded to Apple’s request for comment on the state of Uber’s access to iOS devices.