Uber is apparently in possession of a special permission granted by Apple that allows its app to record the screen of an iPhone, even when the app is closed. The information was brought to light last week by security researcher Will Strafach.
The permission in question, "com.apple.private.allow-explicit-graphics-priority", is an undocumented private entitlement, meaning users would have no knowledge of giving the app the special permission. Its status as a private entitlement means the permission is normally withheld from developers and only granted in special cases.
Indeed, Strafach has claimed that Uber is the only third-party app known to be given such a private entitlement, out of thousands of indexed app binaries. The move was unprecedented according to other app developers.
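As an added illustration (not code from the article or from Strafach's tooling), this sketch shows one way an audit over app binaries can flag private entitlements. It assumes the entitlements are embedded in the binary's code signature as an XML property list; the function names and the sample bytes are constructed for the example.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

PRIVATE_PREFIX = "com.apple.private."
# Non-greedy match for each XML plist embedded in a byte blob.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def carve_plists(blob: bytes):
    """Yield every embedded XML plist that parses to a dictionary."""
    for match in PLIST_RE.finditer(blob):
        try:
            parsed = plistlib.loads(match.group(0))
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            continue  # malformed or truncated plist: skip, keep scanning
        if isinstance(parsed, dict):
            yield parsed


def private_entitlements(blob: bytes) -> dict:
    """Return {entitlement: value} for keys in Apple's private namespace."""
    found = {}
    for plist in carve_plists(blob):
        for key, value in plist.items():
            if key.startswith(PRIVATE_PREFIX):
                found[key] = value
    return found


# Constructed sample: fake binary header, one entitlements plist,
# padding, then a malformed plist that must be ignored.
SAMPLE = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 16
    + b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict>'
    b"<key>application-identifier</key>"
    b"<string>TEAMID.com.example.rides</string>"
    b"<key>com.apple.private.allow-explicit-graphics-priority</key><true/>"
    b"</dict></plist>"
    + b"\x00" * 8
    + b'<?xml version="1.0"?><plist version="1.0"><dict><key>broken</plist>'
)

if __name__ == "__main__":
    for name, value in private_entitlements(SAMPLE).items():
        print(f"private entitlement: {name} = {value!r}")
```

Run over a directory of binaries, the same function gives a per-app list of private entitlements that can be compared across app versions.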
According to Apple expert Luca Todesco, it's the equivalent of giving an app keylogging abilities, meaning it can be used to steal sensitive information like log-ins and passwords. It's unclear why Apple would grant such special privileges to the ride-sharing app, given its already poor record with regard to privacy. Apple had even contemplated removing Uber from the App Store due to alleged violations of users' privacy, making the move even more bizarre.
While Apple did not comment on the matter, Uber explained its need for the permission as being related to the company's Apple Watch app in a statement:
"It's not connected to anything else in our current codebase and the diff [sic] to remove it is already being pushed into production. This API would allow maps to render on your phone in the background and then be sent to your Apple Watch. Subsequent updates to Apple Watch and our app removed this dependency, so we're removing the API completely."
In the meantime, if users of the Uber app on iOS remain concerned about their privacy until the update is made available, the best course of action would be to uninstall the app from their devices.
Source: Will Strafach via ZDNet