Apple allowed Uber use of API to record iPhone screens, feature to be removed
Security researchers recently discovered Uber's app leveraged a powerful API to record users' iPhone screens in a bid to improve interoperability with its Apple Watch app, a permission only Apple could grant.
According to security researcher Will Strafach, Uber took advantage of an entitlement that allowed its app to record user screen information even while the app was running in the background, reports Gizmodo.
Entitlements are basic bits of code that allow access to hardware and software features, but certain high-level entitlements are usually restricted to first-party apps. These permissions are appended in code with the term "private," and are extremely guarded as they grant access to potentially sensitive user data.
Strafach says Apple's issuance of Uber's particular entitlement is extremely rare, noting no other apps on the App Store aside from Apple's own appear to benefit from the same functionality.
Uber claims Apple explicitly allowed the use of the entitlement, which was subsequently used to improve memory management on Apple Watch. Specifically, older versions of Apple's wearable were unable to render maps without the help of a paired iPhone, a main feature of Uber's software.
In a statement to Gizmodo, Uber said the permission is no longer in use and will be removed from the app.
"It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app," an Uber spokesperson said. "This dependency was removed with previous improvements to Apple's OS & our app. Therefore, we're removing this API from our iOS codebase."
With the entitlement in place, Uber or a nefarious actor could monitor a user's iPhone without their knowledge, potentially revealing passwords or other personal information.
"Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," said researcher Luca Todesco. "It can potentially steal passwords etc."
Despite its potential as a snooping tool, Strafach notes there is no evidence that the permission was used maliciously.
The entitlement saw initial integration when Apple first launched Apple Watch in 2015, according to Strafach. When the wearable debuted, developers were given strict deadlines to rework their apps to function on the pint-sized device, the report said, suggesting Apple afforded Uber the entitlement as a convenience to get its title out on time.
When Apple took the wraps off Watch at a special event in 2014, a number of apps, including Apple's own Maps, were shown off with mapping assets. Uber's app was one of the few demonstrated by Apple VP of Technology Kevin Lynch during Apple's March 2015 keynote.
Uber's access to the sensitive entitlement might surprise some, as the ride sharing firm was caught violating App Store guidelines when its app was found to be tracking individual devices through the collection of UUIDs. Then-CEO Travis Kalanick was called to Apple's headquarters for a chiding from CEO Tim Cook, who reportedly threatened to remove Uber's app from the App Store if the tracking feature was not removed.
According to security researcher Will Strafach, Uber took advantage of an entitlement that allowed its app to record user screen information even while the app was running in the background, reports Gizmodo.
Entitlements are basic bits of code that allow access to hardware and software features, but certain high-level entitlements are usually restricted to first-party apps. These permissions are appended in code with the term "private," and are extremely guarded as they grant access to potentially sensitive user data.
Strafach says Apple's issuance of Uber's particular entitlement is extremely rare, noting no other apps on the App Store aside from Apple's own appear to benefit from the same functionality.
Uber claims Apple explicitly allowed the use of the entitlement, which was subsequently used to improve memory management on Apple Watch. Specifically, older versions of Apple's wearable were unable to render maps without the help of a paired iPhone, a main feature of Uber's software.
In a statement to Gizmodo, Uber said the permission is no longer in use and will be removed from the app.
"It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app," an Uber spokesperson said. "This dependency was removed with previous improvements to Apple's OS & our app. Therefore, we're removing this API from our iOS codebase."
With the entitlement in place, Uber or a nefarious actor could monitor a user's iPhone without their knowledge, potentially revealing passwords or other personal information.
"Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," said researcher Luca Todesco. "It can potentially steal passwords etc."
Despite its potential as a snooping tool, Strafach notes there is no evidence that the permission was used maliciously.
The entitlement saw initial integration when Apple first launched Apple Watch in 2015, according to Strafach. When the wearable debuted, developers were given strict deadlines to rework their apps to function on the pint-sized device, the report said, suggesting Apple afforded Uber the entitlement as a convenience to get its title out on time.
When Apple took the wraps off Watch at a special event in 2014, a number of apps, including Apple's own Maps, were shown off with mapping assets. Uber's app was one of the few demonstrated by Apple VP of Technology Kevin Lynch during Apple's March 2015 keynote.
Uber's access to the sensitive entitlement might surprise some, as the ride sharing firm was caught violating App Store guidelines when its app was found to be tracking individual devices through the collection of UUIDs. Then-CEO Travis Kalanick was called to Apple's headquarters for a chiding from CEO Tim Cook, who reportedly threatened to remove Uber's app from the App Store if the tracking feature was not removed.
Comments
If Apple willingly allowed them to do so, that's kind of big news.
Nefarious actor.... like certain 3-letter organizations?
At worst it was an oversight by Apple not to remove this access when it was no longer needed to render in the background. Probably Uber didn't have the kind access reported by these guys or wasn't aware what else they could do with it.
Deliberately abusing a favor granted by Apple would have resulted in an immediate app ban and the end of Uber as a viable service in comparison to Lyft.