Apple allowed Uber use of API to record iPhone screens, feature to be removed

Posted in General Discussion, edited October 2017
Security researchers recently discovered Uber's app leveraged a powerful API to record users' iPhone screens in a bid to improve interoperability with its Apple Watch app, a permission only Apple could grant.




According to security researcher Will Strafach, Uber took advantage of an entitlement that allowed its app to record user screen information even while the app was running in the background, reports Gizmodo.

Entitlements are key-value declarations, embedded in an app's code signature, that allow access to hardware and software features, but certain high-level entitlements are usually restricted to first-party apps. These restricted permissions carry the term "private" in their names and are closely guarded, as they grant access to potentially sensitive user data.

Strafach says Apple's issuance of Uber's particular entitlement is extremely rare, noting no other apps on the App Store aside from Apple's own appear to benefit from the same functionality.

Uber claims Apple explicitly allowed the use of the entitlement, which was subsequently used to improve memory management on Apple Watch. Specifically, older versions of Apple's wearable were unable to render maps, a main feature of Uber's software, without the help of a paired iPhone.

In a statement to Gizmodo, Uber said the permission is no longer in use and will be removed from the app.

"It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app," an Uber spokesperson said. "This dependency was removed with previous improvements to Apple's OS & our app. Therefore, we're removing this API from our iOS codebase."

With the entitlement in place, Uber or a nefarious actor could monitor a user's iPhone without their knowledge, potentially revealing passwords or other personal information.

"Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," said researcher Luca Todesco. "It can potentially steal passwords etc."

Despite its potential as a snooping tool, Strafach notes there is no evidence that the permission was used maliciously.

The entitlement saw initial integration when Apple first launched Apple Watch in 2015, according to Strafach. When the wearable debuted, developers were given strict deadlines to rework their apps to function on the pint-sized device, the report said, suggesting Apple afforded Uber the entitlement as a convenience to get its title out on time.

When Apple took the wraps off Watch at a special event in 2014, a number of apps, including Apple's own Maps, were shown off with mapping assets. Uber's app was one of the few demonstrated by Apple VP of Technology Kevin Lynch during Apple's March 2015 keynote.

Uber's access to the sensitive entitlement might surprise some, as the ride sharing firm was caught violating App Store guidelines when its app was found to be tracking individual devices through the collection of UUIDs. Then-CEO Travis Kalanick was called to Apple's headquarters for a chiding from CEO Tim Cook, who reportedly threatened to remove Uber's app from the App Store if the tracking feature was not removed.
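
An added example, not part of the original article or any Uber or Apple code: a short Python audit that flags "private" entitlements and checks whether one was dropped between two builds, as Uber said it would do. It assumes each build's entitlements have already been extracted from its code signature as a property list; the sample builds, the bundle identifier and the `com.apple.private.example-placeholder` key are constructed placeholders, since the article does not name the real entitlement.

```python
import plistlib

# Constructed sample data: two builds of a hypothetical app. The ".private."
# key is a placeholder; the page does not name the entitlement Uber held.
OLD_BUILD = plistlib.dumps({
    "application-identifier": "ABCDE12345.com.example.rides",
    "aps-environment": "production",
    "com.apple.private.example-placeholder": True,
})
NEW_BUILD = plistlib.dumps({
    "application-identifier": "ABCDE12345.com.example.rides",
    "aps-environment": "production",
})

def load_entitlements(plist_bytes):
    """Parse an entitlements plist (XML or binary) into a dict."""
    try:
        ents = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or truncated plist
        raise ValueError(f"not a valid property list: {exc}") from exc
    if not isinstance(ents, dict):
        raise ValueError("entitlements must be a plist dictionary")
    return ents

def private_keys(ents):
    """Keys with a 'private' component, matched per dot-separated label."""
    return sorted(k for k in ents if "private" in k.lower().split("."))

def compare_builds(old_bytes, new_bytes):
    """Report private entitlements still present, dropped, or newly added."""
    old = set(private_keys(load_entitlements(old_bytes)))
    new = set(private_keys(load_entitlements(new_bytes)))
    return {
        "still_present": sorted(old & new),
        "removed": sorted(old - new),
        "added": sorted(new - old),
    }

if __name__ == "__main__":
    for status, keys in compare_builds(OLD_BUILD, NEW_BUILD).items():
        print(f"{status}: {keys or 'none'}")
```

Any key reported under `still_present` or `added` is one to raise with the vendor or block in an enterprise app review.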

Comments

  • Reply 1 of 25
    Big Deal. Who cares.
  • Reply 2 of 25
    tallest skil Posts: 42,703 member
    Big Deal. Who cares.
    said the prole as the Hate Day parade streamed past, the Eurasian prisoners caged in the backs of vehicles…
  • Reply 3 of 25
    hmurchison Posts: 12,101 member
    Fire Tim Cook on the 50!
  • Reply 4 of 25
    If Apple did allow it and didn’t rescind it when the Watch functioned well without it then that raises huge questions about Apple’s privacy emphasis. I certainly want to know more. Uber already has a very bad track record and I for one won’t be using their service any time. 
  • Reply 5 of 25
    dws-2 Posts: 148 member
    I'm unclear on what was allowed. If this was used to render maps while Uber was in the background, then the frame buffer of the current screen would not show maps. It seems more likely, based on the purpose and on Apple's security focus, that Uber was allowed access to create a frame buffer of a view within the app while it was in the background, then send that view to the watch. That's pretty different from allowing access to a live video of whatever else the user was doing.
  • Reply 6 of 25
    NSFW
  • Reply 7 of 25
    Big Deal. Who cares.
    said the prole as the Hate Day parade streamed past, the Eurasian prisoners caged in the backs of vehicles…
    Winston Smith?
  • Reply 8 of 25
    k2kw Posts: 1,057 member
    Big Deal. Who cares.
    When you lay down with dogs you get fleas.
  • Reply 9 of 25
    tomhq Posts: 22 member
    Not cool, Apple, not cool
  • Reply 10 of 25
    dws-2 said:
    I'm unclear on what was allowed. If this was used to render maps while Uber was in the background, then the frame buffer of the current screen would not show maps. It seems more likely, based on the purpose and on Apple's security focus, that Uber was allowed access to create a frame buffer of a view within the app while it was in the background, then send that view to the watch. That's pretty different from allowing access to a live video of whatever else the user was doing.
    Yeah, that's my guess too.  
  • Reply 11 of 25
    RacerhomieX Posts: 95 unconfirmed, member
    Stop being triggered folks. Don't like Uber, don't use their apps.
  • Reply 12 of 25
    spheric Posts: 1,446 member
    Stop being triggered folks. Don't like Uber, don't use their apps.
    This is more than that. Uber has utilised what can only be called criminal energy and nefariously duped people – and Apple – about the information presented, and the information collected. 

    If Apple willingly allowed them to do so, that's kind of big news.
  • Reply 13 of 25
    cgWerks Posts: 805 member
    re: "With the entitlement in place, Uber or a nefarious actor could monitor a user's iPhone without their knowledge, potentially revealing passwords or other personal information."

    Nefarious actor.... like certain 3-letter organizations?
  • Reply 14 of 25
    dws-2 said:
    I'm unclear on what was allowed. If this was used to render maps while Uber was in the background, then the frame buffer of the current screen would not show maps. It seems more likely, based on the purpose and on Apple's security focus, that Uber was allowed access to create a frame buffer of a view within the app while it was in the background, then send that view to the watch. That's pretty different from allowing access to a live video of whatever else the user was doing.
    Yeah, that's my guess too.  
    I agree. Too many people that don’t know enough about coding are writing articles that shouldn’t ever be published.
  • Reply 15 of 25
    foggyhill Posts: 4,341 member
    tomhq said:
    Not cool, Apple, not cool
    Right.. Or clickbait, just more clickbait... Cause well, it's Apple huh. Did you just register to tell us Apple is "not cool" or maybe it's a lot more complicated than that and implicates a company, Uber, who has been underhanded in many many ways.
  • Reply 16 of 25
    Stop being triggered folks. Don't like Uber, don't use their apps.
    Oh their app is long deleted, but they have our data from when we trusted them, including whatever was on our screen while running in the background! And they have a new Privacy policy kicking in soon. And they don't get the benefit of the doubt concerning their explanation (or anything else). Will SEC protect SoftBank so the funds go to a company that will hire people and buy capital goods rather than bail out foolish VCs?
  • Reply 17 of 25
    cropr Posts: 676 member
    Big Deal. Who cares.
    I do.  And I think it is a very big deal
    Anybody who thinks that Apple really cares about our privacy, must be extremely naive, as this case shows. 
    Apple is only interested in our privacy as long as it is good for its bottom line. And that is sad
  • Reply 18 of 25
    nht Posts: 4,000 member
    cropr said:
    Big Deal. Who cares.
    I do.  And I think it is a very big deal
    Anybody who thinks that Apple really cares about our privacy, must be extremely naive, as this case shows. 
    Apple is only interested in our privacy as long as it is good for its bottom line. And that is sad
    Bollocks.  

    At worst it was an oversight by Apple not to remove this access when it was no longer needed to render in the background.  Probably Uber didn't have the kind of access reported by these guys or wasn't aware what else they could do with it.

    Deliberately abusing a favor granted by Apple would have resulted in an immediate app ban and the end of Uber as a viable service in comparison to Lyft.
  • Reply 19 of 25
    spheric Posts: 1,446 member
    nht said:
    cropr said:
    Big Deal. Who cares.
    I do.  And I think it is a very big deal
    Anybody who thinks that Apple really cares about our privacy, must be extremely naive, as this case shows. 
    Apple is only interested in our privacy as long as it is good for its bottom line. And that is sad
    Bollocks.  

    At worst it was an oversight by Apple not to remove this access when it was no longer needed to render in the background.  Probably Uber didn't have the kind of access reported by these guys or wasn't aware what else they could do with it.

    Deliberately abusing a favor granted by Apple would have resulted in an immediate app ban and the end of Uber as a viable service in comparison to Lyft.
    You really haven’t been following Uber, have you? They’ve done far worse, and Apple actually DID call them in because they were about to ban them at one point for abusing private APIs to track devices.
  • Reply 20 of 25
    nht Posts: 4,000 member
    spheric said:
    nht said:
    cropr said:
    Big Deal. Who cares.
    I do.  And I think it is a very big deal
    Anybody who thinks that Apple really cares about our privacy, must be extremely naive, as this case shows. 
    Apple is only interested in our privacy as long as it is good for its bottom line. And that is sad
    Bollocks.  

    At worst it was an oversight by Apple not to remove this access when it was no longer needed to render in the background.  Probably Uber didn't have the kind of access reported by these guys or wasn't aware what else they could do with it.

    Deliberately abusing a favor granted by Apple would have resulted in an immediate app ban and the end of Uber as a viable service in comparison to Lyft.
    You really haven’t been following Uber, have you? They’ve done far worse, and Apple actually DID call them in because they were about to ban them at one point for abusing private APIs to track devices.
    I have and this is different.  Uber was using IOKit to attempt to halt fraud in China and then hiding that from Apple.  This would be abusing granted access for nefarious purpose and Uber at this point has exhausted its good will with pretty much everyone and Lyft is a viable competitor.