Will Strafach, a US-based security researcher, has discovered that the online ride service Uber had official permission from Apple to access the screen-recording feature. This access makes the app capable of recording your iPhone screen, even when the app is closed. The company, however, rejected the security breach fears, stating the code was installed to improve the experience on the Apple Watch version of the app.
Notably, Apple grants developers “entitlements”, pieces of code that enable access to key features of an iPhone. Access to the screen-recording feature, however, is not available to all developers. Strafach claims that no other third-party apps except Uber had this special privilege. The permission is known as “com.apple.private.allow-explicit-graphics-priority” and allows developers to access and alter parts of the iPhone’s memory that contain data on pixels and the display.
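For teams that vet iOS apps before allowing them on managed devices, the following added example (not code from Strafach, Uber or Apple) lists every private entitlement in an entitlements plist extracted from an app's code signature, for instance with Apple's codesign tool. The sample plist, its bundle and team identifiers, and the function name are constructed for illustration; treating the `com.apple.private.` prefix as the marker of a private entitlement is an assumption generalized from the one key named above.

```python
import plistlib

# Assumption: private entitlements share this prefix, as the key in the article does.
PRIVATE_PREFIX = "com.apple.private."

# Constructed sample: entitlements of a hypothetical ride-hailing app.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID1234.com.example.rides</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>keychain-access-groups</key>
    <array><string>TEAMID1234.com.example.rides</string></array>
    <key>com.apple.private.allow-explicit-graphics-priority</key>
    <true/>
</dict>
</plist>
"""


def find_private_entitlements(plist_bytes):
    """Return {key: value} for every private entitlement in the plist.

    Accepts XML or binary plists. Raises ValueError when the input is not
    a plist dictionary, so a failed extraction is never read as "clean".
    """
    try:
        entitlements = plistlib.loads(plist_bytes)
    except Exception as exc:
        raise ValueError("input is not a parseable plist") from exc
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return {
        key: value
        for key, value in sorted(entitlements.items())
        if key.startswith(PRIVATE_PREFIX)
    }


if __name__ == "__main__":
    for key, value in find_private_entitlements(SAMPLE_ENTITLEMENTS).items():
        print(f"private entitlement: {key} = {value!r}")
```
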
However, there is no concrete evidence that Uber actually took advantage of this access so far. The company claims it has now removed the API (application program interface) from the app.
“It’s not connected to anything else in our current codebase and the diff [sic] to remove it is already being pushed into production. This API would allow maps to render on your phone in the background and then be sent to your Apple Watch,” an Uber spokesperson is quoted as saying by Cnet.
“Subsequent updates to Apple Watch and our app removed this dependency, so we’re removing the API completely,” added the spokesperson.
Even though Uber claims it hasn’t been accessing users’ sensitive data, such features could put users’ security at high risk. Luca Todesco, a security expert, told ZDNet that it was tantamount to giving keylogging ability to apps. Once it is breached, any hacker could get access to users’ iPhone screens.
“This move by Uber and Apple has opened up its users to a massive privacy risk. Even if Uber doesn’t have any ulterior motive and the special ‘entitlement’ is only for rendering the maps, malicious hackers, if they gain access to the internal controls in Uber, could spy on users at mass,” said Ankush Johar, Director at HumanFirewall.io, a cybersecurity company.
“Millions of users use the application on Apple’s iOS and this access could be exploited gravely if in wrong hands. If a state-sponsored hacker gains access to this feature, it could give a spying agency, whether governmental or private, complete access to the target’s daily activities including precise location, complete conversations on even the most encrypted channels and all secure passwords that the target is using,” he added.
Uber’s poor past record on user privacy makes this revelation more serious. Earlier this year, the company was found using software to track the location of drivers of the rival company, Lyft, in the US. The software, known as Hell, allowed Uber to gather information including location, ride availability and even drivers’ records on whether they previously worked with Uber, reported TheInformation.
In April this year, Apple CEO Tim Cook had warned Uber about violating Apple’s guidelines. He even threatened to remove the app from the Apple App Store altogether. Uber was reportedly caught tracking iPhones even after the app was removed from the device.
Given this dismal history on user privacy, it’s quite surprising that Apple is still giving the company special treatment. Apple is yet to respond to the report.