Security researchers recently discovered Uber's app leveraged a powerful API to record users' iPhone screens in a bid to improve interoperability with its Apple Watch app, a permission only Apple could grant.
According to security researcher Will Strafach, Uber took advantage of an entitlement that allowed its app to record user screen information even while the app was running in the background, reports Gizmodo.
Entitlements are key-value flags embedded in an app's code signature that grant access to hardware and software features, but certain high-level entitlements are usually restricted to Apple's own first-party apps. Such entitlements carry the word "private" in their names and are closely guarded because they grant access to potentially sensitive user data.
Strafach says Apple's issuance of Uber's particular entitlement is extremely rare, noting no other apps on the App Store aside from Apple's own appear to benefit from the same functionality.
Uber claims Apple explicitly allowed the use of the entitlement, which was subsequently used to improve memory management on Apple Watch. Specifically, older versions of Apple's wearable were unable to render maps without the help of a paired iPhone, a main feature of Uber's software.
In a statement to Gizmodo, Uber said the permission is no longer in use and will be removed from the app.
"It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app," an Uber spokesperson said. "This dependency was removed with previous improvements to Apple's OS & our app. Therefore, we're removing this API from our iOS codebase."
With the entitlement in place, Uber or a nefarious actor could monitor a user's iPhone without their knowledge, potentially revealing passwords or other personal information.
"Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen," said researcher Luca Todesco. "It can potentially steal passwords etc."
Despite its potential as a snooping tool, Strafach notes there is no evidence that the permission was used maliciously.
The entitlement was first integrated when Apple launched Apple Watch in 2015, according to Strafach. When the wearable debuted, developers were given strict deadlines to rework their apps to function on the pint-sized device, the report said, suggesting Apple afforded Uber the entitlement as a convenience to get its title out on time.
When Apple took the wraps off Watch at a special event in 2014, a number of apps, including Apple's own Maps, were shown off with mapping assets. Uber's app was one of the few demonstrated by Apple VP of Technology Kevin Lynch during Apple's March 2015 keynote.
Uber's access to the sensitive entitlement might surprise some, as the ride-sharing firm was previously caught violating App Store guidelines when its app was found to be tracking individual devices through the collection of UUIDs. Then-CEO Travis Kalanick was called to Apple's headquarters for a chiding from CEO Tim Cook, who reportedly threatened to remove Uber's app from the App Store if the tracking feature was not removed.
Big Deal. Who cares.
Fire Tim Cook on the 50!
If Apple did allow it and didn’t rescind it when the Watch functioned well without it then that raises huge questions about Apple’s privacy emphasis. I certainly want to know more. Uber already has a very bad track record and I for one won’t be using their service any time.
I'm unclear on what was allowed. If this was used to render maps while Uber was in the background, then the frame buffer of the current screen would not show maps. It seems more likely, based on the purpose and on Apple's security focus, that Uber was allowed access to create a frame buffer of a view within the app while it was in the background, then send that view to the watch. That's pretty different from allowing access to a live video of whatever else the user was doing.