A damning new report claims that Uber got permission from Apple to record an iPhone user’s screen. This was possible even if the app was kept in the background, a serious security issue.
It seems Apple gave Uber a special ‘entitlement’ which allowed it to have full control over the framebuffer, which contains the color of each pixel on an iPhone’s display. The application could have easily drawn or recorded the screen, silently monitoring a user’s activities. This may have led to passwords and other sensitive information getting stolen by a hacker or the brand itself.
The big mystery here is why Apple would give Uber such unprecedented access. Sudo Security Group CEO Will Strafach claims that he couldn’t find any other apps with such a big entitlement in the App Store. Uber isn’t exactly trustworthy when it comes to security matters, as seen with its Hell and Greyball tracking tools.
In fact, Apple CEO Tim Cook reportedly called former Uber CEO Travis Kalanick to his office a few years ago and asked him to put an end to a shady practice called fingerprinting. The company is now defending the entitlement by stating that it was being used to improve the performance of its Apple Watch app.
An Uber spokesperson told Gizmodo that the code was specifically used to render heavy-duty maps on the iPhone and then send that data to its Apple Watch app. Early units apparently couldn’t do this by themselves. Later versions of watchOS and the application changed this state of affairs, so the dependency was eliminated.
Uber is now planning to get rid of the API from its iOS codebase. It’s possible Apple gave the company special permission because of the short 4-month time window which was granted to the company to launch its watchOS app back in 2015. Still, given the risks involved, both firms should have done something about this sooner once the issues were sorted out.