Apple gave Uber ‘iPhone backdoor’ allowing covert screens & data access

6 Oct, 2017 12:24 / Updated 7 years ago

Apple granted Uber’s iPhone app special privileges by giving the car-hailing service a potential ability to record their customers’ phone screens and access other personal data without their knowledge, cyber security experts say.

READ MORE: Uber CEO apologizes to Londoners: ‘We’ve got things wrong’

The extremely sensitive permission, also known as ‘entitlement,’ was discovered by security researcher Will Strafach, CEO of Sudo Security Group.

Entitlement is a piece of code which app developers can use to interact with certain Apple systems like the camera or Apple Pay on iPhones and iPads.

What is extremely unusual about the particular entitlement granted to Uber is that it would have required Apple’s explicit permission, Strafach told Business Insider. 

He told Business Insider that Uber was the only app currently available in the App Store which possesses the entitlement coded as ‘com.apple.private.allow-explicit-graphics-priority,’ stressing that such a revelation is “very odd,” especially as he checked “tens of thousands of other apps.”

“Granting such a sensitive entitlement to a third-party is unprecedented as far as I can tell, no other app developers have been able to convince Apple to grant them entitlements they’ve needed to let their apps utilize certain privileged system functionality,” Strafach said.

Uber has acknowledged the situation, saying Apple gave it permission to use the private entitlement for a previous version of its Apple Watch app, to aid in the supply of maps on the iPhone. It said the entitlement is not currently being used.

“Apple gave us this permission because early versions of Apple Watch were unable to adequately handle the level of map rendering in the Uber app,” Uber representative Melanie Ensign told Business Insider. “Subsequent updates to Apple Watch and our app removed this dependency and we’re working with Apple to remove the API completely.”

Referring to the piece of code, an Uber spokesperson told BuzzFeed that the company is “working with Apple to remove it completely ASAP.”

The spokesperson said the entitlement “isn’t connected to anything in our current codebase, meaning it’s non-functional and there’s no existing feature using it.”

According to Strafach, the entitlement first appeared in Uber’s app around the time of the original Apple Watch launch in 2015.

Experts worry that although entitlement isn’t intended for malicious use, it could be used by Uber or a hacker who broke into Uber’s network to silently monitor activity on an iPhone user’s screen, allowing them to collect passwords or other personal data.

“Essentially it gives you full control over the framebuffer, which contains the colors of each pixel of your screen. So they can potentially draw or record the screen,” Luca Todesco, a researcher and iPhone jailbreaker, told Gizmodo. “It can potentially steal passwords etc.”

Strafach told Gizmodo that although he looked for indications that the entitlement had been used for malicious purposes, he was unable to find any evidence of such activity. 

It’s not the first time Uber has made headlines for alleged surveillance infringements. Last month, the FBI opened an investigation into Uber over its ‘Hell’ program, in which the company allegedly tracked drivers for rival company Lyft from 2014 to 2016, according to The Wall Street Journal. 

In April, it was revealed that Apple’s CEO met with Uber’s then-CEO to discuss the fact that the car-hailing company had tagged iPhones that had deleted the app – a clear violation of Apple’s rules, The New York Times reported at the time.

The company also came under fire in 2014 for its ‘God View’ tool, which allowed employees to track the location of Uber riders and customers without obtaining permission.